Researcher Reveals Multiple Flaws in Verizon Fios Routers — PoC Released

A cybersecurity researcher at Tenable has discovered multiple security vulnerabilities in Verizon Fios Quantum Gateway Wi-Fi routers that could allow remote attackers to take complete control over the affected routers, exposing every other device connected to them.
Currently used by millions of consumers in the United States, Verizon Fios Quantum Gateway Wi-Fi routers have been found vulnerable to three security vulnerabilities, identified as CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916.
The flaws in question are authenticated command injection (with root privileges), login replay, and password salt disclosure vulnerabilities in the Verizon Fios Quantum Gateway router (G1100), according to technical details Chris Lyne, a senior research engineer at Tenable, shared with The Hacker News.
Authenticated Command Injection Flaw (CVE-2019-3914)
When reviewing the log file on his router, Chris noticed that the “Access Control” rules in the Firewall settings, available in the router’s web interface, were not properly sanitizing the “hostname” parameter before its value was passed as part of an iptables command to the underlying shell.
Injecting shell metacharacters into the hostname therefore alters the firewall command, letting an attacker execute arbitrary commands on the affected device as root.
“Notice the iptables command being issued. Clearly, I must have entered tenable [keyword] in here at some point. That got me thinking… I wonder if I can inject an OS command into this,” the researcher said in a blog post.
“Clearly, this has to do with Access Control rules in the Firewall settings. I investigated the web interface to see if I could find tenable anywhere.”
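To make the injection pattern concrete, here is an added Python example; it is not the router’s firmware code and not Tenable’s proof of concept. It contrasts the vulnerable construction the researcher describes (a hostname concatenated into a command line handed to the shell) with a hardened version that validates the hostname and passes it as a single argv element. The `echo` stand-in for iptables, the shape of the rule and the hostname grammar are assumptions made so the example runs anywhere without touching a firewall.

```python
import re
import subprocess

# Constructed stand-in for the router's firewall helper: "echo" replaces the real
# iptables binary so the example runs on any POSIX host without modifying a firewall.
FIREWALL_BIN = ["echo", "iptables"]

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, 253 characters at most. Anything a shell or an
# option parser could misinterpret (spaces, ';', '$', '`', a leading '-') is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: True only for a syntactically valid RFC 1123 hostname."""
    return HOSTNAME_RE.match(hostname) is not None


def rule_command_vulnerable(hostname: str) -> str:
    """Builds the rule the way the vulnerable interface did: the user-supplied hostname
    is concatenated into one command string that is later handed to /bin/sh unchecked."""
    return f"{' '.join(FIREWALL_BIN)} -A INPUT -s {hostname} -j DROP"


def apply_rule_vulnerable(hostname: str) -> str:
    """Runs the concatenated string through the shell (shell=True), so metacharacters in
    the hostname become additional commands. Returns the shell's combined stdout."""
    result = subprocess.run(
        rule_command_vulnerable(hostname), shell=True, capture_output=True, text=True
    )
    return result.stdout


def apply_rule_hardened(hostname: str) -> str:
    """Rejects anything outside the hostname grammar, then passes the value as its own
    argv element with no shell involved. Returns the helper's stdout."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    argv = FIREWALL_BIN + ["-A", "INPUT", "-s", hostname, "-j", "DROP"]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    # The vulnerable path prints a second line: the injected command ran.
    print(apply_rule_vulnerable(payload), end="")
    print(apply_rule_hardened("example.com"), end="")
    try:
        apply_rule_hardened(payload)
    except ValueError as exc:
        print(exc)
```

The hardened version does two separate things: the allow-list regex stops shell metacharacters and option-like values (a hostname beginning with `-`), and building argv directly means no shell ever parses the value, so even a regex bypass could not chain commands.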
However, it should be noted that exploiting this vulnerability (CVE-2019-3914) requires authenticated access to the router’s web interface, which narrows the attack surface unless the victim is relying on the default or a weak password.
Also, affected routers don’t come with remote administration enabled by default, which further reduces the threat of Internet-based attacks.
“There are two attack scenarios that enable an attacker to execute commands remotely. First, the insider threat would allow an attacker to record the login sequence (salted hash) using a packet sniffer. Either through legitimate access (a house guest) or social engineering (customer support scam), an attacker could obtain the target router’s administrator password from the sticker on the router and public IP address. They can then either turn remote administration on, confirm it is enabled, or use the same social engineering ruse to have the victim enable it,” Chris told The Hacker News in an email interview.
“Then, the attacker can exploit CVE-2019-3914 remotely, from across the internet, to gain remote root shell access to the router’s underlying operating system. From here, they have control of the network. They can create back doors, record sensitive internet transactions, pivot to other devices, etc.”

As shown in the video demonstration, since the router ships with an embedded JVM (Java Virtual Machine), an attacker can simply upload a Java-based payload to obtain a reverse shell with root privileges and launch further attacks.
To execute a Java reverse shell, the attacker only needs to upload and run a Java class, as the researcher said, “I accomplished this by programming the HTTP listener to return a Base64-encoded, compiled Java class in the response body. Additionally, the Java code was compiled for the target JVM (Java SE 1.8).”
Besides the details and a video demonstration, the researcher has also released proof-of-concept exploit code for this vulnerability.
Login Replay And Password Salt Disclosure Flaws
The second vulnerability, identified as CVE-2019-3915, exists because the router’s web administration interface relies on an insecure HTTP connection.
It allows network-based attackers to intercept login requests using a packet sniffer and replay them to gain admin access to the web interface.
The third flaw, identified as CVE-2019-3916, allows an unauthenticated attacker to retrieve the value of the password salt by simply visiting a URL in a web browser.
Since the router firmware does not enforce HTTPS, an attacker on the network path can capture a login request containing the salted password hash (SHA-512); combined with the disclosed salt, that hash can be brute-forced offline to recover the plaintext password.
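The following added Python model (not the router’s code and not Tenable’s proof of concept) shows why a static, client-side salted hash sent over plain HTTP fails in both of the ways described above, and what a challenge-response login changes. The hash construction SHA-512(password + salt), the nonce scheme, the HMAC used for the response and the small wordlist are assumptions for illustration; the page does not document the G1100’s exact concatenation order, and the real fix for the management interface is TLS.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def login_token(password: str, salt: str) -> str:
    """Assumed browser-side credential: hex SHA-512 over password || salt. The router's
    exact construction is not documented here; only the shape matters for the flaws."""
    return hashlib.sha512((password + salt).encode()).hexdigest()


class StaticSaltLogin:
    """Models the vulnerable design: one fixed per-device salt that any visitor can read
    (CVE-2019-3916) and a login credential that is identical on every login (CVE-2019-3915)."""

    def __init__(self, password: str):
        self.salt = secrets.token_hex(8)
        self.stored = login_token(password, self.salt)

    def get_salt(self) -> str:
        # Unauthenticated endpoint: the salt is served to whoever asks.
        return self.salt

    def login(self, token: str) -> bool:
        return hmac.compare_digest(token, self.stored)


def replay(server: StaticSaltLogin, sniffed_token: str) -> bool:
    """Login replay: the credential sniffed from one cleartext HTTP login works again as-is."""
    return server.login(sniffed_token)


def crack_offline(sniffed_token: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Salt disclosure plus a sniffed hash: each guess costs one SHA-512 and needs no
    further contact with the router, so a weak password falls to a dictionary."""
    for guess in wordlist:
        if hmac.compare_digest(login_token(guess, salt), sniffed_token):
            return guess
    return None


class ChallengeResponseLogin:
    """Hardened variant (assumed design): the server issues a one-time nonce and the client
    proves knowledge of the token with an HMAC over it, so a captured exchange cannot be
    replayed. It does not stop offline guessing of weak passwords; that needs TLS plus a
    slow password hash on the server side."""

    def __init__(self, password: str):
        self.salt = secrets.token_hex(8)
        self.stored = login_token(password, self.salt)
        self.outstanding = set()

    def get_salt(self) -> str:
        return self.salt

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already consumed nonce: a replay is rejected
        self.outstanding.discard(nonce)
        expected = hmac.new(self.stored.encode(), nonce.encode(), "sha512").hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(token: str, nonce: str) -> str:
    """Browser side of the hardened scheme: the token itself never crosses the wire."""
    return hmac.new(token.encode(), nonce.encode(), "sha512").hexdigest()


if __name__ == "__main__":
    weak = StaticSaltLogin("summer2019")
    sniffed = login_token("summer2019", weak.get_salt())   # seen on the wire once
    print("replay accepted:", replay(weak, sniffed))
    print("cracked:", crack_offline(sniffed, weak.get_salt(), ["password", "summer2019"]))
    hard = ChallengeResponseLogin("summer2019")
    nonce = hard.challenge()
    answer = client_response(login_token("summer2019", hard.get_salt()), nonce)
    print("first login:", hard.login(nonce, answer), "replay:", hard.login(nonce, answer))
```

Note what the nonce does and does not buy: it kills replay, but an eavesdropper who knows the salt can still run the dictionary against a captured response, which is why the page’s remedy (HTTPS on the interface) matters more than any client-side hashing.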
Tenable responsibly reported these vulnerabilities to Verizon, who acknowledged the issues and addressed them in new firmware version 02.02.00.13, which will be applied automatically.
“However, they’ve [Verizon] since advised that they are still working to push auto updates to a small fraction of devices. Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information.”
At the time of writing, a simple Shodan search revealed that nearly 15,000 Verizon Fios Quantum Gateway Wi-Fi routers with remote administration were accessible on the Internet. However, it’s unknown how many of them are running the patched firmware version.

Hackers Found Using A New Code Injection Technique to Evade Detection

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different malware families to help attackers evade detection.
As its name suggests, Early Bird is a “simple yet powerful” technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products.
The Early Bird code injection technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected,” the researchers said.
The technique is reminiscent of the AtomBombing code injection technique, which also avoids the API calls that anti-malware tools typically watch; Early Bird instead relies on timing, running its payload before those tools have placed their hooks, so that many of them fail to detect it.

The Early Bird code injection method relies on Windows’ built-in Asynchronous Procedure Call (APC) mechanism, which lets an application queue code to run asynchronously in the context of a particular thread.
Here’s a brief step-by-step explanation of how an attacker injects malicious code into a legitimate process so that it executes before an anti-malware product has placed its hooks in that process:
Create a legitimate Windows process (e.g., svchost.exe) in a suspended state (CREATE_SUSPENDED),
Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,
Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe), pointing it at the written code,
Resume the main thread. A user-mode APC is delivered only when its thread enters an alertable state; the thread’s start-up routine in ntdll calls NtTestAlert during initialization, which drains the APC queue and runs the malicious code before the process entry point and before most security products have installed their hooks.
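Rather than another injector, here is an added Python detector (not Cyberbit’s code) that recognises the four-step sequence above in a process’s API-call trace, and distinguishes it from classic APC injection, where the APC is queued after the target thread is already running. The trace format, with handles already resolved to process and thread IDs by the sensor, and the sample entries are constructed for this example; a real deployment would feed ETW or hook telemetry into the same state machine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}


@dataclass(frozen=True)
class ApiCall:
    """One traced call. Assumption: the sensor has resolved handles to pid/tid values."""
    caller: int     # pid of the process issuing the call
    api: str
    args: dict


@dataclass
class TargetState:
    image: str
    main_tid: int
    suspended: bool = True
    exec_regions: List[Tuple[int, int]] = field(default_factory=list)  # (base, size)
    payload_written: bool = False
    apc_queued_while_suspended: bool = False


def _in_regions(addr: int, regions: List[Tuple[int, int]]) -> bool:
    return any(base <= addr < base + size for base, size in regions)


def analyze(trace: List[ApiCall]) -> List[Tuple[str, int, int, str]]:
    """Returns (verdict, injector_pid, target_pid, target_image) findings.
    'early_bird': suspended create, executable alloc, write, APC queued into the written
    region while the main thread is still suspended, then ResumeThread.
    'apc_injection': same, but the APC was queued after the thread was resumed."""
    targets: Dict[Tuple[int, int], TargetState] = {}   # (caller, target pid)
    tid_to_pid: Dict[Tuple[int, int], int] = {}        # (caller, tid) -> target pid
    findings: List[Tuple[str, int, int, str]] = []
    for call in trace:
        a = call.args
        if call.api == "CreateProcess":
            if a["flags"] & CREATE_SUSPENDED:
                targets[(call.caller, a["pid"])] = TargetState(a["image"], a["tid"])
                tid_to_pid[(call.caller, a["tid"])] = a["pid"]
        elif call.api == "VirtualAllocEx":
            st = targets.get((call.caller, a["pid"]))
            if st and a["protect"] in EXECUTABLE_PROTECTIONS:
                st.exec_regions.append((a["base"], a["size"]))
        elif call.api == "WriteProcessMemory":
            st = targets.get((call.caller, a["pid"]))
            if st and _in_regions(a["address"], st.exec_regions):
                st.payload_written = True
        elif call.api in ("QueueUserAPC", "NtQueueApcThread"):
            pid = tid_to_pid.get((call.caller, a["tid"]))
            st = targets.get((call.caller, pid))
            if st and st.payload_written and _in_regions(a["routine"], st.exec_regions):
                if st.suspended:
                    st.apc_queued_while_suspended = True
                else:
                    findings.append(("apc_injection", call.caller, pid, st.image))
        elif call.api in ("ResumeThread", "NtResumeThread"):
            pid = tid_to_pid.get((call.caller, a["tid"]))
            st = targets.get((call.caller, pid))
            if st and st.suspended:
                st.suspended = False
                if st.apc_queued_while_suspended:
                    findings.append(("early_bird", call.caller, pid, st.image))
    return findings


# Constructed sample traces: pid 4242 performs Early Bird against a suspended svchost.exe;
# pid 7000 (think: a debugger) creates and resumes a suspended notepad.exe with no injection.
EARLY_BIRD_TRACE = [
    ApiCall(4242, "CreateProcess",
            {"image": "svchost.exe", "pid": 5100, "tid": 5104, "flags": CREATE_SUSPENDED}),
    ApiCall(4242, "VirtualAllocEx", {"pid": 5100, "base": 0x2A0000, "size": 0x1000, "protect": 0x40}),
    ApiCall(4242, "WriteProcessMemory", {"pid": 5100, "address": 0x2A0000, "length": 0x200}),
    ApiCall(4242, "QueueUserAPC", {"tid": 5104, "routine": 0x2A0000}),
    ApiCall(4242, "ResumeThread", {"tid": 5104}),
]
BENIGN_TRACE = [
    ApiCall(7000, "CreateProcess",
            {"image": "notepad.exe", "pid": 7100, "tid": 7104, "flags": CREATE_SUSPENDED}),
    ApiCall(7000, "ResumeThread", {"tid": 7104}),
]

if __name__ == "__main__":
    print(analyze(EARLY_BIRD_TRACE + BENIGN_TRACE))
```

The ordering check is the whole point: every individual call here is legitimate and common, so a detector keyed on single APIs will either miss this or drown in false positives; what is rare is an APC queued into freshly written executable memory of a process whose main thread has never run.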
According to the researchers, at least the following three malware families were found using Early Bird code injection in the wild:
“TurnedUp” backdoor, developed by an Iranian hacking group (APT33)
A variant of “Carberp” banking malware
“DorkBot” malware
Initially discovered by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.
Dating back to 2012, DorkBot is botnet malware distributed via links on social media, instant messaging apps or infected removable media; it is used to steal users’ credentials for online services, including banking services, participate in distributed denial-of-service (DDoS) attacks, send spam and deliver other malware to victims’ computers.
Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.

About Censys

Censys is a search engine that enables researchers to ask questions about the hosts and networks that compose the Internet. Censys collects data on hosts and websites through daily ZMap and ZGrab scans of the IPv4 address space, in turn maintaining a database of how hosts and websites are configured. Researchers can interact with this data through a search interface, report builder, and SQL engine. Details on the Censys architecture and functionality are available in our research paper.

https://www.censys.io/

Don’t count on STARTTLS to automatically encrypt your sensitive e-mails
TLS stripping and DNS attacks allow eavesdropping on protected messages

Ars Technica

Researchers have some good and bad news about the availability of secure e-mail. Use of STARTTLS and three other security extensions has surged in recent months, but their failure rate remains high, in large part because of active attacks that downgrade encrypted connections to unencrypted ones.

That conclusion, reached in a recently published research paper, means that a significant chunk of e-mail continues to be transmitted in plaintext and with no mechanism for verifying that a message hasn’t been tampered with while it travels from sender to receiver. The downgrades are largely made possible by the Simple Mail Transfer Protocol (SMTP) used by many e-mail services. Because it wasn’t originally designed to provide message confidentiality or integrity, it relies on later-developed extensions including STARTTLS, DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC) that often don’t work as intended.

The researchers wrote:

This security patchwork—paired with opportunistic encryption that favors failing open and transmitting messages in cleartext, so as to allow incremental adoption—enables network attackers to intercept and surveil mail. In one such attack, network appliances corrupt STARTTLS connection attempts and downgrade messages to non-encrypted channels. We identify 41,405 SMTP servers in 4,714 ASes and 193 countries that cannot protect mail from passive eavesdroppers due to STARTTLS corruption on the network. We analyze the mail sent to Gmail from these hosts and find that in seven countries, more than 20% of all messages are actively prevented from being encrypted. In the most severe case, 96% of messages sent from Tunisia to Gmail are downgraded to cleartext.

The findings are based on Gmail SMTP connection logs spanning from January 2014 to April 2015 and a snapshot of SMTP server configurations from April 2015 for the Alexa top million domains. The Gmail data showed that incoming messages protected by Transport Layer Security (TLS) encryption grew 82 percent in one year, reaching 60 percent of all inbound mail by the end of the study. Outgoing messages increased 54 percent, with 80 percent of messages protected. The improvement was largely the result of Yahoo, Outlook, and a small number of other large e-mail providers updating their servers to use STARTTLS.

Offsetting that progress was a finding that about 770,000 SMTP servers associated with the Alexa top million list still failed to properly secure their systems. Only 82 percent of them supported TLS, and of those, only 35 percent were properly configured to allow one server to cryptographically authenticate itself to another.

STARTTLS corruption

The researchers also found evidence of widespread corruption that prevents STARTTLS from working as intended. Like many security mechanisms, STARTTLS is designed to “fail open” rather than “fail closed,” meaning that when certain errors happen, servers will simply send e-mail in unencrypted form rather than failing to send the message at all. Network actors can exploit this design by injecting or altering packets so that the TLS negotiation hits a fail-open error and the mail is sent in cleartext. The overall fraction of Gmail messages that were downgraded was relatively small, but in Tunisia, TLS was stripped from 96 percent of e-mail. Other countries with high rates included Iraq, Papua New Guinea, and Nepal.
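To show what “fail open” means at the protocol level, here is an added Python simulation (not the paper’s code) of the sending side of the SMTP exchange. The scripted server responses are constructed: one advertises STARTTLS normally, one has the STARTTLS capability line overwritten in the EHLO response the way a corrupting middlebox would, and one advertises it but then refuses the command. The `require_tls` switch is the policy knob the example introduces; real MTAs expose the same choice under various names.

```python
from typing import Dict, Set


class ScriptedServer:
    """Offline stand-in for a receiving SMTP server; replies are constructed strings."""

    def __init__(self, ehlo_response: str, starttls_response: str = "220 2.0.0 Ready to start TLS"):
        self.ehlo_response = ehlo_response
        self.starttls_response = starttls_response
        self.tls_active = False

    def send(self, command: str) -> str:
        verb = command.split()[0].upper()
        if verb == "EHLO":
            return self.ehlo_response
        if verb == "STARTTLS":
            if self.starttls_response.startswith("220"):
                self.tls_active = True
            return self.starttls_response
        raise ValueError(f"unexpected command: {command}")


def ehlo_capabilities(response: str) -> Set[str]:
    """Parses the multi-line 250 reply: keyword is the first token after '250-' or '250 '.
    The first line carries the server's name, not a capability, so it is skipped."""
    caps = set()
    for line in response.splitlines()[1:]:
        if line[:3] == "250" and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def deliver(server: ScriptedServer, require_tls: bool = False) -> Dict[str, object]:
    """Opportunistic STARTTLS as most MTAs do it. With require_tls=False the client
    'fails open': any problem with TLS results in a cleartext delivery. With
    require_tls=True it 'fails closed': the message is held instead of sent in the clear."""
    caps = ehlo_capabilities(server.send("EHLO client.example"))
    if "STARTTLS" in caps:
        reply = server.send("STARTTLS")
        if reply.startswith("220"):
            return {"encrypted": True, "delivered": True, "reason": "TLS negotiated"}
        reason = "STARTTLS refused: " + reply
    else:
        reason = "STARTTLS not advertised"
    if require_tls:
        return {"encrypted": False, "delivered": False, "reason": reason}
    return {"encrypted": False, "delivered": True, "reason": reason}


# Constructed EHLO replies. In STRIPPED_EHLO the capability line has been overwritten with
# filler of the same length, which is how a corrupting middlebox hides STARTTLS from the client.
GOOD_EHLO = "250-mail.example\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP"
STRIPPED_EHLO = "250-mail.example\r\n250-SIZE 35882577\r\n250-XXXXXXXX\r\n250 HELP"
REFUSAL = "454 4.7.0 TLS not available due to temporary reason"

if __name__ == "__main__":
    print("normal      :", deliver(ScriptedServer(GOOD_EHLO)))
    print("stripped    :", deliver(ScriptedServer(STRIPPED_EHLO)))
    print("stripped+req:", deliver(ScriptedServer(STRIPPED_EHLO), require_tls=True))
    print("refused     :", deliver(ScriptedServer(GOOD_EHLO, REFUSAL)))
```

Note that failing closed only helps when the sender knows in advance that the destination supports TLS; a blanket `require_tls` would strand mail for the roughly 18 percent of servers the study found with no TLS at all, which is exactly the trade-off that keeps opportunistic encryption opportunistic.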

“It is important to note that the devices that are stripping TLS from SMTP connections are not inherently malicious, and many of these devices may be deployed to facilitate legitimate filtering,” the paper states. “Regardless of intent, this technique results in messages being sent in cleartext over the public Internet, enabling passive eavesdropping and other attacks.”

The researchers also found evidence that domain name system records are routinely spoofed in a way that redirects e-mail to servers controlled by attackers rather than to the intended destination. The evidence included more than 178,000 publicly available DNS servers that provided invalid IP addresses or mail records for either gmail.com, yahoo.com, outlook.com, qq.com, or mail.ru.

The findings suggest that even as e-mail providers continue to deploy STARTTLS, there’s no guarantee that e-mail will be encrypted as it travels from one server to another on its way to the receiver. That leaves the truly paranoid with no other option than end-to-end encryption such as PGP/GPG or S/MIME to ensure the confidentiality of the messages they send.

DMCA Ruling Ensures You Can’t Be Sued For Hacking Your Car, Your Games Or Your iPhone

“This ‘access control’ rule is supposed to protect against unlawful copying,” said EFF staff attorney Kit Walsh. “But as we’ve seen in the recent Volkswagen scandal – where VW was caught manipulating smog tests – it can be used instead to hide wrongdoing hidden in computer code. We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers.”

Walsh expressed disappointment the exemption would not come into force for another year. There may also be a limitation on what tinkerers can do, as the exemption does not allow for modification of “computer programs primarily designed for the control of telematics or entertainment systems for such vehicle”, though security researchers should still be allowed to poke holes in them.

“This is a significant step forward for security research and acknowledges the value research plays in protecting consumers from risk of harm. There is still more work to be done – for example the exemption is limited in its application, and the Computer Fraud and Abuse Act still presents many challenges – but this represents an important shift in the discussion around security research at the Government level,” added Jen Ellis, vice president of community and public affairs at Rapid7, and one of the campaigners for the exemption.

“We look forward to continuing to collaborate with both Congress and the administration to build even greater understanding of, and protections for, security research.”

Tuesday, October 27, 2015