Windows security issues caused by unsafe drivers are nothing new, but this one is a bit special. Plug in a Razer mouse, tell the installation dialog that you want to install to a non-standard location, and then Shift+right-click in the Explorer window that opens. Choose PowerShell, and boom, you now have a SYSTEM shell. It is not as impressive as an RCE, since it requires hands-on access to the machine, but its simplicity makes it beautiful.
The problem is a compound one. First, when a Razer device is plugged in, Windows 10 and 11 automatically download and start the installation of Razer Synapse. Note that it is not just Razer: any vendor app that is automatically installed this way can be attacked the same way. The installation process runs as SYSTEM, and because it starts automatically, no administrator account is required. The second half of the problem is that the installer itself takes no precautions against the user spawning other processes. There is no obvious way to prevent PowerShell from being launched from the FolderPicker class, so an installer running as SYSTEM has to go out of its way to drop privileges and make that a safe process. The real fix is for Microsoft to say no to GUI installers bundled with WHQL-signed drivers.
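From the defender's side, the tell-tale sign of this class of bug is a command shell running as SYSTEM on a user's interactive desktop, spawned by an installer rather than by the service control manager. The following is an added example, not code from the article or from Razer, showing a small detection rule run over constructed process-creation events with Sysmon-style fields (image, parent image, user, session id); the event data and the installer file name vendor_setup_example.exe are invented for the example.

```python
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style
# fields, hand-written for this example; not real telemetry).
SAMPLE_EVENTS = [
    # 1: a user's own PowerShell from Explorer: normal.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "user": r"CORP\alice", "session_id": 1},
    # 2: PowerShell as SYSTEM in session 0 under services.exe: a service
    # or scheduled task, not an interactive desktop.
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "user": r"NT AUTHORITY\SYSTEM", "session_id": 0},
    # 3: the pattern on the page: a SYSTEM shell spawned on the interactive
    # desktop by an auto-installed vendor setup program (name constructed).
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Installer\vendor_setup_example.exe",
     "user": r"NT AUTHORITY\SYSTEM", "session_id": 1},
    # 4: the installer itself running as SYSTEM in session 1 is expected
    # and is not a shell, so the rule ignores it.
    {"id": 4, "image": r"C:\Windows\Installer\vendor_setup_example.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM", "session_id": 1},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_ACCOUNT = "nt authority\\system"


def basename(path):
    """Last path component, lower-cased, so matching is case-insensitive."""
    return PureWindowsPath(path).name.lower()


def is_interactive_system_shell(event):
    """True when a command shell runs as SYSTEM inside an interactive
    session (session_id != 0). Session 0 is where services live; a SYSTEM
    shell in any other session is sitting on somebody's desktop."""
    return (basename(event["image"]) in SHELLS
            and event["user"].lower() == SYSTEM_ACCOUNT
            and event["session_id"] != 0)


def find_system_shells(events):
    """Return (event id, parent image name) for every matching event, so an
    analyst can see which program handed out the shell."""
    return [(e["id"], basename(e["parent_image"]))
            for e in events if is_interactive_system_shell(e)]


if __name__ == "__main__":
    for event_id, parent in find_system_shells(SAMPLE_EVENTS):
        print(f"event {event_id}: SYSTEM shell spawned by {parent}")
```

The rule deliberately matches only shell images: winlogon.exe and csrss.exe legitimately run as SYSTEM inside interactive sessions, so "any SYSTEM process in session 1" would be far too noisy. Remaining false positives are administrators who intentionally open SYSTEM shells with tooling such as PsExec, which can be allowlisted by parent image.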
Zoom RCE
Researchers from Sector 7, part of Computest, pulled off an impressive hack at Pwn2Own, achieving RCE via the Zoom client. It is important to note that the attacker must be accepted as a contact, either manually or by being in the same organization. The core vulnerability is CVE-2021-30480, a heap buffer overflow that results from allocating a static buffer for a string generated by the connecting remote client. Although an overflow is a very powerful primitive, it takes considerable effort to turn it into a complete exploit.
To get there, the researchers found an information-leak vulnerability based on URI confusion in image links. A malformed contact request can be sent with a strange member image link. In normal use, the pic_relative_url field starts with "/" and is appended to marketplacecontent.zoom.us. In their crafted contact request, they used a relative URL that did not start with the leading slash but with part of a domain name, for example example.org. When the Zoom client tries to download the remote image, it ends up fetching from marketplacecontent.zoom.usexample.org/..., a domain the attacker can control. This URL confusion bug can be combined with the overflow above to leak data about the current memory state of the victim's machine.
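The URL confusion above is a general bug class: building a URL by string concatenation lets a relative reference that lacks its leading slash rewrite the host instead of the path. The following is an added example, not the Zoom client's code, that reproduces the naive concatenation beside a hardened version which validates the reference and re-checks the resulting host; the base host marketplacecontent.zoom.us and the field name pic_relative_url come from the write-up, while the function names and sample inputs are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Host the client is supposed to fetch profile images from (from the write-up).
IMAGE_HOST = "marketplacecontent.zoom.us"
IMAGE_BASE = f"https://{IMAGE_HOST}"
ALLOWED_HOSTS = {IMAGE_HOST}


def naive_image_url(pic_relative_url):
    """The bug class described on the page: the host and the remote-supplied
    field are glued together. A value without the leading '/' extends the
    host name rather than the path."""
    return "https://" + IMAGE_HOST + pic_relative_url


def safe_image_url(pic_relative_url):
    """Hardened version. Returns the absolute URL to fetch, or None if the
    supplied reference is anything other than a path on the expected host."""
    # Must be a path-only reference: a single leading '/', not '//' (a
    # protocol-relative reference would resolve to a different host).
    if not pic_relative_url.startswith("/") or pic_relative_url.startswith("//"):
        return None
    parts = urlsplit(pic_relative_url)
    if parts.scheme or parts.netloc:
        return None
    url = urljoin(IMAGE_BASE, pic_relative_url)
    # Belt and braces: check the host of the final URL, not of the input.
    if urlsplit(url).hostname not in ALLOWED_HOSTS:
        return None
    return url


def fetched_host(url):
    """Host a fetcher would actually connect to for the given URL."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    for ref in ["/images/a.png", "example.org/a.png", "//example.org/a.png"]:
        print(f"{ref!r}: naive -> {fetched_host(naive_image_url(ref))}, "
              f"safe -> {safe_image_url(ref)}")
```

Note that switching from concatenation to a proper URL join is not enough on its own: urljoin would put example.org/a.png under the right host, but a protocol-relative reference such as //example.org/a.png still changes the host, which is why the hardened version checks the hostname of the joined result rather than trusting the input.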
The last vulnerability used seems trivial: the maximum message size limit can be sidestepped by sending GIFs from GIPHY. In addition, sending multiple copies of a GIF does not trigger multiple downloads, but does cause multiple copies to be created in memory. Pushing those copies into memory let the researchers build their exploit chain, and within the contest's 5-minute limit the complete attack succeeds about 50% of the time.
Second opinion on Pegasus
Citizen Lab has released an external review of Amnesty International's work on the NSO Group Pegasus spyware. Their investigation found that the technical side of Amnesty's findings holds up: the infection analysis, the IOCs, and the identified infrastructure all appear to be correct. The biggest question raised by the Amnesty report remains entirely unresolved: the list of targets. The source and authenticity of that document remain completely unproven.
Long-term Windows Defender bypass
The research team APTortellini published their guide to defeating Windows Defender. Some commenters sneered at this particular write-up because its first step is escalating to SYSTEM. You might even wonder, if you have already compromised a machine to the point of having root, what is the point? Gaining SYSTEM access is only the beginning of the actual malicious activity. This research is about how to disable Windows Defender without actually disabling it.
The first thing to understand is that a modern Windows system uses many elements borrowed from Unix, with the Windows legacy layered on top. To illustrate: the C: drive on Windows 10 is actually located at \Device\HarddiskVolumeX, and a series of symbolic links makes the C: name work. One of those links is \SystemRoot, which points to \Device\BootDevice\Windows. Even for SYSTEM, that link cannot be modified, but it can be deleted and recreated. This particular path happens to be part of the location from which Windows Defender loads its back-end driver, WdFilter.sys.
The technique mainly consists of remapping \SystemRoot to a fake Windows directory and restarting the Windows Defender service so it reloads the driver from the bogus location. The replacement driver must still be signed, but that still leaves a lot of leeway; in the write-up they used the RWEverything driver. Recreate the original symbolic link, and you have a placebo Defender that appears to be working normally but is running an arbitrary, signed driver.
610 million USD recovered
Poly Network is a decentralized finance protocol. I won't go into what exactly that means, because this is a security column, not This Week in Blockchain. Just know that it is a blockchain platform that uses smart contracts to do things similar to what banks or investment companies do. Poly Network ran into a problem earlier this month in which just over $600 million was transferred to addresses outside their control. The feat seems to have been the result of flaws in the smart contracts themselves. See SlowMist for more technical details.
The news this week is that [Mr. White Hat] has in fact returned control of all the stolen funds to Poly Network. The whole story is bizarre and reminiscent of the attack on the DAO many years ago.
More suspicious activity in Iran
After the hacking group targeting Iranian infrastructure, we have a story of another group that broke into the security camera system of Evin Prison in Tehran and released video evidence detailing the treatment of prisoners. Part of the dump is security camera footage showing the monitors in the main security room. This is truly a case of life imitating art.
This segment of the security control room at Iran's most notorious prison being shut down by hackers is straight out of a film.
Hackers are now leaking stolen CCTV footage from the other side of Evin Prison to highlight the abuse of prisoners, per the @Associated Press. pic.twitter.com/Ts2jbKmoqL
- Ed Clowes (@EdClowes) August 24, 2021
A group calling itself "Ali's Justice" claimed the attack. At some point the question has to be asked whether these attacks are really grassroots efforts by independent hackers. It is easy to imagine that they are simply fronts run by Western intelligence agencies.
T-Mobile update
Remember the T-Mobile breach? [John Binns] has claimed credit, and apparently provided enough evidence to convince the Wall Street Journal. He claims he found an insecure router by scanning the Internet and used that foothold to get into the internal data center network. That may mean he was scanning for one of the trivial RCEs we have discussed over the past few months and found a gateway that had not been updated. His backstory reads like a bad spy novel, and about half of it is believable. It is unclear whether he actually sold the data to anyone.