WinShock (MS14-066) and MS14-064 Exploits Gone Wild, Patch Now!

Recap

Last week's Patch Tuesday included two critical bulletins. MS14-066 fixed CVE-2014-6321, a remote code execution vulnerability in the SChannel Security Service Provider that affects every application relying on it for SSL/TLS. MS14-064 fixed vulnerabilities in Windows OLE, including CVE-2014-6332, which is reachable through VBScript in Internet Explorer and affects Windows from Windows 95 with IE 3.0 up to Windows 10 with IE 11. More background can be found in our earlier blog post; in summary, our advice was to patch your systems now, without delay.

That was last week, where are we now?

Exploit: All The Things!

“As both security researchers and blackhats are inevitably working toward creating a workable exploit, enterprises need to apply the patch released to all applicable systems without delay.”

The promise of exploitation was kept by @yuange, who released a proof of concept for CVE-2014-6332 that lets an attacker launch notepad.exe on a victim machine from a web page. Rik van Duijn then adapted it to run PowerShell, which injects the payload directly into memory. Using PowerShell also maximises the chance of evading anti-virus: nothing is written to disk, and powershell.exe is a signed Microsoft binary that is often whitelisted as a trusted application.

The proof of concept injected a reverse_tcp Meterpreter payload into memory, yielding a shell from which system commands could be executed. Rik van Duijn has since released it as a Metasploit module, so that any Metasploit payload can be delivered through it. That makes the exploit far easier to deliver and increases the likelihood that systems vulnerable to CVE-2014-6332 will be targeted.

Meanwhile, Immunity Inc have published a separate proof of concept for their CANVAS tool that targets the SChannel bug itself (CVE-2014-6321, MS14-066) and may allow remote code execution (RCE) over the Windows Remote Desktop Protocol (RDP).

Vulnerability Checking

Anexia have released a script that checks whether a Windows system has been patched. It does not probe the bug itself; instead it infers patch state from the cipher suites the server offers, because MS14-066 also introduced four new TLS cipher suites (TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384). A server that accepts any of them has the update installed; one that rejects all four probably does not.

To run the tool you specify a target IP address and a port on which a service accepts SSL/TLS connections (443 for HTTPS, for example). If the script hangs or times out, a firewall is probably blocking the connection, you are reaching the host indirectly, or nothing is listening on that port.

Example:

[Screenshot: running the winshock test script against a target host and port]

Vulnerable System Result:

[Screenshot: script output reporting the target as vulnerable]

Patched System Result:

[Screenshot: script output reporting the target as patched]

Disclaimer

While the results in our lab testing were accurate, Anexia warn that the script can produce false negatives and false positives in certain cases. The check is only a heuristic: a patched server on which the new cipher suites have been disabled by policy, or a platform that never received them, will be reported as vulnerable. Treat the result as a hint for further investigation (for example, confirming on the host that the update is actually installed) rather than taking it on faith.
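The same heuristic can be implemented without the script. The following is an added example written for this post, not Anexia's tool or any vendor code, using only the Python standard library. It sends a TLS 1.2 ClientHello that offers nothing but the four AES-GCM cipher suites MS14-066 introduced and classifies the server's first record: a ServerHello selecting one of them means the update is present; a handshake_failure alert means none were accepted, which is what an unpatched SChannel returns, but also what a patched one with those suites disabled by policy returns, so the verdict is deliberately labelled "possibly unpatched". The target name in the `__main__` block is a placeholder, and the live `check_host` function needs network access; everything else runs offline.

```python
"""Cipher-suite heuristic for MS14-066 patch state (constructed example).

Sends a TLS 1.2 ClientHello offering only the four AES-GCM suites that
MS14-066 added to SChannel and classifies the server's first record.
Standard library only; the live check needs network access.
"""
import os
import socket
import struct

# RFC 5288 code points for the four suites MS14-066 introduced.
MS14_066_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_HANDSHAKE_FAILURE = 40


def build_client_hello(suites, server_name=None):
    """Return a TLS record carrying a ClientHello that offers only `suites`."""
    extensions = b""
    if server_name:  # server_name extension (type 0) with one host_name entry (type 0)
        name = server_name.encode("idna")
        sni_list = struct.pack("!BH", 0, len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2 * len(suites))          # cipher_suites length
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 3.1 for compatibility with older stacks.
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def classify_response(data):
    """Map the server's first TLS record to a (verdict, detail) pair."""
    if len(data) < 5:
        return "unknown", "short or empty response"
    ctype, _version, rlen = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        if payload[1] == ALERT_HANDSHAKE_FAILURE:
            # Unpatched SChannel, or a patched one with the suites disabled by policy.
            return "possibly unpatched", "handshake_failure: no MS14-066 suite accepted"
        return "unknown", "alert description %d" % payload[1]
    if ctype == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello: type(1) length(3) version(2) random(32) sid_len(1) sid cipher(2)
        if len(payload) < 39:
            return "unknown", "truncated ServerHello"
        offset = 39 + payload[38]
        if len(payload) < offset + 2:
            return "unknown", "truncated ServerHello"
        (suite,) = struct.unpack("!H", payload[offset:offset + 2])
        if suite in MS14_066_SUITES:
            return "patched", MS14_066_SUITES[suite]
        return "unknown", "server selected 0x%04x, a suite we did not offer" % suite
    return "unknown", "unexpected record type 0x%02x" % ctype


def check_host(host, port=443, timeout=5.0):
    """Live check against host:port (needs network). Returns (verdict, detail)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(MS14_066_SUITES), server_name=host))
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(check_host(target, target_port))
```

Run it with a host and port of any SChannel-backed TLS service (HTTPS, RDP, IIS-hosted mail). A "patched" verdict is reliable because only the four new suites were offered, so the server cannot have chosen one without the update; "possibly unpatched" needs confirming on the host itself, for the same policy and platform reasons that apply to Anexia's script.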

Inevitable XP Swansong

Microsoft have given no indication that Windows XP will be patched. Decommission any vulnerable XP machines; where that is not currently possible, segregate the legacy environment to limit its exposure.

Links

http://blog.beyondtrust.com/triggering-ms14-066

https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module/

http://itsecurityguru.org/microsoft-patches-winshock-flaw-amid-attack-reports/#.VGoZModLGiA

A WinShock Tale: The Patchable and Un-patchable

Introduction

On Tuesday Microsoft released MS14-066, a critical update for SChannel, the SSL/TLS library that ships with Windows and underpins encrypted services such as HTTPS, RDP and TLS-protected mail on both server and desktop editions. The vulnerability it fixes, CVE-2014-6321, affects almost every supported version of Windows and allows a remote attacker to execute code by sending specially crafted packets to a service that uses SChannel.

‘Unicorn-like’

The same Patch Tuesday also shipped MS14-064, which fixes CVE-2014-6332, a 19-year-old bug in Windows OLE that is reachable from VBScript in Internet Explorer and that its IBM X-Force discoverer described as ‘unicorn-like’. Cisco reports that attackers exploiting it can sidestep the Enhanced Protected Mode sandbox in IE 11 as well as the Enhanced Mitigation Experience Toolkit (EMET). The problem dates back to the inclusion of VBScript in IE 3.0, and Cisco warn that further undiscovered bugs in that code may still pose a threat.

Exploits Imminent

No exploit for the SChannel flaw has surfaced yet, but one is inevitable: it would let an attacker run arbitrary code on a targeted server by sending “specially crafted” packets to an SChannel-backed service, and from there deploy malicious code to other vulnerable systems. Microsoft states that there are no workarounds or mitigating factors for this vulnerability; the only fix is the update.

“Every major TLS stack: OpenSSL, GNUTLS, NSS, MS SChannel, and Apple SecureTransport has had a severe vulnerability this year,”

Tony Arcieri, security engineer

This year has made clear that attackers are targeting the channels machines use to talk to each other, and the implementations that secure them (Heartbleed in OpenSSL and Apple's ‘goto fail’ are the best-known examples). These channels carry usernames, passwords and financial details that are highly desirable to attackers, and a flaw in a TLS stack exposes every application built on it at once.

“So in war, the way is to avoid what is strong, and strike at what is weak.”

Sun Tzu, The Art of War

It makes more sense for an attacker to go after infrastructure that has stayed essentially unchanged for many years than after applications that are updated and hardened on a regular basis.

The Un-patchable

Microsoft quickly issued patches for these vulnerabilities but left out machines running Windows NT, 2000 and XP, because it no longer supports those operating systems. Joe Barrett, senior security consultant with Foreground Security, warns that this support expiration may make this the first true “forever-day” vulnerability. Microsoft's stance of halting security patches for older operating systems, even in a case like this where the product was clearly vulnerable at the point of sale, means enterprises now know that some of their systems will end up exploitable but un-patchable. It is easy to forget that Windows XP still holds 17.18% of the operating system market (NetMarketShare). Given how Microsoft has articulated this issue, it is clear they expect an exploit to be developed soon.

Plan of Action

While Microsoft have rightly said little about the vulnerability details, the patches themselves help inform exploit development by revealing which code was changed. As both security researchers and blackhats are inevitably working toward a workable exploit, enterprises need to apply the update to all applicable systems without delay. To prevent serious compromises, systems running un-patchable versions of Windows need to be isolated and then removed. The most likely targets of this vulnerability are externally reachable SSL/TLS services such as web and mail servers.

Johannes Ullrich, PhD, of the SANS Technology Institute has outlined several steps that should be taken to address the vulnerability:

1. Flag every SSL/TLS service for attention. It may be useful to check your last external infrastructure scan to ensure all have been identified, and the scan should be repeated regularly.

2. Examine internal servers too: a single compromised host on the network can be used to reach systems that are not directly exposed.

3. Audit all devices, such as laptops, that leave the controlled perimeter. They are unlikely to be listening for SSL connections, but insufficient lock-down may have left vulnerable instant messenger software or older SSL VPN services exposed. A port scan should indicate the degree of exposure.

4. Patch in a controlled, verifiable and reproducible way. Good operational procedures reduce the chance of vulnerable systems being missed in a hurried, ill-conceived patching exercise. The system must be rebooted after the patch is applied for it to take effect.

5. Make sure you know how to disable specific cipher suites or SSL modes of operation, in case Microsoft publish workarounds.

(An up-to-date inventory of systems is essential for treating vulnerabilities, formulating counter-measures and preparing alternative emergency configurations.)

Cisco Guidance

Cisco published a blog post on WinShock reporting that multiple vulnerabilities are bundled within the single CVE, ranging from buffer overflows to certificate validation bypasses. They also published Snort rules, SID 32404-3242. For a technical breakdown of the related CVE-2014-6332 bug and how it can be exploited, see “IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows” by Robert Freeman.

Links

How bad is the SCHANNEL vulnerability (CVE-2014-6321) patched in MS14-066?

https://isc.sans.edu/diary/How+bad+is+the+SCHANNEL+vulnerability+%28CVE-2014-6321%29+patched+in+MS14-066%3F/18947

Microsoft Security Bulletin MS14-066 – Critical

https://technet.microsoft.com/library/security/MS14-066

Cisco Talos: Microsoft Update Tuesday, November 2014

http://blogs.cisco.com/security/talos/ms-tuesday-nov-2014

IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows

http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGXfJodLGiC

Market Share of Operating Systems

http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0