BlueFrag: The Android Bluetooth exploit

I posted about a back in February about a new Android bug in the Bluetooth stack (CVE-2020-0022). This is a nasty bug that affects Android 8-10 devices and requires no user interaction the attack just needs to be in proximity to any Android device that has Bluetooth enabled. In Android 8 and 9 it’ll gain remote code execution and in Android 10 it’ll just crash the Bluetooth stack. BlueFrag is the name of the exploit that takes advantage of this vulnerability.

Links:

The next generation Direct Kernel Object Manipulation techniques

Direct Kernel Object Manipulation (DKOM) is a technique that allows for software to “hook” in with the Windows operating system at the kernel level. This video is from the INFILTRATE 2019 conference and is titled “DKOM 3.0: Hiding and Hooking with Windows Extension Hosts.” Where they take advantage of a Windows subsystem introduced in Windows 7 to hook the kernel.

Links:

Persistence via device firmware

I was reading an article published by SANS, which lead me down a rabbit hole of modifying firmware to have a persistent implant and all the research that has been done on the topic. Firmware runs on a majority of the devices in a modern day computer systems, ranging from a laptop to a cell phone. This includes components such as the track pad, HDD/SSD, network card, USB hubs, GPUs, etc. Doing this research I stumbled on the fact that PCI devices can directly talk to one another with NO OS supervision. So things like antivirus programs or even host based firewalls won’t be able to observe what is going on. This is due to the device directly communication across the PCI/PCIe bus and by modifying the firmware you can achieve persistence and could potentially be platform agnostic.

Links:

A great presentation on building a custom exfil system using software defined radios

Paul Clark, who literally wrote the book on using software defined radios, gave a presentation on how he built a custom data exfiltration box using software defined radios (SDRs) for Black Hills Information Security (BHIS). By all accounts this capability could be very challenging to spot especially because listing on a single MHz of the RF spectrum would generate 8MB of data per second and if you do frequency hopping it significantly increases the complexity. He also goes through how GNURadioCompanion (GRC) actually generates Python code from the flow graphs that you build the user interface. At the tail end of the presentation Paul discusses the work of Josh Conway and how he built a device he calls the SigInt Tablet for about $150 that will allow for sampling of the RF spectrum and also how he found he could actually transmit data simply by applying voltage to a GPIO pin which could potentially used to interfere or even jam a RF transmission.

Links:

How to disable LLMNR

Update 20191226: In the latest updates for Windows 10 and Windows Server 2019 these steps are slightly different. You need to disable two local GPOs policies. The first is labeled as “Turn off smart multi-homed name resolution” and the second is “Turn off multicast name resolution”.

Many of you are probably already familiar with what Responder does. It takes advantages of protocols such as LLMNR to spoof responses to Windows auto proxy discovery. Black Hills Information Security has just published a blog post on how to disable LLMNR. This protocol has no security, is a broadcast layer 2 protocol and was designed to be used for DNS resolution when there is no DNS server in the network. Nice right? It is also how Windows performs it’s proxy discovery since Windows Vista and it can be spoofed from any node on the broadcast domain. This has been used by hackers to send the user to a proxy server they control to steal user credentials for websites such as online banking and also exploit the browser itself.

BHIS Blog Post: http://bit.ly/2RHtBAZ