HNNEpisode205

From Paul's Security Weekly
Jump to: navigation, search

Recorded January 29, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
    • Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Stories

    1. Researchers Release Tool That Finds Vulnerable Robots on the Internet - Written in Python 3, Aztarna is basically a port scanning tool with a built-in database of fingerprints for industrial routers (including Westermo, Moxa, Sierra Wireless, and eWON), and robotic technologies and components, as well as patterns that power the tool to test those devices against various known vulnerabilities and security misconfigurations. You can download the source code here: https://github.com/aliasrobotics/RSF
    2. New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide - If the connectivity and security of your organization rely on Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then you need to immediately install the latest firmware update released by the vendor last week. Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities in the wild after a security researcher released their proof-of-concept exploit code on the Internet last weekend. The vulnerabilities in question are a command injection flaw (assigned CVE-2019-1652) and an information disclosure flaw (assigned CVE-2019-1653), a combination of which could allow a remote attacker to take full control of an affected Cisco router...Researchers from cybersecurity firm Bad Packets said they found at least 9,657 Cisco routers (6,247 RV320 and 3,410 RV325) worldwide that are vulnerable to the information disclosure vulnerability...
    3. OpenBMC caught with 'pantsdown' over new security flaw | ZDNet - The bug, CVE-2019-6260, has been nicknamed "pantsdown" according to Software Engineer at the IBM Linux Technology Center Stewart Smith, who published a technical write-up on the security issue...Smith says that the vulnerability lies in how the ASPEED ast2400 and ast2500 BMC implement Advanced High-performance Bus (AHB) bridges, which permit arbitrary read/write access to the BMC's physical address space from the host, or from the network if the BMC console uart is attached to a serial concentrator. In case you were wondering what the heck OpenBMC is: The OpenBMC project is a Linux Foundation collaborative open-source project whose goal is to produce an open source implementation of the Baseboard Management Controllers Firmware Stack
    4. WordPress sites under attack via zero-day in abandoned plugin | ZDNet - WordPress site owners using the "Total Donations" plugin are advised to delete the plugin from their servers to prevent hackers from exploiting an unpatched vulnerability in its code and take over affected sites...Defiant (the company behind the Wordfence firewall plugin for WordPress) says that all attempts to contact the plugin's developer have been unfruitful. The developer's site appears to have gone inactive around May 2018
    5. Microsoft Exchange vulnerable to 'PrivExchange' zero-day | ZDNet - Microsoft Exchange 2013 and newer are vulnerable to a zero-day named "PrivExchange" that allows a remote attacker with just the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges with the help of a simple Python tool. According to the researcher, the zero-day isn't one single flaw, but a combination of three (default) settings and mechanisms that an attacker can abuse to escalate his access from a hacked email account to the admin of the company's internal domain controller
    6. Did you know? Monday was Data Privacy Day. - If you missed it, you didn't miss much. It was a day like any other day, without meaningful privacy except for those offline and unobserved by the global surveillance panopticon. The non-profit National Cybersecurity Alliance marked the occasion, observed since 2007, with a gathering of corporate privacy policy wonks at LinkedIn's San Francisco, California, headquarters. One must wonder if Facebook or Google attended....
    7. Apple turns off group FaceTime after discovery of eavesdropping bug - A newly discovered FaceTime bug could pose an eavesdropping problem, and Apple says it will have a fix out later this week. The bug allows iPhone users to call another device via the FaceTime video chat service and hear audio on the other end before the recipient has answered the call. That is, it can turn any iPhone into a hot mic without the user's knowledge. Make sure you turn off Facetime on all of your Apple devices, iPhones, iPads and your Apple Mac computers, instructions here: https://www.cnn.com/2019/01/29/tech/facetime-bug-how-to-deactivate-scli-intl/index.html

    Expert Commentary:

    Abusing Exchange: One API call away from Domain Admin

    I know Paul covered this already in the news section, but I thought this issue with Exchange was worth a little bit deeper coverage for our listeners. You may find yourself being asked whether or not this affects you and what can be done. The blog post and proof of concept code were released by Dirk-jan Mollema on Jan 21. First, the issue affects the default configurations of Exchange 2013, 2016, and 2019. At this point, you can be fully patched and be vulnerable. The issue occurs due to the combination of the following:

    • Exchange Servers have the WriteDacl permission in the domain
    • NTLM authentication does not have signing enabled
    • Exchange push subscriptions will send the NTLM credentials to workstations (any system, actually)

    This means that Exchange’s service account has default permissions that allow it to change account permissions in the domain.

    Push subscriptions allow someone with regular credentials to subscribe to an Exchange event, such as an email being delivered so that a client is notified when something changes.

    NTLM signing not being enabled has been an issue for a long time, but basically, you open yourself up to relay attacks when it’s not turned on.

    You can probably already start to see the issue here, but the flow goes like this:

    1. The attacker subscribes to an Exchange PushSubscription.
    2. Exchange sends a notification to the client via HTTP and sends along it’s NTLM credentials for authentication. After all, it needs to prove that it really is Exchange.
    3. The attacker turns around and relays those credentials over to the domain controller over LDAP
    4. The attacker modifies their access level using Exchanges WriteDacl permissions and does what they would like.

    In the researcher’s code, he implemented hash dumping to prove the issue out. This is obviously something that a basic domain user cannot do on their own. However, by stringing together the chain of events that Dirk-jan has it become possible. The hash dumping is something that he implemented for POC only, so keep in mind that the impact really is that the attacker has the ability to take over your domain with these permissions. They could give their account domain admin privileges instead. Or do something else that is more stealthy.

    Oddly enough, if you are still running Exchange 2010, you are not vulnerable to this because its default settings require NTLM signing. This breaks the whole process. Mitigations for the issue include:

    • Enable NTLM signing
    • Prevent Exchange from initiating network sessions with workstations on arbitrary ports
    • Remove Exchange’s high level of domain privileges.

    Obviously, you want to test this out heavily before implementing. I’ve included links to Dirk-jan’s blog post as well as a SANS ISC write up on the issue. If you’ve got Exchange running in your environment, you need to check this out.

    Sans Internet Storm Center link - Relaying Exchange’s NTLM authentication to domain admin (and more)


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+