
Security Week 25: an ancient vulnerability resurrected in *NIX, WannaCry was unfinished, the CIA listens in on our routers

Earth, 2005. Mysterious events are happening all over the planet: Nokia is releasing a tablet running Linux, a game starring the members of Metallica is being developed in deep secrecy, and Jobs has announced the move of Macs to the Intel platform.

Meanwhile, at the CanSecWest conference, Gaël Delalleau of Beijaflore presented a seminal paper on vulnerabilities in the memory management of various *NIXes, illustrating his findings with exploits for Apache. Everything was patched. Several years passed.

2010. Rafal Wojtczuk demonstrated exploitation of vulnerabilities of the same class in the Xorg server. The same year, Jon Oberheide published a couple of amusing posts about his innocent games with the *NIX kernel stack. Everything was patched again.

2016. An exploit for kernel stack vulnerabilities on Ubuntu came out of Google Project Zero. Oberheide says hello in the comments. Ubuntu patched.

2017. It never happened before, and here it is again. Qualys has learned how to play tricks with the user-mode stack on any *NIX, following Delalleau's ideas.

User-mode stack exploits rest on a simple question: if the dynamic area (the heap) and the stack grow towards each other, what happens when they meet? But one should not think that *NIX kernels are developed by fools! Of course they thought of such a turn of events (well, by now they certainly had). In all modern Unix-like operating systems the user-mode stack is fenced off by a special guard page; an attempt to access it raises an exception or terminates the process.

But here is the strange part. Suddenly it turned out that this guard page can be bypassed, and in many ways. Delalleau had talked about this back in 2005. Everyone patches again, cheerfully and with a song.

This hoary bug works by growing the stack without writing to it. This is done differently on different operating systems, for example via a recursive procedure call or multi-megabyte command-line arguments. The stack pointer moves towards lower addresses, the stack grows sharply, and, hop, the stack pointer is already past the guard page. The guard page itself is never accessed, so there is no error. The stack area ends up overlapping the dynamic area.



This allows replacing a function's return address on the stack and thus running arbitrary code with elevated privileges.

Qualys tested this technique only locally, but in theory a similar trick could be pulled off remotely, or at the least it would serve Trojans to escalate their own privileges. The researchers see two ways to fix the vulnerability: a fantastic one and a realistic one. The fantastic one is to inflate the guard page to at least 1 MB, preferably more. The realistic one is simply to recompile all user-space code with GCC's -fstack-check option, after which the stack pointer cannot jump over the guard page without writing to it. And on FreeBSD it would be worth at least enabling the guard page in the first place; by default it is not used there.
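A defender's first question after reading the above is how wide the empty space below the stack actually is on a given box. The following added example (written for this column, not code from Qualys or from the kernel projects) parses /proc/<pid>/maps, finds the [stack] mapping and the nearest mapping below it, and reports whether the gap between them meets a threshold. The 1 MiB threshold is taken from the "fantastic" fix described above and is an assumption of this example; the maps text in MAPS_WIDE and MAPS_TIGHT is constructed, not captured from a real host.

```python
"""Measure the gap between a process's [stack] mapping and the mapping
directly below it, the space a stack-vs-heap collision would have to cross."""
import re
from typing import List, NamedTuple, Optional


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    name: str


# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+(?:\s+(.*))?$")

# Assumption of this example: treat anything narrower than 1 MiB as too tight.
MIN_GAP = 1 << 20


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format text into Mapping records; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                           m.group(3), (m.group(4) or "").strip()))
    return out


def stack_gap(maps: List[Mapping]) -> Optional[int]:
    """Bytes between the end of the closest lower mapping and the start of [stack]."""
    stack = next((m for m in maps if m.name == "[stack]"), None)
    if stack is None:
        return None
    below = [m.end for m in maps if m is not stack and m.end <= stack.start]
    if not below:
        return None
    return stack.start - max(below)


def guard_gap_ok(maps: List[Mapping], min_gap: int = MIN_GAP) -> bool:
    """True when the stack has at least min_gap bytes of unmapped space below it."""
    gap = stack_gap(maps)
    return gap is not None and gap >= min_gap


def check_self(min_gap: int = MIN_GAP) -> Optional[bool]:
    """Run the check on the current process; None when /proc is unavailable."""
    try:
        with open("/proc/self/maps") as f:
            return guard_gap_ok(parse_maps(f.read()), min_gap)
    except OSError:
        return None


# Constructed sample layouts (not captured from a real machine).
MAPS_WIDE = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example
00652000-00673000 rw-p 00000000 00:00 0 [heap]
7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0
7ffc3a0f0000-7ffc3a111000 rw-p 00000000 00:00 0 [stack]
7ffc3a1c6000-7ffc3a1c9000 r--p 00000000 00:00 0 [vvar]
"""

# Same layout, but an anonymous mapping ends exactly one 4 KiB page below the stack.
MAPS_TIGHT = MAPS_WIDE.replace(
    "7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0",
    "7ffc3a0e8000-7ffc3a0ef000 rw-p 00000000 00:00 0")


if __name__ == "__main__":
    for label, text in (("wide", MAPS_WIDE), ("tight", MAPS_TIGHT)):
        maps = parse_maps(text)
        print(f"{label}: gap below [stack] = {stack_gap(maps)} bytes, "
              f"ok = {guard_gap_ok(maps)}")
    print("this process:", check_self())
```

The kernel's guard gap is not a mapping of its own, so it appears in maps output only as empty address space below [stack]; that is what stack_gap measures. On a live system the "tight" case looks like the original single-page guard, while a Linux kernel patched after June 2017 reserves 256 pages (1 MiB on 4 KiB pages) below the stack, which this check would report as ok. The check says nothing about whether user-space binaries were built with stack probing (-fstack-check); that has to be verified separately on the build side.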

Researcher suggests WannaCry was born prematurely

The WannaCry Trojan, fatal for so many, was either built by clumsy hands or escaped before it was finished. That is the intriguing theory put forward by Jake Williams of Rendition InfoSec after an in-depth analysis of the EternalBlue and WannaCry code (news). In his opinion, the creators of the ransomware made several "overwhelming mistakes."

For a start, the hardcoded bitcoin addresses for ransom payments look very strange. Not only did this let an enterprising person grab a little for himself by patching the address in a hex editor, it also makes it impossible to keep track of payments: as Williams rightly noted, try to work out which victims the transactions landing in the wallet belong to. And tracing the further fate of money from a single address is not that hard (mixers do not always help), so problems with cashing out are guaranteed.

It is much more practical to generate a separate address for each infection, or at least for every few infections; this would immediately remove most of the problems. That is what seasoned extortionists actually do. But not the authors of WannaCry. In total there are three versions of the address in the captured samples, and it is likely that only one of them belongs to the original attackers.

Into the same collection of blunders goes the famous WannaCry "kill switch": a domain whose presence online makes the Trojan stop working. In itself this is quite common practice, but, have mercy, what prevented them from making a slightly more complex check than an HTTP 200 status code? For many other bots, the exchange with the command server is encrypted and the Trojan shuts down only on command.

A number of signs pointing to the North Korean origin of this epidemic do not fit the hypothesis that WannaCry is the brainchild of clumsy script kiddies. The Lazarus group, suspected of involvement in WannaCry, has given no reason to accuse it of unprofessionalism. So Williams offered a different explanation: in his opinion, the unfinished WannaCry simply escaped from its test environment by accident and went on to spread uncontrollably.

This sounds damn close to the truth, although it is not clear what prevented the creators from pulling the switch in time, that is, registering the stop domain before the Trojan's spread turned into an epidemic. And yet, it will be funny if it turns out that the hardcoded bitcoin address is only a placeholder and does not correspond to any real wallet. At least, there have been no withdrawals from the well-known WannaCry wallets so far.

The CIA has been monitoring our routers for years

WikiLeaks has published details of the CIA's program for monitoring traffic passing through D-Link, Linksys, 3Com and Planet Tec routers. Poetically named Cherry Blossom, the program involves building special firmware that is flashed onto routers remotely. The firmware looks like the real thing, but it picks e-mail addresses, chat names, MAC addresses and VoIP numbers out of the traffic and sends them to its server. If necessary, it can even redirect traffic "where necessary".



The only more or less difficult stage of the operation is getting the firmware onto an unsuspecting router. However, what Mirai manages is well within the reach of the CIA's brainchild: the agency developed the Tomato and Surfside exploits for routers. They do not work everywhere, and for the remaining cases the documentation recommends implanting the firmware by operational means, that is, infiltrating the supplier and quietly flashing all the routers in stock. Romantic spy work as it is. The old-school spirit is still alive at the CIA!

Antiquities


"Justice"

Very dangerous; infects COM files when they are accessed via DOS functions 43h, 4Bh, 3Dh, 56h. Writes itself to the end of files and changes 5 bytes at their beginning (NOP; NOP; JMP Loc_Virus). COMMAND.COM is infected using the "Lehigh" virus algorithm. Periodically writes information being recorded to disk into a sector with a different number. Contains the text "AND JUSTICE FOR ALL". Hooks int 13h and int 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 72.
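The book's description is itself a detection signature: a COM file that starts with NOP; NOP; JMP rel16, where the jump lands in a body appended at the end of the file that carries the text "AND JUSTICE FOR ALL". The following added example (written for this column, not from the book) turns that description into a small heuristic scanner. The byte fixtures CLEAN, INFECTED and DECOY are constructed to match the description and are not real samples; the placeholder bytes in the appended body are an assumption, not the virus's code.

```python
"""Heuristic check for the COM-file infection pattern described in the quote:
first 5 bytes replaced by NOP; NOP; JMP rel16 into an appended body that
contains the marker text."""
from typing import Optional

MARKER = b"AND JUSTICE FOR ALL"
ENTRY_PREFIX = b"\x90\x90\xe9"  # NOP ; NOP ; JMP rel16 (opcode E9)


def entry_jump_target(data: bytes) -> Optional[int]:
    """File offset the entry JMP lands on, or None if the 5-byte prefix is absent.

    JMP rel16 is relative to the next instruction, which sits at offset 5;
    COM files are loaded flat at 0x100, so file offsets and load offsets differ
    by a constant and the relative jump can be resolved on file offsets directly.
    """
    if len(data) < 5 or not data.startswith(ENTRY_PREFIX):
        return None
    disp = int.from_bytes(data[3:5], "little", signed=True)
    return 5 + disp


def looks_infected(data: bytes) -> bool:
    """True when the entry jump lands inside the file and the marker follows it."""
    target = entry_jump_target(data)
    if target is None or not 0 <= target < len(data):
        return False
    # The body is appended to the host, so the marker must sit at or after the
    # landing point rather than anywhere in the original program.
    return MARKER in data[target:]


def scan_file(path: str) -> bool:
    """Apply the heuristic to a file on disk."""
    with open(path, "rb") as f:
        return looks_infected(f.read())


# Constructed fixtures (not real samples).
# A 64-byte host: mov ah,4Ch ; int 21h ; followed by NOP padding.
CLEAN = b"\xb4\x4c\xcd\x21" + b"\x90" * 60

# The entry JMP must land at offset len(CLEAN) == 64, i.e. disp = 64 - 5 = 0x3B.
_ENTRY = b"\x90\x90\xe9\x3b\x00"
# Placeholder body (assumption): filler bytes, then the marker, then a RETF.
_BODY = b"\xcc" * 16 + MARKER + b"\xcb"
INFECTED = _ENTRY + CLEAN[5:] + _BODY

# Same entry bytes but nothing appended: the jump lands on zeroes, no marker.
DECOY = _ENTRY + b"\x00" * 100


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("infected", INFECTED), ("decoy", DECOY)):
        print(f"{name}: jump target={entry_jump_target(blob)}, "
              f"infected={looks_infected(blob)}")
```

Requiring both the jump geometry and the marker after the landing point keeps false positives down: plenty of legitimate COM programs start with a jump, and the marker alone would match any file that merely quotes the album title. The check covers only the pattern the book describes; a file where the jump is stored elsewhere, or the marker is encoded, would need a different rule.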

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/331524/
