CyRC Case Study: Exploitable memory corruption using CVE-2020-25669 and Linux Kernel

This in-depth analysis explores CVE-2020-25669, a vulnerability that exploited a memory corruption issue in Linux Kernel.

Aims and challenges of memory corruption research

One of the primary goals of the Synopsys Cybersecurity Research Center (CyRC) is to determine the extent to which vulnerabilities can be exploited. Publicly available advisories often describe the impacts of vulnerabilities in general terms, with boilerplate scores applied to vulnerabilities based on their type. Memory corruption bugs, however, are challenging to exploit on modern systems due to exploit mitigation mechanisms such as Address Space Layout Randomization and Pointer Authentication. Proof-of-concept “exploits” that are included in the advisories for memory corruption vulnerabilities will usually cause the affected application to crash, demonstrating an availability impact. Proof-of-concept exploits that demonstrate more severe impacts, such as arbitrary code execution, are rarer. 

In the modern world, advanced threat actors are a fact of life—a fact many of our customers are all too familiar with. Many software bugs, especially those involving memory corruption, can be leveraged in ingenious ways to achieve the total subversion of the target application. Determining the level of exploitability of specific vulnerabilities is an art shrouded in mystery to the untrained eye. In the course of our work, we often find vulnerabilities for which our team’s knowledge and experience cast doubt on their reported impacts. 

This blog post highlights an interesting vulnerability and some of our analysis methods. Vulnerability CVE-2020-25669 involves a memory corruption issue within the Linux kernel. One of the most important factors with regards to the kernel’s stability and security is the safe management of dynamically allocated memory resources. It is very important that objects that exist in dynamically allocated portions of memory are not accessed by a kernel component once it has released that portion of memory for use by other kernel components. To do so constitutes a so-called use-after-free event. Use-after-free bugs can have very serious security implications, as attackers can leverage them for powerful exploit primitives.

Summary of CVE-2020-25669

On November 5, 2020, an advisory was published on the oss-security mailing list detailing a vulnerability within the Linux kernel’s Sun Microsystems keyboard driver (located at drivers/input/keyboard/sunkbd.c). This advisory, which includes a proof-of-concept exploit, describes how a use-after-free event can occur in the sunkbd_reinit() function. The proof-of-concept exploit reliably triggers the use-after-free event but does not demonstrate any impact beyond a potential denial of service. Some of the publicly available advisories that describe CVE-2020-25669 state that the vulnerability could potentially be leveraged to achieve privilege escalation, but this guidance appears to have been issued on general terms. (As previously stated, this is common with advisories that discuss memory corruption vulnerabilities.) Until recently, there were not any publicly available resources about how the vulnerability could be exploited to carry out such an attack. Now though, Black Duck® Security Research (part of CyRC) has demonstrated that an attacker in possession of a suitable reallocation gadget could leverage this vulnerability to gain control of the instruction pointer. A local attacker could potentially use this execution redirection primitive as part of a chain to construct a full-fledged privilege escalation exploit.

Vulnerable code analysis

The Sun Microsystems keyboard driver uses a structure (struct sunkbd) to describe a keyboard device. Instances of this structure are used to store information relating to each device’s state. The structure is defined as follows:

struct sunkbd { 
unsigned char keycode[ARRAY_SIZE(sunkbd_keycode)];
struct input_dev *dev;
struct serio *serio;
struct work_struct tq;
wait_queue_head_t wait;
char name[64];
char phys[32];
char type;
bool enabled;
volatile s8 reset;
volatile s8 layout;
};

What’s New: Cequence Unified API Protection SIEM Integration

The Cequence Unified API Protection cumulative release (v5.2 to v5.4) adds new capabilities to enhance the export, categorization, and the prioritization of security events. In addition, there is enhanced rationalization of API endpoint discovery when multiple endpoints are found. These added capabilities further ensure the discovery and compliance of all your APIs, along with attack detection, prevention, and testing – as APIs are constantly added into your infrastructure.

Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals

Introduction

Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain that work across a variety of different industry verticals such as Automotive, Chemicals Manufacturing and others. In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute “Grandoreiro” a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America. Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot.

How to Get Your Cloud Analytics Project Approved by Security and Compliance Teams

Cloud-based analytics tools are taking the world by storm. Across multiple jurisdictions and verticals they’re unlocking value from corporate data to help teams make better business decisions. By minimizing data silos, lowering costs and enhancing collaboration, cloud technologies are democratizing and enhancing capabilities previously only available to the largest enterprises. Business leaders now realize that, if they don’t have a data analytics initiative, they may be on the fast-track to irrelevance.

Honeypot Attack Summaries with Python, (Thu, Aug 18th)

This diary was contributed by Jesse La Grew

Looking through Cowrie [1] data on a DShield honeypot [2] can be a bit of a challenge sometimes. Great tools like jq [3] can make this much easier but adding some context can be useful. We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal. That goal was to have the capability to review attacks seen on my honeypot from a tablet without needing to type any complicated commands. 

How to detect suspicious activity in your AWS account by using private decoy resources

As customers mature their security posture on Amazon Web Services (AWS), they are adopting multiple ways to detect suspicious behavior and notify response teams or workflows to take action. One example is using Amazon GuardDuty to monitor AWS accounts and workloads for malicious activity and deliver detailed security findings for visibility and remediation. Another tactic is to deploy decoys, also called honeypots, as an effective way to detect suspicious behavior.

Nvidia’s CTO on the Future of High-Performance Computing

So where will we turn for future scaling? We will continue to look to the third dimension. We’ve created experimental devices that stack atop each other, delivering logic that is 30 to 50 percent smaller. Crucially, the top and bottom devices are of the two complementary types, NMOS and PMOS, that are the foundation of all the logic circuits of the last several decades. We believe this 3D-stacked complementary metal-oxide semiconductor (CMOS), or CFET (complementary field-effect transistor), will be the key to extending Moore’s Law into the next decade.