
One – Cyber Version

July 5, 2018 in Silly

In the past I wrote two cyber covers of well-known songs: Orgasmatron (Motörhead/Sepultura) and Enter Sandman (Metallica).

Today I present ‘One’ – it’s dedicated to all the AI-ML-NextGen security vendors 🙂

Now, the funny thing is that I originally thought of parodying either Metallica’s ‘One’ or U2’s one (pun intended). But… when I googled ‘One lyrics’ a completely different set of lyrics appeared. Not only were they neither Metallica’s nor U2’s, they were also not Ed Sheeran’s, to whom Google attributed them. And when I read these lyrics I immediately had a cyber version of the song in my head lol. After further googling around I discovered the lyrics are from a song by George Jones & Tammy Wynette – I have no idea who they are, but apparently some old country music (?).

I found this whole experience really fitting as it almost feels like AI was leading me all the way to it…

So here it is…

I don’t know if it fits the music, but at least you get the cyber lyrics now 😉

One

If you want to hear a sales song
I could call you now
If you want to buy the Next-Gen Product
We could sell you one
If you need to catch a cybervillain
We could charge for one
If you want to QA our product
You could be the one

Now, you talk about threat hunting
I only see IOCs
There’re “AI and ML” motifs
We just use the ‘ifs’
If you believe in magic quadrant
We believe in Santa
If you want to QA our product
You could be the one

One and one, I’ve always heard
Defense in-depth
But one and one is only old tech
When that one is AV… meh
If you believe in magic quadrant
We believe in Santa
If you want to QA our product
You could be the one

WYSIWYDS – What You See Is What You Don’t See

July 2, 2018 in Anti-*, Silly

There is a lot of vulnerability research focused on bugs in APIs that work with fonts.

Today I came up with a slightly different type of possible font vulnerability, which I could not test in practice (although I tried). The idea is visual in nature and, if it works, could be the case of the first font-based ‘rootkit’ 😉

I am kidding of course, but let me explain the idea.

We are so used to trusting what we see on the screen that it’s very easy to fall victim to various Unicode tricks (same-looking letters in different scripts have different code points, right-to-left override, etc.). I was wondering what would happen if, instead of using all the old tricks, we actually changed the font itself and replaced some of its character definitions with our own (or added new ones). The new/modified characters could then be used to name malicious files, and users would be none the wiser, as the names of the files would mimic the ASCII names users are familiar with.

A kind of impersonation, on a different level.

To test the idea I changed my console window font to Lucida Console, and then used FontForge to distort the letter ‘A’, just for a test. I then exported the result to a TTF file and replaced c:\WINDOWS\Fonts\lucon.ttf with my new TTF.

I then restarted the system and started the cmd.exe.

To my horror, the screen looked like this:

Looks like FontForge corrupted the TTF file, so I should probably look for a better TTF editor…

I ran the test on Win7, so it’s a very limited scope, but one thing is for sure – I managed to replace the font and have it assigned to the cmd terminal (even if it didn’t render); I guess that if it had worked I would have seen that ugly, disfigured ‘A’ I modded.

The idea is lame, the test was unsuccessful, nothing else to report…

You may be wondering why I am even writing about it.

For starters, the ability to fool the user is one thing.

The other thing is security tools. While they scan the system and present the information, how can we be sure that what they present is exactly what was intended? Think of e.g. Task Manager or Autoruns. They use ‘MS Sans Serif’ and ‘MS Shell Dlg 2’ to show stuff. Say you name your program with a string of otherwise unused code points, e.g. ‘\u6000\u6001\u6002\u6003\u6004\u6005\u6006\u6007\u6008\u6009\u6008’, and change the TTF so that those code points are drawn with the glyphs of ‘svchost.exe’.

Who (except technical people) seeing such a well-known process name will suspect anything dodgy?

The strings printed on our screens are just a visual representations – what lies underneath can be a completely different story.
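The two halves of this idea, as an added example that is not code from the original post: the attack side adds cmap entries to an existing TTF so that each fake code point reuses the glyph of its ASCII twin (no glyph editing, which sidesteps the FontForge corruption problem above), and the detection side lists every non-ASCII code point hiding behind a familiar-looking name. The fake range starts at U+6000 as in the post; assigning one fake code point per distinct ASCII character is my own choice, and the font-patching function assumes the fontTools package and a source TTF such as lucon.ttf are available.

```python
"""Glyph-spoofing demo: make unused code points render as 'svchost.exe'.

Added example, not the original post's code. Fake code points start at
U+6000 as in the post; one code point per distinct ASCII character is an
assumption of this example. patch_font() assumes fontTools is installed
(pip install fonttools) and that src_path is a real TTF on disk.
"""
import unicodedata

FAKE_BASE = 0x6000  # first fake code point (CJK block, as in the post)


def build_mapping(visible: str) -> dict:
    """Return {fake_codepoint: ascii_char}, one fake code point per distinct char."""
    mapping = {}
    for ch in visible:
        if ch not in mapping.values():
            mapping[FAKE_BASE + len(mapping)] = ch
    return mapping


def spoofed_name(visible: str) -> str:
    """Build the string that, under the patched font, is drawn as `visible`."""
    inverse = {ch: cp for cp, ch in build_mapping(visible).items()}
    return "".join(chr(inverse[ch]) for ch in visible)


def patch_font(src_path: str, dst_path: str, visible: str) -> int:
    """Add cmap entries so each fake code point reuses the glyph of its ASCII twin.

    Only the Unicode subtables (formats 4 and 12) are touched; the glyf table
    is left alone, so the font stays valid. Returns the number of entries added.
    """
    from fontTools.ttLib import TTFont  # assumed installed; imported lazily

    font = TTFont(src_path)
    best = font.getBestCmap()  # codepoint -> glyph name
    mapping = build_mapping(visible)
    for table in font["cmap"].tables:
        if not table.isUnicode() or table.format not in (4, 12):
            continue
        for fake_cp, ch in mapping.items():
            table.cmap[fake_cp] = best[ord(ch)]
    font.save(dst_path)
    return len(mapping)


def inspect_name(name: str) -> list:
    """Detection side: every character outside printable ASCII, with its code point.

    Returns [(index, 'U+XXXX', unicode name), ...]; an honest ASCII name gives [].
    """
    findings = []
    for idx, ch in enumerate(name):
        if 0x20 <= ord(ch) <= 0x7E:
            continue
        findings.append((idx, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


if __name__ == "__main__":
    fake = spoofed_name("svchost.exe")
    print(repr(fake))  # what the filesystem / process list actually stores
    for finding in inspect_name(fake):
        print(finding)  # what a tool should show instead of trusting the glyphs
    # To build the font: patch_font("lucon.ttf", "lucon-spoofed.ttf", "svchost.exe")
```

A tool that renders names through the system font cannot tell the two strings apart, but anything that reports code points (the `inspect_name` output, a hex dump, an EDR that normalises to ASCII) sees eleven CJK ideographs where a Windows binary name should be.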

Bonus:

Looks like my toying around does trigger real-world vulnerabilities too; when I tried to toy around with the properties of the cmd window where my corrupted font was loaded I managed to cause the conhost.exe associated with my terminal process to crash. It was on an old, unpatched version of Windows 7, so it’s probably an old vuln, but my guess is… this could be yet another case that results from trusting API functions without checking their results.

As for software that processes such names outside the system where the TTF was modified – there this is obviously easy to spot: any EDR or forensic suite will show weird characters where one would expect something readable…

And of course, replacing system fonts requires admin privileges. The point of the post is not that it’s easy, just that it’s possible.

If you have better font editing skills/software and manage to successfully test the idea please let me know. Thanks.