View this newsletter online

Thanks for subscribing to the HonestRepair Newsletter!

Yet another good month of steady Software Updates, with more progress on the HRCloud2 refactor. I even delivered on my promise to roll out some of the refactor changes to HRConvert2.

Without further adieu, I am proud to announce the release HRScan2, our own self hosted and open source virus and malware scanning server. HRScan2 harnesses the power of ClamAV and PHP-AV into a no-sql file scanning server that's easy to install and maintain.

In addition HRScan2 I am also introducing the HRScan2-based Quick Scan feature on the HonestRepair website. Much like Quick Convert, the new app with a similar name aims to scan user uploaded files regardless of logged-in status. It also securely deletes uploaded files regularly, so there's no need to worry about infringing on intellectual property when using it. It also serves as a reference installation for HRScan2.

So that's the good news. The bad news is that our featured content (the blog post that premieres in our Newsletter and gets added to the blog afterwards) was supposed to be "Un-Google Your Life - Part II," but the deadline for sending this newsletter is approaching and the project behind the article isn't done yet. Look for it on the HonestRepair Blog before next month's newsletter to catch the sequel. I'll link it in next month's newsletter too, just-in-case.

Whats New?

HRCloud2 (Github) - This month I kept the re-factor going, removing or condensing over 300 lines of code. App developers can also now set the noStyles, minStyles, maxStyles, and allStyles variables to the API via POST or GET inputs, making it easier to specify stylesheet declarations in dynamic and programmatic ways. Lastly there were some changes to PHP-AV, bumping it to v3.7 and again to v3.8 and it's AV definitions to v4.6. This added hundreds of indicators of infection, and was probably one of the most significant commits to virus.def. I also removed .phar file upload support and added it to the dangerousFiles array. This is a precution related to a recently disclosed vulnerability in the PHP programming language related to .phar handling. HRCloud2 was tested and IS NOT VULNERABLE anyway, but I wanted to double-down on protection for users of the platform.

HRConvert2 (Github) - The README.md was updated to remove links to the YouTube channel and the installation instructions were updated to remove some unnecessary steps and fix some typos.

Atoner (first-person shooter game) - Nothing to report from last time. 

HonestRepair Network - Going strong. Bot traffic has been trending up lately. We have tested our website and our apps for vulnerability to a recently disclosed PHP exploid relating to .phar archives and found that no apps on the Valkerie platform (HRCloud2+App Pack, HRConvert2, HRScan2) are vulnerable to this exploit. Additionally our WordPress installation don't seem vulnerable either. Just to be safe I updated HRCloud2 to v2.9.2 which removed .phar archive upload support.

Other Stuff - On a personal note, my refridgerator, washer, and car all died and needed to be replaced this month. That's gotta be some kind of record, right? Luckily all of those things have been sorted out and things are looking much good. Maybe by next month's newsletter I'll have remembered that my refridgerator handle is on the other side of the door now... but probably not. I'll be grabbing for an imaginary door handle for probably the next 8-10 years.

In The News

Snapchat source code somehow wound up on Github this month, with Snapchat submitting a DMCA takedown request to Github with a rambling all-caps message. Source: https://gizmodo.com/snapchat-files-all-caps-dmca-takedown-after-the-source-1828170154

Apple becomes a trillionaire. It's hard to believe that in 1997 Apple was on the verge of bankruptcy and it took a $150m investment from Microsoft to solidify a future for the struggling company.  Source: https://www.theguardian.com/technology/2018/aug/02/apple-becomes-worlds-first-trillion-dollar-company

Google can't make up their mind about their role in China. On the one hand, they have an exclusive opportunity to potentially the largest market on Earth. On the other hand, Google would have to give up some of it's core principals to take the plunge. The question on everyone's mind is if Google will censor the truth and adhere to China's strict cyber laws or if they will back out of the deal. Many Googlers have voiced their opposition of the deal, citing the companies slogans including "Don't be evil" and more recently, "Do the right thing."   Source: https://www.seattletimes.com/business/economy/behind-the-fight-over-googles-china-project-a-battle-for-the-companys-soul/

Microsoft requested that over 70 domains related to the Russian "Fancy Bear" hacking group be revoked in US court, essentially dismantling many of the groups command and control servers. Microsoft cited targeted spearphishing attempts against US political players as the reason for the legal movements.  Source: https://www.wired.com/story/microsoft-russia-fancy-bear-hackers-sinkhole-phishing/

Un-Google Your Life - Part II Coming Soon!

Sorry for the delay. I promise to make this a really, really good one.

Windows Accessibility Tools... For Hackers Too???

I enjoy listening to the Darknet Diaries podcast by Jack Rhysider. In a recent episode a guest of the show was telling a story about how he managed to compromise a computer network while in prison for... You guessed it! Hacking.  Anyway, the story of the hack isn't what I wanted to discuss with you in this blog post. Instead, I wanted to talk about the hack itself, the vulnerability that it exploits, and how you can stop it with some simple scripting.

Setting The Stage

The hack involves the accessibility tools built into Windows. An attacker with physical access to your machine can abuse them at your Windows logon screen to do pretty much whatever they want. I know what you're thinking, "But if the attacker already has physical access, why bother?"You have a point. Most attackers who have physical access to a machine will be able to gain control over that machine. This is true in almost every scenario. An attacker with physical access can almost always find some workaround to undermine your security. Whether they use a removable devices, brute force attacks, or just plain-old-taking the cover off and making off with the disk drives... You'd be hard pressed to beat an attack when the attacker has your equipment and you don't.
But there are circumstances where a potential attacker has physical access but still lacks the time, privacy, or tools to pull off an attack. Like in prison, where you have to be covert or guards will spot you. Or at work, where your co-workers might ask how you managed to get into the BIOS of a company computer, or at school where the librarian might ask why you're taking her computers apart. These are all places where internal attacks become too risky and/or time-consuming to pull off. The Accessibility Tools hack is one where you need to enter the BIOS of the machine and reboot several times. That takes a while, and although the skill level of the attack is low, it's still a very dangerous proposition to have an attacker with local admin access on your network. Lets setup a sandbox scenario...You're a domain administrator named Bob with 50 machines on your network. Someone has pulled off an Accessibility Tools hack on a machine and has local admin rights whenever they want. They install a keylogger on the machine and forget about it until 3 days later you get a ticket to take a look at the machine because someone can't get into their email. You log on remotely but nothing is broken. You sip your coffee and work up the nerve to go teach this person how to use their email. You make your way to the machine and, without thinking twice, blast your domain admin credentials into their machine in the process of helping them. Now the attacker has your domain admin credentials, and they don't even need physical access anymore.
The Hack
So, back to the attack. You start off with a USB thumb drive. Install your favorite flavor of Linux Live onto it so you can boot straight into a root shell. I like the Trinity Rescue Kit for this type of thing, because it comes with tons of tools like Windows password resetting, ClamScanning, and tons more.
Next, boot the target machine to the USB stick where you installed Linux. If you have it boot right into a shell, great! If not, get to a shell, and make it root! Next mount the local Windows filesystem somewhere and use cp or rm to get "/Windows/System32/Magnify.exe" out of the way. Then cp or mv "/Windows/System32/cmd.exe" to "/Windows/System32/Magnify.exe." The commands you use depend on stealth/time constraints and how much the you care about putting things back later. You can also use any of the other accessibility tools to achieve the same attack.

Next reboot the machine and load the accessibility tool that you replaced with cmd.exe. You now have a SYSTEM command prompt. Because the file is owned by TrustedInstaller, it's extremely difficult to modify this in a production domain environment with a standard user account, but if you can find a computer with USB ports enabled and an unprotected BIOS this should be relatively easy to pull off.
The Defense
There are several prerequisites that need to be in-place for this attack to work.
  1. BIOS password disabled.
  2. USB ports enabled.
  3. Removable storage (CD/USB/floppy) set before primary OS boot device in BIOS.
  4. Accessibility Tools at logon screen enabled by Group Policy Management or Local Group Policy Editor.
If number 4 from the list above combines with number 1 or 3 then the conditions exist for Accessibility Tool exploits. So the easiest way out of this mess for might just be to flip-the-switch on numbers 1 and 3 using built-in Windows functionality, or disable number 4 either on a standalone machine using the Local Group Policy Editor, or on a domain network using Group Policy Management.
Of course the easiest way isn't always the best way. The Accessibility Tools do provide valuable features. I can't tell you how many times the on-screen-keyboard has helped me fix laptops that took spills, or get around dead keyboard batteries, or diagnose machines with wonky drivers. Group Policy can control which machines get which policies, so it's possible to be selective... but I'd rather just leave them on incase someone needs them. We can figure out a programmatic solution for this problem.
The Script
We need to develop a script for detecting this attack. As far as attacks go, this one is pretty noisy. Moving around Windows files in the System32 directory is the hacker equivilent of sticking your head out of the trenches. Since we know specifically which files are going to be affected we should be able to simply diff some hashes and check for file existence to be sure there was no tampering. Other possible metrics to use for tamper detection include filesize caching/diff'ing and date modified caching/diff'ing. By checking, caching, or simply hardcoding a predicted filesize or date modified we can compare the cache or hardcoded data with the current ecosystem. If things aren't exactly the way we left them, we know someone's tampered with the system.
Option Explicit

dim oShell, oFSO, dangerousExes, exe, cmdHardCodedHash, cmdDynamicHash, strComputerName, strUserName, strLogFilePath, strSafeDate, _
 strSafeTime, strDateTime, strLogFileName, strEventInfo, objLogFile, cmdHashCache, objCmdHashCache, dangerHashCache, _
 dangerHashData, mailFile, objDangerHashCache, oFile

Set oShell = WScript.CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
dangerousExes = Array("Magnify.exe", "Narrator.exe", "osk.exe", "sapisvr.exe", "control.exe", "utilman.exe")
cmdHardCodedHash = "db 06 c3 53 49 64 e3 fc 79 d2 76 31 44 ba 53 74 2d 7f a2 50 ca 33 6f 4a 0f e7 24 b7 5a af f3 86"
cmdDynamicHash = ""
strComputerName = oShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strUserName = oShell.ExpandEnvironmentStrings("%USERNAME%")
strLogFilePath = "\\server\Logs"
strSafeDate = DatePart("yyyy",Date) & Right("0" & DatePart("m",Date), 2) & Right("0" & DatePart("d",Date), 2)
strSafeTime = Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2) & Right("0" & Second(Now), 2)
strDateTime = strSafeDate & "-" & strSafeTime
strLogFileName = strLogFilePath & "\" & strComputerName & "-" & strDateTime & "-Accessibility_Defender.txt"
cmdHashCache = "C:\cmdHashCache.dat"
dangerHashCache = "C:\dangerHashCache.dat"
mailFile = "C:\Accessibility_Defender_Warning.mail"

'A function to clear the previous dangerCache and create a new one.
Function clearCache()
  If oFSO.FileExists(dangerHashCache) Then
  End If
  If Not oFSO.FileExists(dangerHashCache) Then
  End If
End Function

'A function to create the CMD Hash Cache file.
Function getCmdHash()
  If oFSO.FileExists("C:\Windows\System32\cmd.exe") Then
    oShell.run "cmd /c CertUtil -hashfile ""C:\Windows\System32\cmd.exe"" SHA256 | find /i /v ""SHA256"" | find /i /v ""certutil"" > " & cmdHashCache, 0, TRUE
  End If
End Function

'A function to hash each of the hardcoded files and cache the value.
Function getDangerHash()
  For Each exe In dangerousExes
    If oFSO.FileExists("C:\Windows\System32\" & exe) Then
      oShell.run "cmd /c CertUtil -hashfile ""C:\Windows\System32\" & exe & """ SHA256 | find /i /v ""SHA256"" | find /i /v ""certutil"" >> " & dangerHashCache, 0, TRUE
    End If
End Function

'A function to read the CMD hash cache.
Function cmdHashData()
  If oFSO.FileExists(cmdHashCache) Then
    Set objCmdHashCache = oFSO.OpenTextFile(cmdHashCache)
    cmdHashData = objCmdHashCache.ReadAll()
  End If
End Function

'A function to read the Danger hash cache and compare it to the CMD hash cache and hardcoded CMD hash.
Function hashMatch()
  hashMatch = FALSE
  If oFSO.FileExists(dangerHashCache) Then
    Set objDangerHashCache = oFSO.OpenTextFile(dangerHashCache)
    Do While Not objDangerHashCache.AtEndOfStream
      dangerHashData = objDangerHashCache.ReadLine()
      If dangerHashData = cmdHashData() Or dangerHashData = cmdHardCodedHash Then
        hashMatch = TRUE
      End If
  End If
End Function
Obviously, like all good programmers, we're going to want to log the results of our script. I like to keep a centralized log location for all my network wide scripts so that I can breeze through it every few hours to spot problems.
'A function to create a log file.
Function createLog(strEventInfo)
  If Not (strEventInfo = "") Then
    Set objLogFile = oFSO.CreateTextFile(strLogFileName, True)
  End If
End Function
Ok, so we have a good idea of how we can detect and keep track of these issues. But how can we stop it? The damage has already been done. We need an administrator to come investigate. A lot of old school Windows script blogs will tell you to use the deprecated Microsoft schemas for sending emails with Windows scripting languages, but I prefer Fake Sendmail For Windows by Byron Jones. It's small, lightweight, and easy to use. Especially programmatically. I like to write my emails to a file and then execute sendmail on the file. That way there's an intrinsic logging process built-in when the script leaves the sent mail message file behind. You will need to download this program and copy all of its files to your project folder.
Function createEmail()
  If oFSO.FileExists(mailFile) Then
  End If
  If Not oFSO.FileExists(mailFile) Then
  End If
  Set oFile = oFSO.CreateTextFile(mailFile, True)
  oFile.Write "To: IT@COMPANY.com" & vbNewLine & "From: server@COMPANY.com" & vbNewLine & _
   "Subject: COMPANY Accessibility Defender Warning!!!" & vbNewLine & _
   "This is an automatic email from the Tru Form Network to notify you that a workstation was defended from Accessibility Tools exploitation." & _
   vbNewLine & vbNewLine & "Please log-in and verify that the equipment listed below is secure." & vbNewLine & _
   vbNewLine & "USER NAME: " & strUserName & vbNewLine & "WORKSTATION: " & strComputerName & vbNewLine & _
   "This check was generated by " & strComputerName & " and is performed when Windows boots." & vbNewLine & vbNewLine & _
   "Script: ""Accessibility_Defender.vbs"""
End Function

'A function for running SendMail.
Function sendEmail()
  oShell.run "cmd /c sendmail.exe " & mailFile, 0, TRUE
End Function
Now we've detected an exploit in-progress and notified our IT department. We still have an attacker on a vulnerable machine staring down the sights of a loaded root shell with our machine on the receiving end. The only thing we can really do is log what's happening to this machine and shut it down in the attackers face. He can always turn it back on, but it will just power off again once our script executes.
'A function to kill the machine.
Function killWorkstation()
  oShell.Run "cmd /c C:\windows\system32\shutdown.exe", 0, false
End Function
Awesome! Now we've created all of the functionality we need and it's all neatly organized into cohesive functions that we can call. It's now time to write the bread-and-butter of our script. This is going to control the flow of our application and run all of the functions we made in the desired order. Note the conditional statement that executes if one of the Accessibility Tools has been compromised.

If hashMatch = TRUE Then
  createLog("The machine " & strComputerName & " just attempted to execute an Accessibility Tools exploitation!")
End If
The Victory Lap
Now our attacker is a deer in the headlights. He's staring at a broken shutdown loop that he probably realizes he created, and IT is probably on the way. Typically when I write scripts that write data to the log directory I like to add the username that generated the log as well, but in this case that's not possible because the script runs on machine startup, before a user has logged in.
And there you have it! We've just written our own heuristic tool for determining when someone is messing around on our network. You should still seek to password protect the BIOS's in your organization and remove all the boot devices except for the primary OS drive. If possible, consider disabling unpopulated USB ports. If that's impossible without creating mutiny, try to make a script of your own to detect when someone plugs in a USB device. I made one that sends me an email and writes a log whenever someone plugs in a storage device. It could easily be modified to reject certain devices, or quietly scan them in the background for large file changes or sensitive data your business doesn't want exfiltrated. That's a project for another day. When you're an administrator you've got the best team in the entire company on your side.... The equipment. Don't work hard, work smarkt... And make your equipment work hard for you.
Rowley MA, USA
All work licensed under GPLv3.
To change your subscription, click here.