
Security Week 30: PHP-porn vulnerability, eavesdropping on keyboards, UAC bypass in Windows 10

On Wednesday, Kaspersky Lab experts from GReAT (the Global Research and Analysis Team) answered questions from Reddit users. One of the key topics of discussion was the attribution of complex cyber attacks. The topic is inherently difficult: for obvious reasons, the initiators of such attacks do not announce their actions; on the contrary, they make the investigation as hard as possible, using a host of ways to preserve anonymity. Only indirect evidence remains. Which evidence, you can see in this comment: the (human) language in the code, the compilation timestamps of the malicious files (which may indicate a time zone), typical targets, the IP addresses to which data is eventually sent, and so on. The problem is that all of this data is easy to fake, sending the investigation in the wrong direction. That is why our experts give facts in their reports rather than making generalizations.



The ever-growing “political” component of cyber attacks does not add clarity. Technology has penetrated our everyday lives to such a degree that it is inevitably discussed not only by techies, and decisions, alas, are not made only on the basis of dry facts. The same thread gives two examples of positive interaction between experts and society: (1) vendors and police working together to block the activity of ransomware Trojans and (2) any initiative for sharing threat information between researchers and potential victims in a safe way. Incidentally, we recently announced a project from the first category: Europol and the Netherlands Police, together with Kaspersky Lab and Intel Security, launched a new website where ransomware victims can get information on decrypting their data without paying a ransom.



However, this answer from the Reddit thread seemed to me the best:

Question: So how should we pronounce Kaspersky? Casper Sky, Casper Sky or Casper? Or how?

Answer: Yes.



There is also an interesting discussion there of personal security online for Windows, Mac and Linux users. Now on to the news. All digest issues are here.



Pornhub has paid 20 thousand dollars to researchers for a vulnerability in PHP

News. Research.



This story is good because it demonstrated not only a vulnerability (more precisely, two vulnerabilities) in PHP but also a working exploitation scenario. Moreover, everything ended well: an important Internet resource was not hacked but, on the contrary, became safer for its users. Both vulnerabilities (CVE-2016-5771 and CVE-2016-5773, described here and here) have to be used together: they affect the deserialization of data received from the client and the garbage collector. Exploiting them in a rather non-standard way (Ruslan Habalov, one of the authors of the study, admits that the right combination of actions was extremely hard to find) leads to arbitrary code execution.







And this is where Pornhub comes in. Or rather, the other way round: the existence of Pornhub's bug bounty program is what motivated the researchers to get started in the first place. Exploiting the vulnerabilities on Pornhub's servers gave full access to its data: for example, tracking user actions, downloading the sites' source code and so on. The researchers, however, limited themselves to a proof of concept, uploading to the server a text file with a greeting to the admins. As a result, Pornhub paid the discoverers 20 thousand dollars, and the Internet Bug Bounty consortium, which unites developers of network software, added another thousand for each vulnerability.



Researchers have discovered an unfixable vulnerability in wireless keyboards

News. List of vulnerable devices.



Remember the study on the vulnerability of receivers for wireless mice? The authors of that study, from Bastille Networks, decided not to stop there and, having examined how mice connect to their receivers (this is not about Bluetooth devices), took up keyboards. Earlier, the researchers had found a way to add an “extra” keyboard, without authorization, to the trusted devices of a USB receiver, but said at the time that intercepting user input was not possible, since the keyboard's connection (unlike data transfer from mice) is encrypted.







Well, it turned out that it is not always encrypted. 8 of the 12 keyboards tested do not encrypt data at all, which makes intercepting it quite easy. Moreover, the USB receivers of such keyboards constantly transmit information so that devices can connect to them; these signals can be used to identify the manufacturer and pick out vulnerable devices for interception. Field tests showed that such interception is possible with off-the-shelf components at a distance of up to 250 meters. Fortunately, the list of affected devices contains no models from the most popular manufacturers such as Logitech or Microsoft, but it does include, for example, HP, Kensington and Toshiba. Besides intercepting input, it is also possible to transmit characters to the remote computer.



Unlike the MouseJack vulnerability, where the authorization mechanism was broken and at least Logitech was able to close the hole, these devices cannot be fixed at all. According to the researchers, the problem cannot be solved without replacing the controller (three different controller types were found across the 12 devices), so it is easier to buy a different keyboard. Or use a wired one.



A way to bypass User Account Control in Windows 10 using the built-in DiskCleaner utility

News. Research.



Researchers Matt Graeber and Matt Nelson have found a non-standard way of circumventing User Account Control, the feature designed to restrict user rights. The “vulnerability” exists only in Windows 10 and was discovered through analysis of the built-in DiskCleaner utility. By default, this utility is run on a schedule by the SilentCleanup task. On launch, a directory is created in the user's Temp folder, into which several DLLs and one executable, dismhost.exe, are copied. The executable then runs and loads the copied DLLs one after another.







The trick is that this whole process runs with elevated privileges even though it takes place in a user folder. Any other process with ordinary user privileges can write to the Temp folder, which means a DLL can be swapped for another one and arbitrary code executed with elevated rights. It's that simple. Interestingly, Microsoft does not consider a UAC bypass (that is, getting around the elevation prompt by any means) a vulnerability, since UAC is not regarded as a security boundary (read more here).
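As an added defender-side example (not from the original post or the researchers' work), a small Python rule over constructed Sysmon-style image-load events that flags the pattern described above: dismhost.exe loading a DLL from a user's Temp directory that is not Microsoft-signed. Field names follow Sysmon Event ID 7; the sample events, the process and DLL names in them, and the assumption that the DLLs the cleanup utility legitimately copies are Microsoft-signed are all mine.

```python
"""Flag the SilentCleanup DLL-hijack pattern in image-load telemetry.

dismhost.exe loading DLLs from a user's Temp directory is normal for the
cleanup utility; a DLL there that is not Microsoft-signed is the planted
one. Field names follow Sysmon Event ID 7; all events here are constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# Any path inside a user's AppData\Local\Temp tree (case-insensitive).
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def is_suspicious_load(event: Dict[str, str]) -> bool:
    """True when dismhost.exe loads a non-Microsoft DLL from a user Temp dir.

    Assumption: the DLLs the cleanup utility legitimately copies there are
    Microsoft-signed, so anything else in that directory was planted.
    """
    loader = ntpath.basename(event.get("Image", "")).lower()
    if loader != "dismhost.exe":
        return False
    if not USER_TEMP_RE.match(event.get("ImageLoaded", "")):
        return False
    signed = event.get("Signed", "false").lower() == "true"
    vendor = event.get("Signature", "")
    return not (signed and vendor.startswith("Microsoft"))


def find_hijacks(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the paths of DLLs that trip the rule, in event order."""
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]


# Constructed sample: a benign system load, a legitimate Microsoft-signed
# DLL copied by the cleanup utility, and an unsigned DLL dropped in its place.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cleanmgr.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\d1f2\dismhost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\d1f2\helper.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\d1f2\dismhost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\d1f2\planted.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for path in find_hijacks(SAMPLE_EVENTS):
        print("suspicious DLL load:", path)
```

In a real deployment the rule would run over the image-load events of the SilentCleanup task's process tree; a DLL signed by any vendor other than Microsoft also trips it.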



What else happened:

Firefox starts blocking Flash content and encourages everyone to switch to HTML5.



Serious vulnerability in the LastPass password manager.



Chrome fixed a sandbox escape (and another 47 bugs).



Antiquities:

Family "MPHTI"



Very dangerous viruses that infect the boot sectors of hard drives and floppy disks. The old boot sector is stored in the penultimate (“MPHTI-a”) or last (“MPHTI-b”) sector of the root directory of the infected disk. Depending on an internal counter, they can destroy information on the first 8 tracks of all available disks. They hook int 13h. They contain the text "1991, MIPT".



Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, p. 95.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/306754/


