CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem

This article discloses exploitation of CVE-2019-18683, which refers to multiple five-year-old race conditions in the V4L2 subsystem of the Linux kernel. I found and fixed them at the end of 2019. I gave a talk at OffensiveCon 2020 about it (slides). Here I’m going to describe a PoC exploit for x86_64 that gains local privilege escalation from the kernel thread context (where the userspace is not … Continue reading CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem

Intel x86 Root of Trust: loss of trust

The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms. The problem is not only that it is … Continue reading Intel x86 Root of Trust: loss of trust

Turkish tricks with worms, RATs… and a freelancer

The Positive Technologies Expert Security Center has detected a malicious campaign active since at least mid-January 2018. The operation most focused on users from Brazil, Germany, Hungary, Latvia, the Philippines, Turkey, United Kingdom, and the USA. The long operation included use of a number of tools and techniques for infecting and controlling victim PCs. Here we will detail the stages of infection, utilities and network … Continue reading Turkish tricks with worms, RATs… and a freelancer

Malware creators trying to avoid detection. Spy.GmFUToMitm as an example

Image credit Unsplash Specialists from PT Expert Security Center found an interesting specimen of malware distributed in the Chinese segment of the Internet. Among other things, this malware is used for MITM attacks. Its main peculiar feature is that it combines various techniques of evading detection. We analyzed those to demonstrate how malware creators hide malware activity. How it all began Network traffic analysis system … Continue reading Malware creators trying to avoid detection. Spy.GmFUToMitm as an example

Finding Neutrino

In August 2018, PT Network Attack Discovery and our honeypots began to record mass scans of phpMyAdmin systems. Scans were accompanied by bruteforcing of 159 various web shells with the command die(md5(Ch3ck1ng)). This information became the starting point of our investigation. Step by step, we have uncovered the whole chain of events and ultimately discovered a large malware campaign ongoing since 2013. Here we will … Continue reading Finding Neutrino

How analyzing one critical DHCP vulnerability in Windows 10 led to discovery of two more

Image credit: Unsplash  As described in our earlier article about CVE-2019-0726, sometimes a search for details of a known vulnerability leads to discovery of a new one. Sometimes even more than one. The article touched upon two functions of the library dhcpcore.dll: UpdateDomainSearchOption, mentioned in passing, and DecodeDomainSearchListData which is called by the first function and was described in more detail. As always happens when … Continue reading How analyzing one critical DHCP vulnerability in Windows 10 led to discovery of two more

DHCP security in Windows 10: analyzing critical vulnerability CVE-2019-0726

Image credit: Pexels When January updates for Windows got released, the public was alarmed by news of critical vulnerability CVE-2019-0547 in DHCP clients. A high CVSS score and the fact that Microsoft did not release an Exploitability Index assessment right away, which made it more difficult for users to decide whether they needed to update their systems immediately, stirred up the heat. Some publications even … Continue reading DHCP security in Windows 10: analyzing critical vulnerability CVE-2019-0726

Advanced attacks on Microsoft Active Directory: detection and mitigation

Attacks on Microsoft Active Directory have been a recurrent topic of reports on Black Hat and Defcon during the last four years. Speakers tell about new vectors, share their inventions, and give recommendations on detection and avoidance of these vectors. I believe that the IT department is capable of creating a secure infrastructure, which can be monitored by the security department. High-quality monitoring, in its … Continue reading Advanced attacks on Microsoft Active Directory: detection and mitigation

Machine learning: good for security or a new threat?

Machine learning is no novelty anymore. On the contrary: every self-respecting startup feels compelled to apply machine learning in its offerings. The hunt for scarce developers has been superseded by a scramble for machine learning experts. Fortunately, many machine learning tasks are similar enough that it is possible to save time and money by using pre-trained models. Open-source models are also available free of charge. … Continue reading Machine learning: good for security or a new threat?

Pegasus: analysis of network behavior

Source code for Pegasus, a banking Trojan, was recently published online. Although the Carbanak cybercrime gang was referenced in the archive name, researchers at Minerva Labs have shown that Pegasus actually is the handiwork of a different group known as Buhtrap (Ratopak). The archive contains an overview of the Trojan, its source code, description Russian banking procedures, and information on employees at a number of … Continue reading Pegasus: analysis of network behavior