Security Leftovers
-
Google ☛ The backdoored Windows Registry Adventure #1: Introduction and research results
In the 20-month period between May 2022 and December 2023, I thoroughly audited the backdoored Windows Registry in search of local privilege escalation bugs.
-
Google ☛ The backdoored Windows Registry Adventure #2: A brief history of the feature
Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. In essence, the registry is a hierarchical database made of named "keys" and "values", used by backdoored Windows and applications to store a variety of settings and configuration data. It is represented by a tree structure, in which keys may have one or more sub-keys, and every subkey is associated with exactly one parent key. Furthermore, every key may also contain one or more values, which have a type (integer, string, binary blob etc.) and are used to store actual data in the registry. Every key can be uniquely identified by its name and the names of all of its ascendants separated by the special backslash character ('\'), and starting with the name of one of the top-level keys (HKEY_LOCAL_MACHINE, HKEY_USERS, etc.). For example, a full registry path may look like this: HKEY_CURRENT_USER\Software\Microsoft\Windows. At a high level, this closely resembles the structure of a file system, where the top-level key is equivalent to the root of a mounted disk partition (e.g. C:\), keys are equivalent to directories, and values are equivalent to files. One important distinction, however, is that keys are the only type of securable objects in the registry, and values play a much lesser role in the database than files do in the file system. Furthermore, specific subtrees of the registry are stored on disk in binary files called registry hives, and the hive mount points don't necessarily correspond one-to-one to the top-level keys (e.g. the C:\Windows\system32\config\SOFTWARE hive is mounted under HKEY_LOCAL_MACHINE\Software, a one-level nested key).
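As an added example (not code from the Project Zero post), a small Python model of the path rules and hive mount points just described: it splits a full key path on backslashes, checks that it starts with a top-level key, and resolves the key to the hive file backing it. The mount table is a constructed, illustrative subset; the file paths for hives other than SOFTWARE are assumed.

```python
# Added example: model the registry path rules described above and resolve a
# key path to its backing hive. HIVE_MOUNTS is a constructed, illustrative subset.
TOP_LEVEL_KEYS = {"HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER",
                  "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}

# Hive mount points are not one-to-one with top-level keys: the SOFTWARE hive
# file is mounted one level down, under HKEY_LOCAL_MACHINE\Software.
HIVE_MOUNTS = {
    ("HKEY_LOCAL_MACHINE", "SOFTWARE"): r"C:\Windows\system32\config\SOFTWARE",
    ("HKEY_LOCAL_MACHINE", "SYSTEM"): r"C:\Windows\system32\config\SYSTEM",
    ("HKEY_LOCAL_MACHINE", "SAM"): r"C:\Windows\system32\config\SAM",
    ("HKEY_LOCAL_MACHINE", "SECURITY"): r"C:\Windows\system32\config\SECURITY",
    ("HKEY_USERS", ".DEFAULT"): r"C:\Windows\system32\config\DEFAULT",
}

def split_registry_path(path):
    """Split a full path into (top-level key, [subkey names]), enforcing the
    rules in the text: starts with a top-level key, backslash-separated,
    no empty component."""
    parts = path.split("\\")
    root = parts[0].upper()
    if root not in TOP_LEVEL_KEYS:
        raise ValueError(f"not a top-level key: {parts[0]!r}")
    subkeys = parts[1:]
    if any(name == "" for name in subkeys):
        raise ValueError(f"empty key name in path: {path!r}")
    return root, subkeys

def is_valid_registry_path(path):
    try:
        split_registry_path(path)
        return True
    except ValueError:
        return False

def resolve_hive(path):
    """Return (hive file or None, key path relative to the hive root).
    Key names are case-insensitive, so components are matched upper-cased;
    the longest matching mount prefix wins, as with file system mounts."""
    root, subkeys = split_registry_path(path)
    upper = [name.upper() for name in subkeys]
    best = None
    for (mroot, *mprefix), hive in HIVE_MOUNTS.items():
        n = len(mprefix)
        if root == mroot and upper[:n] == mprefix and (best is None or n > best[0]):
            best = (n, hive)
    if best is None:  # e.g. the bare HKEY_LOCAL_MACHINE key is not file-backed
        return None, "\\".join(subkeys)
    return best[1], "\\".join(subkeys[best[0]:])
```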
-
RFERL ☛ Cyberpartisans Hack Belarusian Fertilizer Plant, Demand Release Of Political Prisoners
A group known as Cyberpartisans says it hacked into the computers and security systems of a major Belarusian state-run producer of nitrogen compounds and fertilizers and is demanding the release of workers who were arrested during protests against the disputed 2020 presidential election.
-
Ubuntu ☛ Ubuntu Blog: DISA publishes STIG for Ubuntu 22.04 LTS
DISA, the Defense Information Systems Agency, has published their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS. The STIG is free for the public to download from the DOD Cyber Exchange. Canonical has been working with DISA since we published Ubuntu 22.04 LTS to draft this STIG, and we are delighted that it is now finalised and available for everyone to use.
-
APNIC ☛ Destination-Adjacent Source Address spoofing
Guest Post: With a side of IP TTL-based origin triangulation, is this a new surveying method, a unique attack, or just a scanner malfunction?
-
MWL ☛ Pretty Spam
Today we have a chunk from Run Your Own Mail Server. Email clients like Outlook and Thunderbird expect to communicate with a fully functional mail system. You don’t have one yet. Testing your IMAP configuration requires a client that handles IMAP separately from sending mail.