-
Summary

COMSEC, a computer security group in Switzerland based out of the university ETH Zurich, has discovered and released a new iteration of rowhammer exploits on DDR4 DRAM, dubbed Blacksmith. (1) Originally discovered in 2014 by Google's security research team Project Zero (2), which also released a newer variant earlier this year (3), rowhammer attacks take advantage "of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times." (4)

Target Row Refresh (TRR) was implemented by DRAM manufacturers to mitigate these flaws; however, Blacksmith is the latest discovery in rowhammer exploits proving that TRR protection is insufficient, resulting in potential escalation in kernel privileges. COMSEC confirmed "that DRAM devices acquired in July 2020 with DRAM chips from all three major DRAM vendors (Samsung, SK Hynix, Micron) are affected by this vulnerability [Blacksmith]." (5)

"There might be a light at the end of the tunnel, what with TRR being replaced by a new line of defense called 'refresh management' in DDR5 DRAM modules, a mechanism that 'keeps track of activations in a bank and issues selective refreshes to highly activated rows once a threshold has been reached.'" (1)

CVE-2021-42114 Detail (6)
COMSEC blog: Blacksmith Methodology (7)

My Thoughts

I would love to see LTT try to replicate these results. The exploit is available on Github.

Sources
(1) https://thehackernews.com/2021/11/new-blacksmith-exploit-bypasses-current.html
(2) https://googleprojectzero.blogspot.com/search?q=rowhammer
(3) https://thehackernews.com/2021/05/google-researchers-discover-new-variant.html
(4) https://en.wikipedia.org/wiki/Row_hammer
(5) https://vulners.com/cve/CVE-2021-42114
(6) https://nvd.nist.gov/vuln/detail/CVE-2021-42114
(7) https://comsec.ethz.ch/research/dram/blacksmith/
-
So I was running Ubuntu in VirtualBox. It had been a while since I fired up this particular VM, and so Firefox was out of date and so was the copy of Ubuntu. I was on a website and I clicked on something accidentally that was very similar to an ad. Firefox immediately threw an error and froze, Ubuntu then threw a kernel error and Firefox then crashed. Like 20 seconds passed and then it clicked in my head that everything in the VM was out of date; I had just clicked on some random ad that crashed Firefox in a way which could be through overloading the memory and caused kernel errors. I could literally have a kernel exploit being run. Or it could have just been a bug. Regardless, due to the very systematic way things were throwing errors and crashing, I killed the box after like 30 seconds. I don't think I gave it nearly enough time to do any real damage and the few accounts I had logged into on the VM all have two-factor authentication. But my host PC is a different story; if it got out of the VM my life would be much more difficult. The VirtualBox machine did have a NAT connection to my main PC, which was connected to the internet through a VPN. I may just be paranoid, but if it was some type of exploit how possible would it be for a sophisticated piece of malware to escape VirtualBox?
-
Apple has released an emergency security patch for iPhones, iWatches, Macs, and iPads. The flaw exists in iMessage and is exploited by sending a specially crafted psd file, and has been used by the NSO Group to install Pegasus spyware. The exploit was discovered by a team of researchers analyzing phones of people who had the spyware and has now been patched. If you own an Apple product make sure it is up to date, as I'm sure it's just a matter of time before someone reverses it and tries a non-targeted general attack.

https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
https://gizmodo.com/go-update-your-iphone-ipad-mac-and-apple-watch-right-1847667694

This doesn't really surprise me. It always seems as though it is the image processing that ends up being the target of exploits (so many things that can go wrong in an image file, and yet users expect that images should be displayed). I predict that there will be a day when one of these exploits (either Android or Apple... or worse, both at once) is released for the sole purpose of disruption of the cell network (terrorist kind of attack). Imagine if this was used to make it self-replicating: it sends a message to all the person's friends' contacts, and then all at once kills the device or floods the network. With our modern reliance on phones, this kind of attack could be used to severely disrupt commerce. This is also why I dislike auto-preview from unknown contacts... I'm surprised that more apps don't have the option to disable that.
-
CVE-2020-117087 is a zero-day discovered by Google's Project Zero, which can use a buffer overflow for privilege escalation. Google Project Zero discloses vulnerabilities publicly after 90 days. However, this is known to be actively exploited, so it is on a 7-day disclosure. Microsoft gave a generic-sounding response when it went public:

The vulnerability was expected to be patched on November 10th. It has also been confirmed that this is not suspected of being election-related. The bug has apparently existed since Windows 7, and still exists in Windows 10 1903 (64-bit), so be sure to update!

Details

Further details on the exploit's workings: IOCTL is an abbreviation of input/output control. The actively used part of the exploit relied on a previous Chrome flaw, CVE-2020-117087, an issue in FreeType, which was fixed. It was also featured on Techlinked.

My thoughts

It is important to keep devices on a secure, up-to-date version for this reason, especially since there is evidence of it being actively exploited. If you have not updated after the FreeType flaw, you should ASAP.

Sources
https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/
https://bugs.chromium.org/p/project-zero/issues/detail?id=2104
-
Over the last few hours, Microsoft has announced they have patched a remote code execution vulnerability in the Windows (server) DNS server (CVE-2020-1350). There are already patches and workarounds; these need to be applied ASAP. You can find the article on the MSRC page here.

TL;DR: If you cannot apply the patch you can quickly deploy a registry workaround which will mitigate the risk until you can fully patch it.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

NOTE: this requires a DNS service restart.

Edit: Specify that it only affects the server variants.
Edit2: Take this with a grain of salt, but there seems to be someone claiming responsibility for it over on Twitter.
-
Source: https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/

Why do I say "again"? Because another XSS exploit was discovered 2y ago: https://steamdb.info/forum/292/why-an-xss-exploit-on-steamcommunitycom-is-scary/

Enable your two-factor auth, people, and stay away from profile pages... any profile page. It's good that ValvE notified users as soon as possible about the security risk.

---
edit: the exploit has been fixed and profile pages are now safe to browse
-
Source: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

The blog post contains an easy fix for Firefox. My thoughts are that this is very severe and Google should deliver a fix for their browser ASAP. In the meantime you can use Firefox with the config tweak for important stuff. I'm not sure if this belongs here as it is more of a PSA.
-
Article: CVE-2016-5195

This seems just as bad as Heartbleed or the recent TCP exploit. Patch your kernels, yesterday.

*edit* Google your distro along with the words "Dirty COW" to see where this vulnerability is fixed.
-
So you know how you can stream a program like a game from a PC to your laptop? Well, it's got some issues. So for a while now I've been able to stream a program from Steam to my laptop and minimise the program to gain full control over the desktop... yep, that's not meant to happen. Since Valve hasn't fixed this security flaw for some months since I discovered it, I want to make it publicly known, because imagine if someone gained control over your Steam account and could gain full control over your Steam server through this exploit.
-
https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0
https://www.bleepingcomputer.com/news/security/39-percent-of-all-counter-strike-16-servers-used-to-infect-players/

The CS client isn't secure, and has been targeted by malicious servers, growing a botnet from CS players, and promoting servers to play on that further infect more users. This was so easy to do that it constituted 39% of CS servers for a while. This has currently been partially mitigated by shutting down some of the distribution methods of the trojan by disabling select domain names, but it can easily spring back up again unless the client is actually patched. Unfortunately, CS has been EOL (end of life) without further support for some time now, so that is unlikely. This is different from a previous similar attack where the user was asked to download the files, as this is silent.
-
Ok, so last night around midnight I was playing with some friends and my RDP session ended because 'Someone else logged into that device'. I immediately got suspicious but thought it could have been my phone connecting; it wasn't. So I unplugged the server's connection to the network and left it because it was too late for me to care to go downstairs and reboot it to see what happened. (I am powering a HDD via an external PSU, so I thought maybe corruption or my password expired or something.) After I went to check on it today there is a new account (with Administrator rights) called 'support'. I have a bunch of weird software on the server from when I was trying to host a music streaming thing and from trying to find one god damn piece of software that can clone HDDs in Windows SERVER because every one I use thinks it is an enterprise environment and won't launch. Anyway, I decided to check if they used the popular Utilman exploit to get in and sure enough, they did. But they were not as dumb as I figured and actually made a small bat file to password protect cmd on the lock screen. Too bad they weren't that smart because they left the bat file in the C:\Windows folder and all they did was add +s +h (I always have show system and show hidden files on so all I did was sort by date to find it). The bat file had the password that allowed me to re-Utilman exploit my way back into it. IDK what their plan was; all of my game servers and the NAS RAID array are untouched.

So PSA: UPDATE YOUR SHIT. DON'T INSTALL OBSCURE SOFTWARE UNLESS YOU ACTUALLY KNOW IT IS LEGITIMATE.

Oh and IDK how they got access; the Administrator password was a 9 character password with symbols, capitals, numbers etc. So somewhat secure. That is the only account with remote access and the only Administrator account. Ports for SMB, RDP, and 6669, 6969, 69111 are open (last 3 are for game servers); all SMB traffic should be encrypted (and no one uses Admin creds for SMB anyway). My only guess is RDP somehow leaked the creds because it should have been encrypted but maybe it wasn't...

For anyone who wants info on the actual specific attack, here is the bat file and login details they used for CMD. I don't know the support user password (it wasn't the same as the CMD thing). Overall I give it a 10/10 for 14 year old me (totally didn't use the Utilman exploit on someone else's machine when I was 14). Anyway here is the login and bat file:

Username: support
Password: Hadi!!

@Echo OFF
Title Login
COLOR 03
Echo.
Echo Cmd Login
Echo ==========
Echo.
SET /P "bx32276160702692518614=username:"
GOTO b38571219614275885
:b38571219614275885
SET /P "d24912142241730026224=password:"
GOTO d149912152960521466
:d149912152960521466
IF "support"=="%bx32276160702692518614%" (GOTO bd557224172739122727) Else (GOTO db1626212052760527041) >nul 2>&1
:bd557224172739122727
IF "Hadi!!"=="%d24912142241730026224%" (GOTO bb43921855998985577) Else (GOTO db1626212052760527041) >nul 2>&1
:db1626212052760527041
Exit
GOTO :dd1049154811817421201
:bb43921855998985577
COLOR 07 & Title Command Prompt
CD "C:\Windows\System32"
CLS
CMD.EXE /D
:dd1049154811817421201

131326553247352173111730010.bat
-
Sources: CRN, Bleeping Computer

TL;DR: The IoT once again is wide open to another attack. This one affects almost half a billion devices. With IoT devices potentially not even being updated, a large attack like Mirai, which brought down Github, Reddit, Netflix, and other large companies, could only be a short time away.

My Opinion: We really need a 3rd party certification company or some sort of regulation to force smart devices to be audited before they reach the consumer, as well as ensuring they receive security patches for at least X years. We're basically mass marketing back doors into people's homes nowadays.
-
Hi Linus Media Staff, today the renewal of my Floatplane Club subscription for a whole year went through (26€). Minutes later somebody made several purchases amounting to ~450€. Fortunately my credit card institute noticed these purchases and blocked my card. Is there an exploit in the Floatplane purchasing process? Please look into that! Sincerely, ThoSap
-
Ok so I read a topic (in another forum) about a guy hoping that he could find a GTX 1050 Ti 4GB @ 150 euro... I was like "he must be confused or something" but upon looking on the interwebs for this cheap entry level bicycle of a card I found out that he was right... retailers have gone mad AF... the card costs as if it was able to play the most demanding games on ultra settings at 1080p @ over 60 FPS!!! There was a time not long ago when people saw this excuse of a PCB https://geizhals.de/zotac-geforce-gtx-1050-ti-low-profile-zt-p10510e-10l-a1589782.html?hloc=at&hloc=de followed by a price tag of 70 euro, not 170. That's essentially an avit office card... The sole fact that it can be made in such a small PCB proves that it is over-simplistic and not worth it from a gamer's perspective...... Where is our society going to? Yes I know miners, supply and demand, blah blah blah, but it seems to me that manufacturers just like the situation as it is and overexploit it; demand can be met by supply and I think they can increase their supply. Also the designing companies like AMD and Nvidia don't give a rat's @@@ either.. Gamers made them what they are today; if gamers wouldn't support them they would not be on the map! And instead of recognizing this they just mock us by ignoring this travesty. Make separate products for miners or increase the supply instead of asking midrange+ level money for an entry level card!!! But most of all I think we as the consumers are at fault too because instead of shaming them for doing so we just accept the situation and overpay for their garbage... lol
-
News flash! Intel f*cked up again and 3 generations of Intel CPUs are apparently vulnerable to an exploit which either gives the hacker full access to your computer or, failing that, gives them critical system information. The bug affects Windows and Linux, and in a unique way to say the least, the Linux kernel team expressed their disappointment with Intel with this statement:

As explained in The Verge (https://www.theverge.com/2018/1/3/16844630/intel-processor-security-flaw-bug-kernel-windows-linux), the kernel has complete control over the entire system and there is a flaw with Intel CPUs that lets attackers bypass the security measures put in place to protect the kernel. This basically means you're f#cked. The worst part is that this isn't just it. Investigations on the kernel vulnerabilities have shown that the bug could be present in Intel CPUs manufactured over the last 10 years if they are 8th, 7th or 6th generation processors and if it's running on Windows or Linux. Intel themselves have released a tool named Intel-SA-00086 which you can download here (https://downloadcenter.intel.com/download/27150?v=t) to perform an inspection on your CPU to see if it is vulnerable. Several teams are working to create a patch for the bug as we speak, but the patch could decrease the CPU's performance by up to 30%. Let's put it this way: you have an Intel Core i7 7700K at 4.2 GHz. A 30% decrease in performance means only 2.94 GHz of those initial 4.2 are available for usage. That is RIDICULOUSLY LOW.

As The Verge says it:

AMD has confirmed that this does not affect their CPUs, as Tom Lendacky, an AMD engineer, explains here:

Some people on Twitter, such as the popular Spanish YouTuber "Alexelcapo", have expressed their disappointment with Intel and threaten "switching to Ryzen without looking back". Here I have translated it for you:

Translated: The bug that has been discovered in every Intel CPU is very serious. The CEO sold his shares of the company back in November (ehm) and it affects every CPU old or new down to Pentiums. No joke. The patch that is in the making for Windows causes a notable loss in performance.

Translated: If it is confirmed that the patch causes a loss in performance in a 5% to 30% range I'm switching to Ryzen to never go back.

Sources:
The Verge: https://www.theverge.com/2018/1/3/16844630/intel-processor-security-flaw-bug-kernel-windows-linux
Intel: https://downloadcenter.intel.com/download/27150?v=t
Twitter: https://twitter.com/EvilAFM/status/948576700325138433
-
I was able to get all HTML code, scripts etc. to autorun on Floatplane. I see this as a huge concern for people who are malicious and have different intent.
-
Intel's Management Engine was exploited.

Affected CPU list

Download this tool from Intel's website to check if yours is vulnerable and then update your BIOS with the patched one.

Resources from system/motherboard manufacturers

Sources:
https://www.gamersnexus.net/industry/3137-how-to-check-intel-cpu-for-security-exploit-vulnerability
https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
https://www.engadget.com/2017/11/22/intel-security-flaw-core-processors/
-
Google researchers discovered a Windows exploit involving local system privileges being combined by attackers with a separate Google Chrome security flaw patched last Friday. While the Chrome exploit is inactive after Google rolled out a security update, Windows users running old versions are still at risk. "The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interacting with sensitive parts of an OS. Attackers combined an exploit for this vulnerability with an exploit for CVE-2019-5786, a use-after-free bug in Chrome’s FileReader component. The Windows vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances." - Ars Technica While Google released a patch for chrome a week ago the update requires a browser restart to take effect unlike the previous chrome exploit involving the Adobe Flash plug-in which did not require a restart. Clement Lecigne, a member of Google’s Threat Analysis Group advises that all Windows users upgrade to version 10. (source - https://arstechnica.com/information-technology/2019/03/attackers-are-actively-exploiting-a-serious-windows-zeroday-in-the-wild/)
-
http://arstechnica.com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones/ As a huge proponent of rooting one's phone, I also recognize the dangers root access can represent. Thankfully, rooting is convoluted enough that most of our non tech-savvy family and friends simply won't do it, keeping themselves safe from accidental bricks and unfriendly instructions. The fact that some apps available from Google Play can just straight-up force root access is scary, even if it is theoretically for useful features. While I'm sure the AOSP team will patch these exploits very quickly, the ecosystem fragmentation means that people will be open to yet another attack for years to come. One Ars commenter put it succinctly: "Android is a big Petri dish. Surprise! It's mouldy."
-
Over one billion Android-powered phones at risk?!? According to WCCFtech: http://wccftech.com/security-exploits-put-snapdragon-powered-devices-at-risk-of-hacking/
-
So I've been set the challenge to gain access to the local Administrator account on my school computers and to get an Administrator level account onto the domain, but this brings another challenge. As we need cmd as the SYSTEM user account we need to rename cmd to Utilman to open it on the login screen, but the problem is the startup repair feature has been disabled as well as boot from USB, so we need a way to access the domain from our own laptops or gain access to the C drive to run the commands we need. We are quite stuck at this point and any advice would be helpful.
-
Another major flaw has been found in Adobe's Flash plugin, and it's recommended that you disable or uninstall it until a fix comes out, which apparently will be next week some time.

http://thenextweb.com/apps/2015/10/15/an-adobe-flash-bug-affecting-all-computers-is-another-reminder-to-uninstall-now/
http://bgr.com/2015/10/15/adobe-flash-player-security-vulnerability-warning/
-
Apparently the exploit was reported last July but just patched in the last 24 hours. It's a remote code execution exploit so this can be nasty over the next few days.

SOURCES:
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/

For those interested, these are the patched versions of glibc on Debian and CentOS (along with how to check):

Command to check for CentOS: rpm -qa | grep glibc
CentOS 6 = glibc-2.12-1.166.el6_7.7
CentOS 7 = glibc-2.17-106.el7_2.4

Command to check for Debian: dpkg -s libc-bin | grep Version
Debian 6 = 2.11.3-4+deb6u11
Debian 7 = 2.13-38+deb7u10
Debian 8 = 2.19-18+deb8u3
Debian Sid = 2.21-8
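As an added example (not from the post above or from the glibc project), here is a small Python helper that parses the output of the two check commands from the post and compares the installed version against the post's fixed-version table using dpkg's version ordering instead of a plain string comparison (which would wrongly rank "deb8u10" below "deb8u3"). The sample command output is constructed, and applying dpkg ordering to the CentOS RPM versions is an assumption (rpm's own comparison is similar but not identical).

```python
import re

# Fixed glibc versions for CVE-2015-7547 as listed in the post above.
FIXED_VERSIONS = {
    "centos6": "2.12-1.166.el6_7.7", "centos7": "2.17-106.el7_2.4",
    "debian6": "2.11.3-4+deb6u11", "debian7": "2.13-38+deb7u10",
    "debian8": "2.19-18+deb8u3", "debian-sid": "2.21-8",
}
# Constructed sample output of `rpm -qa | grep glibc` (unpatched CentOS 6) and of
# `dpkg -s libc-bin | grep Version` (patched Debian 8); not captured from real hosts.
RPM_SAMPLE = "glibc-common-2.12-1.166.el6_7.3.x86_64\nglibc-2.12-1.166.el6_7.3.x86_64\nglibc-devel-2.12-1.166.el6_7.3.x86_64\n"
DPKG_SAMPLE = "Version: 2.19-18+deb8u3\n"

def _order(c):
    # Character weight from dpkg's verrevcmp: '~' < end of string < letters < other symbols.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    # Compare one version component the way dpkg does: alternating runs of non-digits
    # (weighted by _order) and digits (numerically), so "deb8u10" sorts after "deb8u3".
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():  # a's number has more digits, so it is larger
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive as v1 is older than, equal to or newer than v2 (epoch:upstream-revision)."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_rpm_output(text):
    """Version of the glibc package itself from `rpm -qa | grep glibc` output (skips -common/-devel, drops arch)."""
    for line in text.splitlines():
        m = re.match(r"^glibc-(\d\S*)\.(?:x86_64|i686|i386|aarch64|noarch)$", line.strip())
        if m:
            return m.group(1)

def parse_dpkg_output(text):
    """Version from `dpkg -s libc-bin | grep Version` output."""
    for line in text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()

def is_patched(distro, installed):
    """True when the installed glibc is at or above the fixed version for that distro."""
    return compare_versions(installed, FIXED_VERSIONS[distro]) >= 0
```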
-
http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-bug-that-allows-malware-distribution/

A bypass was found in eBay's listing configuration that can allow a poster to inject a script into an otherwise legitimate webpage. Ars goes on to show some concrete examples, including a screenshot of code that can actually do what is being described. eBay responded to Ars saying: "We have not found any fraudulent activity stemming from this incident." If I'm reading this correctly, eBay just said they have absolutely nil in terms of proactive security measures, preferring to fix issues only after someone has been affected. I'd recommend alerting your less tech-literate bargain-searching friends to NEVER INSTALL something they are asked to install by a website (rather than seeking out and installing it themselves). Sure, this should be done anyway, but this is just another specific example of why.
-
UPDATE: Note: NOT ALL GAMES ARE FIXED YET, PLEASE READ MORE BELOW

The following is an update from the OP from a moderator on the /r/steam subreddit:

Note: This is ONLY a Source 2013 update, and people who run mods and host servers still have to manually opt into the beta branch. Updates for games like CS:S weren't released yet. I'd also like to remind everyone that the only patched Source games SO FAR are TF2, CS:GO and Dota 2. I recommend that you play on Valve/trusted servers only until this is resolved. If you want another way to fix it, watch the video below. Please be careful. Stay safe, -Newton

Update Youtube Video:

Original Post:

Note: I will edit this post once the exploit is fixed in all Source games/mods.

The following is a PSA by a moderator of the /r/steam subreddit: Please also note that Counter Strike Source has also been affected and that modern, non-modded titles have been patched (vanilla TF2, CS:GO and DOTA 2). This also doesn't just affect Source 2013 games. ALL unpatched Source games should be considered vulnerable.

Normally I wouldn't quote the entire message, but because this may result in a VAC ban, as well as losing your entire Steam inventory, I believe this is an exception to the standard news rules. For more information about how it was discovered check out the Youtube video below by a channel dedicated to news on Valve.

Source: https://www.reddit.com/r/Steam/comments/3jja73/source_2013_mp_base_file_upload_and_execution/
Youtube Video: