Security Techniques

Xen exploitation part 3: XSA

Xen exploitation part 3: XSA: This is the last part of our blog post series about Xen security [1] [2]. This time we write about a vulnerability we found (XSA-182) [0] (CVE-2016-6258) and its exploitation on the Qubes OS [3] project.

We first explain the methodology used to find the vulnerability and then the specifics of exploiting it on Qubes OS.

We would like to emphasize that the vulnerability is not in the code of Qubes OS. But since Qubes OS relies on the Xen hypervisor, it is affected by this vulnerability. More information is provided in Qubes Security Bulletin #24 [8].

Security Techniques

Xen exploitation part 2: XSA

Xen exploitation part 2: XSA: This blog post describes the exploitation of Xen Security Advisory 148 (XSA-148) [1] (CVE-2015-7835). It was discovered by Shangcong Luan of Alibaba and publicly disclosed in October 2015. At the time, we were working on writing an exploit and no public proof of concept or exploit was available. Since then, the security researcher responsible for the vulnerability disclosure has given a public talk [6] and will give further conference talks explaining his approach [7]. We decided to publish this blog post anyway because our exploitation strategy is a little different.

Security Techniques

Xen exploitation part 1: XSA

Xen exploitation part 1: XSA: This blog post describes the exploitation of Xen Security Advisory 105 (XSA-105) [1] (CVE-2014-7155).

We are not aware of any public exploit for this vulnerability, although Andrei Lutas wrote excellent articles [2] [3] [4] describing the root cause of the vulnerability and how to trigger it. This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5 (it probably works with many other versions).

Security Techniques

Advanced Exploitation: Xen Hypervisor VM Escape

Advanced Exploitation: Xen Hypervisor VM Escape: Xen is a widely used virtualization platform powering some of the largest clouds in production today.

For the purpose of cloud platform security reinforcement, our team has looked into the implementation of the Xen hypervisor and found a series of highly critical vulnerabilities that could be used to compromise the host machine. For example, XSA-148/CVE-2015-7835, a 7-year-old bug disclosed by our team two months ago, is one of the worst vulnerabilities ever to hit the Xen Project.

This presentation will center around the Xen hypervisor and exploitation techniques and covers the following topics:

1. The story of the XSA-148/CVE-2015-7835 Xen vulnerability.

2. Xen Hypervisor internals – In this section, we will dive deep into the hypervisor and discuss many runtime details which have not been previously disclosed.

3. Exploitation vectors in the Xen environment – After exploring the Xen implementation, we will look into the various Xen exploitation vectors and how to bypass Xen security mechanisms.

4. VM Escape and Dom0/DomN r00t shell in reality – At last, we will expand on the XSA-148 exploitation technique and show root shells on the host machine and on other guest virtual machines. The XSA-148 exploitation technique is a generic method that could be applied directly to other vulnerabilities similar to XSA-148 to perform a VM escape.

With the exception of the XSA-148 vulnerability itself, all other contents have never been published before. These details could help researchers start their virtualization security research and also help cloud service providers enhance their products' security or detect VM escape attacks.

Security News

Yahoo secretly scanned customer emails for U.S. intelligence

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence: Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Hacks and Incidents

Tokopedia: Unrestricted Deletion to All of People’s Bank Account

Tokopedia – Unrestricted Deletion to All of People’s Bank Account: The simplicity of receiving payment for online sales is certainly a dream for every seller. To make this possible, Tokopedia launched a feature called “Tambah Rekening Bank” (Add Bank Account) that can be used to receive the sales payment after each transaction with the buyer is completed (in this case, after the buyer receives the item and confirms receipt of it). This feature lets the user add more than one account to be used as the payment “receiver”.

Hacks and Incidents

Opera server breach incident

Opera server breach incident: Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.


[..]

The total number of active users of Opera sync in the last month is 1.7 million, less than 0.5% of the total Opera user base of 350 million people.

Hacks and Incidents

Dropbox Hacked: More Than 68 Million Account Details Leaked Online

Dropbox Hacked — More Than 68 Million Account Details Leaked Online: Hackers have obtained credentials for more than 68 million accounts on the online cloud storage platform Dropbox, originating from the known 2012 data breach.

Troy Hunt verified the leak too: https://www.troyhunt.com/the-dropbox-hack-is-real/

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that “someone has cobbled together a list of credentials that work on Dropbox” hacked either, but proper hacked to the tune of 68 million records.


Hacks and Incidents

Ubuntu Forums hack exposes 2 million users

Ubuntu Forums hack exposes 2 million users: The company that builds Ubuntu, a popular Linux distribution, has said its forums were hacked Thursday. Canonical, which develops the operating system, said in a statement on Friday that two million usernames, email addresses, and IP addresses associated with the Ubuntu Forums were taken by an unnamed attacker.

The attacker was able to exploit an SQL injection vulnerability in an add-on used by older vBulletin forum software. That gave the attacker access to the forum’s databases, but the company said that only limited user data was accessed and downloaded.

The statement stressed that no code or repository data was accessed, and the attacker couldn’t write data to the database or gain shell access. The attacker also didn’t gain access to any other Canonical or Ubuntu service. Since the breach, the servers were wiped, rebuilt, and hardened, passwords were changed, and the forum software was fully patched.
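The kind of read-only injection the Canonical statement describes, as an added example that is not part of the Ubuntu Forums report, vBulletin, or the add-on involved: a hypothetical forum search that concatenates the user's term into its SQL string, the UNION payload that makes the same SELECT return usernames, e-mail addresses and IP addresses (the three fields the statement says were taken) without writing anything, and the parameterized form that treats the term as data. The schema, rows and function names are constructed for the demo and are not vBulletin's.

```python
import sqlite3

# Constructed sample data standing in for a forum database. The schema is a
# toy, not vBulletin's real one; the rows are invented for this demo.
USERS = [
    (1, "alice", "alice@example.org", "203.0.113.5"),
    (2, "bob", "bob@example.org", "198.51.100.7"),
]
THREADS = [
    (1, "Installing Ubuntu 16.04"),
    (2, "Wifi driver help"),
]


def setup_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER, username TEXT, email TEXT, ipaddress TEXT)"
    )
    conn.execute("CREATE TABLE thread (threadid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO thread VALUES (?, ?)", THREADS)
    return conn


def search_threads_vulnerable(conn, term):
    """Hypothetical add-on search: the user-supplied term is concatenated
    straight into the SQL text, so a quote inside `term` closes the LIKE
    literal and whatever follows is parsed as SQL."""
    sql = "SELECT title FROM thread WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_threads_fixed(conn, term):
    """Same search with a bound parameter: the term is sent as data and can
    never change the statement's structure. (It is still a LIKE pattern, so
    '%' and '_' inside it act as wildcards unless escaped separately.)"""
    sql = "SELECT title FROM thread WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Read-only payload: closes the LIKE literal (which then matches every title),
# UNIONs one column built from the user table into the result set, and
# comments out the trailing "%'" the add-on appends. No INSERT/UPDATE needed:
# a single SELECT is enough to dump the accessible tables.
PAYLOAD = (
    "' UNION SELECT username || ':' || email || ':' || ipaddress "
    "FROM user -- "
)


def demo():
    """Run both searches with the payload; returns (leaked_rows, safe_rows)."""
    conn = setup_db()
    leaked = search_threads_vulnerable(conn, PAYLOAD)
    safe = search_threads_fixed(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable search returned:", leaked)
    print("parameterized search returned:", safe)
```

The vulnerable search returns the two thread titles plus one `username:email:ipaddress` line per user; the parameterized one returns nothing, because no title contains the literal payload string. Note that the `sqlite3` module's refusal to run more than one statement per `execute()` is a property of that driver, not a defence: on a database connection that permits stacked queries, the same concatenation would also allow writes.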
