Huge number of sites imperiled by critical image-processing vulnerability [Updated]

By | Ars Technica

Attack code exploiting critical ImageMagick vulnerability expected within hours.

A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.

The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker’s choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

“The exploit is trivial, so we expect it to be available within hours of this post,” Huber wrote in a blog post published Tuesday. He went on to say: “We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.”

Update, May 4, 2016, 3:55: Almost 24 hours after this post went live, researchers from website security firm Sucuri published an independent analysis that concurs with Huber’s assessment. It also sheds new light on how the exploit works. They said that recent versions of ImageMagick don’t properly filter uploaded file names before passing them to server processes such as HTTPS. The omission allows attackers to execute commands of their choosing, giving them full remote command execution.

“The vulnerability is very simple to exploit,” Sucuri founder and CTO wrote in Wednesday’s post. “An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.”

As Huber predicted, it didn’t take long for people to develop proof-of-concept exploits. At least one of them is publicly available.

ImageMagick maintainers have also acknowledged the possibility of critical vulnerabilities allowing remote code execution. They haven’t issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in this downloadable file. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected “magic bytes” corresponding to the image file types before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can’t immediately be put in place.

The code-execution bug was discovered by security researcher Nikolay Ermishkin, who is expected to release an advisory in the coming hours. Huber went public in an attempt to prevent malicious attacks after learning the vulnerability details were already being widely disseminated ahead of Ermishkin’s planned disclosure. The code-execution vulnerability came to light after it was used in recent bug bounty submissions.

One attack scenario would involve a social media site, blogging service, or news site that accepts image uploads from untrusted end users. An attacker could upload a file ending with png, jpg, or another supported extension, even though the contents are in a different format. Once ImageMagick detects the mismatched format, it will attempt to transform the image into an intermediate format that in some cases results in an insecure decoding path. That condition, in turn, can lead to code execution on the server.

Huber said that the mitigations he recommended are effective against all of the exploit samples he has seen, but he went on to say there’s no guarantee the measures will eliminate all types of attack. Until the full scope of the vulnerability is disclosed, people using ImageMagick should assume that the mitigations are incomplete. That means admins should monitor this vulnerability closely and be ready to put additional defenses in place. Another option is either to sanitize images before they’re processed by ImageMagick or disable all formats except the ones needed.
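Huber’s advice to check that every upload begins with the magic bytes of the type it claims, and the extension/content mismatch at the heart of the attack scenario above, can be turned into a small front-door check. The following is an added example, not code from the Ars article, from Huber’s post or from the ImageMagick project: the accepted-type table, the `accept_upload` handler and the sample uploads are all constructed here.

```python
"""Added example (not from the article, Huber's post or ImageMagick itself):
gate uploads on their leading "magic bytes" before ImageMagick ever sees them.
The type table and the sample files are constructed for this demonstration."""
import os
from typing import Dict, List, Optional, Tuple

# Leading bytes of the only image types this hypothetical upload handler accepts.
# Everything else is refused, which mirrors the advice to keep only the
# formats a site actually needs.
MAGIC_BYTES: Dict[str, List[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def declared_type(filename: str) -> Optional[str]:
    """Type the uploader claims, taken from the extension (lowercased)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext or None


def header_matches(data: bytes, ext: str) -> bool:
    """True if the file starts with one of the signatures registered for `ext`."""
    return any(data.startswith(sig) for sig in MAGIC_BYTES.get(ext, []))


def accept_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether `data`, uploaded under `filename`, may go to the image
    processor.  Returns (accepted, reason)."""
    ext = declared_type(filename)
    if ext is None:
        return False, "no extension"
    if ext not in MAGIC_BYTES:
        return False, f"type .{ext} is not allowed"
    if not header_matches(data, ext):
        # The case from the article: a permitted extension on a file whose
        # real contents are something else entirely.
        return False, f"contents do not start with a .{ext} header"
    return True, "ok"


# Constructed uploads: three genuine headers, one PostScript file renamed .png,
# one disallowed type and one file with no extension at all.
SAMPLE_UPLOADS = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("anim.gif", b"GIF89a" + b"\x00" * 16),
    ("photo-renamed.png", b"%!PS-Adobe-3.0\n/Helvetica findfont\n"),
    ("notes.txt", b"just text\n"),
    ("image", b"\x89PNG\r\n\x1a\n"),
]


def screen_uploads(uploads=SAMPLE_UPLOADS) -> Dict[str, Tuple[bool, str]]:
    """Run every sample through accept_upload; returns {filename: (accepted, reason)}."""
    return {name: accept_upload(name, data) for name, data in uploads}


if __name__ == "__main__":
    for name, (ok, why) in screen_uploads().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name}: {why}")
```

This is a front-door check only: a file can begin with a valid PNG or JPEG header and still carry other content further in, and ImageMagick does its own format detection regardless of the extension, so the check belongs alongside the configuration-file restrictions the maintainers recommended rather than in place of them.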

The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and PostScript. In the longer term, admins should consider switching to GraphicsMagick, an ImageMagick fork that supports a much smaller number of file types.

Update: About 40 minutes after this post went live, security researcher Dan Tentler said he has developed a working proof-of-concept exploit.

State-sponsored cyberspies inject victim profiling and tracking scripts in strategic websites

By | PCWorld

Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows.

Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts into over 100 websites visited by business executives, diplomats, government officials and academic researchers.

The researchers believe the compromised websites attract visitors involved in international business travel, diplomacy, energy production and policy, international economics and official government work. They include sites belonging to embassies, educational and research institutions, governments, visa services, energy companies, media organizations and non-profit organizations.

While no exploits or malicious code have been served through the injected scripts, the goal of the attackers appears to be the identification of unique users who can be targeted with attacks tailored for their specific computer and software configurations. FireEye has named the reconnaissance campaign WITCHCOVEN and believes that it’s the work of state-sponsored attackers.

When users visit one of the compromised websites, their browsers get silently redirected to one of several WITCHCOVEN profiling servers. Scripts hosted on those servers collect information like the user’s IP address, their browser type and version, the language setting, the referring website, the version of Microsoft Office and browser plug-ins like Java, Flash Player, etc.

In addition, they also install so-called supercookies or evercookies inside users’ browsers. These cookies are hard to delete and are used to track users across multiple websites.
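The injection described above leaves a trace in the compromised site’s own HTML: a script, iframe or object reference to a host the site has no business loading active content from. The following is an added example, not FireEye’s tooling or code from the PCWorld article, of an integrity check a site operator can run over published pages; the allowlist, the `.invalid` placeholder hosts and the sample page are constructed here.

```python
"""Added example (not FireEye's tooling): flag script, iframe, embed and object
references in a page's HTML whose host is outside an allowlist.  A silently
injected redirect to a profiling server shows up as an unexpected external host.
The allowlist and the sample page are constructed for this demonstration."""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Hosts the site is expected to load active content from (constructed).
ALLOWED_HOSTS: Set[str] = {
    "www.embassy-site.test",
    "static.embassy-site.test",
}


class ActiveContentCollector(HTMLParser):
    """Collects the URL attribute of every tag that can load or run code."""

    TAG_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[tuple] = []  # (tag, url, line number)

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTR.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # getpos() still points at the '<' of this tag inside the handler
                self.refs.append((tag, value, self.getpos()[0]))


def find_unexpected_hosts(html: str, allowed_hosts: Set[str]) -> List[Dict]:
    """Return one finding per active-content reference whose host is not allowed.
    Relative URLs (same origin) and schemes without a host are ignored."""
    parser = ActiveContentCollector()
    parser.feed(html)
    findings = []
    for tag, url, line in parser.refs:
        # urlparse handles http://, https:// and scheme-relative //host/ forms;
        # hostname is returned lowercased, or None for relative paths
        host = urlparse(url).hostname
        if host is None:
            continue
        if host not in allowed_hosts:
            findings.append({"line": line, "tag": tag, "host": host, "url": url})
    return findings


# Constructed page: two legitimate references, then an injected script and a
# hidden 1x1 iframe pointing at made-up hosts (.invalid is reserved for placeholders).
SAMPLE_PAGE = """<html><head>
<script src="https://static.embassy-site.test/js/app.js"></script>
<script src="/js/local.js"></script>
<script src="//profiling-host.invalid/jquery.js"></script>
</head><body>
<iframe src="https://stats.tracker.invalid/c" width="1" height="1"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_unexpected_hosts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"line {f['line']}: <{f['tag']}> loads from unexpected host {f['host']}")
```

Run this over a stored copy of each published page on a schedule and alert on any new host; the evercookie and profiling logic described above has to be loaded from somewhere, so catching the loader reference catches the rest.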

“We believe that the computer profiling data gathered by the WITCHCOVEN script, combined with the evercookie that persistently identifies a unique user, can – when combined with basic browser data available from HTTP logs – be used by cyber threat actors to identify users of interest, and narrowly target those individuals with exploits specifically tailored to vulnerabilities in their computer system,” the FireEye researchers said in their report.

The company has not detected any follow-up exploitation attempts against its customers so far, but this could be because the attackers use a highly-targeted approach to victim selection.

The subsequent exploits could be embedded in malicious documents attached to email spear phishing messages and not necessarily be served through a browser. The gathered information could also be used to assist in traditional spying operations.

Some of the compromised websites suggest that the attackers may have a particular interest in individuals associated with a major Russian energy company, Russian cultural organizations, Russian embassies, Ukraine’s security services and border guards and a media organization in the Republic of Georgia, the FireEye researchers said.

Researchers uncover fundamental USB security flaw, no fix in sight

A pair of security researchers from SR Labs have uncovered a fundamental flaw in the way USB devices work. It affects every single USB device out there and worse yet, there’s no line of defense short of prohibiting USB stick sharing or filling your USB ports with superglue.

The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware. Instead, it’s built into the core of how the technology works.

After spending several months reverse engineering the firmware that handles the basic communications functions of USB devices, they were able to reprogram the firmware to hide malicious code. This firmware is present on every USB device within the controller chip – the component that facilitates communication between the USB device and the computer it’s plugged in to.

By loading malicious code on the firmware, it’s essentially hidden from sight. Anti-virus scanners can’t pick it up and formatting won’t help, either.

To prove their point, the team created a piece of malware called BadUSB that can be used to completely take over a PC, alter files invisibly and even redirect a user’s Internet traffic.

And just to be clear, we aren’t talking about just USB flash drives but any device that connects via USB: keyboards, mice, smartphones, tablets, you name it. Worse yet, it’s nearly impossible to determine if a device has been tampered with. The researchers say there isn’t even any trusted USB firmware to compare code against.

Matt Blaze, a computer science professor at the University of Pennsylvania, speculates the attack may already be common practice for the NSA. He points to a spying device called Cottonmouth that was mentioned in one of Edward Snowden’s many leaks. Exact details of the device weren’t mentioned but the leak claimed the tool hid in a USB peripheral plug.

via Researchers uncover fundamental USB security flaw, no fix in sight – TechSpot.

One-click/key attack forces IE and Chrome to execute malicious code

By | Ars Technica

A researcher says he has uncovered a security weakness that can easily trick people into executing malicious code when they use the Microsoft Internet Explorer and Google Chrome browsers to visit booby-trapped websites.
The attack was recently presented at the Hack in the Box security conference by independent security researcher Rosario Valotta. It exploits weaknesses in the way browsers notify users when they execute operating-system-level commands, such as printing or saving. He said the attack works against Windows 7 and Windows 8 users running IE versions 9 and 10 when they enter either one or two characters while visiting a malicious website. Windows 8 machines running Chrome can be forced to execute malicious code when users click on a single HTML button on a malicious page, such as “Play” for a video or a Facebook “Like.” Windows provides some protection against this social engineering attack, but Valotta said attackers can often bypass those defenses.

When a user visits the attack website, it opens a pop-under window that in most cases will remain invisible. The hidden window immediately begins downloading a malicious executable file without notifying the user or requiring any kind of permission. When the website is visited using IE, the file can be executed when English-speaking Windows 7 users type “r” and when Windows 8 users enter the tab key followed by the r key. The keystrokes, which can be invoked by asking the visitor to solve a CAPTCHA puzzle used to filter out bots, send a Windows command to the pop-under window instructing it to run the recently downloaded file. Clicking a booby-trapped HTML button while visiting the page in Chrome similarly executes the malicious file.

Security researchers have long viewed the ability to invoke powerful operating-system commands as one of a browser’s more dangerous features. While this ability provides convenience to users, it can also be exploited to force a machine to expose or delete sensitive data or, as in this case, execute code of an attacker’s choice.

“The integration between the browsing environment and the operating system to actually execute system-level commands is a pretty terrible design,” said Robert Hansen, director of product management at White Hat Security. “As a security researcher, almost every time you see something like that, you know that there’s some way to exploit it. Every time there’s these weird hooks into system-level DLLs that are used both by the operating system and by the browser, it’s almost always going to have some dangerous thing about it.”

For their part, Microsoft officials said in a statement that they don’t consider the behavior a vulnerability.

“We are aware of this industry-wide social engineering technique that requires user interaction to run a malicious application,” the statement said. “This is not a vulnerability, as someone must be convinced to visit a malicious site and take additional action, such as using a keyboard shortcut to execute the malicious application. Smart Screen will help mitigate the risk for customers running Internet Explorer. We continue to encourage customers [to] exercise caution when visiting untrusted websites.”

The attack is by no means foolproof since Windows 7 and 8 both provide protections designed to prevent the execution of malicious files. One defense, known as User Access Control, requires a user to approve the running of any file that needs high-level “administrator” privileges from the operating system. Another, known as Smart Screen, checks webpages and downloaded files for signs they’re malicious.

But Valotta said Smart Screen protections can be bypassed in some cases by using shortened URLs that link to malicious executable files. He found that about 20 percent of them will get through. Smart Screen can also be bypassed when malware is digitally signed by a genuine extended validation certificate or a “trusted” signing certificate that’s already been used to validate benign applications. Valotta said malware frequently doesn’t need an end user to approve administrator access through User Access Control. HTML content injection, keylogging and autostart, and other malicious functions can all be carried out with non-administrative privileges because they rely on so-called “userland” programming interfaces, according to Valotta.

While it’s troubling to see an attack with the potential to do so much damage with so little user interaction, it’s important to note that the defenses Microsoft puts into recent versions of Windows go a long way to making these types of exploits less reliable. The user notifications and the Smart Screen filtering will often completely shut down an attack before it’s able to succeed. These protections may also limit the damage that can be done and the amount of effort required when an attack does work. Security professionals call this layered approach “defense in depth.” Still, it’s surprising to read Microsoft’s statement saying it’s not a vulnerability when a user is one or two clicks away from an attack that has a statistically significant chance of successfully executing malicious software. This weakness may not be the highest priority for Microsoft’s security team, but I do think it’s worth an eventual fix.
via One-click/key attack forces IE and Chrome to execute malicious code | Ars Technica.