Misc

QEMU, Unicorn, Zelos, and AFL

I should start by telling you that this post does not contain anything fundamentally new. Hence, if you already know the tools mentioned in the title, this post may probably not be for you. However, if you are not too familiar with these tools and want to understand a little bit more on how they work together, you should keep on reading.

First, let us get a high-level overview of the different tools. We begin with QEMU. QEMU is a piece of software to emulate hardware such as processors. Imagine, for example, that you are running an operating system such as Linux or Windows on a x86-64 machine and that you would like to analyze a binary that has been compiled for an ARM or MIPS processor. Of course, you can use static analysis on the binary, but if you want to find out more about the runtime behavior, well, it would be good to have a corresponding runtime environment. Continue reading “QEMU, Unicorn, Zelos, and AFL”

Continue reading
Misc

Security Advisories for Ivanti DSM Suite

From the end of 2019 on, we reported two critical vulnerabilities in the Ivanti DSM Suite to the vendor. The following CVE IDs were assigned to the issues (but note that they have a status of RESERVED, i.e. titles and descriptions may change in the future):

  • CVE-2020-12441: Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4
  • CVE-2020-13793: Unsafe storage of AD credentials in Ivanti DSM netinst 5.1

The vulnerabilities have meanwhile been fixed and an updated software version can be downloaded here. Continue reading “Security Advisories for Ivanti DSM Suite”

Continue reading
Misc

VMware NSX-T Distributed Firewall can be bypassed by default

We recently came across an issue when playing around with VMware NSX-T which not anyone might be aware of when getting started with it. Because many of our customers start with transitioning to NSX-T, we want to share this with you. In short, the Distributed Firewall (DFW) of NSX-T can be easily bypassed in the default configuration because it only works effectively if at the same time, the SpoofGuard feature is enabled on all logical switch ports which is not the case by default.

Continue reading “VMware NSX-T Distributed Firewall can be bypassed by default”

Continue reading
Misc

Windows Insight: The Windows Telemetry ETW Monitor

The Windows Insight repository now hosts the Windows Telemetry ETW Monitor framework. The framework monitors and reports on Windows Telemetry ETW (Event Tracing for Windows) activities – ETW activities for providing data to Windows Telemetry. It consists of two components:

  • the Windbg Framework: a set of scripts for monitoring Windows Telemetry ETW activities. The scripts are fed to a running windbg instance, connected to the Windows instance whose Windows Telemetry ETW activities are monitored.
  • the Telemetry Information Visualization (TIV) framework for visualization of information and statistics. The TIV framework is a set of Python scripts that visualize information and statistics based on the data produced by the Windbg Framework. The output of the TIV framework is a report in the form of a web page.

wintel

The Windows Telemetry ETW Monitor has been tested on Windows 10, version 1909.

Continue reading “Windows Insight: The Windows Telemetry ETW Monitor”

Continue reading
Misc

Dissection of an Incident – Part 2

After our last blogpost regarding Emotet and several other Emotet and Ransomware samples that we encountered, we recently stumbled across a variant belonging to the Gozi, ISFB, Dreambot respectively Ursnif family. In this blogpost, we want to share our insights from the analysis of this malware, whose malware family is mainly known for being a banking trojan that typically tries to infect browser sessions and sniff/redirect data. In particular, we are going to provide details about the first stage Word Document, the embedded JavaScript/XSL document, an in-depth runtime analysis of the downloaded executable, and some details regarding detection.

Also, with this blog post, we are releasing a Rekall plugin called pointerdetector that enumerates all exported functions from all DLLs and searches the memory for any pointer to them (essentially a search for dynamically resolved APIs). This plugin can assist in identifying dynamically resolved APIs and especially memory regions containing DLLs loaded with techniques such as reflective DLL injection. This blog post will contain some examples illustrating the usage of this plugin, as well.

If you are interested in a hands-on analysis of Incidents and malicious files, we are giving another round of our Incident Analysis workshop at Troopers20.

Continue reading “Dissection of an Incident – Part 2”

Continue reading
Misc

Windows Insight: Code integrity and WDAC

The Windows Insight repository now hosts three articles on Windows code integrity and WDAC (Windows Defender Application Control):

  • Device Guard Image Integrity: Architecture Overview (Aleksandar Milenkoski, Dominik Phillips): In this work, we present the high-level architecture of the code integrity mechanism implemented as part of Windows 10.
  • Windows Defender Application Control: Initialization (Dominik Phillips, Aleksandar Milenkoski): This work describes the process for initializing WDAC performed by the Windows loader and the kernel when Windows 10 is booted.
  • Windows Defender Application Control: Image verification (Aleksandar Milenkoski): This work discusses the workflow of WDAC for verifying images.

– Aleksandar Milenkoski

Continue reading
Misc

PSD2 – Mandatory Account Access for Third Party Providers

On September 14th the final deadline of complying with the new Payment Service Directive PSD2 will be reached. Among other things, this directive will bring quite a few technical challenges for credit institutions. These include new requirements on two-factor authentication and API access for third parties. In this blog post we will give a short overview of what this means for banks from a security perspective and outline a few of the security-related issues based on what we have been observing during recent assessments of such APIs.

Continue reading “PSD2 – Mandatory Account Access for Third Party Providers”

Continue reading
Misc

A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources

Some weeks ago, Heinrich and I had the pleasure to participate in the heisec-Webinar “Emotet bei Heise – Lernen aus unseren Fehlern”. We really enjoyed the webinar and the (alas, due to the format: too short) discussions and we hope we could contribute to understand how to make Active Directory implementations out there a bit safer in the future.

Continue reading “A Follow-Up on the Heisec Webinar on Emotet & Some Active Directory Security Sources”

Continue reading
Misc

LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)

While waiting for a download to complete, I stumbled across an interesting blogpost. The author describes a flaw in LibreOffice that allowed an attacker to execute code. Since this was quite recent, I was interested if my version is vulnerable to this attack and how they fixed it. Thus, I looked at the sources and luckily it was fixed. What I didn’t know before however was, that macros shipped with LibreOffice are executed without prompting the user, even on the highest macro security setting. So, if there would be a system macro from LibreOffice with a bug that allows to execute code, the user would not even get a prompt and the code would be executed right away. Therefor, I started to have a closer look at the source code and found out that exactly this is the case!

 

Continue reading “LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)”

Continue reading