
New tool: immutable.py, (Sat, Jan 18th)

This post was originally published on this site

When performing triage on a Linux system you suspect might be compromised, there are many aspects of the system that you may want to look at. In SANS FOR577, we talk about some existing tools and even writing your own bash script to collect triage data. In a case I worked a year or so ago, the attacker installed an LD_PRELOAD rootkit, which was itself pretty interesting, but one aspect that was a little unusual in this case was that they also set the immutable bit on /etc/ld.so.preload. I've used the find command to find suid and sgid binaries and scripts, but it is a bit more of a pain to find files with the immutable bit. So, I wrote a Python script that takes one or more file or directory names and returns the names of any that have the immutable bit. You can also add a switch to search recursively and another to return the full path rather than the relative path (the default). I figured I can't be the only person who ever needed a tool like this, so I've added it to my GitHub script repo.
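The check such a script performs, as an added example in Python (my code, not the immutable.py from the GitHub repo; the function names and the -r/-f switches are assumptions): it reads the inode flags with the FS_IOC_GETFLAGS ioctl, the attribute that lsattr shows as 'i' and chattr +i sets, and walks directories when asked.

```python
import fcntl
import os
import struct
import sys

# Added example, not the post's immutable.py: read inode flags via the FS_IOC_GETFLAGS
# ioctl (what lsattr shows as 'i'); _IOR('f', 1, long) depends on sizeof(long).
_LONG = struct.calcsize("l")
FS_IOC_GETFLAGS = 0x80000000 | (_LONG << 16) | (ord("f") << 8) | 1
FS_IMMUTABLE_FL = 0x00000010  # from linux/fs.h

def is_immutable(path):
    """True/False for the immutable flag; None when it cannot be read
    (no permission, a symlink, or a filesystem without inode flags)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:
        return None
    try:
        buf = bytearray(_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return bool(struct.unpack("l", buf)[0] & FS_IMMUTABLE_FL)
    except OSError:
        return None
    finally:
        os.close(fd)

def find_immutable(targets, recursive=False, full_path=False):
    """Immutable entries among the given files/directories. A directory is
    checked together with its children; recursive=True walks the whole tree.
    (Parameter names are this example's own, not the script's switches.)"""
    hits = []
    for target in targets:
        candidates = [target]
        if os.path.isdir(target) and not os.path.islink(target):
            for root, dirs, files in os.walk(target):  # os.walk skips unreadable dirs
                candidates += [os.path.join(root, n) for n in dirs + files]
                if not recursive:
                    break
        for cand in candidates:
            if is_immutable(cand):
                hits.append(os.path.abspath(cand) if full_path else cand)
    return hits

if __name__ == "__main__":
    # immutable_check.py [-r] [-f] PATH...   e.g. -r /etc /usr/lib   (constructed usage)
    flags = [a for a in sys.argv[1:] if a.startswith("-")]
    paths = [a for a in sys.argv[1:] if not a.startswith("-")]
    print("\n".join(find_immutable(paths, "-r" in flags, "-f" in flags)))
```

Run it as root during triage so every inode can be opened; a None result means the flag could not be read, not that it is clear.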

As with all of my tools/scripts, if you have questions or suggestions you can e-mail me at my address below or on the handlers list.

References:

https://www.sans.org/cyber-security-courses/linux-threat-hunting-incident-response/

https://raw.githubusercontent.com/clausing/scripts/refs/heads/master/immutable.py

https://github.com/clausing/scripts

—————
Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Curious Case of a 12-Year-Old Netgear Router Vulnerability, (Wed, Jan 15th)


Routers play an essential role in networking and are one of the key components that allow users to have internet connectivity. Vulnerabilities in routers could result in reduced speeds or the possibility of vulnerable equipment being compromised and turned into part of a botnet. While looking at the DShield weblogs, I noticed an interesting URL in the “First Seen” URLs page as follows:

Microsoft January 2025 Patch Tuesday, (Tue, Jan 14th)


This month's Microsoft patch update addresses a total of 209 vulnerabilities, including 12 classified as critical. Among these, 3 vulnerabilities have been actively exploited in the wild, and 5 have been disclosed prior to the patch release, marking them as zero-days. The updates span various components, with significant attention required for vulnerabilities that could lead to privilege escalation and remote code execution. Users and administrators are strongly advised to prioritize the application of these patches to safeguard against potential threats and maintain system integrity.

Hikvision Password Reset Brute Forcing, (Mon, Jan 13th)


One common pattern in password resets is sending a one-time password to the user to enable them to reset their password. The flow usually looks like:

  1. The user requests a password reset
  2. The user enters an e-mail address or phone number that is already registered with the application
  3. The application may ask for a password reset question
  4. The user now receives a random code that is entered into the password reset page
  5. Finally, the user can reset their password

Overall, this approach is not terrible. It is similar to sending a one-time password reset link via email but avoids the issue of the user having to click on a link (which may be difficult with some mobile applications). This reset method tends to work better with users using mobile phones as they may be able to receive the code via SMS. Or, if they use a "fat" email client on a desktop, they can easily type the code into the mobile device.

But there is a critical issue that is often overlooked:

The page verifying the code MUST implement some basic brute force protection. Otherwise, it tends to be easy to brute force the code, which is often just a five or six-digit number. Of course, this assumes that the code is random! More about this later.

This has been an issue a few times already. Facebook, for example, suffered from this weakness last year. Only a limited number of attempts should be allowed to implement some brute force protection, and the time the code is valid should be constrained. In my opinion, for an "average" site, five attempts and 30 minutes seem reasonable.
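As an added example, not code from the post, here is the verification step with the two protections the text calls for (a five-attempt budget and a 30-minute lifetime), plus a code drawn from the OS CSPRNG rather than from anything an unauthenticated client can read; the class and method names are this example's own.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # the post's suggestion for an "average" site
CODE_LIFETIME = 30 * 60   # seconds

class ResetCodeStore:
    """Added example: one-time reset codes with an attempt budget and an expiry.
    `now` is injectable so the expiry path can be exercised without sleeping."""
    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # account -> [code, issued_at, attempts_left]

    def issue(self, account):
        # secrets, not random() and not anything derived from device data that a
        # client can fetch unauthenticated; a predictable code defeats the limit.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self._now(), MAX_ATTEMPTS]
        return code  # delivered out of band (SMS / e-mail), never echoed by the page

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued, left = entry
        if self._now() - issued > CODE_LIFETIME or left <= 0:
            del self._codes[account]          # expired or exhausted: force a new code
            return False
        entry[2] -= 1                         # every attempt counts, right or wrong
        ok = hmac.compare_digest(code.encode(), str(guess).encode())  # constant time
        if ok or entry[2] == 0:
            del self._codes[account]          # one-time: consumed or budget used up
        return ok

def brute_force_success_probability(digits=CODE_DIGITS, attempts=MAX_ATTEMPTS):
    """Chance of guessing a uniformly random code within the attempt budget."""
    return attempts / 10 ** digits
```

With these limits an online guess succeeds with probability 5/10^6 per reset; without the attempt limit the same six-digit space is exhausted in about a million requests.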

One reminder that this is still an issue came today from our "First Seen URLs" page. While not an actual "First Seen" URL, the URL

/PSIA/Custom/HIK/userCheck

had a bit of a breakout with more users than normal reporting honeypot hits for this URL.

An exploit for the Hikvision issue has been available since 2018, when Rasmus Moorats published a blog with some code showing how to exploit the vulnerability [1]. Rasmus even went a significant step further. With access to the firmware, he could decompile it and reverse engineer the function used to create the reset code. It turns out that the code was not random at all, but instead derived from the UPnP data. This data can be retrieved without authentication. You do not necessarily have to be on the same network; an HTTP request for /upnpdevicedesc.xml is all it takes.

[1] https://nns.ee/blog/2018/08/01/hikvision-keygen.html

Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Multi-OLE, (Sun, Jan 12th)


VBA macros and embedded files/objects are stored as OLE files inside OOXML files.

You can have .docm files with many OLE files, like this one, analyzed with zipdump.py:

If you analyze this with oledump.py, each OLE file inside the ZIP container will get its own letter prefix:

Use this letter prefix to select the correct stream, like this for the VBA code stream:

If it's the first OLE file (prefix A) you want to analyze with oledump.py, it's actually not necessary to include the letter:

But the letter is required for any other OLE file:

Although it is not case-sensitive:
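An added example, not one of Didier's tools: it reproduces the letter-prefix convention described above on a constructed .docm-like ZIP, finding each OLE member by its compound-file signature and resolving selectors such as 'A3', 'b1' or a bare '3' the way the text describes. The function names and the sample file are this example's own, and oledump.py's actual implementation may differ in detail.

```python
import io
import string
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (OLE2/CFB) header signature

def ole_members(container_bytes):
    """Map letter prefixes A, B, C, ... onto the OLE files found inside an OOXML
    ZIP, in the order the ZIP central directory lists them (26 members max here)."""
    letters = {}
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                if member.read(len(OLE_MAGIC)) == OLE_MAGIC:
                    letters[string.ascii_uppercase[len(letters)]] = info.filename
    return letters

def resolve_selector(selector, letters):
    """Turn a stream selector such as 'A3', 'b1' or plain '3' into the
    (member name, stream number) it addresses: a bare number means the first
    OLE file, and the letter is not case-sensitive."""
    selector = selector.strip()
    has_letter = selector[:1].isalpha()
    letter = selector[0].upper() if has_letter else "A"
    number = selector[1:] if has_letter else selector
    if letter not in letters:
        raise KeyError(f"no OLE file with prefix {letter}")
    return letters[letter], int(number)

def build_sample_docm():
    """Constructed stand-in for the .docm in the post: two OLE members (the VBA
    project and an embedded object) next to ordinary XML parts."""
    fake_ole = OLE_MAGIC + b"\x00" * 504  # header signature only, not a full CFB file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", fake_ole)
        zf.writestr("word/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()

if __name__ == "__main__":
    prefixes = ole_members(build_sample_docm())
    for letter, name in prefixes.items():
        print(f"{letter}: {name}")
    print(resolve_selector("b1", prefixes))
```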

Didier Stevens
Senior handler
blog.DidierStevens.com


Windows Defender Chrome Extension Detection, (Fri, Jan 10th)


With the recent Cyberhaven Extension(2) attack, looking for specific Chrome extensions installed can be very helpful. If you are running Defender with enhanced vulnerability management, Defender automatically catalogs installed extensions; in the Defender Console, go to Vulnerability Management -> Inventories and select Browser Extension. You can also run Hunt Queries on the DeviceTvmBrowserExtensions table.

Make Malware Happy, (Mon, Jan 6th)


When I teach FOR610[1], I like to use a funny quotation with my students: “Make malware happy!” What does it mean? Yes, we like malware, and we need to treat it in a friendly way. To help the malware work or detonate successfully, it’s recommended that we replicate the environment where it was discovered (or at least, as much as possible). This is not always easy because we often receive a sample outside of its context.