April 16, 2014

Backdoor found for several D-Link routers

An intentional backdoor built into some of D-Link's home routers has been found by security researcher Craig Heffner. Having reverse engineered the firmware used in a D-Link DIR-100 router, Heffner discovered that by setting a browser's user agent string to "xmlset_roodkcableoj28840ybtide" (without the quotes) he could reach the router's web administration interface without entering a username and password. Read backwards the string spells "editby04882joelbackdoor", which leaves little doubt that it was put there on purpose.

Anyone who can reach the web interface, whether from the local network or from the Internet where remote management is enabled, can therefore change any setting on the router and use it as a foothold into the network behind it. During his research Heffner found the string mentioned only once on the Internet, in a Russian forum post from a few years earlier that noted it was probably significant, and there are no reports of the backdoor being used in the wild. D-Link has acknowledged the existence of the backdoor and said a fix would be available by the end of October.

“Various media reports have recently been published relating to vulnerabilities in network routers, including D-Link devices. Security and performance are of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards,” said D-Link in a statement. “We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.”

It is thought that the backdoor was deliberately added to the web server so that the router could be configured automatically when used with services like dynamic DNS. Since the web server already contained all the code needed to alter the router's settings, the programmers bypassed its authentication with the hard-coded browser string so that they could set parameters for a legitimate reason, and probably assumed the string would never be discovered. Anything hard-coded into shipped firmware can be recovered by whoever extracts it, so a fixed value of this kind provides no protection at all.
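The following script is an added example, not Heffner's code and not anything from D-Link. It does two things a practitioner would want after reading the above: actively checks whether a router honours the magic User-Agent (by requesting the same page twice, once with an ordinary browser string and once with the backdoor string, and comparing the results), and scans a web-server or proxy access log for requests that carried the string, since no legitimate browser sends it. Assumptions, none of which come from the original report: the router's web interface listens on port 80, its root page normally answers an unauthenticated request with 401 or 403, and the log is in Apache/nginx "combined" format with the user agent as the last quoted field. The sample log lines are constructed, not real traffic.

```python
"""Probe for, and log-hunt for, the D-Link User-Agent authentication bypass.

Added example (not Heffner's or D-Link's code). Assumes the router's web UI
is on port 80, that "/" normally requires HTTP authentication, and that the
access log is in "combined" format (user agent is the last quoted field).
"""
import http.client
import re

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
NORMAL_UA = "Mozilla/5.0 (compatible; backdoor-check)"


def fetch_status(host, user_agent, path="/", port=80, timeout=5):
    """Return the HTTP status code for GET <path> sent with the given User-Agent."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        return conn.getresponse().status
    finally:
        conn.close()


def classify(status_normal, status_backdoor):
    """Interpret the pair of probe results.

    A device that refuses an ordinary client (401/403) but serves the page
    (200) to the magic User-Agent is exhibiting the bypass. If both probes
    get 200 the page was never protected, so the probe proves nothing and
    should be repeated against a page that does demand credentials.
    """
    if status_backdoor == 200 and status_normal in (401, 403):
        return "BACKDOOR"
    if status_backdoor == 200 and status_normal == 200:
        return "INCONCLUSIVE"
    return "NOT_AFFECTED"


def check_router(host, path="/", port=80):
    """Run both probes against one host and classify the outcome."""
    return classify(fetch_status(host, NORMAL_UA, path, port),
                    fetch_status(host, BACKDOOR_UA, path, port))


# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def find_backdoor_requests(log_lines):
    """Return (client_ip, request_line, status) for each request that carried the backdoor UA.

    Suitable as a detection rule on a proxy or IDS in front of the router, or
    for after-the-fact review: the string has no legitimate use.
    """
    hits = []
    for line in log_lines:
        m = _COMBINED.match(line)
        if m and m.group("ua") == BACKDOOR_UA:
            hits.append((m.group("ip"), m.group("req"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Apr/2014:10:00:01 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [16/Apr/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 4120 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [16/Apr/2014:10:00:06 +0000] "POST / HTTP/1.1" 200 512 "-" "xmlset_roodkcableoj28840ybtide"',
]

if __name__ == "__main__":
    for ip, req, status in find_backdoor_requests(SAMPLE_LOG):
        print(f"backdoor UA from {ip}: {req} -> {status}")
    # Active check against a router on your own LAN (replace the address):
    # print(check_router("192.168.0.1"))
```

Run the active check only against equipment you own or are authorised to test; the log scan is safe to run anywhere. A 200 for both probes means the page you chose was never authenticated, so pick one that is before drawing a conclusion.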

Based on string searches of other firmware images, Heffner says it can reasonably be concluded that the following D-Link devices are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04UR
  • BRL-04CW

D-Link already has new firmware available for several of the affected models, some of which aren’t listed in Heffner’s original list:

  • DIR-300
  • DIR-600
  • DIR-615
  • DIR-645
  • DIR-815
  • DIR-845L
  • DIR-865L
  • DSL-320B
  • DSL-321B

In brief: New free eBook released to help those with no prior experience protect their privacy in a digital world

(LiveHacking.Com) – The CryptoParty, a new, decentralized, global initiative aimed at introducing basic cryptography tools to the general public, has released its first handbook. The CryptoParty Handbook is designed to help those with no prior experience protect their basic human right to privacy in the online world.

The book covers a variety of topics like passwords, browsing, email encryption, VPNs, hard disk encryption and secure file sharing. In each of these areas the book describes the dangers to privacy and recommends which open source tools to use.

By recommending open source tools, rather than commercial tools, the authors hope that users will start to take their online privacy seriously without needing to spend money on sometimes expensive software products.

The CryptoParty Handbook is the brainchild of Marta Peirano and Adam Hyde, who came up with the idea after the first Berlin CryptoParty, held on 29 August 2012. Others, including Julian Oliver and Danja Vasiliev, co-organisers of the Berlin CryptoParty (along with Marta), were very enthusiastic about the book. It was written in the first three days of October 2012 at Studio Weise7, Berlin. Approximately 20 people were involved in its creation, some more than others, some local and some remote (Melbourne in particular).

FERC opens new office to look at potential cyber and physical security risks to energy facilities

(LiveHacking.Com) – The Federal Energy Regulatory Commission (FERC) has opened a new office that will focus on potential cyber and physical security risks to energy facilities under its jurisdiction. Known as the Office of Energy Infrastructure Security (OEIS), its task is to identify and fix vulnerabilities in energy facilities to cyber attacks and to physical threats such as electromagnetic pulses.

The OEIS was formed to meet the need for a more agile approach to the growing potential for cyber attacks and physical security risks against energy facilities. Because effective mitigation depends on rapid interaction among regulators, industry and federal and state agencies, the OEIS will formulate and oversee those interactions. In short, the office is intended to strengthen the USA's ability to guarantee the reliability of its power system.

“Creating this office allows FERC to leverage its existing resources with those of other government agencies and private industry in a coordinated, focused manner,” said FERC Chairman Jon Wellinghoff. “Effective mitigation of cyber and other physical attacks requires rapid interactions among regulators, industry and federal and state agencies.”

The remit for the Office of Energy Infrastructure Security is:

  • Identifying, communicating and mitigating potential cyber and physical security threats and vulnerabilities to FERC-jurisdictional energy facilities using the Commission’s existing statutory authority
  • Providing assistance, expertise and advice to other agencies in identifying, communicating and mitigating potential cyber and physical threats and vulnerabilities to FERC-jurisdictional energy facilities
  • Participating in inter-agency and intelligence-related coordination and collaboration efforts with appropriate federal and state agencies and industry representatives on cyber and physical security matters related to FERC-jurisdictional energy facilities including, but not limited to, participating in conferences, workshops and classified briefings; and
  • Conducting outreach with private sector owners, users and operators of energy delivery systems regarding identification, communication and mitigation of cyber and physical threats to FERC-jurisdictional energy facilities.

Joseph McClelland will become the Director for the new Office. McClelland was previously the Director of the Office of Electric Reliability since its formation in 2006. The Office of Electric Reliability will now be run by Ted Franks, who will serve as Acting Director.

In brief: Web Cryptography API draft published

(LiveHacking.Com) – The Web Cryptography Working Group, part of the W3C web standards consortium, has published the First Public Working Draft of the Web Cryptography API. The API, which is itself agnostic of the underlying implementation of key storage, provides a way for rich web applications to perform basic cryptographic operations.

According to the Abstract section of the draft the “specification describes a JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Key storage is provided for both temporary and permanent keys. Access to keying material is contingent on the same origin policy. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.”

The API also provides interfaces for key generation, key derivation, key import and export, and key discovery.

The group is now seeking discussion and feedback on the draft from web developers, companies, standardization bodies and forums interested in deploying secure services as web applications. Further drafts will be published in 2013 and the final specification should be released in 2014.


Authorities Prepare for Possible Cyber Attacks During Olympic Games

(LiveHacking.Com) – During the last Olympic Games it was estimated that China was subjected to approximately 12 million online attacks per day. In preparation for the upcoming 2012 games in the United Kingdom, the Department of Homeland Security's National Cybersecurity and Communications Integration Center has posted a report warning that criminals and ‘hacktivists’ could use the 2012 Olympics as a platform for cyber attacks.

The report warns that scams and malware campaigns will grow in scale and complexity in the lead-up to the 27 July opening ceremony in London, with the supporting information systems, including transport infrastructure and law enforcement communications, seen as the prime targets. In response the Olympic organizers have already started running ‘technical rehearsals’ from their Technology Operations Center (TOC) in Canary Wharf. During the games over one hundred personnel will monitor the critical systems, which include over 900 servers, 1,000 network and security devices, and 9,500 computers.

Internet users are also warned that phishing attempts which imitate official Olympic correspondence have already begun circulating in the wild. The report notes that a spam message with a malicious attachment (Early Check-In 2012 Olympics.doc) has already been spotted. The document exploits an RTF stack buffer overflow vulnerability and installs additional malware on the victim's computer.

“British law enforcement organizations have been collaborating with the U.S. Secret Service and other industry experts to understand attack vectors, detection methods and mitigation strategies to combat the threat. However, the cyber implications are more expansive than localized attacks against systems and encompass globally distributed Olympic-themed malware, spam campaigns and scams,” says the report.

It is anticipated that protestors could choose to launch denial of service (DoS) attacks during the games, with the added complication that some of the 5,000 IT staff working during the games could launch insider attacks. The report also warns about potential information theft, again facilitated by an insider.


Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix six security vulnerabilities, including cross-site scripting vulnerabilities and a privilege escalation. The fixes come in two distinct parts: three external libraries bundled with WordPress received security updates, and the WordPress core security team fixed three further vulnerabilities in WordPress itself.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media and which lets it upload files via HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, has been updated to version 1.5.4; the update changes how the Flash part of the library works to avoid CSRF issues.

Two other Flash-related libraries were also updated: SWFUpload, which WordPress previously used for uploading media and which may still be in use by plugins, and SWFObject, which WordPress previously used to embed Flash content and which may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of the WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from WordPress.org, or you can update from the Dashboard → Updates menu in your site's admin area.

Samba Updated to Close Nine-Year-Old Security Hole

(LiveHacking.Com) – A new version of Samba has been released to fix a nine-year-old security vulnerability that allows remote code execution as the “root” user from an anonymous connection. All versions of Samba from 3.0.x to 3.6.3 are affected. Samba 3.0.x was released in 2003, meaning that the vulnerability has been in the code base for almost a decade.

According to the security advisory the “code generator for Samba’s remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.” The problem revolves around memory allocation length checks whose values can be controlled by the connecting client, so a specially crafted RPC call can make the server execute arbitrary code.

This is the most serious type of vulnerability possible, as it requires no authentication and yields root. Users and vendors are encouraged to patch their Samba installations immediately.
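To make the bug class concrete, here is an added example that is not Samba's code and does not use Samba's real wire encoding: a toy unmarshaller for an array whose element count is sent by the client (a simplified stand-in for an NDR conformant array, four-byte little-endian count followed by that many four-byte values). The unchecked version does what the advisory describes, trusting the client's count to size an allocation and a copy; the checked version ties the count to a policy cap and to the bytes actually received before allocating anything. The packets and the cap of 0x10000 elements are constructed for the example.

```python
"""Client-controlled length in an RPC unmarshaller, reduced to a toy.

Added example; not Samba's generated code. Wire format (a simplification of
an NDR conformant array, not the real encoding): uint32 LE element count,
then count x uint32 LE elements. MAX_ELEMENTS is an assumed policy cap.
"""
import struct

ELEM_SIZE = 4
MAX_ELEMENTS = 0x10000


def unpack_array_unchecked(packet, offset=0):
    """Vulnerable shape: believe the count the client sent.

    The C equivalent allocates count*ELEM_SIZE bytes and then walks count
    elements out of the packet. Nothing ties count to the bytes actually
    received, so a huge count reads far past the buffer, and if count*size
    wraps a 32-bit size the allocation is tiny while the copy is not, which
    is a heap overflow. Python cannot corrupt memory, so the damage shows
    up here only as a claimed length that disagrees with the bytes on hand.
    """
    (count,) = struct.unpack_from("<I", packet, offset)
    offset += 4
    claimed = count * ELEM_SIZE
    alloc = claimed & 0xFFFFFFFF          # models a 32-bit size_t wrap in C
    data = packet[offset:offset + claimed]  # C would read past the packet end
    return {"count": count, "claimed": claimed, "alloc": alloc, "got": len(data)}


def unpack_array_checked(packet, offset=0, max_elements=MAX_ELEMENTS):
    """Hardened shape: validate the count against policy and against the
    remaining bytes before any allocation or copy happens."""
    if len(packet) - offset < 4:
        raise ValueError("truncated: no element count")
    (count,) = struct.unpack_from("<I", packet, offset)
    offset += 4
    if count > max_elements:
        raise ValueError(f"count {count} exceeds policy cap {max_elements}")
    remaining = len(packet) - offset
    # Divide rather than multiply so the comparison itself cannot overflow.
    if count > remaining // ELEM_SIZE:
        raise ValueError(f"count {count} exceeds remaining {remaining} bytes")
    values = list(struct.unpack_from(f"<{count}I", packet, offset))
    return values, offset + count * ELEM_SIZE


# Constructed packets (not real SMB/RPC traffic).
GOOD_PACKET = struct.pack("<I3I", 3, 10, 20, 30)
# Claims ~1 billion elements but carries 12 bytes; count*4 wraps a 32-bit size to 4.
EVIL_PACKET = struct.pack("<I3I", 0x40000001, 10, 20, 30)

if __name__ == "__main__":
    print("checked, good packet:", unpack_array_checked(GOOD_PACKET))
    print("unchecked, evil packet:", unpack_array_unchecked(EVIL_PACKET))
    try:
        unpack_array_checked(EVIL_PACKET)
    except ValueError as err:
        print("checked, evil packet rejected:", err)
```

The point of the checked version is that every length used for allocation or copying is derived from what was actually received, never from a number the peer chose, and that the comparison is done by division so the check itself cannot wrap.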

Affected Operating Systems

Samba is the open source implementation of the SMB/CIFS networking protocol used predominantly by Windows. It enables file and print sharing between Windows, Mac OS X, Linux and FreeBSD machines and often comes pre-installed on popular Linux distributions and is included in OS X from Apple.

Samba is also included on certain embedded devices like network storage and media sharing devices. Due to their embedded nature a new firmware release will be needed from the manufacturer, which in many cases won't happen. If you use such a device, keep it on a trusted network only and make sure its SMB ports (TCP 139 and 445) are not reachable from the Internet.

The open source network attached storage solution FreeNAS has been updated to include the fixes. FreeNAS-8.0.4-RELEASE-p1 contains Samba 3.6.4 and can be downloaded from https://sourceforge.net/projects/freenas/files/FreeNAS-8.0.4/

Patch Availability

Patches are now available at http://www.samba.org/samba/security. Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been released to correct the defect and due to the seriousness of this vulnerability, patches have been released for all Samba versions currently out of support and maintenance from 3.0.37 onwards.

Microsoft Moves Against Zeus Botnets With New Action Codenamed Operation b71

(LiveHacking.Com) – Microsoft is no stranger to fighting botnets. Over the last eighteen months it has led a variety of operations (b49, b107 and b79) to dismantle botnets used to conduct criminal activities including spamming, click fraud and malware distribution. This week, together with partners in the financial services industry, Microsoft led Operation b71, a new action to disrupt Zeus (Win32/Zbot) botnets.

Zeus botnets are complex and Microsoft has not been able to shut down every botnet in existence (nor was that its goal); however, Microsoft expects that Operation b71 will significantly impact the cybercriminals’ operations and infrastructure. Operation b71, which targeted the command and control infrastructure of various botnets using the Zbot, SpyEye and Ice IX variants of the Zeus family of malware, was carried out by Microsoft together with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA), Kyrus Tech and F-Secure.

After months of investigation and a successful pleading before the U.S. District Court for the Eastern District of New York, there was a coordinated seizure of command and control servers in Scranton, Penn. and Lombard, Ill., hosting some of the worst known Zeus botnets. This has disrupted the botnets and yielded valuable evidence and intelligence.

The Zeus malware uses keylogging to record a victim’s keystrokes to monitor online activity and gain access to usernames and passwords in order to steal a victim’s identity, take money from their bank accounts and make online purchases.

“Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit. Overall, Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone,” wrote Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit.

The operation culminated in the physical seizure of command and control servers. Representatives from Microsoft, FS-ISAC and NACHA were escorted by U.S. Marshals during the operation. Microsoft also now monitors 800 domains secured in the operation, which helps it to identify thousands of Zeus-infected computers.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” added Boscovich.

Researchers Crack HD Content Protection System

(LiveHacking.Com) - Security researchers have broken the High-bandwidth Digital Content Protection (HDCP) system used on HD devices (such as Blu-ray players) with HDMI ports to protect digital video sent to TVs and monitors against unauthorized copying.

Using a man-in-the-middle device (in this case a computer board in the middle), Prof. Dr.-Ing. Tim Güneysu of the Secure Hardware Group at Germany's Ruhr University of Bochum has found a way to connect any non-compliant monitor (which would include devices able to record the video) to an HDCP-protected video source.

To do the decoding the professor and his students used a low-cost Digilent Atlys development board with a Xilinx Spartan-6 LX45 FPGA. The board has all the necessary connectors for video input and output. The total setup cost no more than $250.

“We developed an independent hardware solution instead, based on a cheap FPGA board” explained Prof. Dr.-Ing. Tim Güneysu, who set to work with the final year student Benno Lomb. “We were able to tap the HDCP encrypted data streams, decipher them and send the digital content to an unprotected screen via a corresponding HDMI 1.3-compatible receiver.”

The result is that the team can now:

  • Successfully connect any non-compliant monitor to an HDCP-protected video source
  • Extract all secret session keys established during authentication
  • Decrypt single-link video streams with a resolution of 720p or 1080i in real time.

This man-in-the-middle attack is of little interest to pirates, as there are simpler ways to “rip” a Blu-ray disc. However, Prof. Güneysu does see a real threat to security-critical systems, for example at government authorities or in the military.

Intel is already offering a new version of the scheme, HDCP 2.0, but since it is backward compatible with the broken version, the weak point will remain a problem for years to come.

Apple Releases Security Updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4

(LiveHacking.Com) - With the launch of the much anticipated iOS 5, Apple has also issued a significant number of patches for a range of its products, including some of its iOS applications, its Safari web browser, OS X 10.7, OS X 10.6 (via Security Update 2011-006) and Apple TV.

The full list along with links to the Apple knowledge base is as follows:

  • HT4999 - iOS 5 Software Update
  • HT5000 - Safari 5.1.1
  • HT5001 - Apple TV 4.4
  • HT5002 - OS X Lion v10.7.2 and Security Update 2011-006
  • HT5003 - Pages for iOS v1.5
  • HT5004 - Numbers for iOS v1.5

iOS 5
Apple is emphasizing the 200 new features in iOS 5, but it also contains multiple security fixes. Most of these are in WebKit, the HTML rendering engine at the heart of iOS's version of Safari. Many of the issues fixed in Safari 5.1.1 are common with those in iOS 5; however, the Safari 5.1.1 list is shorter because of the more frequent releases of Safari for the desktop.

Other iOS 5 fixes of interest include:

  • A user’s AppleID password and username were logged to a file that was readable by applications on the system. This is resolved by no longer logging these credentials.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images.

Safari 5.1.1
Along with the long list of WebKit fixes, some of which are common with the fixes in iOS 5 and iTunes 10.5, there are several fixes for bugs that allowed arbitrary code execution or a cross-site scripting attack if the user visited a maliciously crafted website.

Apple also say that JavaScript performance has been improved up to 13% over Safari 5.1.

OS X Lion v10.7.2 and Security Update 2011-006
The update to Lion and the release of Security Update 2011-006 (which is available for OS X 10.6.8) fixes a number of problems including:

  • Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges. A format string vulnerability existed in Application Firewall’s debug logging.
  • Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. An out of bounds memory access issue existed in ATS’ handling of Type 1 fonts. This issue does not affect OS X Lion systems.
  • OS X 10.7: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.
  • OS X 10.6: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
  • Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.
  • Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution. A memory corruption issue existed in CoreFoundation’s handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.
  • Several updates for PHP, Python, Postfix and QuickTime.

Pages and Numbers for iOS
Due to buffer overflow and memory corruption issues, opening a maliciously crafted Microsoft Word or Excel document may lead to an unexpected application termination or arbitrary code execution.