ISSSource White Papers

Posts Tagged ‘Python’

Tuesday, August 18, 2015 @ 08:08 AM gHale

Apple released security updates last week for OS X, iOS, Safari and OS X Server, which take care of over 100 vulnerabilities, including the local privilege escalation Zero Day.

OS X Yosemite 10.10.5 addresses a total of 135 security holes, according to an advisory published by Apple. The list includes issues affecting components such as Apache, Bluetooth, bootp, Data Detectors Engine, the date/time preferences pane, the Dictionary app, DiskImages, FontParser, groff, ImageIO, the kernel, QuickTime, sudo, Python, PostgreSQL, and various libraries.

Leveraging OS X Zero Day
Workaround for .NET Bug
Zero Day for Apple App Store, iTunes
Mobile IE Zero Days

Apple also went to fix the local privilege escalation vulnerability (CVE-2015-3760) reported privately to the company a few months ago by the researcher known as “beist.” The Zero Day ended up disclosed publicly in July by German researcher Stefan Esser. The company said the flaw is a path validation issue in the dynamic linker dyld.

The flaw, related to the DYLD_PRINT_TO_FILE environment variable, has been undergoing exploitation.

Apple fixed the vulnerability in the upcoming OS X 10.11, also known as El Capitan, but not in current releases. The advisory said the patch available for OS X Yosemite v10.10 to v10.10.4 addresses the bug through “improved environment sanitization.”

Apple also patched 71 vulnerabilities in iOS, including ones leveraged for jailbreaks. The security bugs fixed by iOS 8.4.1 affect various components, including Air Traffic, Backup, bootp, code signing, the kernel, ImageIO, Safari, and WebKit.

Some of the flaws addressed with the release of iOS 8.4.1 are the same as those patched in OS X.

Twenty-six WebKit-related vulnerabilities have also been patched with the release of Safari 8.0.8, 7.1.8, and 6.2.8.

Apple also updated OS X Server. Version 4.1.5 released to address the denial-of-service (DoS) vulnerability affecting the BIND DNS software.

Tuesday, July 16, 2013 @ 03:07 PM gHale

While out of the attack malware piece for quite awhile, there is now a piece of malicious software targeting Mac devices.

An interesting aspect to Backdoor:Python/Janicab.A is the file that hides the malware uses the right-to-left override (RLO) character to mask its extension, said researchers at F-Secure.

Win 8 CAPTCHA Malware
Trojan Speaks Local Languages
Trojan Takes Over Google Docs
Trojan Uses Fake Adobe Certificate

The Unicode RLO character supports languages written right to left, such as Hebrew or Arabic. However, malware developers have been abusing it to mask the extensions of malicious files.

In the case of the Mac malware analyzed by F-Secure, the malicious file has the .app extension ( However, because the RLO trick is in play, the Unicode character ends up placed before the “f,” the file becomes RecentNews.ppa.pdf.

Once launched, the malware drops a decoy document. In the meantime, it creates a cron job for its launch point, and a hidden folder where it stores its components.

The malware gets its command server’s address from YouTube videos and other websites.

Its main goal is to take screenshots and record audio by using a third-party application called SoX.

Janicab.A’s code in Python, it uses py2app for distribution, and it ended up signed with an Apple Developer ID.

Tuesday, August 7, 2012 @ 06:08 PM gHale

As if it wasn’t already abundantly clear, XYSEC Labs security experts developed the Android Framework for Exploitation (AFE), an open source project meant to demonstrate the existence of security holes in the popular mobile operating system.

The framework can easily create malware and botnets, find vulnerabilities, use exploits, gain access to apps, steal sensitive data, and execute arbitrary commands on infected devices, said researchers Aditya Gupta and Subho Halder.

APT Targets Android
Apps Access Data Without Permission
Android OS: No Permissions Required
Platform-Specific Java Attack

“Most of the part of the framework has been built in Python, however there are other languages involved as well,” Gupta said.

“For the start, we have built some pre-defined templates, in which the malware services could be injected, and the apk would be built. We have kept in mind that, it should be easy to use. The user just needs to input his local IP, and the features he would like to have in his malware, and just build it. That’s it. No programming needed,” he said.

A wave of spam messages received by Android users started talk in the security community, many professional pointing the finger at the first-ever Android botnet.

It later turned out that it wasn’t the case, but with the Android Framework for Exploitation the experts want to demonstrate that an Android botnet is certainly possible.

AFE’s botnet module includes options that allow the malicious element to remain hidden from the victim, the capability of re-launching itself in case of a crash, and an automatic startup feature on device boot.

The project is open source because the experts want to allow other developers to pitch in their ideas and enhance AFE’s capabilities.

AFE is constantly undergoing improvement by Gupta and Halder, but after its public release in September, the experts are counting on the community’s support in making the framework as complex as possible.

Friday, June 8, 2012 @ 11:06 AM gHale

Hacking group UGNazi took down a string of sites including HostGator in live tests of a new Denial of Service (DoS) attack tool.

The tool, dubbed #TheHolocaust, targeted undisclosed vulnerabilities and had crippled HostGator in seconds from a machine with 2Gb of RAM, via a 10Mbps/2Mbps link, the group said in a published report.

Google Rolls Out Attack Warning
Google: Web Sites Hacked
Focus to Fix Sign-On Flaws
Hackers Expose Site’s Security Hole

HostGator and payments company remained offline until they resolved the issue.

The hackers wrote the DoS tool in Python and C++ and targeted vulnerabilities that would be easy to patch, group member named the “Godfather” said.

“We do not want to show the DOS Tool #TheHolocaust to the public yet as it is in development,” they said in the published report. “It affects the connection of the [targeted] server, as well as the [targeted] webserver.”

Not so long ago, UGNazi hacked cloud provider WHMCS through a social engineering attack against HostGator.

The perpetrator, named Cosmo, ended up arrested by the FBI. UGNazi in a later hack changed the DNS records of image board 4Chan pointing visitors to the hacking group’s Twitter account.

The latter hack was possible after they gained access to the personal Gmail account of CloudFlare’s chief executive Matthew Prince. The DoS protection company said the hackers navigated past Google’s two factor authentication exploiting a now fixed “subtle recovery flaw” and bypassed his AT&T voicemail PIN.

UGNazi claimed that hack was worse than what the CloudFlare led on they “got into their main server” and accessed customer account information including name, IP address and payment data.

Friday, April 13, 2012 @ 05:04 PM gHale

Python developers released updates for Python 2.7 and 3.2 with changes that address several security issues, including two fixes for hash collision problems.

The flaw allows attackers to create key/value data crafted so the hashes for the keys are more likely to collide. This forces the system to spend much more time when creating key/value hash tables and can then work in a denial of service attack.

A+ Discovery: Student Finds Zero Day
Socially Engineered Emails a Threat
IT Security: Physical, not Just Cyber
McAfee: Abundant Gaps in Security

A user can avoid the issue by using a randomized hash function, now implemented in the four versions of currently supported Python. One fix corrects Python’s own hashing, while another fix corrects the same issue in the C-based Expat XML parsing library embedded in Python.

Python developers said to avoid breaking applications which rely on the order of dictionary iteration, they have made the hash randomization disabled by default. This is despite the Python language making no guarantees on order of dictionaries and sets but they have not changed for some time and a number of applications may rely on them say the developers. To enable hash randomization, users must add -R to the python command line or set the environmental variable PYTHONHASHSEED to “random.” The expat XML parsing library is hash randomized by default.

Also fixed: An unrelated denial of service issue in the Simple XML-RPC Server with Python, where excessive CPU could occur if requests were begun but the connection closed before the request body completely sent. Finally, a countermeasure against the CBC IV attacks on SSL 3.0 and TLS 1.0 incorporated into OpenSSL is now back on in Python, after officials discovered the coders had inadvertently disabled the countermeasure when setting options.

Further details on the fixes in Python 2.7.3, the current stable Python 2.x version, and Python 3.2.3, the current stable Python 3.x version, are available. Windows and Mac OS X installers and source code for both these versions are available for download. The fixes are also available for Python 2.6.8 which is in source-code-only security-fix-only mode ahead of its retirement in October 2013, and Python 3.1.5, which is in the same mode and due for retirement in 2014.

Archived Entries