Tag Archives: Privilege escalation

Plundervolt. Don’t panic!

16 December 2019

Last Tuesday, Intel (1) published a patch for a new hardware vulnerability dubbed Plundervolt (CVE-2019-11157). As always with hardware vulnerabilities, Plundervolt got a lot of attention in the media.(2)(3)(4) A Google search for “plundervolt intel” shows about 167.000 hits as of today. The vulnerability was detected by a research team lead by Kit Murdock (5) some month ago.

In parallel, Microsoft published a patch for the privilege escalation vulnerability CVE-2019-1458.(6) CVE-2019-1458 is actively used in attacks (7), so it also got some media attention (Google search “CVE-2019-1458”: 88.000 hits as of today).

Plundervolt logo.

Plundervolt logo.

From my point of view, hardware vulnerabilities are always somewhat overvalued, especially in terms of their benefit in cyber operations. The vulnerabilities named RyzenFall, FallOut, Chimera and MasterKey in AMD processors, which were discovered last year, are maybe the best examples.(8) So, lets take a closer look on PlunderVolt and CVE-2019-1458.

The table below shows the CVSS V3.1 Severity for the vulnerabilities.

Plundervolt CVE-2019-1458 comparison

Plundervolt / CVE-2019-1458 comparison

The main difference is in the Privileges Required (PR) to exploit the vulnerability. For Plundervolt, Murdock et al. “assume the standard Intel SGX adversary model where the attacker has full control over all software running outside the enclave (including privileged system software such as operating system and BIOS).”(5) That means that the system must already be fully compromised before Plundervolt can be exploited.

In contrast, CVE-2019-1458 allows the attacker to acquire high privileges on a system once he hijacked a standard user account. So, by exploiting CVE-2019-1458 the attacker sets up the environment to exploit Plundervolt.

From an attacker’s point of view, CVE-2019-1458 is more valuable than Plundervolt. Once one system is compromised, the attacker can use it as base of operations for the exploration of the victim’s network. In the worst case, the Active Directory is compromised within some minutes, so the attacker has access to all secrets, or he can push ransomware to all computers.

For organized crime and APTs, CVE-2019-1458 is a universally exploitable tool to achieve goals.

Plundervolt gets interesting if the attacker is interested in encryption key details which are used internally only, for example in Transparent Database Encryption (TDE) or in trusted execution environments. Murdock et al. “demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts.”(5) In the worst case, this results in the loss of all data in a TDE secured database, since vendors use Intel’s AES-NI on-chip implementation to speed up cryptographic computations.

So, Plundervolt is interesting for organized crime and APTs when it comes to industrial espionage or in attacks against targets which are relevant for national security.

Fortunately, the time frame for exploitation is short. The patch for CVE-2019-1458 will be automatically rolled out through the WSUS infrastructure within the next weeks. Plundervolt should be patched, with high priority on critical systems, if a company is target of espionage or operates critical infrastructures.

Do you know your threat profile and critical systems? Without this knowledge efficient vulnerability management is not possible. Not sure? So, take it as a New Year’s resolution…

References

  1. Intel Security Center. INTEL-SA-00289 [Internet]. Intel Security Center. 2019 [cited 2019 Dec 13]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html
  2. Gatlan S. Intel Patches Plundervolt, High Severity Issues in Platform Update [Internet]. BleepingComputer. 2019 [cited 2019 Dec 13]. Available from: https://www.bleepingcomputer.com/news/security/intel-patches-plundervolt-high-severity-issues-in-platform-update/
  3. O’Donnell L. Modern Intel CPUs Plagued By Plundervolt Attack | Threatpost [Internet]. threatpost. 2019 [cited 2019 Dec 13]. Available from: https://threatpost.com/intel-cpus-plundervolt-attack/151006/
  4. Khandelwal S. New PlunderVolt Attack Targets Intel SGX Enclaves by Tweaking CPU Voltage [Internet]. The Hacker News. 2019 [cited 2019 Dec 13]. Available from: https://thehackernews.com/2019/12/intel-sgx-voltage-attack.html
  5. Murdock K, Oswald D, Garcia FD, Van Bulck J, Gruss D, Piessens F. Plundervolt: Software-based Fault Injection Attacks against Intel SGX}. In: Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P’20) [Internet]. San Francisco, CA; 2019 [cited 2019 Dec 13]. Available from: https://plundervolt.com/
  6. MSRC. CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability [Internet]. Microsoft Security. 2019 [cited 2019 Dec 16]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
  7. Kaspersky Global Research and Analysis Team. Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium | Securelist [Internet]. SECURELIST. 2019 [cited 2019 Dec 16]. Available from: https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/
  8. Cimpanu C. AMD Confirms RyzenFall, MasterKey, Fallout, and Chimera Vulnerabilities [Internet]. BleepingComputer. 2018 [cited 2019 Dec 16]. Available from: https://www.bleepingcomputer.com/news/hardware/amd-confirms-ryzenfall-masterkey-fallout-and-chimera-vulnerabilities/

How to defeat antivirus evasion and privilege escalation techniques

4 February 2018

Last weekend I read two very informative posts on Antivirus Evasion by Mattia Campagnano. But part 2 [1] puzzled me somewhat.

“Following up to my previous post Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt. 1), we’re going now to perform the same attack on a genuine Windows 10 machine, where all latest updates have been installed.”

For a moment I thought ‘a security professional mistakes compliance for security’ because ‘fully patched’ means not that the system is resilient against cyber-attacks. But both posts show that even the most secure Windows ever is vulnerable against privilege escalation and AV evasion if the basic configuration is not changed and fundamental elements of cyber hygiene are missing.

Why are such attacks successful?

First, the user was logged in with permanent administrative privileges. This makes life easy for attackers and fosters lateral movement.

Revoking permanent administrative privileges on workstations and servers must be a basic element of any cyber security program. Under normal conditions, standard users should not have any administrative privileges for their devices at all. If needed, they can be temporarily granted through User Account Control (UAC).

Second, UAC was not set to the highest level “Always notify me”. Unfortunately this is the standard setting after a fresh installation of Windows. With this, privilege escalation is possible without user notification. If configured properly, UAC will notify the user even if he works with administrative privileges.

The BypassUAC method in the meterpreter attack framework will fail, if UAC is set to the highest level. The following excerpt of the code [2] makes this clear

case get_uac_level
 when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
 fail_with(Failure::NotVulnerable,
  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
 )
 when UAC_DEFAULT
    print_good('UAC is set to Default')
    print_good('BypassUAC can bypass this setting, continuing...')
 when UAC_NO_PROMPT
    print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
    shell_execute_exe
  return
end

Standards like the DISA STIG for Windows 10 [3] activate all UAC features to make life for the attackers as difficult as possible. From my point of view, the STIGs should be considered also in industry to create workplaces resilient against cyber-attacks. And Microsoft should raise the Windows default for UAC to “Always notify me” for all versions. If a user wants to reduce the security level, he should do this on his own responsibility.

Besides the secure configuration of IT systems and cyber hygiene is user awareness training the third essential pillar of a security program. Users and help desk staff must take proper actions if their system unexpectedly enters the secure desktop and asks for permissions of an action they never asked.

Have a good weekend.

  1. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 44: AV Evasion (pt 2). The S@vvy_Geek Tips Tech Blog
  2. Rapid7 bypassuac_vbs.rb  Metasploit Framework. (Accessed: 3rd February 2018)
  3. Windows 10 Security Technical Implementation Guide. STIG Viewer | Unified Compliance Framework® Available at: https://www.stigviewer.com/stig/windows_10/. (Accessed: 3rd February 2018)
  4. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt.1). The S@vvy_Geek Tips Tech Blog

Dvmap: the first Android malware with code injection capabilities

25 June 2017

In the train back from Berlin last week I had the opportunity to go through my reading list. The news about Dvmap, an Android malware which code injection capabilities, caught my attention.

Kaspersky’s Roman Unuchek published a great post in the Kaspersky Lab Securelist blog on 8 June 2017 about Dvmap. Dvmap is hidden in the app colourblock which was downloaded more than 50.000 times from the Google Play Store. Google removed the app from the Play Store by now.

Dvmap injects malicious code into the Android system libraries at runtime and deactivates security features of the OS. It is capable to downloading extensions from a C&C Server. In addition, the attackers used some clever method to bypass the security features of the Play Store.

To inject code in system libraries at runtime on Linux-based operating systems root privileges are required. And this is what Dvmap tries at first. Since the standard user does not work as root, the trojan must use existing, unpatched vulnerabilities to gain root rights.

Support Codename Android Version Linux Kernel Distribution
No Gingerbread 2.3.x 2.6.35 0,80%
No Ice Cream Sandwich 4.0.x 3.0.1 0,80%
No Jelly Bean 4.1.x 3.0.31 3,10%
No Jelly Bean 4.2.x 3.4.0 4,40%
No Jelly Bean 4.3 3.4.39 1,30%
Yes KitKat 4.4 3.10 18,10%
Yes Lollipop 5.0 3.16.1 8,20%
Yes Lollipop 5.1 3.16.1 22,60%
Yes Marshmallow 6.0 3.10 31,20%
Yes Nougat 7.0 4.4.1 8,90%
Yes Nougat 7.1 4.4.1 0,60%

(Data collected during a 7-day period ending on June 5, 2017. Any versions with less than 0.1% distribution are not shown. Source: Android Dashboards at Android Developers.com)

The above table shows that 89.6 percent of the Android devices which downloaded software from the Google Play Store run Android versions which are supported by Google. Sounds good.

Unfortunately, Google delivers patches to their partners for further distribution to the consumers. And this is where the trouble begins.

In post ‘Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review’ published on 22 March 2017 in the Google Security Blog one reads:

We provided monthly security updates for all supported Pixel and Nexus devices throughout 2016, and we’re thrilled to see our partners invest significantly in regular updates as well. There’s still a lot of room for improvement, however. About half of devices in use at the end of 2016 had not received a platform security update in the previous year.

With this, about 55% of the devices which downloaded software from the Google Play Store in June 2017 were vulnerable e.g. against Dirty Cow (CVE-2016-5195), a nine-year-old bug in the Linux kernel that was detected in October 2016. Since all Linux kernel from 2.x through 4.x before 4.8.3 were affected, nearly all Android version are affected as well.

From the Android Security Review 2016 we learn that “More than 735 million devices from 200+ manufacturers received a platform security update in 2016”. With this, about 360 million devices are vulnerable to Dirty Cow and Dvmap today.

Google’s partners “invested significantly in regular security updates in the past years”, but sadly not enough. Enterprise customers with an MDM solution like Airwatch in place can take this risk. The consumers foot the bill. Who cares?

Have a great week!