Security research tool had security problem


Batu69

Plugin for popular disassembler OllyDbg allowed man-in-the-middle diddle

Security researchers, and the networks they rely on, were at risk of being breached by the very hackers they investigate, thanks to now-mitigated man-in-the-middle holes in a popular plugin for the OllyDbg debugger.

The debugger disassembles binaries, making it a handy way to understand an application's inner workings without access to its source code. Those abilities mean OllyDbg is often found in malware investigators' toolkits.

Forcepoint special investigations head Andy Settle found two man-in-the-middle holes in StrongOD, an anti-evasion OllyDbg plugin installed on some 750,000 machines, and wrote up the findings in the paper The Freeman Report [PDF].

Identified users include researchers at US-based Carnegie Mellon University, the campus IT shop at Britain's University of Warwick, and Australia's University of New South Wales.

The vulnerabilities aren't terrifying, as users need to accept an update before the dodgy plugin can do its worst, and the mere offer of an update will look suspicious to dedicated OllyDbg users, since the application has not been refreshed since 2012.

The attack will also struggle because seasoned researchers run malware analysis inside clean virtual machines that are isolated from the host, wiped clean on reboot and sandboxed from the underlying operating system.

Some users, however, are students and amateur researchers learning the reverse engineering tradecraft, and so may run OllyDbg on a standard operating system.

A buffer overflow also allows suitably placed attackers to execute shellcode.

Further, the man-in-the-middle vector restricts the attack to those sitting on the same network as the researchers or, more feasibly, to whoever has control of cracklife.com.

"As theoretical as this research may sound, through the action of acquiring the domain cracklife.com and sinkholing it, Forcepoint has prevented a malicious threat actor from compromising the members of the security research community across the globe," Settle says.

"Another reason for publishing this research is that those who are most at risk are those who endeavour to protect us.

"This research demonstrates that no-one is invulnerable and that everyone needs to be vigilant."

All instances of the StrongOD plugin call back to the since-dead website, meaning anyone who registered the domain would have had the opportunity to compromise scores of researchers.

Settle bought cracklife.com, thereby sinkholing the scores of requests and shuttering the vector.

He then analysed the requests, finding information including the location of each user and the number of pings each made to the site.

Some 75 per cent of users were located in China, according to Settle, with the remainder spread across other countries.

"If software is not used, then remove it," Settle says.

 

Article source

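The sinkhole analysis the article describes (counting check-ins per client and the share of clients per country) can be reproduced on ordinary web-server access logs. The script below is an added example, not code from the article or from Forcepoint; it assumes the sinkhole answers plain HTTP and writes Apache combined-format logs, and the callback path, user-agent string, log lines and the COUNTRY_STUB lookup (a stand-in for a GeoIP database) are all constructed sample data.

```python
"""Summarise sinkhole traffic to a defunct plugin-update domain.

Added example; not code from the article or Forcepoint. Assumptions: the
sinkhole answers plain HTTP and writes Apache combined-format access logs;
the callback path, user-agent, log lines and COUNTRY_STUB (a stand-in for
a GeoIP lookup) are constructed sample data.
"""
import re
from collections import Counter

# combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample of what the sinkholed update domain might log.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2017:10:00:01 +0000] "GET /update/version HTTP/1.1" 200 12 "-" "StrongOD-updater"
198.51.100.7 - - [01/Mar/2017:11:05:10 +0000] "GET /update/version HTTP/1.1" 200 12 "-" "StrongOD-updater"
garbage line that must be skipped, not crash the parser
203.0.113.11 - - [01/Mar/2017:12:00:00 +0000] "GET /update/version HTTP/1.1" 200 12 "-" "StrongOD-updater"
192.0.2.5 - - [01/Mar/2017:12:30:00 +0000] "GET /update/version HTTP/1.1" 200 12 "-" "StrongOD-updater"
192.0.2.5 - - [01/Mar/2017:12:31:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "scanner"
203.0.113.10 - - [02/Mar/2017:10:00:03 +0000] "GET /update/version HTTP/1.1" 200 12 "-" "StrongOD-updater"
"""

# Constructed stand-in for a GeoIP database (documentation-range addresses).
COUNTRY_STUB = {"203.0.113.10": "CN", "203.0.113.11": "CN",
                "198.51.100.7": "CN", "192.0.2.5": "US"}

def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarise(log_text, callback_path="/update/version"):
    """Count check-ins per client IP and the share of clients per country."""
    pings = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the run
        # Only the plugin's callback path counts, so scanner noise hitting
        # the sinkhole does not inflate the victim tally.
        parts = rec["req"].split()
        if len(parts) == 3 and parts[1] == callback_path:
            pings[rec["ip"]] += 1
    by_country = Counter(COUNTRY_STUB.get(ip, "??") for ip in pings)
    clients = sum(by_country.values())
    share = {c: n / clients for c, n in by_country.items()} if clients else {}
    return {"pings": dict(pings), "clients": clients, "country_share": share}
```

The same parser, pointed at your own proxy or DNS logs rather than the sinkhole's, shows which internal hosts still have the plugin installed and beaconing.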

Man-in-the-middle attacks are now easier than ever with the new electronic devices that are available to some. I can sit in a coffee shop that provides wifi and have my device emulate the coffee shop's network device, so you are logging into me instead of the coffee shop router. It then records everything you do, including your logins and passwords. It has worked on up to 38 people at one time, recording their browsing and logins. It is not OS specific, since it records data from Linux and Mac OS X, as well as Android and iOS. Of course it does the most insecure OS in the world, Windows. I can even carry the device walking down the street and it will allow devices to connect to it, thinking it is a standard wifi connection, at which time they try to log in and check email accounts, etc. The best advice is to turn off wifi and bluetooth on all your portable devices and never use public wifi for anything. I use my phone data to create a hotspot that only my computer can access, as this is the only secure means of connecting outside the home or business. You never know who will be 'listening'. This is really a no-brainer for anyone who has the money and access to purchase these devices.
