A researcher accidentally roots Microsoft Azure’s Red Hat Update Infrastructure, newly discovered router flaw in-the-wild & hacking Windows 10 by holding down the shift key.

Plus your questions, our answers & a great round up!

Show Notes:

Researcher accidentally roots Microsoft Azure’s Red Hat Update Infrastructure servers

  • “I was tasked with creating a machine image of Red Hat Enterprise Linux that was compliant to the Security Technical Implementation guide defined by the Department of Defense.”
  • “This machine image was to be used for both Amazon Web Services and Microsoft Azure. Both of which offer marketplace images which had a metered billing pricing model. Ideally, I wanted my custom image to be billed under the same mechanism, as such the virtual machines would be able to consume software updates from a local Red Hat Enterprise Linux repository owned and managed by the cloud provider.”
  • “Both Amazon Web Services and Microsoft Azure utilise a deployment of Red Hat Update Infrastructure for supplying this functionality.”
  • “There is only one Red Hat Update Appliance per Red Hat Update Infrastructure installation, however, both Amazon Web Services and Microsoft Azure create one per region.”
  • “Both Amazon Web Services and Microsoft Azure use SSL certificates for authentication against the repositories. However, these are the same SSL certificates for every instance.”
  • “On Amazon Web Services having the SSL certificates is not enough, you must have booted your instance from an AMI that had an associated billing code. It is this billing code that ensures you pay the extra premium for running Red Hat Enterprise Linux.”
  • “On Azure it remains undefined how they manage to track billing. At the time of research, it was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available.”
  • “On Azure to setup repository connectivity, they provide an RPM with the necessary configuration. The installation script it references comes from the following archive. If you expand this archive you will find the client configuration for each region.”
  • The post goes over how the hostnames for all of the Update Appliances were discovered
  • “The build host is interesting rhui-monitor.cloudapp.net, at the time of research running a port scan revealed an application running on port 8080.”
  • “Despite the application requiring username and password based authentication, it was possible to execute a run of their “backend log collector” on a specified content delivery server. When the collector service completed the application supplied URLs to archives which contain multiple logs and configuration files from the servers.”
  • “Included within these archives was an SSL certificate that would grant full administrative access to the Red Hat Update Appliances”
  • So now the researcher could access each Update Appliance with full administrative access and create new packages, or newer versions of common packages, that include a backdoor. Every Red Hat VM on the entire cloud provider would then install this “important security update”, giving the attacker full access to every machine
  • “Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.”
  • Even if gpgcheck was enabled, it is likely that the GPG key would be exposed to the administrator of the update appliance
  • “The issue was reported in accordance to the Microsoft Online Services Bug Bounty terms. Microsoft agreed it was a vulnerability in their systems. Immediate action was taken to prevent public access to rhui-monitor.cloudapp.net. Additionally, they eventually prevented public access to the Red Hat Update Appliances and they claim to have rotated all secrets.”
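The gpgcheck point above is easy to audit on a client: yum and dnf read their repository definitions from INI-style .repo files, and a repo with gpgcheck unset or set to 0 will install whatever the repository serves. The script below is an added example, not code from the researcher’s post or from Red Hat; it parses a constructed .repo file (placeholder hostnames, not real RHUI endpoints), flags enabled repositories that would accept unsigned packages, and shows that simply forcing gpgcheck=1 is not enough when no gpgkey is configured.

```python
"""Audit yum/dnf .repo files for repositories that accept unsigned packages.

Added example, not from the post. Assumes repository definitions are in the
INI format yum/dnf use. The sample below is constructed; the hostnames are
placeholders, not real cloud-provider RHUI endpoints.
"""
import configparser
import io
from typing import Dict, List

# Constructed sample: an RHUI-style repo with gpgcheck=0 (client-certificate
# auth only), a correctly signed repo, a repo with gpgcheck unset, and a
# disabled repo that the audit should ignore.
SAMPLE_REPO_FILE = """
[rhui-example-region-rpms]
name=Example RHUI region repo (constructed)
baseurl=https://rhui.example.invalid/pulp/repos/content/dist/rhel/rhui/server/7/$releasever/$basearch/os
enabled=1
gpgcheck=0
sslverify=1
sslclientcert=/etc/pki/rhui/product/content.crt
sslclientkey=/etc/pki/rhui/content.key

[example-signed]
name=Example signed repo (constructed)
baseurl=https://repo.example.invalid/rhel/7/$basearch/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-unset]
name=Repo with gpgcheck unset (constructed)
baseurl=https://other.example.invalid/rhel/7/$basearch/os
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-disabled]
name=Disabled repo, ignored by the audit (constructed)
baseurl=https://off.example.invalid/
enabled=0
gpgcheck=0
"""


def parse_repo_file(text: str) -> configparser.ConfigParser:
    """Parse .repo text. interpolation=None keeps $basearch/$releasever literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repos(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for enabled repos that would accept unsigned packages.

    A missing gpgcheck is treated as disabled: both yum and dnf default it to
    off unless the [main] section of the global config turns it on.
    """
    cp = parse_repo_file(text)
    findings: Dict[str, List[str]] = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repos are never consulted by yum/dnf
        problems: List[str] = []
        gpgcheck = sec.get("gpgcheck", "0").strip()
        if gpgcheck != "1":
            problems.append("gpgcheck not enabled: unsigned packages from this repo are installed")
        elif not sec.get("gpgkey"):
            problems.append("gpgcheck=1 but no gpgkey configured: signatures cannot be verified")
        if problems:
            findings[repo_id] = problems
    return findings


def hardened_copy(text: str) -> str:
    """Return the repo file with gpgcheck=1 forced on every enabled repo (key still required)."""
    cp = parse_repo_file(text)
    for repo_id in cp.sections():
        if cp[repo_id].get("enabled", "1").strip() == "1":
            cp[repo_id]["gpgcheck"] = "1"
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    for repo, problems in audit_repos(SAMPLE_REPO_FILE).items():
        print(repo, "->", "; ".join(problems))
    # Re-audit the hardened copy: the RHUI repo is still flagged, because it has no gpgkey.
    print("after hardening:", audit_repos(hardened_copy(SAMPLE_REPO_FILE)))
```

Run it against the files in /etc/yum.repos.d/ to see which repositories a host trusts blindly. Note the caveat from the post applies regardless of the client setting: gpgcheck only helps if the signing key is held somewhere the appliance administrator cannot reach.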

Newly discovered router flaw being hammered by in-the-wild attacks

  • “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.”
  • “Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.”
  • “SANS Dean of Research Johannes Ullrich said in Monday’s post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland.”
  • “The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.”
  • “The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.”
  • Exploit Code
  • “To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices”
  • “The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:”
    • busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
    • busybox killall -9 telnetd
  • “which should make the device “secure”… until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
  • So while exploited routers will stop being vulnerable to other attackers, they will be harder for the ISP to fix properly
  • ISPs could help protect their customers, and their own command-and-control of customers’ routers, by blocking inbound port 7547 from outside of their network
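The last bullet is the defensive counterpart to the malware’s own iptables rule: only the ISP’s management systems should ever reach TCP/7547 on a customer router. The script below is an added example, not code from the article, SANS or BadCyber. It assumes the router or ISP edge logs WAN-side packets in the kernel netfilter LOG format (SRC=/DST=/DPT= fields), uses a constructed management range and constructed log lines (documentation addresses), and counts 7547 connection attempts from anywhere else. It also prints the equivalent allow-list rules for the WAN interface.

```python
"""Flag inbound TR-069/TR-064 (TCP/7547) attempts from outside the ISP management range.

Added example, not from the article. Assumes netfilter LOG-format lines
(e.g. "... IN=eth0 OUT= SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=7547 ...").
The management network and the log sample are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed: the ISP's ACS / management network. Only it should reach 7547.
MANAGEMENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2 placeholder
TR069_PORT = 7547

# Constructed sample lines; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
Nov 28 10:01:02 cpe kernel: WAN-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 28 10:01:09 cpe kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=7547 SYN
Nov 28 10:01:15 cpe kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=7547 SYN
Nov 28 10:01:20 cpe kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=33333 DPT=443 SYN
Nov 28 10:01:31 cpe kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=33334 DPT=7547 SYN
Nov 28 10:01:40 cpe kernel: LAN-IN: IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=5000 DPT=7547 SYN
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Extract (in_iface, src, proto, dport) from a netfilter LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("iface"), m.group("src"), m.group("proto"), int(m.group("dpt"))


def is_management(src: str) -> bool:
    """True if src falls inside one of the ISP's management networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MANAGEMENT_NETS)


def find_tr069_probes(log_text: str, wan_ifaces: Tuple[str, ...] = ("eth0",)) -> Dict[str, int]:
    """Count TCP/7547 attempts per source that arrived on a WAN interface from
    outside the management range. LAN-side and management traffic is ignored."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        iface, src, proto, dport = parsed
        if iface not in wan_ifaces or proto != "TCP" or dport != TR069_PORT:
            continue
        if is_management(src):
            continue
        hits[src] += 1
    return dict(hits)


def suggested_rules(wan_iface: str = "eth0") -> List[str]:
    """iptables rules that allow 7547 only from the management nets, then drop the rest.
    Unlike the malware's blanket DROP, this keeps the ISP's own remote management working."""
    rules = [
        f"iptables -A INPUT -i {wan_iface} -p tcp --dport {TR069_PORT} -s {net} -j ACCEPT"
        for net in MANAGEMENT_NETS
    ]
    rules.append(f"iptables -A INPUT -i {wan_iface} -p tcp --dport {TR069_PORT} -j DROP")
    return rules


if __name__ == "__main__":
    for src, count in sorted(find_tr069_probes(SAMPLE_LOG).items()):
        print(f"{src}: {count} attempt(s) on TCP/{TR069_PORT} from outside management range")
    print("\n".join(suggested_rules()))
```

On a real deployment the same logic belongs at the ISP edge (a per-customer allow-list on 7547) rather than on the CPE alone, since a device that has already been infected can no longer be reached to apply the rule.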

Hack Windows 10 by holding down Shift+F10

  • “Every Windows 10 in-place Upgrade is a SEVERE Security risk”
  • During the update process, when the computer boots into the updater, holding Shift+F10 will pop a command prompt running as SYSTEM, the highest privilege level possible on Windows.
  • What makes this worse is that this happens after the volume encryption keys have been loaded, so even BitLocker-encrypted disks are exposed to unauthorized access
  • “This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.”
  • “There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video.”
  • “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software.”
  • Additional Coverage: BleepingComputer
  • “In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to perform an update, even if a user is not present, or has logged on for a long period of time.”
  • “At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows. Microsoft has decided that these will be forced by default.”
  • “Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being.”
  • “The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades”
  • “Furthermore, Laiho says that Windows SCCM (System Center Configuration Manager) can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.”
  • The Police could use this on seized laptops, just keep the machine offline until the next “feature update”, then pop a command prompt during the installation, and have unrestricted access to the encrypted disk.
