BlueFrag: The Android Bluetooth exploit

I posted about a back in February about a new Android bug in the Bluetooth stack (CVE-2020-0022). This is a nasty bug that affects Android 8-10 devices and requires no user interaction the attack just needs to be in proximity to any Android device that has Bluetooth enabled. In Android 8 and 9 it’ll gain remote code execution and in Android 10 it’ll just crash the Bluetooth stack. BlueFrag is the name of the exploit that takes advantage of this vulnerability.


ADV200006: Yet more bugs in the Windows font subsystem

Microsoft announced on Monday March 23rd that they observed two exploits being used in the wild that target the font rendering subsystem in Windows. There is NO patch for these vulnerabilities as of this posting. These require the user to open up a document or a web page that has a font in it that will then exploit the Adobe Type Manager subsystem in Windows (all versions) to gain remote code execution. Typically these types of vulnerabilities gain execution in the Windows kernel where the font subsystem code is run. This means a hacker would have SYSTEM access to a Windows target, which, you know, is not good!


SMBGhost: New unauthenticated RCE SMB v3 bug found in modern Windows

CVE-2020-0796, better known as SMBGhost, was accidentally announce by Microsoft during March 2020’s Patch Tuesday. This bug is in their implementation of compression in SMB v3 and is both unauthenticated and remote and will result in remote code execution on the target machine with no user interaction. This gives it potential to be turned into a worm that will spread through a Windows Active Directory network like wild fire.


Persistence via device firmware

I was reading an article published by SANS, which lead me down a rabbit hole of modifying firmware to have a persistent implant and all the research that has been done on the topic. Firmware runs on a majority of the devices in a modern day computer systems, ranging from a laptop to a cell phone. This includes components such as the track pad, HDD/SSD, network card, USB hubs, GPUs, etc. Doing this research I stumbled on the fact that PCI devices can directly talk to one another with NO OS supervision. So things like antivirus programs or even host based firewalls won’t be able to observe what is going on. This is due to the device directly communication across the PCI/PCIe bus and by modifying the firmware you can achieve persistence and could potentially be platform agnostic.


New bug found in sudo discovered

CVE-2019-18634 is bug affects the tool named “sudo” versions less than 1.8.26 on both Linux and macOS that gives non-root users the ability to run commands as though they are root. The feature of sudo that has the stack overflow is the password feedback, which is thankfully disabled on a majority of Linux distributions, such as Ubuntu. However Mint and Elementary are two distros that have enabled this feature. macOS has this feature enabled, but Apple already has a patch for it.


Android has a CRITICAL bug in it’s Bluetooth implementation

If you are an Android user you should update your phone/tablet RIGHT NOW! Google has patched a very serious bug (CVE-2020-0022) in their Bluetooth service that, get this, can be exploited remotely with no user interaction and has the potential to be turned into a worm! If your device doesn’t receive updates then get a new one or switch to using an iPhone/iPad (which I believe is far more secure). Even the latest version of Android (10) still has the bug, but it’ll only crash the Bluetooth daemon (for now).


How to disable LLMNR

Update 20191226: In the latest updates for Windows 10 and Windows Server 2019 these steps are slightly different. You need to disable two local GPOs policies. The first is labeled as “Turn off smart multi-homed name resolution” and the second is “Turn off multicast name resolution”.

Many of you are probably already familiar with what Responder does. It takes advantages of protocols such as LLMNR to spoof responses to Windows auto proxy discovery. Black Hills Information Security has just published a blog post on how to disable LLMNR. This protocol has no security, is a broadcast layer 2 protocol and was designed to be used for DNS resolution when there is no DNS server in the network. Nice right? It is also how Windows performs it’s proxy discovery since Windows Vista and it can be spoofed from any node on the broadcast domain. This has been used by hackers to send the user to a proxy server they control to steal user credentials for websites such as online banking and also exploit the browser itself.

BHIS Blog Post: