Thursday, January 1, 2015

2014 - the infosec year in review - part 6

This is part 6 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014. I'll wrap the series up this week so it doesn't drag too far into 2015.

Item: November 2014 Patch Tuesday

What is (or was) it?  A horrible time to be a systems admin and a great time to be an attacker.

Why is it significant? Microsoft released several critical patches in November 2014.  MS14-068 is the one most people have heard the most about - that's the one that allows an attacker to write their own Kerberos golden ticket - Willy Wonka style.  Using any domain account, you could take domain admin.  It is the ultimate in privilege escalation and there's already proof-of-concept code available. Almost makes penetration testing boring :).

Note: technically, the patch for MS14-068 was not released on Patch Tuesday; it was released the week after in an out-of-band update.  But it was originally scheduled to be released then, so it still counts.

The second bug that was newsworthy was the "God Mode" bug for VBScript (MS14-064).  This got lots of coverage as a "unicorn vulnerability," presumably because the press was reaching for a way to sensationalize complicated topics.  I was particularly excited about this bug since it offers attackers an easy method to bypass ASLR.

The third bug, MS14-067, got almost no press.  But in any other month it would have been the "must patch" bug of the month.  That's how bad November was for systems admins.  This bug offered attackers remote code execution through Microsoft XML Core Services.  I noted something with this bug that I suspect most system admins missed.  Microsoft usually makes multiple unrelated code changes in a patch to help obscure the actual fix.  This doesn't work very well; most competent reverse engineers see right through it.  It doesn't prevent reversing the patch, but it is supposed to make it just a little harder.  Microsoft had a hard month prepping for the patch releases, though, and in this patch only made changes to two functions.  Notice the extra conditional on the left?  Yeah... that's the condition you want to violate in the unpatched code :)

MS14-067 Graphical Patch Diff (BinDiff)

A final note is that Microsoft notified defenders to be ready for a critical Exchange server patch in November as well, but that patch was pulled for QA reasons.  I don't think it was QA at all - MS realized how bad November sucked for system admins and had a heart.

Could it have been prevented? Not applicable here - but if you haven't applied these patches, get on it quick.  MS14-068 is being exploited in the wild.  My recommendations don't matter though - we'll see it on penetration tests for some time to come.

Stay tuned for more installments in the Infosec year in review.
