Linux bug imperils tens of millions of PCs, servers, and Android phones


For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.

The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can't be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that's executed by the kernel.

The vulnerability is notable because it's exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions. It can also be exploited on devices and appliances running embedded versions of Linux. While security mitigations such as supervisor mode access prevention (SMAP) and supervisor mode execution protection (SMEP) are available for many servers, and the Security-Enhanced Linux (SELinux) policy built into Android can make exploits harder, there are still ways to bypass those protections.


Guerilla researcher created epic botnet to scan billions of IP addresses

In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.

In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren't intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.

Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either "root" or "admin." When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program's release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.


Highlights of CanSecWest Day 2: Hacks Both Common and Sublime

Another day has passed here at CanSecWest with a mixed bag of results. Overall the content was, again, quite good, PWN2OWN shows us the future, HallCon and BarCon were all kinds of awesome, and I had two distinct “a ha!” moments.

My first “a ha!” came during DongJoo Ha and KiChan Ahn’s “Is Your Gaming Console Safe?: Embedded Devices, an AntiVirus-free Safe Hideout for Malware.” You might ask “Marcus, what is so compelling here? They’re just gaming consoles,” and that’s true. You know what they also are? Embedded devices with distinctly powerful CPUs. With the growth of home-brew builds (customized operating systems) available for many gaming consoles, these are increasingly being looked at as both attack targets and attacker platforms.

One example I found particularly powerful was a Nintendo DS running Metasploit to compromise Windows devices. Clearly, a gaming console is just like any other device on the network. The second demo (and the actual “a ha!” moment) was when the presenters injected code into the game files themselves. Yes, boys and girls, you read that right. It is possible to inject code into games just as you would inject code into any DLL or application. They showed this on both installed games and games being downloaded from the Internet. I was left a bit unclear as to the limitations on an unmodified gaming console, but the implications are far-reaching: a networked device is a networked device. They can all be 0wned. When you combine this with the fact that there is no awareness that malware or attacks can happen on these types of embedded devices, along with the fact that people will download and install almost anything without a second thought, the potential for abuse is clear.

The Adobe sessions at CanSecWest this year were one of the main reasons I attended. Adobe is a huge target for cybercriminals and malware writers lately, as client-side exploits are quite the trend. While attending Haifei Li’s “Understanding and Exploiting Flash ActionScript Vulnerabilities,” I was very disappointed, mainly because I could not understand the speaker. Later in the day, however, I reviewed the slides and enjoyed my second “a ha!” moment.

The slides are remarkably clear in explaining the essence of ActionScript vulnerabilities. According to Li, they are due to various program-flow calculation errors in the verification/generation process, and to the fact that the verification flow and the execution flow are not the same. This is a very big deal because code can pass verification yet still trigger a vulnerability during execution. Byte-code blocks make it difficult for the verification process to recognize the correct flow, which can then result in many ActionScript vulnerabilities. Clearly, ActionScript vulnerabilities and exploits will be with us for quite some time.

The final session that struck home for me was “Welcome To Rootkit Country,” from Graeme Neilson. His targets were atypical of traditional rootkit targets, as he focused on firewalls and routers. Neilson’s question “Can the integrity of the OS be trusted?” had many heads nodding in agreement. (I was one of them.) Even I was surprised by the amount of firmware that still uses hardcoded passwords and no integrity checking. Let’s be honest: You are just asking for trouble here. Neilson walked us through rolling your own rooted firmware as well as methods of installing it both remotely and locally across a wide variety of firewalls. Again, I walked away believing this more firmly than ever: any device, any OS, any application can be broken or 0wned. At this point I was roped into hallway discussions on the future of embedded-device security, rootkits, and what PWN2OWN really means for the future of the security industry.

When you consider how much infrastructure runs on embedded devices and how enterprises are more and more rapidly adopting mobile technologies, these types of conferences are becoming more relevant than ever.

Although it was really no surprise, the iPhone 0wnage by Charlie Miller during PWN2OWN was a portent of the near future of iPhone exploits and attacks. Miller used a drive-by download attack to 0wn the phone. Like many attacks, it simply required the phone user to surf to a rigged website. This caused a browser crash, but once the browser was relaunched Miller was able to hijack the entire address book. Pay attention to this type of attack, as it has far-reaching implications. Far more impressive to me was the BlackBerry attack by Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann. By using vulnerabilities in WebKit, an open-source browser engine recently added to BlackBerry, they were able to steal the device’s contact list and image database, and even write a file onto the device, by chaining together a series of bugs. What makes this so impressive? The fact that BlackBerry is an almost unknown system. The attackers had to rely on assumptions about the Java Virtual Machine and browser functionality. RIM is said to be planning to add ASLR and DEP in the future; however, because there are established evasions for these defenses, we shall see where this goes.

Today holds one more Adobe session for me, stale pointer theory, and some cool fuzzing.