Wednesday, January 28, 2015

CVE-2015-0235: A GHOST in the Machine

This post was authored by Nick BiasiniEarl Carter, Alex Chiu and Jaeson Schultz

On Tuesday January 27, 2015, security researchers from Qualys published information concerning a 0-day vulnerability in the GNU C library. The vulnerability, known as “GHOST” (a.k.a. CVE-2015-0235), is a buffer overflow in the __nss_hostname_digits_dots() function. As a proof-of-concept, Qualys has detailed a remote exploit for the Exim mail server that bypasses all existing protections, and results in arbitrary command execution. Qualys intends to release the exploit as a Metasploit module.

CVE-2015-0235 affects the functions gethostbyname() and gethostbyname2() --functions originally used to resolve a hostname to an IP address. However, these functions have been deprecated for approximately fifteen years, largely because of their lack of support for IPv6.  The superseding function is getaddrinfo() which does support IPv6 and is not affected by this buffer overflow. Programs that still utilize the deprecated gethostbyname() and gethostbyname2() functions may potentially be affected by GHOST.

Friday, January 23, 2015

Flash 0-day Exploited by Angler Exploit Kit

This post was authored by Nick Biasini, Earl Carter and Jaeson Schultz

Flash has long been a favorite target among Exploit Kits (EK). In October 2014 the Angler EK was believed to be targeting a new Flash vulnerability. The bug that the Angler exploit kit was attempting to exploit had been “accidentally” patched by Adobe’s APSB14-22 update. According to F-Secure, the vulnerability that Angler was actually attempting to exploit was an entirely new bug, CVE-2014-8439. The bug was severe enough that Adobe fixed it out-of-band.

Fast forward to January 2015. With the emergence of this new Flash 0-day bug, we have more evidence that the Angler Exploit Kit developers are actively working on discovering fresh bugs in Flash for themselves. The group is incorporating these exploits into the Angler EK *before* the bugs are publicized. Considering these 0-day exploits are being used alongside one of Angler’s preferred methods of distribution, malvertising, thus intensifying the potential for large-scale compromise.

Tuesday, January 13, 2015

Microsoft Update Tuesday January 2015: Another Light Month, No IE Bulletins, More Changes to Reporting

This post was written by Yves Younan.

Microsoft’s first Update Tuesday of 2015 is pretty light, there’s a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were publicly disclosed prior to today, while another one was being actively exploited by attackers.

Microsoft made a number of changes to Update Tuesday last month, such as dropping deployment priority in favor of their exploitability index (XI). This month more changes were made to the program: Microsoft is no longer providing their Advance Notification Service (ANS) to the general public, but is instead only providing it to premier customers.

Tuesday, January 6, 2015

Ransomware on Steroids: Cryptowall 2.0

This post was authored by Andrea Allievi and Earl Carter.

Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switch the processor execution context from 32 bit to 64 bit.