writing security tools and exploits

An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. […] The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane. […] External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.

To explain.

Net-NTLMv2 authentication, which we’ll just call NTLM2 for short, works very roughly like this,:

Actually, there’s a fair bit more to it than that, because there are actually two keyed hashes, one mixing in the two 8-byte random-challenge numbers and the other mixing in additional data including your username, domain name and the current time.

But the underlying principle is the same.

Neither your actual password or the stored hash of your password, for example from Active Directory, is ever transmitted, so it can’t leak in transit.

Also, both sides get to inject 8 bytes of their own randomness every time, which prevents either party from sneakily re-using an old challenge string in the hope of ending up with the same the keyed hash as in a previous session.

(Wrapping in the time and other logon-specific data adds extra protection against so-called replay attacks , but we’ll ignore those details here.)

Sitting in the middle

As you can imagine, given that the attacker can trick you into trying to “logon” to their fake server (either when you read the booby-trapped email or, worse, when Outlook starts processing it on your behalf, before you even get a glimpse of how bogus it might look), you end up leaking a single, valid NTLM2 response.

That response is intended to prove to the other end not only that you really do know the password of the account you claim is yours, but also (because of the challenge data mixed in) that you’re not just re-using a previous answer.

So, as Microsoft warns, an attacker who can time things right might be able to start authenticating to a genuine server as you, without knowing your password or its hash, just to get an 8-byte starting challenge from the real server…

…and then pass that challenge back to you at the moment you get tricked into trying to login to their fake server.

If you then compute the keyed hash and send it back as your “proof I know my own password right now”, the crooks might be able to relay that correctly-calculated reply back to the genuine server they’re trying to infiltrate, and thus to trick that server into accepting them as if they were you.

In short, you definitely want to patch against this one, because even if the attack requires lots of tries, time and luck, and isn’t terribly likely to work, we already know that it’s a case of “Exploitation Detected” .

In other words, the attack can be made to work, and has succeeded at least once against an unsuspecting victim who themelves did nothing risky or wrong.

SmartScreen security bypass

The second zero-day is CVE-2023-24880 , and this one pretty much describes itself: Windows SmartScreen Security Feature Bypass Vulnerability .

Simply put, Windows usually tags files that arrive via the internet with a flag that says, “This file came from outside; treat it with kid gloves and don’t trust it too much.”

This where-it-came-from flag used to be known as a file’s Internet Zone identifier, and it reminds Windows how much (or how little) trust it should put in the content of that file when it is subsequently used.

These days, the Zone ID (for what it’s worth, an ID of 3 denotes “from the internet”) is usually referred to by the more dramatic and memorable name Mark of the Web , or MotW for short.

Technically, this Zone ID is stored in along with the file in what’s known as an Alternate Data Stream , or ADS , but files can only have ADS data if they’re stored on NTFS-formatted Wiindows disks. If you save a file to a FAT volume, for example, or copy it to a non-NTFS drive, the Zone ID is lost, so this protective label is not perrmanent.

This bug means that some files that come in from outside – for example, downloads or email attachments – don’t get tagged with the right MotW identifier, so they sneakily sidestep Microsoft’s official security checks.

Microsoft’s public bulletin doesn’t say exactly what types of file (images? Office documents? PDFs? all of them?) can be infiltrated into your network in this way, but does warn very broadly that “security features such as Protected View in Microsoft Office” can be bypassed with this trick.

We’re guessing this means that malicious files that would usually be rendered harmless, for example by having built-in macro code suppressed, might be able to spring into life unexpectedly when viewed or opened.

Once again, the update will bring you back on par with the attackers, so: Don’t delay/Patch it today .

What to do?

A little something for everyone on a patchwork Patch Tuesday

Follow @NakedSecurity on Twitter for the latest computer security news.

Follow @NakedSecurity on Instagram for exclusive pics, gifs, vids and LOLs!

Sophos Firewall Home Edition

Sophos scan & clean, sophos cloud optix, 4 comments on “ microsoft fixes two 0-days on patch tuesday – update now ”.

Hello Paul and friends I got this warning from Firefox the other day : Search results for your ******@hotmail.com account have detected that your email may have been exposed. We recommend you act now to resolve this breach. I’m on Linux and use the Thunderbird client for several email accounts. Is it sufficient to log onto my micro soft account in a web browser and change the password? cheers Ralph

You might as well change your password (if you have a password manager it’s easy enough to invent and remember a new one)… and maybe consider turning on 2FA at the same time for a bit more protection?

The problem with those “your email is on a list” warnings is that they don’t really tell you much more than “some crooks have data that includes your email address and perhaps other data that may or may not be correct.” (Did they get a password to go with it? A phone number? An address? Was any of that additional data actually correct? Who can say?)

I already know that 100s or 1000s of crooks gave my email just from the quantity of spam, scam and phishing emails I get…

It’s true, I get more junk in my junk folder than regular mail, I suspect even my former bank doxxed my email address to all their partners. I’ve had hotmail since 1998, it was my first email account so over the years before all this cyber insecurity blossomed, it was my main account. It is going to take a while to change my email address with my banks etc. over to my gandi.net email. I hope gandi is reputable.

Why not just keep both addresses?

What do you think? Cancel reply

IMAGES

Writing Security Tools and Exploits
Writing Security Tools and Exploits: Buy Writing Security Tools and Exploits by Foster James at
ToolWar Provide You Updated, Released Hacking, Cracking, Exploits,Vulnerability Scanning
Writing Security Tools and Exploits by James C. Foster
[100% OFF] Writing Security Tools In Ethical Hacking
Writing Security Tools In Ethical Hacking

VIDEO

Warhammer Online Exploits + Hacks
NSA HACKING TOOLS PAYLOAD DEPLOYMENT 1
Warhammer Online Gameplay Cheats & Hacks
Exploit Development for Beginners
1- Introduction to Exploiting
Xploit #Cyber_Security Academy 👨🏻‍💻

COMMENTS

Writing Security Tools and Exploits
This item: Writing Security Tools and Exploits $41.21 $38.46 Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals James C Foster 13 Paperback 16 offers from $8.63 Buffer Overflow Attacks: Detect, Exploit, Prevent Jason Deckard 23 Paperback 15 offers from $2.47
Writing Security Tools and Exploits
Exploits are written from a local attacker's perspective and have the potential to escalate privileges, overwrite files, or compromise protected data. These types of exploits are difficult to write and successfully perform. It is a common practice to run a race condition exploit more than once, before a successful exploitation occurs.
Writing Security Tools and Exploits (Enhanced Edition‪)‬
Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. ...
Writing Security Tools and Exploits
The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. Unlike other security and programming books that dedicate hundreds of pages to architecture and theory based flaws and exploits, this book will dive right into deep code analysis.
Writing Security Tools and Exploits
Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction.
Writing Security Tools and Exploits
Writing Security Tools and Exploits 1st Edition, Kindle Edition by James C Foster (Author) Format: Kindle Edition 11 ratings ISBN-13: 978-1597499972 ISBN-10: 1597499978 Why is ISBN important? Share Add to book club Not in a club? Learn more Kindle $9.97 - $33.82 Paperback $35.60 - $37.78 Other Sellers from Buy $33.82 Rent $15.01 eBook features:
Writing security tools and exploits
Writing security tools and exploits by Foster, James C Publication date 2006 Topics Computer security -- Handbooks, manuals, etc, COMPUTERS -- Internet -- Security, COMPUTERS -- Networking -- Security, COMPUTERS -- Security -- General, Computer security Publisher Rockland, MA : Syngress Collection inlibrary; printdisabled; internetarchivebooks
Writing Security Tools and Exploits [PDF]
Download Writing Security Tools and Exploits PDF. Register for Free Membership to [email protected] Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder's Configuring ISA Server 2004, Brian Caswell and Jay Beale's Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez's Ethereal Packet Sniffing.
Chapter 1. Writing Exploits and Security Tools
Abstract. This chapter describes the exploitation frameworks and discusses the reason for this exploits working against only service packs of Windows 2000. The complexity and impact of exploits is ...
Writing Security Tools and Exploits.
Writing security tools and exploits. Foster, James C. and Vincent Liu. Syngress Media, Inc. 2006 638 pages $49.95 Paperback QA76.9 Exploits are programs developed by hackers that take advantage of weaknesses in code. In this work Foster (executive director of global product development, Computer Sciences Corporation), Liu ("an IT security ...
Chapter 1: Writing Exploits and Security Tools
Writing Security Tools and Exploits Learn to read, analyze, modify, and write custom exploits and enhance security tools with little or no assistance with help from this authoritative text. TABLE OF CONTENTS
Writing security tools and exploits [electronic resource]
Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. Unlike other security and programming books that dedicate hundreds of ...
Writing Security Tools and Exploits by James C Foster
Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with...
Writing security tools and exploits (2006 edition)
Writing security tools and exploits by James C Foster, 2006, Syngress edition, in English
Writing Security Tools and Exploits
Writing Security Tools and Exploits. Learn to read, analyze, modify, and write custom exploits and enhance security tools with little or no assistance with help from this authoritative text. TABLE OF CONTENTS . Writing Security Tools and Exploits. Chapter 1: Writing Exploits and Security Tools.
Writing Security Tools and Exploits (2006 edition)
Writing Security Tools and Exploits by James C. Foster, 2006, Elsevier Science & Technology Books edition, in English
9781597499972: Writing Security Tools and Exploits
Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. ...
9781597499972: Writing Security Tools and Exploits
Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. ...
Microsoft fixes two 0-days on Patch Tuesday
SmartScreen security bypass. The second zero-day is CVE-2023-24880, and this one pretty much describes itself: Windows SmartScreen Security Feature Bypass Vulnerability. Simply put, Windows ...