December 1, 2020

Linux kernel heap quarantine versus use-after-free exploits

It's 2020. Quarantines are everywhere – and here I'm writing about one, too. But this quarantine is of a different kind.

In this article I'll describe the Linux Kernel Heap Quarantine that I developed for mitigating kernel use-after-free exploitation. I will also summarize the discussion about the prototype of this security feature on the Linux Kernel Mailing List (LKML).

March 17, 2020

CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem

This article discloses exploitation of CVE-2019-18683, which refers to multiple five-year-old race conditions in the V4L2 subsystem of the Linux kernel. I found and fixed them at the end of 2019. I gave a talk at OffensiveCon 2020 about it (slides).

Here I'm going to describe a PoC exploit for x86_64 that gains local privilege escalation from the kernel thread context (where the userspace is not mapped), bypassing KASLR, SMEP, and SMAP on Ubuntu Server 18.04.

March 5, 2020

Intel x86 Root of Trust: loss of trust

The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms. The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.

Positive Technologies specialists have discovered an error in Intel hardware, as well as an error in Intel CSME firmware at the very early stages of the subsystem's operation, in its boot ROM. Intel CSME is responsible for initial authentication of Intel-based systems by loading and verifying all other firmware for modern platforms. For instance, Intel CSME interacts with CPU microcode to authenticate UEFI BIOS firmware using BootGuard. Intel CSME also loads and verifies the firmware of the Power Management Controller responsible for supplying power to Intel chipset components.

January 21, 2020

Fileless ransomware FTCODE now steals credentials

In 2013, SophosLabs announced infections by a ransomware strain written in PowerShell. The attack targeted users from Russia. The ransomware encrypted files and renamed them with the extension .FTCODE, whence the name of the virus. The malware arrived as spam containing an HTA file attachment. The ransom demand took the form of a text file with a message in Russian instructing the victim on how to pay the ransom and decode the files.

A few years later, in autumn 2019, new mentions of FTCODE infections appeared. Hackers ran a phishing campaign targeting recipients of PEC certified emails in Italy and other countries. Victims received emails with attachments containing macros that downloaded malicious code. Apart from encryption, the ransomware also installed JasperLoader, a Trojan downloader, on victims' computers. This Trojan can be used to distribute various types of malware. For example, there have been cases when attackers downloaded the Gootkit banking Trojan onto victims' computers.

In mid-October 2019, a new version of the ransomware appeared that is capable of stealing passwords and credentials from users' computers. The data is retrieved from popular browsers and mail clients installed with default settings.

PowerShell is often used to develop malware, because the interpreter of this language is included with Windows 7 and later. PowerShell also allows running malicious code without saving it to a file on the victim's computer. A webinar on such threats is available on the Positive Technologies website.