Security Weekly 6

Security Weekly 6

Security Weekly 6: In NIX revived an ancient vulnerability, WannaCry was not completed, the CIA is listening to our routers

The Earth, 2005 year. On the whole planet there are mysterious events: Nokia brings to the market a tablet on Linux, in secret is the development of the game with the members of the group Metallica in the lead roles, Jobs announced the transition of the Macs to the Intel platform.

Meanwhile, at the CancSecWest conference, Gael Delallo from Beijaflore presented a fundamental report on the vulnerabilities of the memory management system in a variety of NIX-a and illustrated his findings with exploits for Apache. All are patched up. Several years have passed.

The 2010 year. Rafal Voychuk demonstrated the exploitation of a vulnerability of the same class in the Xorg server. In the same year, Jon Oberaide published a couple of funny reports about his innocent games with the Nix core stack.

The 2016 year. Google Project Zero was aroused by researching the exploitation of the kernel stack vulnerabilities under Ubuntu. Oberaide sends greetings in the comments. Ubuntu patch.

The 2017 year. Never such was, and here again. Qualys has learned to cheat with the user’s stack in any nicks, according to Dellallo’s ideas.

Exploits of the user’s stack are based on a simple question:

  • If the dynamic area (heap) and the stack grow towards each other, then what will happen when they meet?

However, you should not think that the Knicks are developed by fools! They, of course, thought about such a development of events (well, by our time, they already guessed right). And in all modern Unix-like operating systems, the user’s stack is surrounded by a special page of memory, access to which causes an exception or termination of the process.

  • But that’s strange. Suddenly it turned out that this patrol page can be successfully circumvented, of which there are many ways. Delallo also spoke about this in 2005. All again patching.

The principle of operation of this bug is based on increasing the volume of the stack without writing to it.

This is done differently in different OSes, for example:

  • A using a recursive procedure call, or multi-byte command-line arguments. The stack pointer moves to its beginning (the bottom address), the stack grows abruptly, and – hop, – the stack pointer is already behind the guard page. Access to the most guarded page does not occur, there is no error. It turns out that the area of the stack overlaps with the dynamic area.





This allows you to override the return address from the function on the stack and thus run arbitrary code with elevated privileges.

Qualys tested this technique only locally, but theoretically, this trick can be performed remotely, or, at least, it will be useful for Trojans to increase their own privileges. Researchers see two ways to correct this vulnerability: fantastic and realistic. Fantastic is to inflate the guard page at least up to 1 MB, but better than that. And realistic is just to recompile all the user space code with the -stack-check option in GCC, after which the stack pointer will no longer be able to jump through the guard page without writing to it. And in FreeBSD it is still worth at least to include this same watchdog – by default, it is not used there.

The researchers found some deficiencies in Wanna Cry

Fatal for many, the WannaCry either done with crooked hands or broke free before it was finished. Such a curious theory was expressed by Jake Williams of Rendition InfoSec, after a thorough analysis of the news of the EternalBlue code and WannaCry. In his opinion, the creators of Ransomvars allowed several “staggering errors.”

  • To start with, it seems very strange that hardcore bitcoin addresses are used to pay out foreclosures. Not only that, it allowed someone enterprising to snatch a small fraction of themselves, breaking the address in the hex editor, so it’s also impossible to control the payment – as Williams rightly noted, try to figure out who exactly the victims of the transactions that fall into the wallet belong to. And yet, to trace the future fate of money from one address is not so difficult (mixers do not always save), that is, problems with the withdrawal of the amount are secured.
  • It is much more practical to generate your own address for each infection, or even for several infections, this would immediately remove most of the problems. Actually, experienced ransomware and do. But not the authors of WannaCry. In total, there are three variants of the address in the captured samples, and it is likely that only one of them belongs to the original attackers.
  • The famous “switch” WannaCry, the domain, on detection of which the Trojan stops working on the Net. This is in itself a very common practice, but, pardon, what prevented you from making a slightly more complicated test than the status code 200? In the case of many other bots, the exchange with the management server is encrypted and the Trojan is turned off only on command.

With the hypothesis that Wanna cry is the brainchild of the “script-kiddies”, there are a number of signs that point to the North Korean origin of this epidemic. The Lazarus group, suspected in connection with WannaCry, did not give reason to accuse her of unprofessionalism. Therefore, Williams suggested another explanation. In his opinion, the unfinished WannaCry simply accidentally broke out of the test environment and went on to spread uncontrollably.

This is damn similar to the truth, although it is not very clear what prevented the creators from pulling the switch in time by scrapping the stop domain until the spread of the Trojan could take on the nature of the epidemic. And yet – it will be funny if it turns out that the bug-coded address is only a placeholder, and does not correspond to any real wallet. At least, WannaCry has not had any write-offs from the known wallets yet.

The CIA has been following our routers for years

Wikileaks published details of the CIA’s program to monitor traffic passing through the D-Link, Linksys, 3Com and Parent Tec routers. Poetically called Cherry Blossom, the program includes the creation of special firmware, which is stitched onto the routers remotely. The firmware looks like real, but only rips out of the traffic and sends email addresses, names, found in chat rooms, MAC addresses, VoIP numbers to its server. And, if necessary, can even redirect traffic “where necessary.”

Cherry Blossom Architecture (U)


The only more or less complicated stage of the operation is the introduction of firmware on an unsuspecting router. However, what turns out Mirai, just on the shoulder child of the CIA – for routers, the agency developed exploits of Tomato and Surfside. They do not work everywhere, and for other cases, it is recommended to introduce the firmware in an operational way. That is, to intrude into the supplier company and quietly flash all the routers in the warehouse. The romance of espionage work, as it is. Still, the spirit of the old school is alive in the CIA!