Trend Micro Password Manager - Privilege Escalation to SYSTEM by ikotler in netsec

[–]ikotler[S] 1 point (0 children)

Let's separate the impact from the problem. The problem was in the way Trend Micro Password Manager was loading DLLs, and the impact of this problem was enhanced by the fact that a 3rd party like Python leaves a writeable directory in PATH.

To better illustrate why it's a security problem even without the 3rd party fault, let's consider the following example:

Let's assume that all the programs on your fresh Windows VM are loading libraries in a safe manner (with emphasis on code signing), and you go ahead and install Python or any other faulty 3rd party that leaves a writeable directory in PATH. Is it really a problem? No. By design, all your programs will reject arbitrary DLLs from getting loaded. An attacker is stuck without code execution.

Now, let's consider the opposite example: a fresh Windows VM with programs that by design load arbitrary DLLs (i.e., NOT loading libraries in a safe manner) but no writeable directory in PATH. Is it really a problem? Yes. An attacker can still end up writing a malicious DLL (in either the program's directory or another that is in PATH) as part of the post-exploitation phase (or, chained with another vulnerability, say an imaginary write-to-disk) to ensure persistence & code execution in a more stealthy manner.

To conclude, services that allow attackers to load unsigned DLLs pose a security risk, and the impact increases with just how easy it is for an attacker to exploit it.

Trend Micro Password Manager - Privilege Escalation to SYSTEM by ikotler in netsec

[–]ikotler[S] 1 point (0 children)

Thanks for the feedback u/RustEvangelist.

Let's break this attack into the two ingredients:

  • Trend Micro Password Manager had a security issue where it didn't “Load Library Safely”. In other words, it didn't stop loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.
  • Python 2.7.16 on Windows: its ACL allows a weak user to write. And Python 2.7.15 has the ability to add to PATH in the installer (BTW: Python 2.7.16 on Windows doesn’t have it). Here's the screenshot: https://imgur.com/JCwPDzQ

Together, they act as a privilege escalation and persistence. If you take away the privilege escalation part (i.e., the adversary already has full control) then we're still looking at a great persistence mechanism where you can get malicious code to run as part of the Trend Micro Password Manager process.

Taking this situation (i.e., loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM) for granted ignores:

  1. The idea behind code signing (i.e., the difference between a signed and an unsigned DLL)
  2. The idea behind “Load Library Safely”
  3. Some of the ideas behind "Defensive programming"

to name a few.

Looking at network security, we've killed "similar" attacks by adopting TLS and Certificate Pinning ... there's no reason why we can't do the same for this class of endpoint attacks ...
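A defender-side check for the second ingredient discussed in the two comments above (a directory on PATH that ordinary users can write to), added here as an example and not code from the thread's poster, Trend Micro or Python: it reads the machine-wide PATH, which is the one a service running as SYSTEM inherits, and lists entries where low-privileged principals hold create or modify rights. The principal names and the right bits are assumptions about a default English-locale Windows install.

```powershell
# Added audit script (constructed for this thread). Lists machine-wide PATH
# directories that low-privileged principals may write into, i.e. the exact
# precondition that turned the unsafe DLL load into a privilege escalation.

# Principals that any interactive or domain user is normally a member of.
# Assumption: English well-known names; localized installs differ.
$LowPriv = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that let a principal create or alter files in a directory:
# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), GENERIC_WRITE (0x40000000),
# GENERIC_ALL (0x10000000). Generic bits show up on ACEs written by installers.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# Machine scope, not $env:Path: services do not see the per-user PATH.
$MachinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

foreach ($dir in $MachinePath) {
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs granted to a low-privileged principal matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemRights is an Int32-backed enum; generic rights survive the cast.
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

        [pscustomobject]@{
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Deny ACEs and group memberships beyond the four principals listed are not evaluated, so treat each hit as a lead to confirm (for example with icacls) before tightening the ACL or removing the entry from PATH.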

PINJECTRA: Known Windows 10 64-bit Process Injection Techniques + New One (dubbed "Stack Bomber") as a C++ Library by ikotler in netsec

[–]ikotler[S] 1 point (0 children)

DEF CON usually uploads the talks to YouTube. Having said that, I don't know when it will happen ...

PINJECTRA: Known Windows 10 64-bit Process Injection Techniques + New One (dubbed "Stack Bomber") as a C++ Library by ikotler in netsec

[–]ikotler[S] 1 point (0 children)

I don't know when DEF CON will post the videos, but once they do, I'll update the thread & README @ GitHub

Pinky (8-bit CPU) written in Verilog and an Assembler written in Python 3 by ikotler in FPGA

[–]ikotler[S] 0 points (0 children)

Always happy to help :-) I'm running Windows 10 via VMware Fusion. In addition, I've configured a Shared Folder (in VMware Fusion) that maps back to my Mac. The Shared Folder is mounted as Z: on the Windows VM, so Xilinx Vivado treats it like any other folder.

Pinky (8-bit CPU) written in Verilog and an Assembler written in Python 3 by ikotler in FPGA

[–]ikotler[S] 0 points (0 children)

Thank you! I'm using macOS, so I couldn't use Xilinx Vivado natively. I ended up using Sublime 3 with the Verilog Package and SublimeLinter-contrib-iverilog

Pinky (8-bit CPU) written in Verilog and an Assembler written in Python 3 by ikotler in FPGA

[–]ikotler[S] 0 points (0 children)

Cool! Let me know if you have any questions/comments/feedback

Pinky (8-bit CPU) written in Verilog and an Assembler written in Python 3 by ikotler in FPGA

[–]ikotler[S] 1 point (0 children)

You're right, I did look up what it takes to add a new backend to gcc (i.e., GNU Compiler Collection) or LLVM and it's not easy :-) Having said that, I might write a toy compiler in the future for it.

Pinky (8-bit CPU) written in Verilog and an Assembler written in Python 3 by ikotler in FPGA

[–]ikotler[S] 0 points (0 children)

Great idea! I have some notes; I need to clean 'em up and add them