nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Security research tool had security problem

Plugin for popular disassembler OllyDbg allowed man-in-the-middle diddle

By Darren Pauli, 20 Oct 2016

Security researchers and the networks they rely on were at risk of breach by the hackers they investigate, thanks to now mitigated man-in-the-middle holes in a popular plugin for analysing debugger OllyDbg.

The debugger disassembles binaries, making it a handy way to understand an application's workings without having access to source code. Those abilities mean OllyDbg is often found in malware investigators' toolkits.

ForcePoint special investigations head Andy Settle found two man-in-the-middle holes within the StrongOD anti-evasion OllyDbg plugin that is installed on some 750,000 machines, writing the findings in the paper The Freeman Report [PDF].

Identified users include researchers at US-based Carnegie Mellon University, the campus IT shop for Britain's University of Warwick, and Australia's University of New South Wales.

The vulnerabilities aren't terrifying, as users will need to accept an update before the dodgy plugin can do its worst. The mere offer of an update will be suspicious to dedicated OllyDbg users as the application has not been refreshed since 2012.

The attack will also struggle because seasoned researchers run malware analysis within clean virtual machines that are isolated from hosts which are wiped clean on reboot and are sandboxed from the underlying operating system.

Some users however are students and amateur researchers learning the reverse engineering tradecraft and so may run OllyDbg in a standard operating system.

A buffer overflow also allows suitably-placed attackers to execute shellcode.

Further, the man-in-the-middle vector restricts the attacks to those sitting on the same network as researchers or, more feasibly, have control of cracklife.com.

"As theoretical as this research may sound, through the action of acquiring the domain cracklife.com and sinkholing it, Forcepoint has prevented a malicious threat actor from compromising the members of the security research community across the globe," Settle says.

"Another reason for publishing this research is that those who are most at risk are those who endeavour to protect us.

"This research demonstrates that no-one is invulnerable and that everyone needs to be vigilant."

All instances of the StrongOD plugin call back to the since dead website, meaning anyone who registered the site would have the opportunity to compromise scores of researchers.

Settle bought cracklife.com, thereby sinkholing the scores of requests and shuttering the vector.

He then analysed the requests finding information including the location and number of pings each user made to the site.

Some 75 per cent of users were located in China, according to Settle, with others distributed across all other countries.

"If software is not used, then remove it," Settle says. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing