Episode 14


Title: Trump Email Server Drama

Synopsis:

  • There is a mail server contracted by Trump’s businesses that is sending “Advertisements”
    • What most of the rest of us would probably call spam
  • The email server referenced is specifically serving up stuff related to events and promotions for the Trump Hotel business
  • It’s not tied into campaign stuff.
  • The reason it’s talking to that bank is because they’ve done business before, and the Trump Hotel organization did advertising for them.
  • This is all normal business-y stuff.

References:

http://blog.erratasec.com/2016/11/debunking-trumps-secret-server.html

https://theintercept.com/2016/11/01/heres-the-problem-with-the-story-connecting-russia-to-donald-trumps-email-server/

Title: Google releases windows 0day, MS complains

Synopsis:

Example quote from reddit user tieluohan:

“Note that the 7 day disclosure came from the fact that the bug was already being actively exploited. For such supercritical vulnerabilities 7 days is not really more unreasonable than the 90 day deadline for other bugs.”

References:

https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html

https://www.reddit.com/r/netsec/comments/5ag423/windows_has_a_bug_and_google_just_let_everyone/

Title: Dirty Cow CVE-2016-5195

Synopsis:

Why should we care?

Principal Points

  • Exploits copy-on-write (COW)
    • Ex.: COW may also be used as the underlying mechanism for snapshots.
    • Create a file owned by root that a normal user can read but can’t write to.
      • Ping is run as root; anyone can run it, but it doesn’t do much.
      • If you run Dirty COW and pass a string to the root-owned file, suddenly a normal user has write access.
  • Local Priv Escalation, so what?
    • The Dirty COW flaw exists in a section of the Linux kernel that is part of virtually every distro of the open-source operating system, including Red Hat, Debian, and Ubuntu, released for almost a decade.
  • Creates a race condition with virtual memory and physical disk
    • I don’t need this vmem address space
    • Overwriting said address space before it’s moved to disk
    • What’s a race condition: “Certain events have to occur in a special order that are otherwise very unlikely… try it over and over again and see if you get lucky.”
  • Average life of a Linux Bug is 5 years. – Google Researcher Kees Cook.
    • Torvalds knew about it 11 years ago, tried to fix it, couldn’t, meh, nobody will find it anyway.
  • Dirtycow.ninja:
    • Don’t sensationalize all this shit, take everything seriously.
    • “Gives any user root in 5 seconds” – Engadget and their subtle titles.
    • Don’t ignore regular, workaday bugs.
    • All the boring normal bugs are way more important, just because there’s a lot more of them.
    • The major issue with the bug isn’t its danger, but its age: it is easy to exploit reliably, and thanks to the nine years it’s been hiding in the code, it will be in millions of computers.

Example:

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

“trivial to execute, never fails and has probably been around for years.” Because of its complexity, he was only able to detect it because he had been “capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox,” Oester said.
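As an added illustration (not from the podcast or any of the linked articles) of the copy-on-write guarantee the bug subverts: a user may map a file they can only read with MAP_PRIVATE and PROT_WRITE, but the kernel hands them a private copy of the page and the file on disk stays untouched, whereas a MAP_SHARED write-mapping either changes the file or is refused outright when the file was opened read-only. Dirty COW’s race broke that first guarantee; the temp file path and sample content below are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample content standing in for the root-owned file. */
static const char SAMPLE[] = "root-owned-data";
#define SAMPLE_LEN ((int)sizeof(SAMPLE))

/* Create a temp file holding SAMPLE, reopen it with open_flags, map it with
 * PROT_WRITE and map_flags (MAP_PRIVATE or MAP_SHARED), write through the
 * mapping, then re-read the file from disk.
 * Returns 1 if the file on disk changed, 0 if the write stayed in a private
 * COW copy, -1 if the kernel refused the mapping (or on any other error). */
int write_through_mapping(int map_flags, int open_flags) {
    char path[] = "/tmp/cow-demo-XXXXXX";
    char buf[SAMPLE_LEN];
    char *p = MAP_FAILED;
    int fd = -1, rc = -1;
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    if (write(tmp, SAMPLE, SAMPLE_LEN) != SAMPLE_LEN) goto out;

    fd = open(path, open_flags);
    if (fd < 0) goto out;
    p = mmap(NULL, SAMPLE_LEN, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    close(fd);
    /* MAP_SHARED + PROT_WRITE on a read-only fd fails here with EACCES. */
    if (p == MAP_FAILED) goto out;

    memcpy(p, "MOO", 3);              /* the write that COW must isolate */
    msync(p, SAMPLE_LEN, MS_SYNC);    /* no-op for a private mapping */
    munmap(p, SAMPLE_LEN);

    fd = open(path, O_RDONLY);        /* read the file back from disk */
    if (fd < 0) goto out;
    if (read(fd, buf, SAMPLE_LEN) != SAMPLE_LEN) { close(fd); goto out; }
    close(fd);
    rc = memcmp(buf, SAMPLE, SAMPLE_LEN) != 0;
out:
    close(tmp);
    unlink(path);
    return rc;
}
```

The private mapping of a read-only file is exactly the setup Dirty COW abused: the write lands in the private copy and the file should never change.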

Docker Won’t Save you – Gabriel Lawrence

“more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won’t save us.”

References:

Dirty COW Demo

https://www.youtube.com/watch?v=kEsshExn7aE

LiveOverFlow Youtube Channel https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
PoC: https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
Patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
Dirty Cow Explained: https://www.martijnlibbrecht.nu/2/
Dirty Cow Web Store: https://dirtycow.ninja/
V3 Article: http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw
Hacker News: http://thehackernews.com/2016/10/linux-kernel-exploit.html
Kees Cook: https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
What is a COW: https://en.wikipedia.org/wiki/Copy-on-write
Docker Won’t Save You: http://www.theregister.co.uk/2016/11/01/docker_user_havent_patched_dirty_cow_yet_bad_news/

ProTip of the Week:

Details:

Use Nginx as a reverse proxy for your C2 to receive multiple callbacks, from multiple tools, on the same redirector (or Listening Post (LP)) IP or hostname, through just one port. The article author details how his team uses a single redirector/LP to manage callbacks for 9 different configurations.

References:

https://twitter.com/Ne0nd0g

https://www.swordshield.com/2016/10/multi-tool-multi-user-http-proxy/