Episode 2 MP3 | Youtube | Twitch.TV | Twitter | Facebook | iTunes | Stitcher


CapSec DC tonight at the Verizon Center's Green Turtle, 6pm until whenever.

Primary news stories


Episode 1 Story Updates:

Elon Musk comments on the AI and DARPA’s grand cyber challenge, and says “It’s all fun and games until (Skynet)”

References:

https://twitter.com/elonmusk/status/753525069553381376


Title: Windows 10 UAC bypass

Synopsis:

Windows Disk Cleanup creates a folder in the user's temp directory, copies some DLLs and an exe into it, then launches the exe, which loads the DLLs in a set order. Because the folder is writable by the user, you can swap in your own DLLs before they are loaded, so it's a race condition. Then it cleans up after itself, which is nice.
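The defensive angle on the story above is that an elevated process should never be running from, or loading modules out of, a directory a standard user can write to. Below is an added detection sketch (not code from the enigma0x3 post or the UACME project) that runs that rule over a handful of constructed image-load records; the record shape is an assumption (a simplified Sysmon Event ID 7 with an added IntegrityLevel field), and the paths and GUID are made up.

```python
import re

# Per-user temp directories are writable by that user, so anything an elevated
# process runs or loads from there was placed there by an unprivileged account.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
ELEVATED = {"High", "System"}


def is_in_user_temp(path: str) -> bool:
    """True if a Windows path lies under some user's AppData\\Local\\Temp."""
    return USER_TEMP.match(path) is not None


def flag_elevated_temp_loads(events):
    """Return (rule, Image, ImageLoaded) for each image-load record where an
    elevated process either runs from, or loads a module from, a user temp dir."""
    findings = []
    for ev in events:
        if ev.get("IntegrityLevel") not in ELEVATED:
            continue  # medium-integrity loads from temp are routine, not a UAC bypass
        if is_in_user_temp(ev["Image"]):
            findings.append(("elevated-process-from-temp", ev["Image"], ev["ImageLoaded"]))
        elif is_in_user_temp(ev["ImageLoaded"]):
            findings.append(("elevated-load-from-temp", ev["Image"], ev["ImageLoaded"]))
    return findings


# Constructed sample records (assumption: a simplified Sysmon Event ID 7 shape with an
# added IntegrityLevel field). These are not real telemetry from any host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "IntegrityLevel": "System"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\addin\helper.dll", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\{EXAMPLE-GUID}\host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\{EXAMPLE-GUID}\provider.dll", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\cleanmgr.exe",  # Disk Cleanup's own binary
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\cleanup\plugin.dll", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for rule, image, loaded in flag_elevated_temp_loads(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {loaded}")
```

The two rules deliberately ignore medium-integrity processes: plenty of legitimate software loads from temp at the user's own level, and the signal here is specifically an elevated token meeting user-writable code.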

References:

https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
https://github.com/hfiref0x/UACME


Title: Keepass thievery

Synopsis:

Harmj0y and friends detail some weaknesses they've put together for attacking KeePass during assessments, and release a new tool called "KeeThief". KeePass is used in several environments as a more secure alternative to the password-spreadsheet problem endemic to almost every network. The guides walk through ways to locate database and key files, as well as extract and crack the master password hash.

LastPass users are also at risk, as security researcher Tavis Ormandy has taken a break from making AV vendors cry and taken aim at the cloud-based password manager.

References:

http://www.harmj0y.net/blog/redteaming/a-case-study-in-attacking-keepass/

http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/


Title: LastPass autofill gives away the goods

Synopsis:

Attackers targeting LastPass users can build a specially crafted website which will trick LastPass into divulging the passwords for the user in question. Already patched by LastPass, with a 1k bounty paid out to the researcher.
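The Detectify write-up linked below attributes the bug to the extension's own URL handling: a crafted path was matched as a different domain, so autofill handed over another site's credentials. As an added illustration of that bug class (constructed, not LastPass's code), here is a fragile hand-rolled host extractor next to a parser-based one; the site names are made up.

```python
import re
from urllib.parse import urlsplit


def naive_host(url: str) -> str:
    """Constructed illustration of a fragile extractor (NOT LastPass's code): it
    assumes the first '@' separates userinfo from the host, wherever it appears."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    at = rest.find("@")
    if at != -1:
        rest = rest[at + 1:]          # a '@' inside the path is mistaken for userinfo
    return re.split(r"[/:?#]", rest, maxsplit=1)[0].lower()


def parsed_host(url: str):
    """Standards-based: urlsplit only treats '@' as a userinfo separator inside the
    authority component, so a '@' in the path cannot change the host."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def should_autofill(page_url: str, credential_host: str) -> bool:
    """Release credentials only when the parsed host matches exactly."""
    host = parsed_host(page_url)
    return host is not None and host == credential_host


if __name__ == "__main__":
    crafted = "http://attacker.example/@bank.example/@login.php"   # constructed
    print("naive :", naive_host(crafted))    # bank.example (wrong: autofill would fire)
    print("parsed:", parsed_host(crafted))   # attacker.example
```

The takeaway for anyone writing origin checks: derive the host from a real URL parser and compare it exactly, rather than reaching for a regex that has to re-implement the userinfo, port, path and fragment rules itself.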

References:

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

http://www.theregister.co.uk/AMP/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/


Title: Privilege escalation like it’s 1995

Synopsis:

This is a local privilege escalation vulnerability in NetBSD discovered by akat1 (akatl). It exploits a race condition in the deliver() function in mail.local(8), which delivers a message from standard input to the chosen user's mailbox. When a message is delivered, the mailbox is checked for existence, then the file is opened and its ownership is changed. An attacker exploits this by initiating a delivery; after lstat() checks whether the mailbox exists, the attacker replaces it with a symlink to a sensitive file, open() opens the sensitive file through the symlink, and fchown() changes the ownership of that file to the user. OpenBSD fixed the issue almost 20 years ago, and FreeBSD uses sendmail(8), which provides its own implementation.
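The lstat()/open()/fchown() sequence above is a classic time-of-check to time-of-use bug: the check is on a path, but the path can be re-pointed between the check and the use. The fix pattern is to open first without following symlinks and then check and act on the descriptor. Below is an added illustration of that pattern in Python (not NetBSD's or OpenBSD's mail.local code, and the mailbox names are constructed); it assumes a POSIX platform where os.O_NOFOLLOW is available, and the demo uses the caller's own uid/gid so fchown() succeeds without root.

```python
import os
import stat
import tempfile


def open_mailbox_nofollow(path: str) -> int:
    """Open an existing mailbox for append without following symlinks, then
    verify the opened descriptor itself, not the path. Raises OSError."""
    # O_NOFOLLOW makes open() fail with ELOOP if the last path component is a
    # symlink, so there is no separate lstat() that a path swap could race against.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)           # fstat on the descriptor: immune to later renames
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError(f"refusing to deliver to {path!r}: not a plain, unaliased file")
    except BaseException:
        os.close(fd)
        raise
    return fd


def deliver_to_mailbox(path: str, uid: int, gid: int, message: bytes) -> int:
    """Return bytes written, or -1 if the mailbox failed the checks.
    fchown() and write() both act on the verified descriptor, so whatever the
    path points at afterwards no longer matters."""
    try:
        fd = open_mailbox_nofollow(path)
    except OSError:
        return -1
    try:
        os.fchown(fd, uid, gid)
        return os.write(fd, message)
    finally:
        os.close(fd)


def demo_in_tempdir() -> dict:
    """Constructed scenario: a real mailbox file and a symlink pointing at it."""
    d = tempfile.mkdtemp()
    mbox = os.path.join(d, "alice")
    open(mbox, "wb").close()
    link = os.path.join(d, "alice-link")
    os.symlink(mbox, link)
    me = (os.getuid(), os.getgid())
    return {
        "regular": deliver_to_mailbox(mbox, *me, b"hello\n"),
        "symlink": deliver_to_mailbox(link, *me, b"hello\n"),
    }


if __name__ == "__main__":
    print(demo_in_tempdir())   # {'regular': 6, 'symlink': -1}
```

The st_nlink check is there because a symlink is not the only alias an attacker can plant; a hard link to a sensitive file passes O_NOFOLLOW but still shows up as a second link on the inode.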

References:

http://akat1.pl/?id=2


Title: Breaking the base protocol for most radio and voice communications (ASN.1)

Synopsis:

References:

https://www.reddit.com/r/netsec/comments/4tw2ok/cve20165080_rf_baseband_asn1_buffer_overflow/

https://github.com/programa-stic/security-advisories/blob/master/ObjSys/CVE-2016-5080/README.md


Title: “No means No” according to the 9th Circuit Court of Appeals

Synopsis:

The 9th Circuit Court of Appeals says visiting a website after being told not to is "digital trespass" and opens liability under the CFAA.

References:

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/


Title: Shoutout to Gynvael “GynDream” Coldwind

Synopsis:

He livestreams himself working through CTF and other challenges, showing his methods for completing them. Similar to what George "Geohot" Hotz did back in 2014.

References:

http://gynvael.coldwind.pl/?blog=1
https://livectf.blogspot.com/