Weaponized Comic Sans | TechSNAP 254

Weaponized Comic Sans | TechSNAP 254

A common vulnerability is impacting Firefox, LibreOffice, and others, the 7 problems with ATM security, and the Enterprise grade protection defeated with a batch script.

Plus some great questions, our answers, a rockin roundup, and much much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

The 7 problems with ATM security

  • Kaspersky presents a list of the 7 reasons why ATMs are so easily compromised, based on a talk given at the SAS2016 conference
  • “Automated teller machines (ATM) have always a been a big target for criminals. In the past hunting for ATMs included some heavy tools like a cutting torch or explosives. However with the dawn of the Digital Age, everything has changed. Nowadays culprits can ‘jackpot’ an ATM without such special effects.”
  1. ATMs are basically just computers (PCs)
  2. That PC is likely running an old operating system (in early 2014, 95% of all ATMs still ran Windows XP)
  3. The software other than the OS is also likely vulnerable. Many ATMs still have the bundled version of flash that came with stock Windows XP, which now has 9000 known vulnerabilities
  4. ATMs have no software integrity control, no antivirus solutions, no authentication of an app that sends commands to cash dispenser.
  5. Weak physical security for the PC part of the ATM. While the deposit box and cash dispenser are armored against attack, the PC is usually only hidden behind some thin plastic. “There is no money in that part of the ATM”
  6. ATM control PCs have standard interfaces, that are not secured. Let me just plug this USB stick into your ATM, now it is my ATM
  7. ATMs are increasingly directly connected to the Internet. You can find ATMs on Shodan
  • ATMs are not replaced very often, so upgrades to the physical protections of the PC component will likely not happen very soon
  • When was the last time you saw an ATM down for software updates?
  • Maybe if the criminals keep stealing large amounts of money, the banks will be more interested in replacing the ATMs
  • This of course doesn’t cover the private ATMs you often see in convenience stores

FireEye Detection Evasion and Whitelisting of Arbitrary Malware

  • Researchers at Blue Frost Security have developed a way to evade the dynamic analysis of the FireEye suite of security appliances
  • The FireEye appliance works by starting untrusted binaries and applications in virtualization and observing what they do
  • If the application is found to be malicious, it is blocked
  • Only applications allowed by the FireEye device can be run on the protected computers
  • “The analysis engine evasion allows an attacker to completely bypass FireEye’s virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal whitelist of binaries for which the analysis will be skipped until the whitelist entry is wiped after a day”
  • “FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.”
  • “No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.”
  • Let’s take the filename FOO%temp%BAR.exe which results in:
  • copy malware.exe “%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe”
  • The filename, directory name, or volume label syntax is incorrect.
  • “The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”
  • “Afterwards the behavioral analysis inside the virtual machine is started which is running for a certain amount of time looking for malicious behavior. Since the binary was not started in the virtual machine in the first place, an empty virtual machine will be analyzed and no malicious behavior will be detected.”
  • “Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after day.”
  • The issue was reported to FireEye on September 14th, and responded quickly
  • FireEye released updates for some of its products on October 5th and 15th
  • On December 31st FireEye published their Q4 security advisory
  • FireEye Security Advisory
  • On January 14th, FireEye asked that BFS delay publication of the vulnerability for another 30 days, as too many clients had not yet installed the update

Libgraphite Vulnerabilities Impact Firefox, OpenOffice, and Others

  • Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library
  • Which is used for font processing in Linux, Firefox, OpenOffice, and other major applications.
  • The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution.
  • A second vulnerability is an exploitable heap overflow.
  • Finally, the last two vulnerabilities result in denial of service situations.
  • To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities.
  • Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).
  • Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors.
  • Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions.
  • The issues that Talos identified include the following:
  • An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
  • A specially crafted font can cause a buffer overflow resulting in potential code execution.
  • An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.
  • If a malicious font is provided then an arbitrary length buffer overflow can occur when handling context items.
  • The first denial of service issue results from a NULL pointer dereference.
  • The second denial of service issue results from an out of bounds read that can not only cause a DoS, but it can also cause a leak of information. When reading an invalid font where the local table size is set to 0, an out of bounds read will occur.

  • Known Vulnerable Versions:

  • Libgraphite 2-1.2.4

  • Firefox 31-42
  • Firefox ESR before 38.6.1


Make sure you patch your linux machines for the glibc vulnerability

Round Up:

Question? Comments? Contact us here!