WikiLeaks: #Vault7 CIA Leak (Year Zero)

cia-vault-7

“I will splinter the CIA into a thousand pieces and scatter it into the wind” ~ John F Kennedy

Click Here to see all 8,000+ CIA Documents from Year Zero

—————————————————————————-

—————————————————————————-

BBC News

CIA hacking tools: Should we be worried?

March 8, 2017

Thousands of documents said to detail the CIA’s hacking tools were published by Wikileaks on Tuesday. They included allegations that the CIA had developed ways to listen in on smartphone and smart TV microphones. The CIA has been criticised by civil rights groups who say the agency “stockpiled” security flaws in devices to use them for its work, but left the population at risk by doing so. “Our digital security has been compromised because the CIA has been stockpiling vulnerabilities rather than working with companies to patch them,” said Nathan White, from the civil liberties group Access Now.

“It’s not a surprise that people who have a mission to find bad guys and protect nations are using every means at their disposal to gather intelligence on a focused target,” said Don Smith from cybersecurity firm SecureWorks. “If the CIA doesn’t have capabilities for eavesdropping, it’s not doing its job.” Alan Woodward, a security researcher who advises Europol and previously advised UK spy agency GCHQ, said the public should be “encouraged” by the information published. “Most of the leaked documents are about targeted attacks. This is not about mass surveillance and vacuuming up a haystack of data to search for a needle,” he told the BBC.

Visit source for more on this story

SOURCE = BBC News

—————————————————————————-

—————————————————————————-

Microsoft

Windows 10 update “Microsoft – WPD – 2/22/2016 12:00:00 AM – 5.2.5326.4762.”

Strange update released a few days after WikiLeaks reveals Vault7. This update is no longer showing now and does not appear in the Updates History. Either the update is hidden or Microsoft pulled it.

Strange Update.png

Source = Microsoft

—————————————————————————-

—————————————————————————-

Wikileaks

Vault 7: CIA Hacking Tools Revealed

Image File Execution Options

This registry key can be used to redirect the execution of any application to a different executable. It is likely monitored by many PSPs. The specified “debugger” application will be called with a path to the original program as the first argument.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe

Key: notepad.exe
Value: Debugger (REG_SZ) : "C:\windows\system32\calc.exe"

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

RT

WikiLeaks’ #Vault7 is ‘millennials’ fault says former CIA, NSA chief Hayden

March 8, 2017

Michael Hayden, former director of both the CIA and NSA, has blamed the recent WikiLeaks #Vault7 CIA release on millennials, citing Chelsea Manning and Edward Snowden as examples of the younger generation having no loyalty or sense of secrecy.

“In order to do this kind of stuff [intelligence work], we have to recruit from a certain demographic,” Hayden told the BBC. “And I don’t mean to judge them at all, but this group of millennials and related groups simply have different understandings of the words loyalty, secrecy and transparency than certainly my generation did.”

“And so we bring these folks into the agency, good Americans all, I can only assume, but again, culturally, they have different instincts than the people who made the decision to hire them and we may be running into this different cultural approach that we saw with Chelsea Manning, with Edward Snowden, and now perhaps with a third actor,” he said.

Visit source for more on this story

SOURCE = Russia Today

—————————————————————————-

—————————————————————————-

Wikileaks

(Microsoft) Windows FAX DLL Injection

This is a simple DLL hijacking attack that we have successfully tested against Windows XP,Vista and 7. A DLL named fxsst.dll normally resides in \Windows\System32 and is loaded by explorer.exe. Placing a new DLL with this name in \Windows results in this being loaded into explorer instead of the original DLL. On Windows Vista and above, the DLL‘s reference count must be increased by calling LoadLibrary on itself to avoid being unloaded.

This achieves persistence, stealth, and (in some cases) PSP avoidance.

Issues

On Windows Vista and Windows 7 the \Windows directory is protected by UAC. This requires system privileges to install and/or delete the DLL without triggering a UAC prompt.

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

Reuters

Wikileaks’ CIA hacking dump sends tech firms scrambling for fixes

March 8, 2017

Tech companies must rapidly step up information-sharing to protect users from prying eyes, a security software executive said on Wednesday after WikiLeaks released a trove of data purporting to show that the CIA can hack all manner of devices. Dozens of firms rushed to contain the damage from possible security weak points following the anti-secrecy organization’s revelations, although some said they needed far more information on what the U.S. intelligence agency was up to before they could thwart suspected but previously hidden attacks. Sinan Eren, vice president of Czech anti-virus software maker Avast, called on mobile software makers Apple (AAPL.O) and Google (GOOGL.O) to supply security firms with privileged access to their devices to offer immediate fixes to known bugs. “We can prevent attacks in real time if we are given the hooks into the mobile operating system,” Eren said in a phone interview from Silicon Valley, where he is located.

“If we can drive a paradigm shift where mobile platforms don’t shut off access, we’ll be better able to detect when hackers are hiding in a mobile (phone)”, he said. Avast, which counts more than 400 million users of its anti-virus software worldwide, was named in the WikiLeaks documents as one of the security vendors targeted by the CIA in a leaked page labeled “secret” but lacking further details. The leaks – which WikiLeaks described as the biggest in the Central Intelligence Agency’s history – had enough technical details for security experts and product vendors to recognize that widespread compromises exist. However, they provided few specifics needed to offer quick fixes. Reuters could not immediately verify the validity of the published documents, but several contractors and private cyber security experts said the materials appeared to be legitimate.  (reut.rs/2mEIxjU) The 8,761 leaked documents list a wealth of security attacks on Apple and Google Android smartphones carried by billions of consumers, as well as top computer operating systems – Windows, Linux and Apple Mac – and six of the world’s main web browsers.

Visit source for more on this story

SOURCE = Reuters

—————————————————————————-

—————————————————————————-

Wikileaks

Shell Extension Persistence

Windows Explorer (explorer.exe) supports various types of extensions that can be used to add functionality to the default Windows shell. For example:

  • Context menu handler
  • Drop handler
  • Icon handler
  • Property sheet handler
  • Icon overlay handler
  • Column handler

Each of these extensions takes the form of a COM DLL that gets loaded into Windows explorer. While any of these handlers could be used to provide persistence for an implant, there are reasons why some are better suited for this than others. For example, the context menu handler and icon handler are only loaded into explorer when they are needed (and are then typically unloaded). This means that they cannot be relied on to load at the beginning of a user’s session (or at any time). The icon overlay handler is loaded into explorer at the beginning of a session, making it a good option for persistence.

Windows explorer will unload any extension that does not comply with the appropriate shell extension COM interface. In Windows XP this verification process is taken further with the VERCLSID application which loads extensions prior to EXPLORER and then forceably terminates them if they do not adhere to the correct interface. To avoid having to implement the required interface, we can use code that will pretend to support the desired interface when being tested with VERCLSID, but will return a E_NOTIMPL when queried by explorer. This results in a DLL that can be used as any type of shell extension.

This technique achieves persistence, stealth, and (in some cases) PSP avoidance.

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

bloomberg

CIA Listed BlackBerry’s Car Software as Possible Target in Leak

March 8, 2017

BlackBerry Ltd.’s QNX automotive software, used in more than 60 million cars, was listed as a potential target for the Central Intelligence Agency to hack, according to documents released by WikiLeaks. CIA meeting notes mention QNX as one of several “potential mission areas” for the organization’s Embedded Devices Branch. The same branch also worked with U.K. spy agencies to develop tools to break into Apple iPhones, Google’s Android system and Samsung smart TVs, according to some of the 8,761 documents WikiLeaks posted Tuesday. The meeting notes that mention QNX, dated Oct. 23, 2014, said the company hadn’t yet been “addressed” by the branch’s work. The documents don’t say if the CIA ever moved forward with QNX as a hacking target. Spokeswomen for BlackBerry and QNX did not respond to requests for comment.

Visit source for more on this story

SOURCE = Bloomberg

—————————————————————————-

—————————————————————————-

Wikileaks

(Secret advice for CIA agents visiting Frankfurt US Embassy) EDG Familiarization TDY

Before You Go…

  • Talk to CCIE/Engineering about your planned TDY timeline. Consider US/German holidays, current Base activities, USG shutdowns, world events, etc.
  • CCIE can provide you with a list of hotels that you can choose from for your TDY.  Try not to stray from this list; these hotels are pre-approved by Frankfurt Base.
  • Write your own cable requesting TDY concurrence.  Seriously, if you have never written a cable in your entire career, do it yourself. Learn to write a cable: believe it or not, it’s a handy skill.
  • Learn/create your cover-for-action story.  There will be a slight difference based on your own cover status.  Talk to CCIE/Engineering.
  • Have your Point-of-Contact information on your person.  There will be a slight difference based on your own cover status.  Talk to CCIE/Engineering.
  • Have a travel credit card. You will need the PIN to get a cash advance.  Advance and conversion fees are accountable on your TDY voucher.  Government Travel Cards work great for this (built-in accounting).
  • You are allowed write checks for euros at the Consulate Cashier if you are in TDY status.  So if you would rather get cash that way, remember your checkbook.
  • If you are using a personal credit card, be sure to call your credit card company and notify them of your travel to Germany.
  • Oh, did I mention to “Talk to CCIE/Engineering?”

During Your Flight…

  • Flying Lufthansa: Booze is free so enjoy (within reason)!    Flying United:  My condolences, but at least you are earning a United leg towards a status increase.
  • If you have an overnight flight (most likely), try and get some sleep.  It will help you adjust faster to the time difference. (6-7 hours ahead!)

When You Arrive…

  • Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport.
  • Get some Euros from a DeutscheBank ATM (not a Travellex machine… not the same thing). (You remembered your credit card w/ its PIN, right?)
  • Get a cab to your hotel from the airport.
  • Check in, drop off your bags, shower (you probably need one).
  • Do not leave anything electronic or sensitive unattended in your hotel room.  (Paranoid, yes, but better safe then sorry.)
  • If you arrive on a Sunday morning…  expect to find most businesses (grocery stores especially) are closed. Some restaurants may be open.  Gas stations are not recommended for fine dining.
  • If you arrive on a Monday morning… expect that they might not have a room ready for you at your hotel.  Get checked in, decompress, then head into the Consulate.

First Day…

  • Bring all personal or work electronic devices with you to the Consulate.    There is a holding area outside of the SCIF for personal electronics.
  • Depending on where you are staying in the city, you might have to take the U-Bahn (subway) to the Consulate.  Find the U5 towards Preungesheim.  The Consulate is at the stop Gießener Straße (phonetically: “Gee-ssen-err Shtrah-sseh“)
  • You should buy a ticket for public transport that is good for a long period of time, either a week or a month.  (3 week tickets is cheaper than a month)
  • From the Gießener Straße stop, walk south towards the Consulate.
  • Enter at CAC4 (the big entrance)
    • Present your Black passport if that’s all you have, and you will get a yellow vistor’s badge.  You can trade this for a blue visitor badge at Post 1.
    • Present your white State ID if you have one. You will be buzzed right through the doors.
  • Follow the signs for the “Employee Entrance”, walking alongside the Consulate building on the left side. Show your badge (yellow or white), and you will be buzzed into the Consulate.
  • Follow the signs for Post 1.  You will know you’re in the right place when a large heavy door closes behind you, and you realize you are trapped in a large room with a Marine behind a glass window.
  • If you have a yellow badge, ask the Marine to give you a blue visitor badge.
  • Use the phone at Post 1 to call your POC.  You can just dial the last four numbers since it is the extension.

During Your TDY…

  • Meet everyone at Base, including other TDYers. Talk to them and find out about what they do.  Build that network!
  • If you have never been overseas before (for work or at all), let folks know.
  • Have a free weekend?  Ask for advice on day trips and places to visit.
  • Provide Base a briefing on newly delivered or burgeoning capabilities.  You can prepare something ahead of time, or you can wait to see what needs Base has and present to those gaps.  That being said, please no Death By Powerpoint!

Setting Expectations…

  • Be flexible with Base needs and operational tempo.  Help out wherever/whenever you can. “Duties as assigned.”
  • Be aware that your coworkers here are all under cover. While cover seems like an administrative thing back home, it is vital in the Field.
  • Help protect everyone’s cover. Avoid using terms outside of the SCIF that could betray that people are not “State Department” employees.  Better to keep work discussions at work.
  • Respect that while efforts can be made to involve you in social activities, it may not always be possible because of cover concerns.

Before You Leave…

  • Work with CCIE/Engineering to draft a TDY Wrap-up cable.  Cable traffic or it didn’t happen.
  • Buy something in Duty Free, because you’re awesome and you deserve it! (Might I recommend a travellers’ edition single malt whisky?)
  • Leave with as few Euros in your pocket as possible.  Current record is held by User #524297 at 0.52 € !

TDY

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

Recode

Apple says it’s working to fix security holes revealed by the WikiLeaks release of CIA documents

March 8, 2017

Apple says it’s working to fix any holes the CIA may have exploited in what appears to be a number of spying programs the agency employed. Yesterday, the whistleblowing website WikiLeaks released a cache of more than 8,000 documents that detail classified CIA cyberspying programs. According to the leaks, the CIA has a trove of malware that can undermine security and encryption measures on Apple’s iPhones, Mac OS operating system and AirPort routers, as well as Google Android phones, machines running Windows operating systems, Samsung smart TVs and other connected devices. Apple responded late yesterday and said it plans to fix any vulnerabilities:

“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

Apple made headlines last year for its principled stance against helping the FBI break the encryption on an iPhone used by a suspect in the San Bernardino shooting. The FBI eventually dropped its case after it claimed to have purchased a solution for hacking into the suspect’s locked iPhone. It appears the CIA had also amassed tools for undermining iPhone security features, according to the WikiLeaks documents. The leaks actually reveal 14 different iOS exploits that the CIA could use to hack into Apple products, many of which were shared with the GCHQ, the U.K.’s spy agency. The exploits had all kinds of bizarre, secret spy code names like Elderpiggy, Wintersky, Persistence and Rhino.

Visit source for more on this story

SOURCE = Recode

—————————————————————————-

—————————————————————————-

Wikileaks

(Samsung F8000 Smart TV) – Weeping Angel (Extending) Engineering Notes

maxresdefault

SECRET // REL USA,UK

Accomplishments during joint workshop with MI5/BTSS (week of Jun 16, 2014)

  • Discovered delete and download keyfiles are sensitive to any newline characters.
  • Found configuration file and setting that manages automatic updates.
  • Added feature to periodically re-acquire alsa (audio) device while in Fake-Off mode.
  • Suppress LEDs to improve look of Fake-Off mode.
  • Ported and modified TinyShell to provide shell, command execution, file transfer.  This version is known as pshell since it’s shell functionality is really a wrapper around popen() calls to emulate shell like functionality.
  • Added feature to prevent updates (an iptables rule — ported iptables application to this platform).
  • Received sanitized source code from UK with comms and encryption removed.
  • Tested on firmware versions 1111, 1112, and 1116 and characterized various recording qualities (wrt file size) and noise cancellation.

Factory reset:  With TV powered off, enter the following key presses on the remote:

{{MUTE}} 182 {{POWER}}

ToDo / Future Work:

  • Build a console cable
  • Turn on or leave WiFi turned on in Fake-Off mode
  • Parse unencrypted audio collection
  • Clean-up the file format of saved audio.  Add encryption??
  • Streaming audio
  • Video capture / Video snapshots
  • Samsung offers remote support – is this an area of functionality to investigate?
  • Is the browser or any default apps vulnerability to MitM attacks?
  • Disable auto-upgrade by changing the configuration file

Noted Anomalies or Limitations

  • Updating firmware over internet may remove implant (not tested) or portions of the implant
  • Firmware version 1118+ eliminated the current USB installation method
  • Blue LED on back remains powered when in Fake-Off mode
  • WiFi interface is disabled in Fake-Off mode
  • Max possible storage usage is 700MB (of 1.6GB).  Increasing requires a change to (& recompile of) the source.
  • In Fake-Off mode, the Samsung and SmartHub logos are not shown.

Development Notes:

  • Build environment uses Ubuntu 12.10 and g++-4.7 compiler due to dependencies (on DEVLAN, use 10.6.5.73)
  • Current build system references compilers without the version number.  To accommodate, create the following symbolic links:
    • /usr/bin/arm-linux-gnueabi-g++ -> /usr/bin/arm-linux-gnueabi-g++-4.7
    • /usr/bin/arm-linux-gnueabi-gcc -> /usr/bin/arm-linux-gnueabi-gcc-4.7
  • use “unset VD_PRINT_DISABLE;” when running commands through telnet; otherwise, output to stdout may not be displayed
  • per.zip provides Persistence
  • start is the same as empDownload
  • Update/data/files.zip/files contains busybox and dreamhost.
  • gcc-arm-linux-gnu-abi used to cross compile tools.
  • Detailed Notes regarding Samsung F8000 Smart TV networking

Installer Notes:

  • Installation process is similar to a standard Samsung app
  • UEP.b -> app killer that checks signatures on installed apps
  • UEP.d -> kills UEP.b and kills it when it restarts (every 15-20 minutes)
  • UEP.f -> hooking one of the main Samsung apps by injecting a shared object (libt.so)
  • empDownload -> the binary that downloads other apps or adverts and is executed by the system
  • empDownload is replaced by our binary that we need to be executed.  The installer backsup the real empDownload and then replaces it with our’s.  The installer uses the API to initiate a download which then causes our empDownload to execute.  After installation, the original empDownload is restored.
  • AutoStart -> file put in moip/engines
  • start -> binary is very similar to empDownload.  Both, initially look for the “block” file which is an encrypted shell script.
  • libt.so -> shared object used by UEF.f and injected into one of the main threads to hook several functions of interest
  • dreamhost -> telnet server.  same as remshd
  • busybox -> fully featured version to include an FTP server
  • when Extending starts, it looks for dreamhost and busybox, and if they exist, starts them.
  • After Extending installed, the system must reboot.
  • For system power up, the control flow is roughly: AutoStart > libDownload.so > start > block > UEF.*

System Details:

  • Some of the primary Samsung applications are exe, exeApp, and exeDSP
  • Linux 3.0.33 SMP armv71
  • libc-2.14.1
  • compiled with gcc 4.6.4
  • /mtd_rwcommon – writable partition
  • /mtd_rwarea – writable partition
  • /mtd_rwcommon/widgets/normal – apps stored here
  • /mtd_rwcommon/tempS – audio stored here
  • /bin – busybox
  • /dtv – tempoary directory clear upon reboot
  • /mtd_swu/stb – SmartHub configuration file (STANDBYDOWNOFF = 0 -> turns off automatic updates)
  • /webkit/webbrowser/settings.db – browser sqlite database. may contain credentials.

Audio Processing:

  • During initial development, a rough approximation of bit rates for different audio quality settings were made.  Quality 1 settings required 100 kB/minutes.  Quality 5 settings required 250 kB/minutes.  Quality 7 settings required 350 kB/min.  Quality 5 seemed to provide very nice results and is usually used.
  • All audio files saved are speex encoded files encapsulated within an Ogg header structure.  The Ogg headers are not all properly filled out.  All audio files are named fileUVWXYZn where UVWXYZ are random alphanumeric characters and n is a one up counter that starts at 1.  It is believed that the 1 up file counter is used to maintain audio sequence information and this explains why some ogg headers appear incorrect or corrupt when speex decoded and the granular time increments have not been set.
  • A linux bash script named “processAudio.bsh” will process all audio files within the same directory as the script.  It concatenates all audio files into one contiguous speex encoded file named speexfile_timeStamp.spx where the timeStamp is pulled from the system time running the script.  It subsequently performs speex decoding at a 32000 Hz sampling rate to yield a wave file named processedFile_timeStamp.wav with all speex decoding output placed within the logFile_timeStamp.log file.  It then uses aplay to play the processedFile_timeStamp.wav file.

Time and Clock:

Related articles

Related articles appear here based on the labels you select. Click to edit the macro and add or change labels.

(‘contentbylabel’ missing)

SECRET // REL USA,UK

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

guardian logo

Smartphones, PCs and TVs: the everyday devices targeted by the CIA

March 7, 2017

The trove of information on alleged CIA hacking tools released by Julian Assange’s WikiLeaks organisation, which reveals that the agency maintains the capability to hack consumer devices, will raise many questions for users and technology companies alike. Everyday consumer devices including smartphones running iOS and Android operating systems, Windows and Mac computers, and even smart TVs made by manufacturers such as Samsung have all been targeted by the CIA. The release, dubbed “Vault 7” by Wikileaks, shows that the agency ensures it maintains the technical capability to hack as many popular devices as it can. The vulnerabilities described in the thousands of published documents come in all shapes and sizes: some, such as an attack which can be used to take control of older iPhones, were discovered by independent security researchers and published to encourage technology firms to fix weaknesses; others, such as one which takes control of Android phones via older versions of the Chrome browser, were apparently discovered by the intelligence agency itself, or by partner organisations such as GCHQ.

Many of the hacking tools detailed by the leak, which appears to date to mid-2016, have since been patched by the vendors, meaning that a user with a fully up-to-date device would be safe from those avenues of attack. But some, such as attacks on version 9.0 of iOS, the operating system for iPhones and iPads, seem to have been unfixed at the time the documents were made. If the CIA has continued to discover and stockpile vulnerabilities (something the US government has denied doing, insisting that it reports such software flaws to manufacturers for fixing), the agency appears likely to have similarly up-to-date hacking tools today, which would leave it able to break into even fully-patched devices. The fixed weaknesses detailed in the Vault 7 leak include many of the iOS exploits, such as one known as “Earth/Eve”, apparently purchased by the NSA from an unnamed researcher, and shared with the CIA, as well as GCHQ. The Earth/Eve exploits only work on iPhones and iPads running iOS versions 7 and 8, and were fixed when iOS 9 was released in September 2015.

Visit source for more on this story

SOURCE = The Guardian

—————————————————————————-

—————————————————————————-

Wikileaks

(Apple Airport Extreme / Time Capsule) HarpyEagle

Project Objective:

To gain root access on an Apple Airport Extreme and Time Capsule via local and/or remote means to install a persistent rootkit into the flash storage of the devices.

Table of Contents:

Project Members:

  • User #11628962’s Home – Project Lead

Attachments:


Sub-Pages:

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

guardian logo

With the latest WikiLeaks revelations about the CIA – is privacy really dead?

March 9, 2017

In the week that WikiLeaks revealed the CIA and MI5 have an armoury of surveillance tools that can spy on people through their smart TVs, cars and cellphones, the FBI director, James Comey, has said that Americans should not have expectations of “absolute privacy”. “There is no such thing as absolute privacy in America: there is no place outside of judicial reach,” Comey said at a Boston College conference on cybersecurity. The remark came as he was discussing the rise of encryption since Edward Snowden’s 2013 revelations of the NSA’s mass surveillance tools, used on citizens around the world. Both the Snowden revelations and the CIA leak highlight the variety of creative techniques intelligence agencies can use to spy on individuals, at a time when many of us are voluntarily giving up our personal data to private companies and installing so-called “smart” devices with microphones (smart TVs, Amazon Echo) in our homes.

So, where does this leave us? Is privacy really dead, as Silicon Valley luminaries such as Mark Zuckerberg have previously declared? Not according to the Electronic Frontier Foundation’s executive director, Cindy Cohn. “The freedom to have a private conversation – free from the worry that a hostile government, a rogue government agent or a competitor or a criminal are listening – is central to a free society,” she said. While not as strict as privacy laws in Europe, the fourth amendment to the US constitution does guarantee the right to be free from unreasonable searches and seizures. That doesn’t mean citizens have “absolute privacy”. “I don’t think there’s been absolute privacy in the history of mankind,” said Albert Gidari, director of privacy at the Stanford Center for Internet and Society. “You walk out in public and it’s no longer private. You shout from one window to another and someone will hear you in conversation.”

Visit source for more on this story

SOURCE = The Guardian

—————————————————————————-

—————————————————————————-

Wikileaks

(Linux Keystroke collection) Sparrowhawk

Goal

Collect user-entered keystrokes from any system terminal, and collate in a unified format across multiple Unix platforms.

Supported Target Platforms and Architectures

Keystroke

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

Mashable

Wikileaks mastermind says he wants to share CIA secrets with tech companies

March 9, 2017

Wikileaks mastermind Julian Assange says he wants to help tech companies block the CIA’s hacking techniques. “We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,” he said during a Facebook Live news conference on Thursday.

SEE ALSO: WikiLeaks document dump alleges the CIA can hack almost everything

Assange said tech companies have asked for more details about CIA hacking methods since Wikileaks released 8,761 apparently real documents on Tuesday that exposed the power of the agency’s hacking operations. The documents, allegedly part one in a series of document dumps to come, said the CIA has long been in a bureaucratic battle with the NSA. Tired of being beholden to NSA intelligence, the CIA built up its own hugely powerful hacking unit, which has since found ways around encrypted chat apps such as Signal and WhatsApp, devised ways to turn smart TVs into covert microphones, and has tried to figure out how to hack cars.

Visit source for more on this story

SOURCE = Mashable

—————————————————————————-

—————————————————————————-

Wikileaks

2014-10-23 Branch Direction Meeting notes

Date

Oct 23, 2014

Attendees

Goals

  • To address Branch concerns over personnel reallocation and possible requirements adjustments
  • To determine future goals and direction for Embedded Devices Branch
  • To better position the Branch to meet future operational needs
  • To discuss how the Branch can adapt/improve to meet these needs
  • To discuss how the Branch can work as a team to meet these goals

Discussion items

Meeting

Reference

  • Discussion of Branch Organization with User #71455
    • User #71459, User #71460, and User #71457 (also User #71458) will be relocated to ESD/CNB.
    • Slots will likely be kept in EDB (2 of 3)
  • Discussion of other potential options for reorganization with User #71455 (CNB, AIB, EDB)
  • Potential Mission Areas for EDB
    • Firmware Targets
    • Software Targets
      • Linux/Unix
      • BSD
      • Solaris
      • VxWorks – not addressed by any EDB work
      • QNX – not addressed by any EDB work, big player in VSEP
    • Software Capabilities
      • Exploitation
      • Access
      • Persistence
      • Network
      • Implant
  • “Advertising” the Branch
    • Do we have a flagship product?
    • Do we need to define “embedded systems” for management and customers?
      • Technical:  A single-purpose device that has a firmware running a software operating system.
      • Non-technical:  A computer serving a singular function that doesn’t have a screen or keyboard.
      • Really non-technical:  “The Things in the Internet of Things”
  • Discussion of need for generic implant for Linux-based Embedded Systems, applicable to future
    • A flagship product to enable the branch to better position for operations
      • Working for subset of target platforms. Once a new/similar platform is encountered, effort is decreased to focus on important problems (e.g. access, persistence)
      • Address need to pre-position for future CONOPS/requirements like  Weeping Angel (Extending) Engineering Notes
    • When do we seek customer buy-in?  How do we know what target platforms are seen day-to-day?
      • Perhaps when we have demonstrable capability, easier to ask “Where do you want us to go from here?” than “Where do you want us to start?”
    • Seek to develop modular “library” of capabilities to unify across platforms, require only necessary components
      • Multiple solutions for individual capabilities
        • e.g. When providing stealth: kernel level, via process injection, or in plain sight …
        • e.g. When providing persistence:  GRUB, initrd …
  • Discussion of Team development
  • Some discussion of need for Working Agreement – for future:
    • Mapping Values to Work – Scrum Values (excerpt from http://www.scrumalliance.org/why-scrum/core-scrum-values-roles) ?
      • Focus – Because we focus on only a few things at a time, we work well together and produce excellent work.  We deliver valuable items sooner.
      • Courage – Because we work as a team, we feel supported and have more resources at our disposal.  This gives us the courage to undertake greater challenges.
      • Openness – As we work together, we express how we’re doing, what’s in our way, and our concerns so they can be addressed.
      • Commitment – Because we have great control over our own destiny, we are more committed to success. We strive to deliver what we promise.
      • Respect – As we work together, sharing successes and failures, we come to respect each other and to help each other become worthy of respect.

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

NewsMax

UN Expert: CIA Leaks Bolster Case for Privacy Treaty

March 9, 2017

Revelations about the CIA’s use of hacking tools by anti-secrecy group WikiLeaks show the risks of mass surveillance and bolster the case for international regulation, the United Nations’ independent expert on privacy said. WikiLeaks published on Tuesday what it said were thousands of pages of internal Central Intelligence Agency discussions about hacking techniques used over several years. The CIA, which is the United States’ civilian foreign intelligence service, has declined to comment on the authenticity of the purported intelligence documents. Cyber security experts say the documents appear to be authentic. Joe Cannataci, the U.N. Special Rapporteur on the right to privacy, a job created in 2015 after Edward Snowden’s revelations about U.S. surveillance, said he was not surprised by the CIA’s capabilities, but that the case highlighted the growing security risks and the need for effective oversight.

“Probably the real story here (is) that somebody was able to get into the CIA’s supposedly secure spaces, extract and publish this stuff,” he told Reuters. Cannataci reported to the U.N. Human Rights Council this week and urged states to work towards an international treaty to protect people’s privacy, saying traditional safeguards had become outdated in the digital era. The WikiLeaks release has strengthened the case for evaluating intelligence oversight mechanisms and reinforcing them globally, he said. “The WikiLeaks CIA hacking techniques story is yet more proof, if any were needed, that intelligence agencies and the data they gather are often just as vulnerable as everybody else and that they should not be taking the risk of gathering huge amounts of data about all of us in an indiscriminate manner.”

Visit source for more on this story

SOURCE = NewsMax

—————————————————————————-

—————————————————————————-

Wikileaks

(Microsoft) Windows API Keyloggers

Overview

The following techniques are user-land Windows API methods of logging keystrokes:

GetRawInputData API

Regsiter a device to receive raw input including keyboard events. (not yet evaluated)

GetKeyboardState/GetAsyncKeyboardState API

Another user-space technique that does not involve using hooks is to continuously make calls to GetKeyboardState(). The problem with this approach is the high CPU utilization that will be incurred by spinning in this loop. It may be possible to use this method in a more targeted fashion, for example, only when a particular windows has the focus (e.g. password entry).

Another potential issue with this approach is that there are a couple “caches” of key state data (Kaspersky’s SecureList blog has a nifty post which discusses this), an asynchronous one, shared by all threads and a per-thread thread one that is updated to reflect reality whenever Windows feels like updating it.  This makes it complicated if, say, one is trying to get key(board) data when a different thread, which is likely in another process, is updating said data.

Component Reuse

None


Comments:

  • 2015-09-02 16:36 [User #71473]:I agree, but then again, this isn’t historical just yet.  It hasn’t been released
  • 2015-09-01 04:17 [User #524297]:It’s almost as if this historical tool technique information should be documented somewhere… like some sort of tool pedigree database or something…
  • 2015-08-31 20:27 [User #71473]:Just FYI, we’ve used the RawInput API to implement a liaison-releasable keylogger called Basic Bit SECRET.  This was based on a Proof-of-Concept one of our co-ops (User #20873348) did last summer called Night Stalker.

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

The Independent

WikiLeaks to make CIA cyber weapons publicly available online, Julian Assange says

March 9, 2017

WikiLeaks is to publish all of the CIA’s cyber weapons online, Julian Assange had suggested. The organisation has posted what appears to be the biggest ever leak of CIA spying secrets ever, but had previously refrained from publishing the details of the US spying agency’s weapons. Mr Assange had argued that it would be dangerous to do so, since anyone could use them once they are made public. But he has now announced that it will put those previously redacted weapons online. First, Mr Assange will give technology companies exclusive access to those weapons, so that they can be defended against. While companies like Apple and Google have claimed to have defended against the weapons revealed in the ‘Vault 7’ files, others have said that they would not be able to do so fully until the details of the weapons are revealed to them.

Once those companies have had some time to look at the details, they will be made public, Mr Assange said on a live stream that he posted online and appeared to be hosting from his room in the Ecuadorian embassy. That will presumably mean that all of the CIA’s weapons held onto by WikiLeaks will either be made useless or – if they are not properly neutralised by technology companies – will be available for anyone to use. When the Vault 7 files were published online, WikiLeaks said that it would wait until people had decided whether those weapons were made available. He said he initially refrained from doing so for fear they would find their way into the wrong hands.

Visit source for more on this story

SOURCE = Independent

—————————————————————————-

—————————————————————————-

Wikileaks

(Microsoft Windows) Shell Extension Persistence

Windows Explorer (explorer.exe) supports various types of extensions that can be used to add functionality to the default Windows shell. For example:

  • Context menu handler
  • Drop handler
  • Icon handler
  • Property sheet handler
  • Icon overlay handler
  • Column handler

Each of these extensions takes the form of a COM DLL that gets loaded into Windows explorer. While any of these handlers could be used to provide persistence for an implant, there are reasons why some are better suited for this than others. For example, the context menu handler and icon handler are only loaded into explorer when they are needed (and are then typically unloaded). This means that they cannot be relied on to load at the beginning of a user’s session (or at any time). The icon overlay handler is loaded into explorer at the beginning of a session, making it a good option for persistence.

Windows explorer will unload any extension that does not comply with the appropriate shell extension COM interface. In Windows XP this verification process is taken further with the VERCLSID application which loads extensions prior to EXPLORER and then forceably terminates them if they do not adhere to the correct interface. To avoid having to implement the required interface, we can use code that will pretend to support the desired interface when being tested with VERCLSID, but will return a E_NOTIMPL when queried by explorer. This results in a DLL that can be used as any type of shell extension.

This technique achieves persistence, stealth, and (in some cases) PSP avoidance.

Source

Based on internet code

Component Reuse

  • StepStool 1.0

SOURCE = WikiLeaks

 

—————————————————————————-

—————————————————————————-

EuroNews

WikiLeaks: CIA ‘devastatingly incompetent’, says Assange

March 9, 2017

WikiLeaks founder Julian Assange has accused the CIA of “devastating incompetence” and says he will provide details of the intelligence agency’s hacking tools to technology companies. It follows the anti-secrecy group’s disclosure of documents appearing to outline secret CIA phone- and gadget-hacking devices. Assange claims the handover of information is to allow the companies to patch software flaws. “We have decided to work with them to give them some exclusive access to additional technical details we have so that fixes can be developed and pushed out so people can be secure,” he said in a live statement on the Internet.

In response, CIA spokesman Jonathan Liu said: “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity. “Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorist, hostile nation states and other adversaries.” Experts say the leaked documents about hacking techniques used between 2013 and 2016 appear to be authentic.

Visit source for more on this story

SOURCE = EuroNews

—————————————————————————-

—————————————————————————-

Wikileaks

(Microsoft Windows) VBR Persistence

Overview

The Volume Boot Record (also known as the Partition Boot Record) contains code called Initial Program Loader (IPL).  This code is responsible for eventually launching NTLDR/WINLOAD for Windows OS partitions.  The code here is 16/32 bit assembly code (asm) which is running in a very limited context, generally having only BIOS interrupts (INT) available.

Running code here, however, can give the attacker the ability to hook Windows boot/kernel code as it is loaded, before features like PatchGuard come online.  If done correctly, custom IPL code can maintain persistence throughout the boot process of a Windows partition.  In the example used by StolenGoods 2, the end result is a stub driver that is loaded during the boot process, which can then perform tasks such as launching payload DLLs and drivers.  The stub driver does not have to be signed if the IPL persistence code is done correctly.

Sample code/Explanation

Stolen Goods 2.0 contains the VBR IPL components used to maintain persistence throughout the boot process.  The VBR IPL components were taken from Carberp, a Russian organized crime bootkit which had its source code published online.  The components work on Windows XP (32 bit) and Windows 7 (32 and 64 bit).  While Carberp advertised compatibility with Win 8, testing has shown that this is not the case currently.  The catch is that the stub driver to be loaded needs two separate DriverEntry points: One for when the IPL code calls into the stub driver, and one for when Windows calls into the stub driver.  The below sub sections will discuss some of the details.  To see a working example, check out the Stolen Goods 2.0 project.

First entry point (IPL code calls)

This entry point is called in a very limited context.  According to Carberp comments, this entry point is called from nt!KiSystemStartup. No IDT, interrupts are disabled, only 1 CPU is enabled, no PatchGuard, and IRQL is DISPATCH.  Debugger is not available, and SSE/2 “should be used very carefully, since no SSE state was saved before the call”.  The stub driver can tell the IPL called this entry point as it will not be given an Driver object (NULL param).  The sole goal of the stub driver during this first call is to inject itself into the boot driver/module list, which is in the NT Loader Block (accessed by the IPL and sent to the stub driver).  Carberp would simply copy information from another driver in the list (typically ‘nt’) and use the NULL service registry entry for the stub driver.  Once the stub driver has inserted itself into the boot list, it returns from DriverEntry and waits for the OS to call back in again.  It’s at this point that Stolen Goods 2.0 saves off other information related to payloads that it sends from the IPL to the first DriverEntry call

Second entry point (Windows calls)

This time DriverEntry is called like a normal driver.  A Driver object is given, along with a registry path (‘Null’ service registry path). Anything a driver would/could normally do in a DriverEntry can be done at this time.  In Stolen Goods 2.0, the stub would then install process/thread/image notify routines, create a device object, and set up dispatch callbacks.  From here on out, the persistence method has finished its work, and it is up to the driver developer to perform any functionality they wish.

Things you can do in the stub driver

  • Memory load a driver (unsigned is fine)
    • You obviously can’t load an unsigned driver using the normal Windows method (unless you have an exploit already).  However, using modified memory load code will allow you to memory load/execute a driver, which does not have to be signed. Stolen Goods 2.0 has code for this.
  • Install thread/image/process notify hooks
    • Get notified via callback whenever a thread or process is created, or when an image is loaded.  This allows for certain types of process injection.
  • Register dispatch routines
    • Filter file system activity, communicate with user-land processes, and more.

Component source/Reuse

Carberp is the original malware where the VBR IPL hook components were taken from.  The source is available online in a github repository.  Just google ‘carberp source’ or ‘carberp github’.

Stolen Goods 2.0 used these components, with modifications, to gain persistence on a system.

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

inquisitr

Julian Assange: Ecuador Under Intense Pressure to End WikiLeaks Founder’s Asylum

March 9, 2017

Wikileaks founder, Julian Assange, has been living in the Ecuadorian embassy in London since June of 2012. Assange applied for political asylum at that time, and his request was granted in August of 2012. According to BBC News, chief among Julian Assange’s concerns in requesting asylum is not the charges he faces in Sweden over sexual assault allegations (which he denies), but rather a worry over possible deportation to the United States, where Assange may be brought up on charges that could earn him a death sentence. It is for this reason that Ecuador has historically justified providing asylum to Assange.

The potential charges Assange could face if extradited to the United States stem from a series of leaks of official United States documents beginning with the infamous 2010 Afghanistan war logs leaked to WikiLeaks by Chelsea Manning, who was recently granted a commutation of her sentence for the crime by former President, Barack Obama, as previously reported by the Inquisitr.Now, after this weak’s headline-grabbing release of internal CIA spying documents by Wikileaks, known as “Vault 7,” Ecuador is again facing intense pressure to end asylum at its London embassy for Julian Assange. Advocates for Assange contend that he and WikiLeaks are doing a public service in releasing information to the public about what they see as misdeeds by the American government. Assange’s opponents see him as a villain interested only in doing harm to the national security interests of the United States and its allies.

Visit source for more on this story

SOURCE = The Inquisitr

—————————————————————————-

—————————————————————————-

Wikileaks

SECRET//NOFORN

Capture The Flag

(‘excerpt’ missing)

Setup

On the share (\\FS-01\share\NewDeveloperExercises\CaptureTheFlag) there is a VM titled “New Developer CTF Windows 8.1 x64.zip”. Copy the zip to your local machine and extract the VM. If VMWare asks, you copied it. The CTF snapshot sets the baseline for the challenge. If you ever run into issues with the state of the VM you can always revert to this snapshot and continue the challenges. Next, you will want to register on the CTF website. Once you have finished registering, you can submit flags as well as view the current scoreboard.

Submitting Answers

To submit answers, go to the CTF website and copy the SHA-256 string into the flag submission form. If the SHA-256 is correct you’ll see your score updated. If it is incorrect, you’ll be notified of the invalid submission.

Challenge 1: Survey

For this challenge you will be collecting information about the target machine (CTF VM). This is useful for understanding future deployments against a machine. Surveys can reveal many things about a machine and its network.

Challenge 1: To capture this flag you will need to collect the following information about the CTF VM. All strings should be wide character.

  1. Machine GUID
  2. User Name
  3. Computer Name
  4. Installed Applications (Display Name)
  5. Network Card MAC Addresses
  6. List of all mounted volumes
  7. Process List

Now, have your tool output the survey data (raw) into a file in Desktop\Results\Survey\Survey.txt. Shortly after, you’ll have your first flag!

Challenge 2: File Collection

File Collection is also an important part of what we do. Remember the main goal is to enable the collection of FI. In this line of work we run into limitations that aren’t always a problem for normal software developers. Unfortunately, we often run into bandwitdth and/or time constraints when trying to retreive information from a target computer. Thus, when designing or configuring a tool, compression, throttling, collection prioritization, and file flattening are things you should consider.

Challenge 2: Collect all of the files from User #?‘s user directory (C:\Users\User #?) with the extensions *.doc, *.docx, *.xlsx, and *.pdf. You will then need to reconstruct the collected files in the Results\File Collection folder on the Desktop. Maintain all file timestamps.

For example, let’s say I collected the following files:

C:\Users\User #?\Desktop\Passwords.xlsx

C:\Users\User #?\Pictures\MyContacts.docx

C:\Users\User #?\AppData\Local\Temp\WhereIKeepMyNukes.pdf

 

Then, the folder structure in the Results\File Collection directory would look like this:

_C

Users

User #?

Desktop

Passwords.xlsx

Pictures

MyContacts.docx

AppData

Local

Temp

WhereIKeepMyNukes.pdf

**NOTE** Notice that the the results folder on the Desktop is underneath C:\Users\User #?. Therefore, you will need to make sure you exclude the Results folder from your file collection.

Do not compress or encrypt any of the collected files. When you are done, signal the watcher that all files are collected by setting an event with the name {DEC334AC-E1E3-4582-9D4D-75A6201F053B} (See MSDN: OpenEvent and SetEvent). After your files are validated, your second flag should then appear!

Challenge 3: Compression and Encryption

Almost all of our tools utilize some combination of compression and encryption. Whenever we’re sending data back over the internet, or storing the data for later exfil, it needs to be protected. The type of compression and encryption used is dependent upon many factors and should be decided on a per tool basis. SecureBuffer (or the buffer library) is a library of readily available compression and encryption algorithms (there should never be a need to roll your own compression or encryption – these are very signaturable things). So, for this challenge you will need to download the attached files (ImprovedDummy.exe, PubKey.pem).

Challenge 3: Compress and encrypt the dummy payload to retrieve the flag.

  • Download the attached files (ImprovedDummy.exe, PubKey.pem)
  • Use SecureBuffer/Buffers Library) to compress the binary using ZLIB compression.
  • Encrypt the buffer using RSA 4096/AES 256 and the supplied public key
  • Dump the buffer into a file (raw) named ImprovedDummy.exe.enc in Results\Compression and Encryption

 

The watcher on the wall will give you the third flag upon completion.

ImprovedDummy.exe | publicKey.pem

 

Challenge 4: Payload Deployment

Many of our tools utilize other processes on the machine (sometimes our own). Since we develop tools to do specific tasks, it is important that many of our tools have the ability to load/kick off other tools.

Challenge 4: Use Windows Management Instrumentation to execute a command.

  • See MSDN Win32_Process and Win32_ProcessStartup
  • Take a look at some of the examples of WMI online
  • Now, execute the process C:\Test\CTF\Dummy.exe with the args Give Me The Flag (4 args) using WMI. You must also execute the command with the Error Mode (Win32_ProcessStartup -> ErrorMode) set to 1 (SEM_FAILCRITICALERRORS).
  • Upon executing correctly, your flag should appear.

Challenge 5: System Monitoring & Manipulation

Sometimes our implants need to react to what is happening on target. This could be recording actions the target is taking or changing what the implant itself does (only exfil data when the target is browsing the internet). Windows often utilizes messages and events to notify stakeholders of certain actions (like if a removable media device has been plugged in).

Challenge 5: Set up a notification hook for HKEY_CURRENT_USER\Software\CTF.

  • Set up a notification hook to receive notifications for any new subkeys
  • Every 30 seconds a subkey is generated and is deleted 5 seconds later
  • Once you receive the notification, enumerate the CTF subkeys to find a new value on one of the keys with the key name of “FLAG”. The flag is the default value of the FLAG key.

Challenge 6: Persistence

To maintain access to a machine we want to modify the target machine in a way that our code/binary is re-run after it has been stopped (reboot, logoff, possibly even wiped). To do this we can take advantage of mechanisms that Windows itself uses as well as flaws found in the startup process.

Challenge 6: Use the Task Scheduler, a well-known persistence mechanism, to persist ImprovedDummy across logon/logoff.

  • See MSDN ITaskScheduler (v1.0)
  • The ITaskScheduler is a COM interface (a big part of Windows object-oriented design).
  • Create a scheduled task that persists C:\Users\User #?\AppData\Roaming\Persist.exe
  • Name the task CTF
  • Create a trigger so that the command is run everytime a logon event occurs for User #?.
  • Although not required, try to go through and understand all that is happening with the COM calls that are required.

To retrieve the flag, restart the VM.

Challenge 7: Data Transfer

Once we have taken our surveys and collect our files the next step is getting that data back to IOC. There is no common interface for transferring data. Sometimes it’s storing data on removable media and sometimes it’s mimicking web traffic. In some cases, we can send data to another process so that it can exfil.

Challenge 7: Assume that the watcher process has a cool technique for mimicking web traffic. Anything that it receives over its named pipe it will forward to the LP (listening post) via the internet to an IOC LP.

  • Use the survey code from Challenge 1.
  • Connect to the named pipe \\.\pipe\{5A426ADB-11B3-4492-8602-380317833226}
  • Send the survey data over the named pipe in a single buffer (no need for multiple writes).

Once the data is received by the LP, the first half of the flag will appear.

To obtain the second half of the flag you will use the Windows Sockets API to send the survey data to a real LP.

  • Read through the Windows Sockets API (Specifically WinSock2)
  • Connect and send data to 127.0.0.1 port 27015 (TCP)
  • Once verified, the LP will send you “tasking” the tasking is the second half of the flag.

Challenge 8: PSP Evasion

Since our code is malicious in nature, PSPs (personal security products) are looking for us. There are many different types of signatures that PSPs use to try to determine whether a binary is attempting to do something malicious. In many cases, we can evade detection by PSPs by understanding how they catch us and creating workarounds that accomplish the same tasks.

Challenge 8: Modify the source of our program so it no longer is caught by the PSP

  • Download the attached project, open and compile it.
  • Take the compiled release version of the binary and put it on the CTF VM and run it. Note that it is caught by Windows Defender immediately.
  • Modify the source (to complete the same goal), and bypass the Windows Defender sandbox.
  • Once you have passed all of the PSPs checks, running the program should cause your flag to appear.
  • Note: It is often simple to defeat PSPs. Especially if you can pinpoint what exactly it is they are flagging you for.

NOTE: Ensure that you build the binary Release_Static

PSPEvasion.zip

Challenge 9: Execution Vectors

Gaining execution on a machine can be one of the most difficult aspects of a computer operation. Sometimes we’ll have exploits that let us gain access without any target interaction and other times we will engineer scenarios in which we can bait the target into allowing us access.

Challenge 9: In this scenario you will perform a DLL Hijack on a portable third-party application.

  • Grab a copy of the Sumatra PDF application (attached)
  • Analyze the application using PEBear and/or ProcMon to find the vulnerable DLL name (find a DLL that is looked for in the local/current directory first and has only a few imports).
  • Generate your own DLL to use as a hijack for the application.
  • Your DLL should also drop and run C:\Test\CTF\DummyDLL.dll using the attached DummyDLL file. Run the DLL by calling LoadLibrary inside of the Sumatra PDF application.
  • Embed Dummy DLL in your Hijack DLL by placing it in the resources (Raptor) or as a byte array in a header file (Melomy).
  • Run the Sumatra PDF application to receive your flag

SumatraPDF.exe | DummyDLL.dll

Challenge 10: Privilege Escalation

Depending on our execution vector, the context our code is running in when we first gain access to a target may be at a privilege level that blocks us from doing things or obtaining information. That means that we’ll need to pair our execution vector with another “exploit” to get us to the privilege level we need.

Challenge 10: In this challenge you will be given background information that describes a vulnerability (known and unpatched by Microsoft) that allows you to bypass UAC (go from User level privileges to Administrator level privileges without notifying the user). Use your new-found knowledge of the vulnerability to have your User privileged code gain Administrator privileges.

Background Information

UAC Bypasses: When working with UAC Bypasses for Windows 7+ there are a couple of requirements for the target machine. The first requirement is that the user your code will be running as is an Administrator user (not limited, and not a guest), The second requirement is that the UAC (User Account Control) level must be at default or below. You will note that both these things are true on the CTF VM.

 

Auto-Elevated Processes: Since Windows Vista, Microsoft made modifications to the security process in an attempt to reduce the number of UAC prompts. One of the ways it did this was by allowing some processes to be automatically elevated. These auto-elevated process were limited to a select few Microsoft processes. These process must be signed by a specific Microsoft certificate, must specify auto-elevation in their manifest, and must reside in a specific set of locations. When executed by the user, the processes automatically are given Administrator privileges. The user calling the process does not get a return handle to the process it just created (they didn’t want to make it that easy).

 

Artillery

To implement the Artillery UAC Bypass (In-House name) we take advantage of the Windows Update Standalone Installer (wusa.exe). This is an auto-elevated process provided to us by Microsoft in System32. The wusa.exe allows for command line options, one of which allows you to extract a CAB file to an arbitrary location. With a little research, we have also discovered that if printui.exe (another auto-elevated process) is moved from System32 to another directory, it has a vulnerability in its DLL loading process. When looking for CryptBase.dll the auto-elevate process looks in its local directory first before looking in System32.

Putting this together we know we can do the following to get the auto-elevated process to load our shim DLL:

  1. Write our shim to a user accessible location
  2. Write a copy of printui.exe to a user accessible location
  3. Call makecab to put each of these files into a cab format
  4. Call wusa.exe to extract both files to System32\MUI
  5. Call System32\MUI\printui.exe

Now, to complete the challenge:

  • Download a copy of the “Shim” DLL
  • Embed the shim in your tool – Keep it as a byte array in a header file (Melomy) or in your binary’s resources (Raptor)
  • Using your knowledge of the vulnerability, move the shim and any other required files to there appropriate locations
  • Execute the privilege escalation to see your flag.

PrivEscShim.dll

 

Finishing Up

 

SECRET//NOFORN


Comments:

  • 2015-05-21 12:37 [User #524297]:I keep mine at your mom’s house.  Shhh.
  • 2015-05-20 15:04 [User #71473]:

    WhereIKeepMyNukes.pdf

    Best. filename. EVAR.


Attachments:

SOURCE = WikiLeaks

—————————————————————————-

—————————————————————————-

VideoLAN
Internets, March 9th, 2017
On Tuesday, the 7th of March 2017, the Wikileaks organization released a new series of documents code-named “Vault 7” that are allegedly acquired through a leak from the U.S. Central Intelligence Agency. These documents reveal the existence of a malware arsenal, including “zero days” exploits, against a wide range of products (some of them being mainstream devices and software).
One revelation(1) concerns a tool that exploits a modified old version of VLC media player.
The described tool gathers documents from a computer or network and, in order to hide its activity, runs inside VLC Portable 2.1.5 on Microsoft Windows platforms. Such modified software provides a legitimate appearance (plays media files) while scanning the computer or the network for its intelligence purpose.
VideoLAN is taking these revelations very seriously but it is important to note that the leaked document does not describe a vulnerability that is remotely exploitable, nor is present in a normal VLC installation. The technique used is a modification of the software’s manifest in order to force the loading of a fake dynamic library “psapi.dll”,
instead of using the official Windows version. This DLL contains the malware’s
executable code. The attack described in the leaked document requires:
•physical access to the targeted computer,
•Microsoft Windows XP or later host system,
•and execution of the tool allegedly developed by the CIA (provided on “thumbdrive”, but notexclusively).
We would like to bring to your attention that this exploit is nothing different than installing a trojaned software from an untrusted source. The only safe source for getting VLC media player is the official VideoLAN website(2).
Security of our users data is of prime importance. As a consequence, we have taken counter-measures to prevent malware from hiding their activity behind VLC media player. The used attack vectormodification will not be possible starting from the next minor release, 2.2.5. We are also working on hardening the VLC security for the next major releases (3.x.x).
VLC media player is a free and open-source multimedia player that is being used by millions of people worldwide. It is made by the VideoLAN non-profit organization which is run by volunteers. All its members strongly believe in open source and standards
.
The VideoLAN team

 

SOURCE = VLC (VideoLan)

—————————————————————————-

—————————————————————————-

Wikileaks

6. Basic Forensics

SECRET//NOFORN

 

String and Data Obfuscation

When building a tool you will almost inevitably have to use some set of strings or sensitive data. When security products or professionals scan a system we don’t want to make it easy for them to find something malicious by just doing a string search. Thus, in order to obfuscate what the tool is doing we obfuscate the strings or data being used. You should also scan the binary you deliver against usernames and names of people on the project as many times mistakes are made and PDB strings (file paths that often inculde usernames) are left in the final binary. There are many products we use to help us automate portions or all of string/data obfuscation. For example, take a look at Marble Framework Home SECRET to see how the framework uses Visual Studio to help automate obfuscation during build time.

Memory vs On Disk

So you may already have a good idea of where we’re going with this. Memory refers to the volatile memory on the machine while the disk is non-volatile. This difference is important when developing malicious software. As a development shop we tend to do most of our work in memory and rarely leave unencrypted artifacts on disk. That being said, all persistence is gained by writing to a non-volatile location on the machine. Thus, it is good to keep in mind that anything on disk shouldn’t contain anything too cool for school. Also, on disk artifacts are more likely to be detected by Personal Security Products (PSPs).

Secure Delete and Self-Delete

When we do end up needing to leave artifacts on disk we most often require that the tool is securely deleted. As you may already know, when you delete a file you merely remove the reference to it in the file system and you don’t actually wipe the appropriate bytes on disk. Self-delete refers to the set of techniques in which the executing code is able to delete itself from disk. Sometimes this is done insecurely but the risk of doing this is managed by the customers. You can vist 9. Tradecraft to see the standard for secure deletion.

Obfuscation vs Encryption

It is important to understand the differences between how we use obfuscation vs encryption. Obfuscation usually applies to strings/data that we wish to protect from automated scans. Encryption applies to data we wish to protect from our adversaries. That being said, any data that can be recovered with some light reverse engineering is merely obfuscated. When developing a tool it is important to identify which parts need to be encrypted or obfuscated.

Forensics Exercise

(‘section’ missing)

 

(‘section’ missing)

(‘section’ missing)

 

(‘section’ missing)

 

(‘section’ missing)

 

(‘section’ missing)

 

(‘section’ missing)

SECRET//NOFORN


Attachments:

SOURCE = WikiLeaks

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s