Environment variable expansion for injecting commands

Command Injection/Elevation – Environment Variables Revisited

Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system.

This code leverages a rather unusual scenario within Windows OS.

This is a continuation of our research as described in a previous post:
Elastic Boundaries on BreakingMalware.com


Elastic boundaries - Elevation by environment variable expansion

Elastic Boundaries – Elevating privileges by environment variables expansion

Even though any process is provided variables from its environment – they are often overlooked by users, developers and sometimes even the OS itself.

Environment variables are an essential part of any decent operating system, including but not limited to all flavors of Unix (Linux, BSD), Windows and OS X.

In the world of Microsoft operating systems they existed in the first version of DOS, made their way into the first appearance of Windows and are naturally still around in current versions as well.


Captain Hook: Pirating AVs to Bypass Exploit Mitigations

tl;dr: We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injections techniques. These issues were found in more than 15 different products. The most impactful discovery was that 3 different hooking engines also suffer from these kind problems, including the most popular commercial hooking engine in the world – Microsoft Detours (scheduled patch, August 2016). Practically it means that thousands of products are affected.
The full security issues will be presented at Black Hat 2016. For the eager reader, we’ll start already with some background info.


CFG Exceptions

Documenting the Undocumented: Adding CFG Exceptions

TL;DR Microsoft’s Control Flow Guard (CFG) is a security feature that prevents the abuse of indirect calls from calling addresses that are not marked as safe. CFG can cause problems for anyone trying to execute malicious memory manipulations on Windows. In such cases, this can be bypassed by adding an exception to the CFG bitmap (a mapping of all the “safe” addresses). How can we add such an exception? There are actually two ways: one documented, the other undocumented. In this post, we’ll walk you through both while analyzing the undocumented syscall in depth.


Analyzing Furtim: Malware that Avoids Mass-Infection


Recently we came across a new malware strain, first discovered by @hFireF0X, and at point of discovery, it was not detected by any of the 56 anti-virus programs tested by VirusTotal service.

It is not yet known who is behind this malware, and as no string in the file disclosed its original name we code-named it “Furtim”, which is the Latin translation for “stealthy”. In fact, Furtim, as we’ll show, goes through great lengths to avoid being caught by security parties. For example, Furtim won’t install itself if it identifies on the target machine one of an extensive list of security products (both common and esoteric), sandbox or virtualization environments.

These threat actors would rather give up on a target, than take the chance of being exposed.

Given these interesting facts, we decided to perform a deep analysis of this new malware sample.


Sedating the Watchdog: Abusing Security Products to Bypass Mitigations

tldr; design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. In particular, we found a prevalent flaw where anti-virus products allocate memory with RWX permissions at a predictable address.

We released a tool that checks whether your computer is likely to be vulnerable to exploitable constant, RWX addresses. Download AVulnerabilityChecker here – https://github.com/BreakingMalware/AVulnerabilityChecker