This Week In Security: Robinhood, Apple Mail, ASLR, And More Windows 7

First off this week, a ransomware named Robinhood has a novel trick up its sleeve. The trick? Loading an old known-vulnerable signed driver, and then using a vulnerability in that driver to get a malicious kernel driver loaded.

A Gigabyte driver unintentionally exposed an interface that allows unfettered kernel-level read and write access. Because it’s properly signed, Windows will happily load the driver. The ransomware code uses that interface to turn off the bit that enforces the loading of signed drivers only. From there, loading a malicious driver is trivial. Robinhood uses its kernel-level access to disable anti-virus applications before launching the data encryption.

This is a striking example of the weakness of binary signing without a mechanism to revoke those signatures. In an ideal world, once the vulnerability was found and an update released, the older, vulnerable driver would have its signature revoked.

The last Windows 7 Update For Real This Time, Maybe

More news in the ongoing saga of Windows 7/Server 2008 reaching end-of-life. KB4539602 was released this patch Tuesday, fixing the black background problem introduced in the last “final” round of updates. Surely that’s the last we’ll hear of this saga, right?

Not so fast. Apparently that patch has led to multiple Windows Server 2008 machines failing to boot after install. According to Microsoft, the problem is a missing previous patch that updates SHA-2 support.

Quick And Dirty Digital Conversion For Analog SLR

The unarguable benefits of digital photography have rendered the analog SLR obsolete for most purposes. This means that a wide selection of cameras and lenses is available on the second-hand market for pennies on the dollar, making them ripe targets for hacking. [drtonis] decided to experiment with a quick and easy digital conversion of an old Canon A-1, and it’s got us excited about the possibilities.

Who needs Instagram filters? Just distort in-camera!

It’s a simple hack, but a fun one. The SLR is opened up, and the spring plate for holding the film is removed. A Raspberry Pi camera then has its original lens removed, and is placed inside the film compartment. It’s held in with electrical tape, upon a 3mm shim to space it correctly to work with the original optics.

[drtonis] notes that the build isn’t perfect, with some aberration likely caused by the reflective electrical tape in the film cavity. However, we think it’s a nice proof of concept that could go so much further. A Raspberry Pi Zero could be easily squeezed inside along with the camera, and everything glued in place to make things more robust. A specialist paint such as Stuart Semple’s Black 2.0 could also help cut down on light leaks inside. Plus, there’s plenty of small screens that can be used with the Raspberry Pi that would provide a useful preview function.

We’d love to see more conversions like this one. While it’s unlikely they’ll compete with commercial DSLRs on outright performance, everyone loves a little bit of charming distortion here and there, and all manner of fancy lenses can be had for cheap for analog platforms. We’ll be keeping a close eye on the tipline for further developments – you know what to do!


ASLR^CACHE Attack Defeats Address Space Layout Randomization

Researchers from VUSec found a way to break ASLR via an MMU side-channel attack that even works in JavaScript. Does this matter? Yes, it matters. A lot. The discovery of this security flaw along with its practical implementation is really important mainly because of two factors: what it means for ASLR to be broken, and how the MMU side-channel attack works inside the processor.

Address Space Layout Randomization, or ASLR, is an important defense mechanism that can mitigate known and, most importantly, unknown security flaws. ASLR makes it harder for a malicious program to compromise a system by, as the name implies, randomizing the process’s memory layout when the main program is launched. This means that an attacker is unlikely to be able to reliably jump to a particular exploited function in memory or to some piece of shellcode they have planted.

Breaking ASLR is a huge step towards simplifying an exploit and making it more reliable. Being able to do it from within JavaScript means that an exploit using this technique can defeat ASLR in a web browser that is running JavaScript, the most common configuration for Internet users.

ASLR has been broken before in some particular scenarios, but this new attack highlights a more profound problem. Since it exploits the way that the memory management unit (MMU) of modern processors uses the processor’s cache hierarchy to speed up page table walks, the flaw is in the hardware itself, not in the software that is running. There are some steps that software vendors can take to try to mitigate this issue, but a full and proper fix will mean replacing or upgrading the hardware itself.

In their paper, researchers reached a dramatic conclusion:
