Wireshark Multiple Denial of Service Vulnerabilities
 
GNU glibc CVE-2015-8779 Stack Buffer Overflow Vulnerability
 
GNU glibc CVE-2015-1781 Multiple Buffer Overflow Vulnerabilities
 


It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google's official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren't eligible to receive the fixes. Even those that do qualify don't receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

"Extremely serious bug"

The first vulnerability was disclosed by Mark Brand, a researcher with Google's Project Zero security team. Indexed as CVE 2016-3861, it allows attackers to execute malware or escalate local privileges on vulnerable phones. Brand warned that it's "an extremely serious bug" because it can be exploited in a large variety of ways. He also said CVE 2016-3861 wasn't particularly hard to detect, a finding that increases the chances that other researchers already knew about it. (In any event, Brand included exploit code with his disclosure.) Brand didn't say exactly which Android version introduced the code-execution vulnerability, but he indicated that it's present in at least several of the most recent releases.


 
Supermicro IPMI 'close_window.cgi' Multiple Buffer Overflow Vulnerabilities
 
Oracle July 2016 Critical Patch Update Multiple Vulnerabilities
 
Xen CVE-2016-7093 Local Privilege Escalation Vulnerability
 
Xen CVE-2016-7094 Local Denial of Service Vulnerability
 
Xen CVE-2016-7092 Local Privilege Escalation Vulnerability
 
AST-2016-007: RTP Resource Exhaustion
 
[slackware-security] php (SSA:2016-252-01)
 
Apple iOS CVE-2016-4654 Memory Corruption Vulnerability
 

It's a fact: when a device can be physically accessed, you may consider it compromised. And if the device is properly hardened, it's just a matter of time. The best hacks are the ones that use a feature or the way the computer is supposed to work. To illustrate this, let's review an interesting blog post published yesterday[1]. It demonstrates how easy it is to steal credentials from a locked computer. While the attack is not new, the method used is really awesome. You probably know that computers tend to generate a lot of network requests that may contain sensitive information. As an example, if you specify a URL like file://1.2.3.4/doc.txt in a web page, Internet Explorer will try to access the file via SMB and will disclose the current user's credentials. In the new attack, there is no need to play with cables to sniff traffic, and no MitM or altered web pages. Access to the USB port of a locked computer (read: a user being logged in but away for a coffee break) is enough.

To perform the attack, a low-cost device is required, like the USB Armory[2] or the Hak5 Turtle[3]. Both can be connected to a host computer via USB and provide TCP/IP service via an Ethernet over USB protocol. When you connect such a device to the USB port, a driver is loaded by the operating system (which does not require any user intervention), a new interface is set up and classic TCP/IP communications occur. What happens in this case? The host computer will consider this interface as the new default one for a few seconds and try to configure it by requesting an IP address via DHCP.

The USB Armory is configured to provide DHCP services but with a specific option (number 252) to provide the proxy auto configuration script, also called WPAD (Web Proxy Autodiscovery Protocol):

    subnet 192.168.10.0 netmask 255.255.255.0 {
      ...
      option local-proxy-config "http://192.168.10.1/wpad.dat";
    }

The key point is that WPAD provided by DHCP has a higher priority than the one provided by DNS. The tool that will handle the requests and capture data is Responder[5]. A nice demonstration is available on YouTube[6]. Evil!

The next question is: how to protect against this kind of attack? It's not easy because countermeasures may affect the computer operations or restrict users

    192.168.254.222 - - [09/Sep/2016:08:26:53 +0200] GET /wpad.dat HTTP/1.1 200 591 - WinHttp-Autoproxy-Service/5.1

How to mitigate this attack?

Completely disabling USB ports is not an option, but restricting the use of some USB devices (usually HID, or Human Interface Devices) can be implemented by a GPO or specific software.

If you don't use automatic proxy discovery, monitor your DNS logs for requests like wpad.domain.com. The WPAD configuration over DHCP has a higher priority than DNS. However, as explained by Microsoft[7]:

Now, if DHCP is configured to provide the WPAD location, IE stops the detection and will make a GET request for the wpad.dat file and no further searching is done. This is true even if the DHCP 252 option is incorrect and a correct entry is configured as a DNS record. Please also be aware that IE still sends out the DNS query in this situation, even the DNS result won't be adopted.

    09-Sep-2016 08:26:54.672 queries: info: client 192.168.254.222#57683: query: wpad.xxxxx IN AAAA + (192.168.254.8)
    09-Sep-2016 08:26:54.672 queries: info: client 192.168.254.222#61760: query: wpad.xxxxx IN A + (192.168.254.8)
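The DNS-log monitoring suggested above can be automated. The following is an added example, not part of the original diary: it scans BIND query-log lines in the layout shown above and reports which clients asked for a name whose first label is "wpad". The sample lines, the corp.example domain and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# BIND query-log layout as shown above; newer BIND versions insert
# " (qname)" between the client port and ": query:", which ".*?" absorbs.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<name>\S+) IN (?P<type>\S+)"
)

def wpad_lookups(lines):
    """Map client IP -> sorted list of (qname, qtype) for WPAD lookups."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line
        name = m["name"].rstrip(".").lower()
        # Only the leftmost label matters: wpad, wpad.corp.example, ...
        # but not wpadserver.corp.example.
        if name.split(".")[0] != "wpad":
            continue
        hits[m["client"]].add((name, m["type"]))
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log lines (hypothetical hosts and domain).
SAMPLE_LOG = """\
09-Sep-2016 08:26:54.672 queries: info: client 192.168.254.222#57683: query: wpad.corp.example IN AAAA + (192.168.254.8)
09-Sep-2016 08:26:54.672 queries: info: client 192.168.254.222#61760: query: wpad.corp.example IN A + (192.168.254.8)
09-Sep-2016 08:27:10.101 queries: info: client 192.168.254.30#50211: query: WPAD.corp.example IN A + (192.168.254.8)
09-Sep-2016 08:27:11.340 queries: info: client 192.168.254.30#50212: query: www.example.org IN A + (192.168.254.8)
09-Sep-2016 08:27:15.002 queries: info: client 192.168.254.31#50300: query: wpadserver.corp.example IN A + (192.168.254.8)
09-Sep-2016 08:27:15.874 queries: info: client 192.168.254.31#50301 (wpad): query: wpad IN A + (192.168.254.8)
""".splitlines()

if __name__ == "__main__":
    for client, names in wpad_lookups(SAMPLE_LOG).items():
        print(client, names)
```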

If you don't use the DHCP option 252 in your network, a good idea is to track such a feature via your IDS. Here is a

    alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; content:"|fc|"; content:"/wpad.dat";)

(Note that this rule won't protect you against the attack described here because the DHCP traffic remains local, but it can help you to detect a classic MitM attack.)
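Where DHCP replies can be captured (a sensor port, or a pcap taken on the host), option 252 can also be checked by walking the option list itself. This is an added example, not code from the diary or from any tool it mentions: it parses the UDP payload of a DHCP reply and returns the option 252 value if one is present. The sample packets and helper names are constructed.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 cookie, at offset 236
OPT_PAD, OPT_END, OPT_WPAD = 0, 255, 252

def dhcp_options(payload: bytes):
    """Yield (code, value) for each option in a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:                # single byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            return                         # truncated: length byte missing
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) < length:
            return                         # truncated: value cut short
        yield code, value
        i += 2 + length

def wpad_from_reply(payload: bytes):
    """Return the option 252 URL carried by a BOOTREPLY, or None."""
    if payload[:1] != b"\x02":             # op == 2 means server -> client
        return None
    for code, value in dhcp_options(payload):
        if code == OPT_WPAD:
            return value.rstrip(b"\x00").decode("ascii", "replace")
    return None

# --- constructed sample packets (not captured traffic) ---
def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

def build_packet(options: bytes, op: int = 2) -> bytes:
    """Minimal 236-byte BOOTP header (zeroed apart from op/htype/hlen) + options."""
    return struct.pack("!BBBB", op, 1, 6, 0) + bytes(232) + DHCP_MAGIC + options + b"\xff"

ROGUE = build_packet(opt(53, b"\x05") + opt(252, b"http://192.168.10.1/wpad.dat"))
CLEAN = build_packet(opt(53, b"\x05") + opt(3, b"\xc0\xa8\x0a\x01"))
# "/wpad.dat" appears, but inside option 15 (domain name), not option 252.
DECOY = build_packet(opt(53, b"\x05") + opt(15, b"x/wpad.dat"))
REQUEST = build_packet(opt(53, b"\x01") + opt(252, b"http://192.168.10.1/wpad.dat"), op=1)
```

Options placed in the sname/file header fields through option 52 (overload) are not parsed by this example.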

Finally, you can track the use of devices like the USB Armory by monitoring the following registry key: HKLM\SYSTEM\CurrentControlSet\Enum\USB.

This can be implemented with a host-based IDS like OSSEC[8].

As you can see, this attack is not easy to mitigate. If you have tips to protect against such USB attacks, feel free to share!

[1] https://room362.com/post/2016/snagging-creds-from-locked-machines/
[2] https://inversepath.com/usbarmory
[3] http://hakshop.myshopify.com/collections/lan-turtle/products/lan-turtle
[4] https://en.wikipedia.org/wiki/Ethernet_over_USB
[5] https://github.com/Spiderlabs/Responder
[6] https://www.youtube.com/watch?v=Oplubg5q7ao
[7] https://blogs.msdn.microsoft.com/asiatech/2012/08/14/insight-wpad-proxy-settings-on-ie/
[8]

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 
Internet Storm Center Infocon Status