
Security Week 44: zero-day in Windows, vulnerability in the Mirai botnet, serious holes in MySQL

Another week of patches with nuances. Let's start with the latest news about the Mirai botnet, used for at least two large-scale DDoS attacks. Thanks to the leaked source code, this seemingly one-off story is turning into a sprawling series with sequels and prequels. This week brought spin-offs as well: researchers from Invincea Labs dug up three vulnerabilities in the Mirai attack code (details in this news item or in the original research).

The most serious one leads to a buffer overflow in the Mirai code. The problem is incorrect processing of the HTTP Location header, which may be present in the response of the attacked server. The code is responsible for removing the http:// prefix from the resulting string, and does it very simply: take the length of the string and subtract the number of prefix characters (seven of them). If a very short Location header (five characters, say) is slipped into the response, the result is a negative number (5-7 = -2), which leads to a buffer overflow and a crash.
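To make the arithmetic concrete, here is an added C example (not Mirai's code and not from the original research): a hypothetical reconstruction of the bug class, with the naive signed length arithmetic beside a hardened prefix-stripping routine. The header values are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical reconstruction of the bug class described above, not Mirai's code. */
#define PREFIX     "http://"
#define PREFIX_LEN 7

/* Naive arithmetic as the article describes: string length minus the
 * prefix length, with no check that the prefix is actually present.
 * For the constructed header "http:" this yields 5 - 7 = -2. */
int naive_remaining_len(const char *location)
{
    return (int)strlen(location) - PREFIX_LEN;
}

/* Unsafe pattern: the negative count is converted to size_t for the copy,
 * wraps to a huge value and overruns dst. Kept only for comparison; never
 * call it with untrusted input. */
void strip_prefix_unsafe(char *dst, const char *location)
{
    int remaining = naive_remaining_len(location);
    memcpy(dst, location + PREFIX_LEN, (size_t)remaining);
    dst[remaining] = '\0';
}

/* Hardened version: confirm the prefix is present before subtracting, keep
 * lengths unsigned so they cannot go negative, and bound the copy by the
 * destination size. Returns the copied length, or -1 if the header is rejected. */
int strip_prefix_safe(char *dst, size_t dst_size, const char *location)
{
    size_t len = strlen(location);
    if (len < PREFIX_LEN || memcmp(location, PREFIX, PREFIX_LEN) != 0)
        return -1;                        /* too short, or not an http:// URL */
    size_t remaining = len - PREFIX_LEN;  /* len >= PREFIX_LEN, so no underflow */
    if (remaining >= dst_size)
        return -1;                        /* would overflow dst: refuse */
    memcpy(dst, location + PREFIX_LEN, remaining);
    dst[remaining] = '\0';
    return (int)remaining;
}

int main(void)
{
    char out[64];
    printf("naive length for \"http:\" = %d\n", naive_remaining_len("http:"));
    printf("safe result for \"http:\" = %d\n", strip_prefix_safe(out, sizeof out, "http:"));
    if (strip_prefix_safe(out, sizeof out, "http://example.test/path") >= 0)
        printf("stripped: %s\n", out);
    return 0;
}
```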

The important point: the crash occurs in the process that performs the attack. That is, this lets you stop the attack coming from an infected device, but it does not remove the device from the botnet. Overall, it is a very familiar but inverted situation. If we were talking about a legitimate program, we would speak of a "critical vulnerability easily exploited by an attacker using a specially crafted response to an HTTP request" or something like that. Patch urgently! And here? In theory, on the contrary, it becomes possible to effectively put out attacks. But a moral and ethical question arises: isn't this a case of "hacking in response to hacking"?

Hacking back, or literally attempting to attack the attackers, does lead to ethical and legal difficulties. There are plenty of reasons not to hack cybercriminals' servers, even if you really want to and even if you know the names, passwords and addresses. First, it is often simply illegal. Secondly, you will most likely break into not the lair of evil but the computer of an unsuspecting user infected with a trojan. Thirdly, this practice creates a natural desire to keep well-honed attack tools "just in case", and such tools move to the dark side incredibly easily. Your crusade against cybercrime ultimately results in the spread of malware.

Okay, in the context of this vulnerability everything about Mirai seems harmless: there are no exploits involved here, you just tweak your web server's configuration slightly. But as I showed in the paragraph above, conceptually such an action is no different from exploiting a vulnerability in legitimate software. What do the experts advise? The authors of the report recommend nothing: decide for yourself. Even the analysis of the Mirai vulnerability itself, with examples from the source code, is hard to interpret: are we informing the public, or helping the bot herders patch their bots?

What have we come to.

Researchers from Google released information about the zero-day vulnerability in Windows before the release of the patch. Microsoft is unhappy.


News. A post on the Google Threat Research team blog.

On October 31, a group of Google security researchers published a brief description of a zero-day vulnerability in Windows. The vulnerability allows local privilege escalation and can be used as part of a sandbox escape. The researchers sent information about the vulnerability to Microsoft on October 21, giving only seven days to develop a patch. This is where it gets interesting: the generally accepted "waiting time" (while the vendor prepares and distributes the patch) is several weeks, but in this case the period was much shorter. Microsoft did not manage to close the vulnerability in time, so Google ended up disclosing details of a serious problem while no fix existed. A workaround was, however, added to Chrome, making it impossible to use the "escape" in this browser.

Why? Google has a public document that spells out the waiting periods for vulnerabilities that are being actively exploited. According to the company's researchers, for in-the-wild exploits it is better to spread the information so that users know about the problem and can try to do something on their own if the vendor has not yet come up with a patch or at least an advisory. By the way, on October 21 Google also sent Adobe information about a Flash vulnerability, and in that case everyone made it in time.

The problem is that there are no generally accepted standards of etiquette in relations between vendors and researchers. Obviously, Google's arguments are fair, but so are Microsoft's counter-arguments. According to Microsoft (a detailed analysis of this news), Google's behavior endangers Microsoft customers: after all, disclosing even the smallest amount of information about a vulnerability can lead to the exploit being used much more widely. Microsoft promises to close the vulnerability on November 9. But discussions about the ethics of security research will continue for a long time, until everyone finally agrees.

Critical vulnerabilities discovered in MySQL and compatible DBMS


News. Legal Hackers' research.

For a change, standard vulnerabilities without nuances or flame wars. In September I already mentioned a critical vulnerability in MySQL, which has since been closed. Its discoverer, Dawid Golunski of the Legal Hackers group, decided not to stop there and found two new serious vulnerabilities affecting both MySQL and the MariaDB and Percona Server forks based on its code.

It is noteworthy that the vulnerabilities can be chained, giving the attacker full access to the affected system. The first (CVE-2016-6663) allows a local DBMS user to elevate privileges. Using it as a foothold, the second vulnerability can be applied to obtain root rights. The second one (CVE-2016-6664) is related to MySQL's unsafe handling of the error.log file. By the way, the September vulnerability can also be used to build the attack if it has not been patched.

The vulnerabilities have already been closed in all the products mentioned. MariaDB's developers took an interesting approach: they promptly closed the first hole (6663) and postponed the patch for the second. The reasoning is simple: without the "springboard", obtaining superuser rights will not work.

What else happened


Patches for iTunes and iCloud control panels for the Windows platform.

Kaspersky Lab experts published a report on DDoS attacks for the third quarter of the year. On the agenda is the continuing growth in the share of DDoS attacks carried out from Linux machines (78.9%).

Antiquities


"Goodbye-839"

A resident, harmless virus; infects .COM, .EXE and .OVL files in the standard way when they are loaded into memory. On Sundays it plays the tune "Goodbye America" by the rock group Nautilus Pompilius. Hooks int 1Ch, 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 68.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on your luck.

Source: https://habr.com/ru/post/314434/
