Going Phishing, Stopping Buffer Overflows, and Traveling Back in Time
G

SecPro #55: Going Phishing, Stopping Buffer Overflows, and Traveling Back in Time.

Welcome again to another issue of the SecPro, something that I’ve been looking forward to all week. As we are hurriedly scurrying around to finish up our latest observations on the world of cybersecurity, hopefully you’re settling down for a peaceful weekend (or maybe only a peaceful few minutes). That’s why we’ve been writing about some new tools and ways to defend yourself against the new emerging threats that are appearing on the horizon.

If you enjoyed our newsletter, be sure to send it out to your friends in the industry. We’d love to hear back from all of our readership, especially now that we’re embarking on another round of investigation. What will we find this time? Well, whatever you’re willing to share with us.

Cheers!
Austin Miller
Editor-in-Chief

Blue Team

The 3 Types of Buffer Overflow Attacks and Prevention Tips

By Nazifa Alam

Types of Buffer Flow Attacks

The various types of buffer overflow attacks listed below are some common methods attackers may use to target an organisation:

  1. Stack-based attacks – Which is the most common form of a buffer overflow attack. This form of attack involves the attacker(s) sending a data packet embedded with a malicious code to an application which is then stored into a stack buffer. The data already present on the stack is then overwritten by the malicious code causing the control of the device to be transferred to the attacker.
  2. Heap-based attacks – This type of attack is more difficult to execute as it involves flooding a program’s memory space. This line of attack is also more time consuming and expensive to commit.
  3. Format string attack – This form of attack involves an application processing input data as a command. Due to this, the attacker is able to read data in the stack, execute a code or cause segmentation faults in the application.

What Programming Languages are more Susceptible?

The two languages that are more vulnerable to buffer overflow attacks are C and C++ due to their absence of inbuilt safeguarding features against overwriting or illegitimate access of data in their memory. Mac OSX, Windows and Linux all use C and C++ languages. A buffer overflow in Assembly, C, C++ or Fortran is more likely to lead to a compromised system at the hands of an attacker.

Languages including PERL, Java, JavaScript and C# are less vulnerable to buffer overflow attacks due to their in-built safety features.

Detecting Buffer Overflow Attacks

The important practice is to keep note of where buffers are used, modified and accessed. More specifically, the functions dealing with the input provided by the user or an external source would be the more likely area to be exploited by an attacker.

For example, highlighted below, a command that requires a simple yes or no input will have reserved a small buffer space only for a for a single word answer.

If the user inputs ‘maybe’, the program will instead stop working rather than allowing the user another chance to enter a valid answer. The original, invalid answer is stored into the buffer, regardless of its length. If the user enters an answer that takes a certain number of bytes followed by a valid address in memory, the program’s return address will be changed. This will then enable the attacker to force an exit at a different point in the code than originally intended, leading to high levels of instability.

Other examples of buffer overflow attacks

A simple buffer overflow attack as a result of a ‘gets()’ function being externally sent to a stack buffer:
 “…
char buf [BUFSIZE]
gets(buf);
…”
The data cannot be limited and therefore, there is a reliance upon users entering fewer characters than ‘BUFSIZE’ characters.

In some cases, buffer overflow attacks rely on the user input to control functions and then cause errors through ‘memcpy()’, the memory function. The destination buffer, source buffer and the amount of bytes needed to copy is then enabled and the input buffer can be filled with the ‘read()’ command in addition to a specific allocation of bytes for ‘memcpy()’. Below is a display:
 “…
char buf[64], in[MAX_SIZE];
printf(“Enter buffer contents:\n”);
read(0, in, MAX_SIZE-1);
printf(“Bytes to copy:\n”);
scanf(“%d”, &bytes);
memcpy(buf, in, bytes);
…” 
Another instance of a buffer overflow attack could be the case of the data lacking local verification. The function ‘lccopy()’ is responds to a string with uppercase letters in place of lowercase letters. Bound checking is not executed as ‘str’ is expected to be smaller that ‘BUFSIZE’. Due to this, the attacker can change the expected size according to their wish or bypass the code.

An example of this instance is as followed:
 “char *lccopy(const char *str) {
char buff[BUFSIZE]; char *p;

strcpy(buf, str);
for (p=buf; *p; p++) {
if (isupper(*p)) {
*p=tolower(*p);
   }
}
Return strdup(buf);
}” 
Buffer overflow attacks can also occur when the code is too complex for a prediction to be made. The code below is an example from the linPNG image decoder which is programmed into the browsers Mozilla and Internet Explorer. The example shows a safe, legitimate code becoming more complicated due to the execution of a ‘png_ptr->mode’ review. To reduce the waste of memory, the complexity of the code should be kept at minimum.
 “if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
/*Should be an error, but we can cope with it */
png_warning(png_ptr, “Missing PLTE before tRNS”);}
else if (length > (png_uint_32png_ptr->num_palette) {
png_warning(png_ptr, “Incorrect tRNS chunk length”);
png_crc_finish(png_ptr, length);
return;
}

png_crc_read(png_ptr, readbuf, (png_size_t)length);” 

Preventing Buffer Overflow Attacks

One of the simplest measures against these exploits is simply to use a programming language that does not allow them. As mentioned earlier in this article, C and C++ both contain increased vulnerability rates however Java, Python and .NET do not.

Upon initial observation, using strn- which only writes to the maximum size of the target buffer may seem like a viable option. This however, may lead to more problems as if the buffer limit is reached without a terminating character being placed before the buffer limit, difficulties will arise. Below is an example of this:

When ‘foo’ is entered into (normal_buffer), it is null terminated due to additional buffer space. With the case of (full_buffer) however, where there is no available buffer space for the entry, the results are as followed:

Although the entry in (normal_buffer) has been correctly printed, an extra character has been printed in (full_buffer). If the next bytes were composed of a printable string, the print function would have continued until the terminating character.

OpenBDS provides the use of strlcpy and strlcat which although provides similar functions to the strn-functions, terminates the string one character early to allow space for the null terminator. Microsoft provides safety alternatives to commonly exploited functions such as strcpy_s, strcat_s and sprint_s.

The safer alternatives are as followed:

  • strlcpy*, strcpy_s*
  • strlcat*, strcat s*
  • snprintf*, sprint_s*
  • fgets

Nowadays, modern operating systems are equipped with runtime protection. Nevertheless, it is beneficial to adopt the following practices for protection:

  • Address Space Randomisation (ASLR) –Buffer overflow attacks are commonly successful due to the attacker’s previous knowledge concerning the locality of the executable code and by randomising address spaces, the attacks become limited.
  • Data Execution Prevention – Which determines certain areas of memory as executable or not, preventing a code from being ran in a non-executable region.
  • Structured Exception Handler Overwrite Protection (SEHOP) – This is a built-in function which oversees hardware and software anomalies. Therefore, SEHOP prevents an attacker from having the ability to perform the SHE exploitation which involves overwriting the system.

Threat Intelligence

Using Waybackurls to find flaws

By Indrajeet Bhuyan

It is said that once you put something on the internet, it’s there forever. It’s valid to a large extent and services like web archives make it possible. In this tutorial, we will learn about a tool that takes advantage of old web details and helps us find flaws in our targets.

What is the Way Back Machine?

Way back machine is a part of the Internet Archive. It was first introduced in 2001, this tool lets you go back in time to see what websites looked like at a certain point in time. The Wayback machine features more than 690 billion web pages at the time of writing and it keeps adding more each year. The Wayback Machine downloads all publicly accessible information and data files on web pages through its crawl mechanism.

Want to find out how to use Waybackurls? Click here to find out!

Threat intelligence


Phishing with 2Fa bypass

By Indrajeet Bhuyan

Phishing is still one of the most popular ways to hack into users, organizations, etc. It plays an important role in Red teaming operations. Humans are the weakest link in cyber security and in any company hackers try to hack into employees by phishing and then get access to internal networks. Hence phishing simulations within the company are a very important security exercise that every organization must perform.

What is Phishing? 

Phishing is an attack where an attacker sends malicious emails/links designed to trick people into falling for a scam. Often attacker makes a look-alike of popular apps and website login pages and sends them to victims. The intent is often to get users to reveal financial information, system credentials, or other sensitive data.

Here is an example of a phishing page that looks exactly like the real website’s login page and it often tricks users into giving a username and password.

Recent Phishing scams 

  1. Covid 19 test kits

Cybercriminals are acting as if they are with a Healthcare authority and requesting the user to get a COVID test. These messages come in the form of text messages and emails and state that someone in their network has contracted COVID.

  1. Receipts for Large purchases

Cybercriminals are sending receipts for fake online purchases and product renewals. The large price tag and time limit for refund are causing this attack to be successful.

2. Payment errors

Threat actors are luring users into providing bank and credit payment information to receive a refund to resolve a fake payment error.

3. NFT Marketplace Impersonations

Threat actors are impersonating NFT marketplaces like OpenSea to steal digital assets and crypto-wallets. They are using phishing emails and malvertising campaigns on Google Ads to track users.

Need some tips on stopping phishing attacks? Click the link below!

Why not check out this week’s free articles?

Top 10 Penetration Tools Currently on the Market

Gartner’s Top 12 Technological Advances for 2022

Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.

Open-Source Pentesting toolkit
 

  • takuzoo3868/penta: Open source all-in-one CLI tool to semi-automate pentesting. 
  • knownsec/pocsuite3: pocsuite3 is an open-sourced remote vulnerability testing framework developed by the Knownsec 404 Team. 
  • byt3bl33d3r/WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier. 
  • mhaskar/Octopus: Open source pre-operation C2 server based on python and powershell. 
     

Open-Source Phishing toolkit

  • dionach/PhEmail: PhEmail is a python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test 
  • mdsecactivebreach/o365-attack-toolkit: o365-attack-toolkit allows operators to perform oauth phishing attacks. 
  • gophish/gophish: Gophish is an open-source phishing toolkit designed for businesses and penetration testers.
  • Modlishka:/drk1wi: Modlishka is a powerful and flexible HTTP reverse proxy. 

 

Web Application Security Testing  

  • debasishm89/burpy: Portable and flexible web application security assessment tool.It parses Burp Suite log and performs various tests depending on the module provided and finally generate a HTML report. 
  • navikt/mock-oauth2-server: A scriptable/customizable web server for testing HTTP clients using OAuth2/OpenID Connect or applications with a dependency to a running OAuth2 server (i.e. APIs requiring signed JWTs from a known issuer) 
  • wallarm/gotestwaf: An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses 
  • TheHackerDev/race-the-web: Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline. 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.