Extalio.Newsletter

[14/3/19]
xNewsletter

Going through Twitter and blogs every day and filtering through the junk takes too much time. We figured others are having the same problem. Which is why we decided to compile a list of the interesting content that was published lately. We will publish every few weeks (when enough exciting things have happened).

Vulnerabilities

CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver

Vulnerability in a driver that exposes high privilege functionality to an unprivileged process, allowing it to read an EPROCESS security token and use it to gain privilege escalation.

Hacking Jenkins - Abusing Meta Programming for Unauthenticated RCE

A previous article published an authentication vulnerability. This article explains how to take advantage of the vulnerability to execute code. Jenkins has a DSL (Domain Specific Language) called Pipeline built with Groovy. There is a way of sending Jenkins Pipeline code just for validation (not execution). Using a Groovy annotation used for meta-programming, a JAR file can be downloaded from a remote server and get executed.

WordPress 5.0.0 Remote Code Execution

Combining Path Traversal and LFI in Wordpress to gain RCE. The exploitation takes advantage of the image crop code. Cropped images are saved in a path that is based on the image metadata. Manipulating the image metadata allows for Path Traversal and thus saving the image anywhere on the filesystem. Saving the file in the theme directory will load it when the theme is used.

CVE-2019-0539 Exploitation

Exploiting a Chakra JIT Type Confusion vulnerability. Takes us step by step through the exploitation process, the different hurdles, and ways to overcome them to get a RW primitive.

Interesting Research

Thunderclap

IOMMUs are created to protect against Direct Memory Access (DMA) attacks. DMA-enabled devices can RW all system memory. The IOMMU essentially virtualizes the memory that needs to be exposed to a specific device. The problem here is that while communications with the MMU is based on tested kernel code, the driver code that talks to IOMMUs is written by third parties with no understanding of security. The paper gives background on the underlying technology and the threat model, discusses different vulnerabilities they found in all major operating systems, and the possible mitigations.

Windows Object Case Sensitivity

Windows has legacy support for case sensitivity but ignores it by default. There is a registry key that controls the lookup. WSL is case sensitive which is why Windows got a new feature of setting a folder attribute that allows sensitive search on that folder. Goes on to find all the object types that support naming and case sensitivity and finds a lookup bug that can be used to plant objects if any are created with an OBJ_CASE_INSENSITIVE flag.

Tools

GHIDRA (mirror)

An open source younger brother to IDA from NSA. Notable or missing features: Has an undo button! No Debugger support. Supports project collaboration by design. Has a good decompiler. Smart data flow analysis. Ability to load multiple binaries.

idenLib - Library Function Identification

Statically linked library function signature identification with plugins for IDA and x64dbg.

https://github.com/elfmaster/dt_infect

Code injection library for ELF binaries. It patches the DT_NEEDED table (used for dynamic linking) and sets another binary as the first entry, which will be looked first for unknown symbols.

We hope you enjoyed.
Your friends can subscribe on extal.io/xnews to get the newsletter in the email or use our RSS.