Thursday, 14 May 2015

ozwpan driver - Remote packet-of-death vulnerabilities in Linux Kernel

"The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero." [1]
1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744

2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741

3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742

4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739

The above is a repost of this: http://seclists.org/oss-sec/2015/q2/446

You may find more information about ozwpan here: https://lkml.org/lkml/2015/5/13/739

[1] https://lkml.org/lkml/2015/5/13/739

Wednesday, 13 May 2015

VENOM Vulnerability - Virtualized Environment Neglected Operations Manipulation

VENOM is short for Virtualized Environment Neglected Operations Manipulation and it is a vulnerability in the QEMU’s virtual Floppy Disk Controller (FDC). The vulnerable code is used in numerous virtualization platforms and appliances such as Xen, KVM, and the native QEMU client. 

The vulnerability has been assigned the following CVE (CVE-2015-3456). As far as we know, VMware, Microsoft Hyper-V, and the Bochs hypervisors are not impacted by this. 

The interesting fact about VENOM is that it applies to a wide range of virtualization platforms (using the default configurations) and it allows for arbitrary code execution. Due to the fact that the vulnerability exists in the hypervisor’s codebase, it affects all host and guest Operating Systems. 

However, the vulnerability can be exploited only with escalated privileges (root, administrator). 

Saturday, 9 May 2015

{ } YARA - The pattern matching swiss knife for malware researchers

This is a blog post about YARA, the pattern matching tool which allows malware researchers to identify and classify malware samples. It is a very interesting tool and fairly easy to get the hand of it. In a few lines of code you can create descriptions of malware families (or anything else you would like to describe) based on textual or binary patters. 

You can create simple rules or more complex ones, depending on what you trying to do. It supports wild-cards, case-insensitive strings, regular expressions, special operators and has a number of additional features to play with. 

YARA is also multi-platform! It can be run on Windows, Linux and Mac OS X. It can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Wednesday, 6 May 2015

Download recursively all files from a certain directory listing using wget

This is going to be a quick blog post about wget which I believe it is very interesting for you to know how to do this. From your Linux box you can use wget to recursively download all the files listed in a directory listing. 

If you have seen something similar to Figure 1, then this is what directory listing looks like. If someone wants you to have access to their files on the web server through HTTP then it is a quick and easy way of doing it, but most of the time is a misconfiguration allowing the hosted files to be publicly available to unauthorised users. 

Figure 1 - Directory Listing


Saturday, 2 May 2015

Things you should know about the Opera browser (Presto) and its features

For me, the ultimate browser is the Opera Web Browser. I have been using Opera as my default browser under Windows since 2001 (Mozilla under Linux) where I had the luxury of having multiple tabs open while I was enjoying the amazing speed of the fastest browser at the time. Due to the fact most viruses were being written at the time to affect Internet Explorer, Opera was unaffected by malicious scripts and viruses hosted on web servers/portals. Also, one of the most life saving features of Opera was that whatever happened to the OS (the OS used to hang and crash a lot back then) you would never loose your work! All my tabs, with all the things I was reading/researching were kept as they were, no matter what e.g. power failure. 

Many "experts" at the time were claiming that a multi-tab browser is a pointless feature because you are always going to be using one tab in front of you at any time anyway. Today the answer to these people seems obvious, but back then it was a nightmare to convince these "opinionated experts"  that multi-tab browsing is the future.