
Archive for July 6th, 2021

Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)

Microsoft today released patches for CVE-2021-34527, the vulnerability also known as “PrintNightmare”. Patches are currently available for these versions of Windows:

  • Windows 10 Version 21H1 (32-bit, x64, ARM64)
  • Windows 10 Version 2004 (32-bit, x64, ARM64)
  • Windows 10 Version 1909 (32-bit, x64, ARM64)
  • Windows 10 Version 1809 (32-bit, x64, ARM64)
  • Windows 10 (32-bit and x64)
  • Windows RT 8.1
  • Windows 8.1 (32-bit and x64)
  • Windows 7 SP1 (32-bit and x64)
  • Windows Server, version 20H2 (ARM, 32-bit, x64, Server Core)
  • Windows Server, version 2004 (ARM, 32-bit, x64, Server Core)
  • Windows Server 2019 (including Server Core)
  • Windows Server 2012 R2 (including Server Core)
  • Windows Server 2008 R2 SP1 and SP2

Patches for the remaining versions, Windows 10 version 1607, Windows Server 2016, and Windows Server 2012, will follow shortly. Please apply them as soon as they are released.

Applying the update will also patch the older CVE-2021-1675 vulnerability.

For details, see Microsoft’s updated advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527


Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Python DLL Injection Check, (Tue, Jul 6th)

There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code that, combined with API hooking, implements security checks. Injected DLLs can be detected, and checking for them is a common anti-debugging or evasion technique implemented by many malware samples. If you’re interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call, GetModuleFileName()[2]. The function expects the following parameters: a handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on each of them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag (0x0410 – PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).

Today, I found a Python script that implemented this technique. Note that the script just borrows and obfuscates a snippet of code that has been available on github.com[4] for a while. The list of DLLs is a bit outdated but remains valid.

import win32api
import win32process

LRazMCgmBIhqNsJ = []   # paths of "interesting" DLLs found in any running process
# DLL names associated with sandboxes, API-logging tools and other analysis environments
wqeltyA = ["sbiedll.dll", "api_log.dll", "dir_watch.dll", "pstorec.dll", "vmcheck.dll", "wpespy.dll"]
eDbscqrrt = win32process.EnumProcesses()   # every PID on the system
for mbPLkF in eDbscqrrt:
    try:
        # 0x0410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, the rights needed to enumerate modules
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        try:
            JoKxLLHnpg = win32process.EnumProcessModules(mhEIFoBo)
            for qGvSyMSQH in JoKxLLHnpg:
                # full path of each loaded module, lower-cased for a case-insensitive match
                XFUQQonQDUFW = str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
                for yeksLrlmxhewfzF in wqeltyA:
                    if yeksLrlmxhewfzF in XFUQQonQDUFW:
                        if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                            LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
        finally:
            # the listing as posted passed the PID (mbPLkF) here; the process handle is what must be closed
            win32api.CloseHandle(mhEIFoBo)
    except:
        pass   # processes that cannot be opened (access denied, already exited) are skipped
if not LRazMCgmBIhqNsJ:
    pass   # body not shown in the diary: the sample continues its execution from here

If the array LRazMCgmBIhqNsJ is still empty, no suspicious (from a malware point of view) DLL has been found and the execution continues…
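Seen from the defender's side, the access mask the diary singles out (0x0410, PROCESS_VM_READ|PROCESS_QUERY_INFORMATION) is what the sample must request from OpenProcess() for every PID it sweeps, so a single process acquiring such handles to many different processes within a few seconds is the observable side effect. The script below is an added example, not the diary's code and not the sample's: it assumes Sysmon Event ID 10 (ProcessAccess) records flattened into key=value lines (the event lines embedded in it are constructed for this example, not taken from a real host) and flags a source process that opened at least five distinct PIDs with a GrantedAccess mask containing both bits inside a ten-second window. It generalises the diary's exact value by matching any mask that includes both bits (for example 0x1410), not only 0x410.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access rights the diary's sample passes to OpenProcess() (0x0410). Any mask
# that contains both bits is enough to enumerate another process's modules.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
MODULE_ENUM_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION  # 0x0410

# Constructed Sysmon Event ID 10 (ProcessAccess) records flattened to
# "key=value" pairs, one event per line. Not taken from a real host.
# python.exe sweeps six PIDs in under a second; Taskmgr touches five PIDs
# but spread over two minutes; svchost asks only for 0x1000 (query limited).
SAMPLE_EVENTS = r"""
UtcTime=2021-07-06 09:15:00.000 SourceImage=C:\Windows\System32\Taskmgr.exe SourceProcessId=3000 TargetProcessId=512 TargetImage=C:\Windows\System32\csrss.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:15:01.001 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=4 TargetImage=System GrantedAccess=0x410
UtcTime=2021-07-06 09:15:01.120 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=512 TargetImage=C:\Windows\System32\csrss.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:15:01.240 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=640 TargetImage=C:\Windows\System32\services.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:15:01.360 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=788 TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410
UtcTime=2021-07-06 09:15:01.480 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=1020 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:15:01.600 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=1304 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:15:01.720 SourceImage=C:\Users\bob\python.exe SourceProcessId=4120 TargetProcessId=4 TargetImage=System GrantedAccess=0x410
UtcTime=2021-07-06 09:15:02.000 SourceImage=C:\Windows\System32\svchost.exe SourceProcessId=900 TargetProcessId=1304 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000
UtcTime=2021-07-06 09:15:30.000 SourceImage=C:\Windows\System32\Taskmgr.exe SourceProcessId=3000 TargetProcessId=640 TargetImage=C:\Windows\System32\services.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:16:00.000 SourceImage=C:\Windows\System32\Taskmgr.exe SourceProcessId=3000 TargetProcessId=788 TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:16:30.000 SourceImage=C:\Windows\System32\Taskmgr.exe SourceProcessId=3000 TargetProcessId=1020 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x410
UtcTime=2021-07-06 09:17:00.000 SourceImage=C:\Windows\System32\Taskmgr.exe SourceProcessId=3000 TargetProcessId=1304 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x410
"""

# A value runs until the next " key=" or the end of the line, so paths and
# timestamps containing spaces survive the split.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line):
    """Turn one flattened event line into a dict (empty dict for a blank line)."""
    return dict(FIELD_RE.findall(line))


def includes_module_enum_access(granted_access):
    """True when a GrantedAccess mask (hex string, as Sysmon logs it) contains
    both PROCESS_VM_READ and PROCESS_QUERY_INFORMATION."""
    return (int(granted_access, 16) & MODULE_ENUM_MASK) == MODULE_ENUM_MASK


def find_process_sweeps(lines, min_targets=5, window_seconds=10):
    """Return {(SourceImage, SourceProcessId): distinct_targets} for every
    source that opened at least min_targets distinct PIDs with the
    module-enumeration rights inside some window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)  # (image, pid) -> [(time, target pid), ...]
    for line in lines:
        ev = parse_event(line)
        if not ev or not includes_module_enum_access(ev["GrantedAccess"]):
            continue
        when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        key = (ev["SourceImage"], ev["SourceProcessId"])
        by_source[key].append((when, ev["TargetProcessId"]))

    alerts = {}
    for source, accesses in by_source.items():
        accesses.sort()
        # Slide a window starting at each access and count distinct targets;
        # repeated opens of the same PID (python.exe -> PID 4 twice) count once.
        for i, (start, _) in enumerate(accesses):
            in_window = {pid for when, pid in accesses[i:] if when - start <= window}
            if len(in_window) >= min_targets:
                alerts[source] = max(alerts.get(source, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (image, pid), count in find_process_sweeps(SAMPLE_EVENTS.splitlines()).items():
        print(f"process sweep: {image} (PID {pid}) opened {count} distinct processes with 0x410 rights")
```

On a real host, feed it exported Sysmon events and tune min_targets and window_seconds against a baseline: task managers, EDR agents and backup tools legitimately open many processes with these rights, so the source image and the rate of distinct targets, not the mask alone, carry the signal. Sysmon's ProcessAccess logging must also be configured to record the 0x410 mask, which many default configurations filter out.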

The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334)[5]. Another good example of Python integration with the Windows API!

[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea
[3] https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
[4] https://github.com/Arvanaghi/CheckPlease/blob/master/Python/check_all_DLL_names.py
[5] https://www.virustotal.com/gui/file/b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
