Ubuntu Security Podcast

Content provided by Alex Murray and the Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and the Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://vi.player.fm/legal.

Episode 161

Duration: 14:40
 

Overview

This week we take a look into BPFDoor, a newsworthy piece of backdoor malware which has been targeting Linux machines, plus we cover security updates for Bind, Vim, Firefox, PostgreSQL and more.

This week in Ubuntu Security Updates

32 unique CVEs addressed

[USN-5429-1] Bind vulnerability [00:38]

  • 1 CVE addressed in Jammy (22.04 LTS)
  • Only affects recent Bind releases (hence only Jammy)
  • When bind is configured for DNS over HTTPS (DoH), a client can cause the server to terminate a TLS connection early and so trigger an assertion failure within Bind -> named terminates -> DoS

[USN-5430-1] GNOME Settings vulnerability [01:18]

  • 1 CVE addressed in Jammy (22.04 LTS)
  • GNOME includes support for desktop sharing via RDP + VNC
  • By default Ubuntu has a no-open-ports policy, so sharing is off unless the user enables it
  • However, the GNOME settings daemon contained a logic flaw: when the remote desktop service was disabled via the gnome-control-center UI it would automatically get re-enabled on the next login

[USN-5424-2] OpenLDAP vulnerability [01:57]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • Covered in Episode 160 for the other releases
  • SQL injection in the SQL backend of slapd via SQL embedded in an LDAP query

[USN-5433-1] Vim vulnerabilities [02:20]

  • 9 CVEs addressed in Xenial ESM (16.04 ESM)
  • All are various memory corruption vulnerabilities: if a user was tricked into opening a specially crafted file, Vim could crash or possibly execute code as that user
    • Whilst many regular desktop users may not use Vim, it is still often used by sysadmins to edit config files and inspect other files they find on a machine, and since the file is then opened with the administrator's privileges this makes it a good privesc target

[USN-5432-1] libpng vulnerabilities [03:01]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • Speaking of specially crafted files :) - the same applies to libpng, which is used by many other higher-level libraries and applications, so a crafted PNG reaches a lot of code

[USN-5434-1] Firefox vulnerabilities [03:20]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Updated to Firefox 100.0.2
  • 2 vulns courtesy of ZDI's Pwn2Own - Manfred Paul achieved code execution within the privileged (parent) process of Firefox, thereby escaping Firefox's internal sandbox - awarded $100k USD

[USN-5435-1] Thunderbird vulnerabilities [03:57]

[USN-5436-1] libXrender vulnerabilities [04:28]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • A malicious (remote) X server could trigger an out-of-bounds write in the client library -> memory corruption -> code execution in the client application

[USN-5437-1] libXfixes vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • 32-bit platform specific issue, but otherwise roughly the same as above (malicious X server -> memory corruption in the client)

[USN-5438-1] HTMLDOC vulnerability [04:46]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Used to convert HTML/Markdown files into EPUB/HTML/PS/PDF with a table of contents etc.
  • A crafted HTML file could trigger a heap buffer overflow -> crash/code execution

[USN-5439-1] AccountsService vulnerability [05:06]

  • 1 CVE addressed in Jammy (22.04 LTS)
  • The old CVE-2020-16126 was inadvertently reintroduced because the patch which fixed it got dropped accidentally

[USN-5440-1] PostgreSQL vulnerability [05:36]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • An attacker who is able to create non-temporary objects could achieve SQL code execution as the superuser

[USN-5404-2] Rsyslog vulnerability [05:51]

Goings on in Linux Security Community

BPFDoor malware targeting Linux and Solaris [06:08]

  • https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

  • https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896

  • https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

  • Malware that has been in the wild for a while (over 5 years)

  • Reported on by PwC in their Cyber Threats 2021: A Year in Retrospect report

    • PwC attribute it to a Chinese threat actor which they call Red Menshen
    • Observed targeting telco providers plus government, education and logistics organisations via the custom backdoor 'BPFDoor'
  • Stealthy - lets the attacker backdoor a system for remote command execution without opening any new network ports or adding firewall rules, by piggy-backing on existing network-facing applications

  • Uses a BPF filter to watch incoming packets and activates when it sees the right one

  • Earlier versions are on VirusTotal, along with lots of other variants

  • Even source code too - https://pastebin.com/kmmJuuQP

  • As I said - stealthy

    • deletes itself from the filesystem and renames its process to look innocent so it can hide in plain sight
    • loads a BPF filter to sniff traffic
    • upon activation modifies the firewall to allow the attacker direct access
  • In more detail:

    • Copies itself to /dev/shm/kdmtmpflush and then forks, cleaning up after itself and altering the file's timestamps (timestomping) to a fixed value (7:17pm Thursday October 30th 2008)
    • Drops a file at /var/run/haldrund.pid to prevent further copies of itself from running
    • Deletes itself from the /dev/shm/ ramdisk and then exits, leaving the forked copy resident in memory, where it uses the BPF filter to watch for the incoming traffic that activates it
  • Doesn't appear to have any particular persistence mechanism of its own, but some reports suggest use of crontab or rc/init scripts

  • By deleting itself from the ramdisk it avoids detection by filesystem scanners (although a process running from a since-deleted binary is itself a suspicious sign and is easy to detect: once the binary is unlinked the kernel appends " (deleted)" to the target of that process's /proc/<pid>/exe symlink)

  • Renames its argv[0] so that it looks like other commonly found processes like dbus-daemon / udevd / auditd etc

  • Also wipes its environment to help hide its activities; again this is suspicious and easy to detect (e.g. running strings on /proc/$PID/environ returns nothing, which is basically never the case for a normal process)

  • The BPF filter inspects ICMP, TCP and UDP packets, and if a packet carries a special magic value in its first couple of bytes it is passed into the main packet processing routine

    • This then looks for a couple of specific passwords (RC4 encrypted) - if one matches it either sets up a local bindshell for the attacker to connect to OR connects back to the attacker with a reverse shell
    • It then adds an iptables rule to redirect traffic from the original port to the bindshell's port on localhost
  • The bindshell masquerades its process name to look like postfix and sets a specific environment too (including HISTFILE=/dev/null so no shell history is written)

  • The attacker then has full access to the machine (as the user the backdoor runs as)

  • Reasonably advanced malware

  • What is not clear is the initial compromise vector, and how the attacker then escalates privileges, since opening the raw socket the BPF filter is attached to (and changing iptables rules) requires root or the CAP_NET_RAW / CAP_NET_ADMIN capabilities

  • This is why it is important to keep systems updated with the latest patches etc.
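
The detection points above (a process whose binary has been deleted, an empty /proc/$PID/environ, a raw AF_PACKET socket for the sniffing filter, the /dev/shm/kdmtmpflush and /var/run/haldrund.pid artefacts, and the iptables REDIRECT rule to the local bindshell) can be checked from /proc without any extra tooling. The script below is an added example for these show notes; it is not code from the podcast, from the PwC/DoublePulsar/Sandfly analyses or from the malware. The proc and filesystem roots are parameters so the same checks run against a constructed test tree (build_fake_tree, with made-up pids and inodes) as well as a live host; the /proc/net/packet column layout and the " (deleted)" suffix on the exe link are standard Linux behaviour, not assumptions.

```python
"""Hunt for the BPFDoor hiding tricks described above by reading /proc.
Added example for these show notes, not code from the podcast, the cited
analyses or the malware. proc_root / fs_root are parameters so the same
checks run against the constructed tree from build_fake_tree()."""
import os
import re
import tempfile

DROP_PATHS = ("/dev/shm/kdmtmpflush", "/var/run/haldrund.pid")
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
REDIRECT_RE = re.compile(
    r"^-A PREROUTING\b.*?-p (\w+)\b.*?--dport (\d+)\b.*?-j REDIRECT --to-ports (\d+)")

def packet_socket_inodes(proc_root):
    """Inodes of AF_PACKET sockets: last column of each /proc/net/packet row."""
    try:
        with open(os.path.join(proc_root, "net", "packet")) as fh:
            next(fh, None)  # header: sk RefCnt Type Proto Iface R Rmem User Inode
            return {line.split()[-1] for line in fh if line.strip()}
    except OSError:
        return set()

def fd_socket_inodes(pid_dir):
    """Socket inodes among a process's open fds (fd/N -> socket:[inode])."""
    inodes = set()
    fd_dir = os.path.join(pid_dir, "fd")
    try:
        names = os.listdir(fd_dir)
    except OSError:  # no permission, or the process already exited
        return inodes
    for name in names:
        try:
            m = SOCKET_RE.match(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue
        if m:
            inodes.add(m.group(1))
    return inodes

def scan_processes(proc_root="/proc"):
    """(pid, indicator) pairs: deleted exe, empty environ, AF_PACKET socket."""
    findings = []
    pkt_inodes = packet_socket_inodes(proc_root)
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid, pid_dir = int(entry), os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            exe = ""  # kernel thread, or not ours to inspect
        if exe.endswith(" (deleted)"):  # kernel marks unlinked binaries this way
            findings.append((pid, "exe deleted: " + exe))
        try:
            with open(os.path.join(pid_dir, "environ"), "rb") as fh:
                if fh.read() == b"":
                    findings.append((pid, "empty environ"))
        except OSError:
            pass
        if fd_socket_inodes(pid_dir) & pkt_inodes:
            findings.append((pid, "holds AF_PACKET socket"))
    return findings

def check_drop_paths(fs_root="/"):
    """Known BPFDoor artefact paths that exist below fs_root."""
    return [p for p in DROP_PATHS
            if os.path.exists(os.path.join(fs_root, p.lstrip("/")))]

def redirect_rules(iptables_save_text):
    """(proto, dport, to_port) for each nat PREROUTING REDIRECT rule in
    iptables-save output; BPFDoor adds one to reach its local bindshell."""
    matches = (REDIRECT_RE.match(l.strip()) for l in iptables_save_text.splitlines())
    return [(m.group(1), int(m.group(2)), int(m.group(3))) for m in matches if m]

def build_fake_tree():
    """Constructed test tree, not host data: pid 1 is a benign init, pid 4242
    shows all three process indicators, and haldrund.pid has been dropped.
    Returns (fs_root, proc_root)."""
    fs_root = tempfile.mkdtemp()
    proc_root = os.path.join(fs_root, "proc")
    os.makedirs(os.path.join(proc_root, "net"))
    with open(os.path.join(proc_root, "net", "packet"), "w") as fh:
        fh.write("sk RefCnt Type Proto Iface R Rmem User Inode\n"
                 "ffff888100000000 3 3 0003 2 1 0 0 12345\n")
    for pid, exe, environ, fd3 in (
            (1, "/sbin/init", b"PATH=/usr/sbin:/usr/bin\0", "/dev/null"),
            (4242, "/dev/shm/kdmtmpflush (deleted)", b"", "socket:[12345]")):
        pid_dir = os.path.join(proc_root, str(pid))
        os.makedirs(os.path.join(pid_dir, "fd"))
        os.symlink(exe, os.path.join(pid_dir, "exe"))
        os.symlink(fd3, os.path.join(pid_dir, "fd", "3"))
        with open(os.path.join(pid_dir, "environ"), "wb") as fh:
            fh.write(environ)
    os.makedirs(os.path.join(fs_root, "var", "run"))
    open(os.path.join(fs_root, "var", "run", "haldrund.pid"), "w").close()
    return fs_root, proc_root

if __name__ == "__main__":  # live scan of this host; run as root to see every pid
    for pid, why in scan_processes():
        print(f"pid {pid}: {why}")
    print("artefacts:", check_drop_paths())
```

Run as root, otherwise /proc/<pid>/exe, environ and fd of other users' processes are unreadable and those pids are silently skipped. A single indicator is not proof: short-lived processes legitimately run from deleted binaries after a package upgrade, and tcpdump or a DHCP client will legitimately hold an AF_PACKET socket, so treat the combination (deleted exe plus empty environ plus a packet socket on a process claiming to be dbus-daemon or udevd) as the signal. Feed the output of iptables-save into redirect_rules to spot the localhost redirect the backdoor adds on activation.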

Get in contact
