/tech/ - Technology

Where proprietary software comes to die

ex/ploit/ General Anonymous 08/12/2016 (Fri) 23:28:49 No. 6210
In an attempt not to bump off important threads from >>>/tech/ I hereby propose the first exploit general thread

Post any new and old exploits you would like to discuss.

For perfect RSS/ATOM digests in one thread


Anonymous 08/12/2016 (Fri) 23:29:40 No. 6211
Samples: >>4409
0day vulnerability in ThinkPads
https://twitter.com/d_olex/status/737936305514893313
It's similar to https://support.lenovo.com/nl/en/product_security/smm_attack

Update:
1. https://twitter.com/d_olex/status/747963726314168320
>New article, “Exploring and exploiting Lenovo firmware secrets”:
>http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html … Code: https://github.com/Cr4sh/ThinkPwn #ThinkPwn

2. https://twitter.com/d_olex/status/748270900911300608
>Great news: it’s is not a Lenovo backdoor, it’s Intel reference code vuln from 2014 that was copy-pasted by OEM/IBV > https://kernel.googlesource.com/pub/scm/linux/kernel/git/jejb/Quark_EDKII/+/master/QuarkSocPkg/QuarkNorthCluster/Smm/Dxe/SmmRuntime/SmmRuntime.c#639
https://twitter.com/d_olex/status/748271177924120576
>So, it means that not only Lenovo machines affected, some other vendors also has this old vulnerable code for sure
https://twitter.com/d_olex/status/748273220730511360
Old EDK2 code from Intel vs code from ThinkPad firmware
https://pbs.twimg.com/media/CmJmha9UgAA3OhI.jpg:orig

3. https://twitter.com/d_olex/status/748286080214933505
>Unfortunately, I have no idea how old this bug is — vulnerable code was private for quite a while and only Intel has the full commit history
https://twitter.com/d_olex/status/748289669201178625
>So different machines, so similar vulnerable firmware :)
https://pbs.twimg.com/media/CmJ1bsJUYAAEnHR.jpg:orig
https://twitter.com/d_olex/status/748483619660791812
>@rootkovska Lack of transparency strikes back :)

4. https://twitter.com/d_olex/status/748801296656850944
>It seems that Lenovo released some advisory for my System Management Mode vuln (no technical details, no links): https://support.lenovo.com/my/en/solutions/LEN-8324
https://twitter.com/d_olex/status/748801730364645376
>“Scope of Impact: Industry-wide” << yay)
https://twitter.com/d_olex/status/748802865485918208
>Lenovo is blaming its IBV, so it's 100% that there are other OEMs that have this vuln in their products
https://twitter.com/d_olex/status/748806692754714625
>Dear vendors, “give us your 0day vulnerability for free and don’t publish anything” — it’s not a cooperation request
https://pbs.twimg.com/media/CmRLtmmUcAAr7sI.png:orig

"Firmware exploit can defeat new Windows security features on Lenovo ThinkPads" http://www.infoworld.com/article/3091066/security/firmware-exploit-can-defeat-new-windows-security-features-on-lenovo-thinkpads.html … via @infoworld

WinBeta (On MSFT) ‏@onmsft Jul 2
Zero-day exploit bypasses Windows security features, affects Lenovo ThinkPads http://bit.ly/29kyPxS
"Firmware exploit can defeat new Windows security features on Lenovo ThinkPads" http://www.pcworld.com/article/3091104/firmware-exploit-can-defeat-new-windows-security-features-on-lenovo-thinkpads.html … via @pcworld

https://twitter.com/d_olex/status/756752172818112513
>Intel NUC is officially pwned: 0day vuln in SMM driver from AMI and neat tricks to bypass SMM_Code_Access_Chk [1/2]
https://pbs.twimg.com/media/CoCGFY8VMAAZ06A.png:orig
https://twitter.com/d_olex/status/756752236026269696
>Vendors are aware of this and other security issues and are working on a patch [2/2]

https://twitter.com/d_olex/status/756759296998723584
>@spyblog @SecureDrop It's AMI vulns, so, lots of other computers with AMI Aptio based firmware affected
https://twitter.com/d_olex/status/756759762427981824
>@spyblog @SecureDrop Vulnerability is quite old, 6 years ago or smth. like that till newest Skylake machines
https://twitter.com/d_olex/status/756771910998855680
>@jimbo1qaz OS to System Management Mode priv. esc. that leads to flash write protection bypass and full control over platform firmware


-----
IOW: Thanks Intel!
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

Fav. Ouches:
https://twitter.com/matalaz/status/748815046138925056
>@d_olex they should ask themselves why they have to contact an independent security researcher instead of auditing their shit themselves...


Android Extracting Qualcomm's KeyMaster Anonymous 08/12/2016 (Fri) 23:31:32 No. 6212
https://twitter.com/laginimaineb/status/748486726700699648
>New blog post: https://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html … Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption!
https://twitter.com/laginimaineb/status/748487256273453056
>@laginimaineb Full exploit source code: https://github.com/laginimaineb/ExtractKeyMaster … I've also written python scripts to bruteforce FDE:


Microsoft & Windows Exploits Anonymous 08/13/2016 (Sat) 00:21:09 No. 6213
Win10 specific exploits:
https://twitter.com/ExpSky/status/757407176499400704
HitCon 2016 《Windows 10 x64 edge 0day and exploit》:
https://github.com/exp-sky/HitCon-2016-Windows-10-x64-edge-0day-and-exploit/blob/master/Windows%2010%20x64%20edge%200day%20and%20exploit.pdf

https://twitter.com/j00ru/status/757508215223582722
>New blog post! Disclosing stack data (stack frames, GS cookies etc.) from the default heap on Windows. http://j00ru.vexillium.org/?p=2835

https://twitter.com/ProjectZeroBugs/status/757880803913113600
Microsoft GDI+ rendering of uninitialized heap bytes as pixels when handling malformed RLE-compressed bitmaps https://code.google.com/p/google-security-research/issues/detail?id=825

https://twitter.com/marcmaiffret/status/760952693259022336
>Windows 10 attack surface, store malware in Bash env, containers. New win10 ssh server (command prompt) etc new ways to live off the land.

https://twitter.com/hosselot/status/761463084913401856
>WINDOWS 10 SEGMENT HEAP INTERNALS:
https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf

https://twitter.com/aionescu/status/761613918674509824
>Presentation slides for my Black Hat talk on WSL/LXSS: "The Linux Kernel Hidden Inside Windows 10" are up at https://github.com/ionescu007/lxss

https://twitter.com/c7zero/status/761626851626266624
>Rafal's #bhusa16 Win10 VBS Attack Surface https://www.blackhat.com/docs/us-16/materials/us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security-wp.pdf … (paper) https://www.blackhat.com/docs/us-16/materials/us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security.pdf … (slides) Thanks for referencing us, Rafal!

https://twitter.com/CoreSecurity/status/763110111816671232
>MS16-039 – “Windows 10” 64 bits Integer Overflow exploitation by using GDI objects http://hubs.ly/H03Xy2q0
https://pbs.twimg.com/media/CpccmcXXgAAeHVr.jpg:orig

Windows UEFI key exposed:
https://rol.im/securegoldenkeyboot/
https://pastebin.com/NammeCjw
https://archive.is/ipYYW
[^been waiting for this one, now we can DDoS all Win OSes in one go, esp. 10]


Anonymous 08/13/2016 (Sat) 00:23:07 No. 6214
https://twitter.com/matalaz/status/761168053635805184
Absolutely awesome paper: "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector"
http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf


Anonymous 08/13/2016 (Sat) 00:23:33 No. 6215
https://twitter.com/bcrypt/status/760920132763869184
tl;dr if u implement AES-GCM for TLS, don't reuse nonces & use a counter instead of random value
syan added,
Albert Kin-Ying Yu @yukinying
TLS attacks real demo in #BHUSA2016. Can't miss this. Paper in http://ia.cr/2016/475


ASUS delivers raw HTTP BIOS/UEFI updates Anonymous 08/13/2016 (Sat) 08:01:04 No. 6217
>>6211
Expanding on this exploit: >>4705
>ASUS* LiveUpdate software is preinstalled on computers shipped by ASUS. It is responsible for delivering updates, new versions of the BIOS/UEFI Firmware and executables for use with ASUS software. Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the *Administrators* NT group (*Highest Permissions*** task scheduler). There is no verification or authentication of source or content at any point in this process, allowing trivial escalation to NT AUTHORITY\SYSTEM
https://archive.is/ZiLWJ


Arbitrary Code Execution Flaw Found in Chrome's PDF Reader Anonymous 08/13/2016 (Sat) 08:01:37 No. 6218
From: >>4985
A researcher at Cisco's Talos limb has discovered an arbitrary code execution flaw in PDFium, the PDF reader installed by default in Google's Chrome browser.
The flaw looks like it is down to a tiny error by Chrome's developers, as Nikolic writes[2] that an existing assert call in the OpenJPEG library prevents the heap overflow in standalone builds, but in the build included in release versions of Chrome, the assertions are omitted.
That omission means that when PDFium invokes the OpenJPEG library, it can create a buffer overflow. Once that's happened, bad guys can go to town with their own code.

https://soylentnews.org/article.pl?sid=16/06/10/2027225
http://7rmath4ro2of2a42.onion/article.pl?sid=16/06/10/2027225

>>5003
As one of the commentators put it, it seems more an OpenJPEG bug, and I wonder how Chrome's sandboxing relates to this.

Proxy link to the original article:
https://archive.is/http://www.theregister.co.uk/2016/06/09/chromes_pdf_reader_has_arbitrary_code_execution_flaw/
>PDF that includes an embedded jpeg2000 image can trigger an exploitable heap buffer overflow
Proxy link to CVE
https://archive.is/https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1681

>Heap-based buffer overflow in the opj_j2k_read_SPCod_SPCoc function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 51.0.2704.63, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document

Reminder that ghostscript reads but doesn't write jpeg2000 and that PDF/A-1 doesn't allow for it as well.


iceweasel/firefox-esr security update Anonymous 08/13/2016 (Sat) 08:03:28 No. 6219
>>4987
>Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or spoofing.

http://seclists.org/bugtraq/2016/Jun/48

>>5029
>https://github.com/fanglingsu/vimb


Java Virtual Machine remotely exploitable Anonymous 08/13/2016 (Sat) 08:07:47 No. 6220
>>4047
Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) allows remote attackers to execute arbitrary code via unspecified vectors.

>java
>secure
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0264

>>4781
>Yet another JVM vulnerability:
>The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30
allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5041


Backdoor Hides In a Tiny Slice of a Computer Chip Anonymous 08/13/2016 (Sat) 08:24:27 No. 6222
>>4532
It's a hardware backdoor, directly on the processor. "[T]hat silicon backdoor is invisible not only to the computer's software, but even to the chip's designer".
"[The researchers] showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system".
https://archive.is/oQmNC

>>4543
>I thought this was common knowledge...
http://www.theverge.com/2013/12/29/5253226/nsa-cia-fbi-laptop-usb-plant-spy
http://www.forbes.com/sites/erikkain/2013/12/29/report-nsa-intercepting-laptops-ordered-online-installing-spyware/
https://www.eff.org/nsa-spying/how-it-works
http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html

>>4550
>It's called Tailored Access Operations (TAO)
Digested article: https://www.techdirt.com/articles/20140518/17433327281/cisco-goes-straight-to-president-to-complain-about-nsa-intercepting-its-hardware.shtml

>>4614
https://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/
I am trying to find where I read that they were already implanting silicon chips in the actual computer chips themselves. I know I've seen this technique before, esp. on USB.

Anyways, the only defense against this is to:
1. Build your own computer
2. Make replicable verifiable computers & chips (see Novena, Risc-V?, MIPS)
3. Microscan your entire setup, if unclean fix or destroy.

It's why I barely buy anything used, it's usually tampered with. Also, USB is a no go. ATA or GTFO.

This reminds me of
http://hackaday.com/2015/06/08/hard-drive-rootkit-is-frighteningly-persistent/
http://thehackernews.com/2015/02/hard-drive-firmware-hacking.html

I couldn't hope for raw MMCards to return. SD cards already compromised architecturally. HDs are fine, but their drivers and architecture need to be open, or make your own.
>>4615
>oh lol, paste failure: http://thehackernews.com/2015/02/hard-drive-firmware-hacking.html

>>4618
>I just did, right now, after replicating the article. here's my thoughts:
>a physical hack that takes advantage of how the actual electricity flowing through the chip’s transistors can be hijacked to trigger an unexpected outcome. Hence the backdoor’s name: A2, which stands for both Ann Arbor, the city where the University of Michigan is based, and “Analog Attack.”
This is the "innovation" you're talking about. We've called it power cycling/tampering for years.

>“We need to establish trust in our manufacturing, or something very bad will happen.”
That's been destroyed the last decade, Austin. It's like these researchers never read news, e.g.:
http://www.eteknix.com/expert-says-nsa-have-backdoors-built-into-intel-and-amd-processors/
http://www.infowars.com/intel-ceo-refuses-to-answer-questions-on-whether-nsa-can-access-processors/
http://wccftech.com/intel-possibly-amd-chips-permanent-backdoors-planted-nsa-updated-1/
http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
https://www.popularresistance.org/new-intel-based-pcs-permanently-hackable/

>>4733
>http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr

http://www.pcmag.com/article2/0,2817,2369110,00.asp

Intel vPro thing is not the same as the Intel AMT thing.

>>4742
>Think some further.
Imagine some godlike built-in backdoor in all devices.
If that backdoor becomes public and exploits start to sprout, that product or even the producing company is dead.
Maybe this gives some hope.

Maybe you can patch your router or something to scan for such exploits before they reach your machine but then you enter a rat race ...
Well, never mind.

[Please see >>6211 ]
[It's a reality]


A 15-year-old Kernel HeapOverFlow Vulnerability in iOS Anonymous 08/13/2016 (Sat) 08:32:12 No. 6223
>>5110
>From:
http://en.wooyun.io/2016/06/12/54.html

Apple just released iOS 9.3.2 and fixed one kernel heap overflow in IOHIDFamily. We independently found this bug several months ago. The vulnerable code was imported in Mac OS X 10.2 (released in 2002) and it affects almost all Apple devices (e.g., MacBook, iPhone, iPad, Apple Watch) for 15 years.

>vulnerabilities every month
>fbi "can't get into iphone"

>>5112
>I never worked on Mac OS X kernel before but it seems like IOHID interface family is provided to access touch screen or physical buttons of device.

https://developer.apple.com/library/mac/documentation/Darwin/Reference/IOKit/index.html

Not exactly convenient to exploit if target's phone's already locked.

>>5127
>Reminds me of a lulzy man-page

http://linux.die.net/man/3/ev

OS/X AND DARWIN BUGS

The whole thing is a bug if you ask me - basically any system interface you touch is broken, whether it is locales, poll, kqueue or even the OpenGL drivers.

"kqueue" is buggy

The kqueue syscall is broken in all known versions - most versions support only sockets, many support pipes.

Libev tries to work around this by not using "kqueue" by default on this rotten platform, but of course you can still ask for it when creating a loop - embedding a socket-only kqueue loop into a select-based one is probably going to work well.

"poll" is buggy

Instead of fixing "kqueue", Apple replaced their (working) "poll" implementation by something calling "kqueue" internally around the 10.5.6 release, so now "kqueue" and "poll" are broken.

Libev tries to work around this by not using "poll" by default on this rotten platform, but of course you can still ask for it when creating a loop.

"select" is buggy

All that's left is "select", and of course Apple found a way to fuck this one up as well: On OS/X, "select" actively limits the number of file descriptors you can pass in to 1024 - your program suddenly crashes when you use more.

There is an undocumented "workaround" for this - defining "_DARWIN_UNLIMITED_SELECT", which libev tries to use, so select should work on OS/X.


Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Anonymous 08/13/2016 (Sat) 08:37:06 No. 6224
>>5273
>Abstract: Rowhammer attacks have exposed a serious vulnerability in modern DRAM chips to induce bit flips in data which is stored in memory. In this paper, we develop a methodology to combine timing analysis to perform the hammering in a controlled manner to create bit flips in cryptographic keys which are stored in memory. The attack would require only user level privilege for Linux kernel versions before 4.0 and is unaware of the memory location of the key. An intelligent combination of timing Prime + Probe attack and row-buffer collision is shown to induce bit flip faults in a 1024 bit RSA key on modern processors using a realistic number of hammering attempts. This demonstrates the feasibility of fault analysis of ciphers using purely software means on commercial x86 architectures, which to the best of our knowledge has not been reported earlier. The attack is also relevant for the newest Linux kernel in a Cross-VM environment where the VMs having root privilege are not denied access to the pagemap.
https://eprint.iacr.org/2016/618


FSF: Intel & ME, and why we should get rid of ME Anonymous 08/13/2016 (Sat) 09:01:01 No. 6225
[more on intel >>6211]
>>4979
>http://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me


>Leah Woods of GNU Libreboot states that the "Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored." At this time, developing free replacement firmware for the ME is basically impossible. The only entity capable of replacing the ME firmware is Intel and its OEM partners. And, since the ME is a control hub for your machine, you can no longer simply disable the ME like you could on earlier models, such as the Libreboot X200 laptop

>>5193
>Here's another article on the topic: https://archive.is/fQfzz


XMPP man-in-the-middle via tor Anonymous 08/13/2016 (Sat) 09:14:00 No. 6226
>>5540
https://tech.immerda.ch/2016/03/xmpp-man-in-the-middle-via-tor/

We saw some wide-spread XMPP man-in-the-middle via malicious tor exit nodes during the last 24h. The attacks were only targeting starttls connections on port 5222. The mitm served forged self-signed certificates for various Jabber domains, one of them being our imsg.ch. The attack was orchestrated between multiple exit nodes acting in sync. All of them served the same set of forged certificates, allegedly created around midnight March 2nd to 3rd, using common names tailored to various XMPP servers.


Linux Kernel local privilege escalation and out of bounds memory access Anonymous 08/13/2016 (Sat) 09:14:55 No. 6227
>http://article.gmane.org/gmane.comp.security.oss.general/19838?utm_content=bufferfff05&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer


Risk: High

Impact: Kernel memory corruption, leading to elevation of privileges or kernel code execution. This occurs in a compat_setsockopt() call that is normally restricted to root, however, Linux 3/4 kernels that support user and network namespaces can allow an unprivileged user to trigger this functionality. This is exploitable from inside a container.

>>5552
>Linux 3/4 kernels that support user and network namespaces can allow an unprivileged user to trigger this functionality.

The stock kernels of most distros do not support user namespaces.

Also

>local privilege escalation


Google's version of the W3C's video DRM has been cracked Anonymous 08/13/2016 (Sat) 09:15:48 No. 6228
http://boingboing.net/2016/06/24/googles-version-of-the-w3c.html

Google's [Content Decryption Module] is Widevine, a technology it acquired in 2010. [Researchers] discovered a vulnerability in the path from the CDM to the browser, which allows them to capture and save videos after they've been decrypted.

Widevine is also used by Opera and Firefox (Firefox also uses a CDM from Adobe).

[...] it was likely present in the browser for more than five years, but are nevertheless the first people to come forward with information about its flaws.


Forging Wireless Timing Signals to Attack the NTP server Anonymous 08/13/2016 (Sat) 09:16:56 No. 6229


Anonymous 08/13/2016 (Sat) 09:23:45 No. 6230
[Got angsty and for original threads]
>>6227 from >>5541
>>6228 from >>5542
>>6229 from >>5548

[It also appears >>6212 was already discussed in >>5745]
>>5748
>What you get is only the password hash.

The simplest way to crack a hash is to try to guess the password, hashing each guess, and checking if the guess's hash equals the hash being cracked. If the hashes are equal, the guess is the password. The two most common ways of guessing passwords are dictionary attacks and brute-force attacks.

https://en.m.wikipedia.org/wiki/Hashcat

With a strong password you can defend yourself.

https://en.m.wikipedia.org/wiki/Password_strength

With this attack you don't see a password as plain text.
>>5751
>Attack works only with:
Qualcomm Snapdragon 800 MSM8974 ( ARM-based SoC for tablets and smartphones).
https://source.android.com/security/bulletin/2016-05-01.html

A fix exists for NEXUS devices.


"New" HTTPS exploit Anonymous 08/13/2016 (Sat) 09:29:09 No. 6231
>>6070
>http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/
New attack steals SSNs, e-mail addresses, and more from HTTPS pages
The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit.
Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly.

Today on "if you'd just disabled JavaScript globally this wouldn't have happened".

[And I think that's all of current >>>/tech/ regarding exploits which can now be pruned. Did it in honor of thread >>5567]
[Repost post and files if you want, only did it to amass them all in one thread. e.g. like files in >>4550, etc.]


Anonymous 08/16/2016 (Tue) 02:22:11 No. 6282
>>6216
Damn that's scary


Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers Anonymous 08/31/2016 (Wed) 20:31:22 No. 6590
> In this paper, we present Fansmitter, a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that software can regulate the internal fans' speed in order to control the acoustic waveform emitted from a computer. [...] We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with a bit rate of up to 900 bits/hour.

I have to walk outside.


Anonymous 09/22/2016 (Thu) 12:29:13 No. 6805
>>6590
must be easy being a Jew and have access to how proprietary CPU truly works


Anonymous 11/21/2016 (Mon) 01:37:33 No. 7455
EXPL0IT G3NER@L IS THE ONLY ONE THAT SHOULD BE STICKEDDDDDDDD


DRAMA: How Your DRAM Becomes a Security Problem Anonymous 12/09/2016 (Fri) 09:18:22 No. 7599
https://youtube.com/watch?v=lSU6YzjIIiQ
https://www.blackhat.com/docs/eu-16/materials/eu-16-Schwarz-How-Your-DRAM-Becomes-A-Security-Problem.pdf

>In this talk, we will present our research into how the design of DRAM common to all computers and many other devices makes these computers and devices insecure.
>Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU.
>These side channel attacks allow an unprivileged user to gain knowledge and spy on anybody sharing the same system even when located on a different CPU or running in a different Virtual Machine.


Anonymous 12/17/2016 (Sat) 11:24:03 No. 7648
>>6222
Strange a backup hasn't been made for the forbes article.
https://archive.is/4oXVm
>Russian security experts reportedly uncovered state-created spyware hidden in the hard drive firmware of more than a dozen of the largest manufacturer brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi.
>including Cisco, Juniper Networks, Dell, Seagate, Western Digital, Maxtor, Samsung, and Huawei. Many of the targets are American companies.

new shit expanding on it:
http://www.zerohedge.com/news/2016-08-22/evidence-points-another-snowden-nsa
NSA Advanced Network Technology (ANT) catalog
>Among the tools targeting Apple was one codenamed DROPOUTJEEP, which gives NSA total control of iPhones. "A software implant for the Apple iPhone,” says the ANT catalog, “includes the ability to remotely push/pull files from the device. SMS retrieval, contact-list retrieval, voicemail, geolocation, hot mic, camera capture, cell-tower location, etc.”
>IRATEMONK, is, “Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate and Western Digital.”
>BANANAGLEE and JETPLOW. These can be used to create “a persistent back-door capability” into widely used Cisco firewalls, says the catalog.
https://en.wikipedia.org/wiki/NSA_ANT_catalog
>Apple,[14] Cisco, Dell, Juniper Networks, Maxtor, Seagate, and Western Digital, although there is nothing in the document that suggests that the companies were complicit.[1][15]
>DEITYBOUNCE: Technology that installs a backdoor software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s).[23][24]
>SWAP: Technology that can reflash the BIOS of multiprocessor systems that run FreeBSD, Linux, Solaris, or Windows.


ASLR&SGX pwnd Anonymous 03/03/2017 (Fri) 21:23:47 No. 8152
3 new hardware vulnerabilities:
ASLR⊕Cache(AnC) Attack:
https://archive.is/https://www.vusec.net/projects/anc/
Software Grand Exposure: SGX Cache Attacks Are Practical
https://arxiv.org/abs/1702.07521
Malware Guard Extension: Using SGX to Conceal Cache Attacks
https://arxiv.org/abs/1702.08719


Anonymous 03/07/2017 (Tue) 05:02:18 No. 8162
>blackhat.com
>archive.is
pls stop posting cloudflare links, it triggers me


Intel AMT, ISM, & SBA VULN Published Anonymous 05/02/2017 (Tue) 01:33:50 No. 8425
https://web.archive.org/web/20170502010511/https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
Intel ID: INTEL-SA-00075
Product family: Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: May 01, 2017
Last revised: May 01, 2017
Summary:
There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.

Description:
There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.
• An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
◦ CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
◦ CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products:
The issue has been observed in Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel® Active Management Technology, Intel® Small Business Technology, and Intel® Standard Manageability. Versions before 6 or after 11.6 are not impacted.

Recommendations:
Step 1: Determine if you have an Intel® AMT, Intel® SBA, or Intel® ISM capable system: https://communities.intel.com/docs/DOC-5693. If you determine that you do not have an Intel® AMT, Intel® SBA, or Intel® ISM capable system then no further action is required.

Step 2: Utilize the Detection Guide to assess if your system has the impacted firmware: https://downloadcenter.intel.com/download/26755. If you do have a version in the “Resolved Firmware” column no further action is required to secure your system from this vulnerability.

Step 3: Intel highly recommends checking with your system OEM for updated firmware. Firmware versions that resolve the issue have a four digit build number that starts with a “3” (X.X.XX.3XXX) Ex: 8.1.71.3608.

Step 4: If a firmware update is not available from your OEM, mitigations are provided in this document: https://downloadcenter.intel.com/download/26754

For assistance in implementing the mitigations steps provided in this document, please contact Intel Customer Support (http://www.intel.com/content/www/us/en/support/contact-support.html#@23); from the Technologies section, select Intel® Active Management Technology (Intel® AMT).

Intel manageability firmware   Associated CPU generation   Resolved firmware (X.X.XX.3XXX)
6.0.xx.xxxx                    1st Gen Core                6.2.61.3535
6.1.xx.xxxx                                                6.2.61.3535
6.2.xx.xxxx                                                6.2.61.3535
7.0.xx.xxxx                    2nd Gen Core                7.1.91.3272
7.1.xx.xxxx                                                7.1.91.3272
8.0.xx.xxxx                    3rd Gen Core                8.1.71.3608
8.1.xx.xxxx                                                8.1.71.3608
9.0.xx.xxxx                    4th Gen Core                9.1.41.3024
9.1.xx.xxxx                                                9.1.41.3024
9.5.xx.xxxx                                                9.5.61.3012
10.0.xx.xxxx                   5th Gen Core                10.0.55.3000
11.0.xx.xxxx                   6th Gen Core                11.0.25.3001
11.5.xx.xxxx                   7th Gen Core                11.6.27.3264
11.6.xx.xxxx                                               11.6.27.3264

Acknowledgements:
Intel would like to thank Maksim Malyutin from Embedi for reporting this issue and working with us on coordinated disclosure.

Revision history:
Revision   Date          Description
1.0        01-May-2017   Initial Release
1.1        01-May-2017   Detection update

CVE Name:
CVE-2017-5689
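Added example in Go (my code, not Intel's detection tool or anything from the advisory): a version classifier that applies the two rules the advisory states, firmware families 6.x through 11.6 are in scope and fixed builds carry a four-digit build number starting with 3 (X.X.XX.3XXX), so a firmware version string read from a machine can be sorted into out of scope, vulnerable or resolved. The type and function names are my assumptions, the sample inputs are constructed, and the Linux sysfs path mentioned in the comment (/sys/class/mei/mei0/fw_ver) is assumed, not taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Status of a manageability firmware version relative to INTEL-SA-00075.
type Status int

const (
	NotInScope Status = iota // major version before 6 or after 11.6
	Vulnerable               // in the 6.x to 11.6 range, build not a 3xxx fix build
	Resolved                 // in range and carrying a four-digit build starting with 3
)

func (s Status) String() string {
	return [...]string{"not in scope", "vulnerable", "resolved"}[s]
}

// Version holds Intel's X.X.XX.XXXX manageability firmware version fields.
type Version struct{ Major, Minor, Hotfix, Build int }

// ParseVersion accepts "8.1.71.3608"-style strings.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 4 {
		return Version{}, errors.New("expected four dotted numeric fields")
	}
	var n [4]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("field %d: %q is not a number", i+1, p)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2], n[3]}, nil
}

// Classify applies the advisory's two rules: affected families are 6.x
// through 11.6, and resolved builds have a four-digit build number that
// starts with 3 (X.X.XX.3XXX). It says nothing about whether AMT is
// provisioned, which the advisory treats as a separate question.
func Classify(v Version) Status {
	inScope := (v.Major >= 6 && v.Major <= 10) || (v.Major == 11 && v.Minor <= 6)
	if !inScope {
		return NotInScope
	}
	if v.Build >= 3000 && v.Build <= 3999 {
		return Resolved
	}
	return Vulnerable
}

// ClassifyString parses and classifies in one call.
func ClassifyString(s string) (Status, error) {
	v, err := ParseVersion(s)
	if err != nil {
		return NotInScope, err
	}
	return Classify(v), nil
}

func main() {
	// Constructed sample inputs. On Linux the running firmware version can be
	// read from the mei driver's sysfs attribute (assumed: /sys/class/mei/mei0/fw_ver).
	for _, s := range []string{"8.1.71.3608", "8.1.71.2925", "11.8.50.3425", "9.5.61"} {
		st, err := ClassifyString(s)
		if err != nil {
			fmt.Printf("%-14s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-14s %s\n", s, st)
	}
}
```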


Anonymous 05/02/2017 (Tue) 13:09:42 No. 8431
>>8425
>arc processor
>running minix
lol!


