GhostHook: A Kernel-Level Threat in 64-Bit Windows Systems


GhostHook is a new attack technique that allows an attacker to bypass PatchGuard, the kernel protection of Windows 10, and plant rootkits within the system. PatchGuard is a software mechanism designed to prevent the kernel of 64-bit versions of Windows from being patched, so that attackers cannot execute malicious code or run rootkits at the kernel level.

According to the researchers at CyberArk, GhostHook is neither an elevation nor an exploitation technique but a post-exploitation attack, used once the attacker already has control over the compromised system. It gives the attacker the ability to hook almost any piece of code running on the system.

How does GhostHook work?

GhostHook targets only systems running Intel PT (Processor Trace), a hardware feature designed to support debugging and hunting for malicious code.

The attacker first compromises the target machine with an exploit or malware and then deploys GhostHook. Once the machine is compromised, the attacker can install a rootkit in its kernel that would be completely undetectable to third-party anti-virus and security products and invisible to Microsoft's PatchGuard itself.

Is there a patch for this?

CyberArk researchers believe that GhostHook may be extremely difficult for Microsoft to patch, because the technique uses hardware features to gain control of critical kernel structures. Microsoft's position is that, since the technique requires an attacker who is already present on a compromised system, it does not treat it as a security flaw.

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update however it may be addressed in a future version of Windows.” – Microsoft

Microsoft has not yet released a patch for this, but has said that it may address the issue in a future version of Windows.


PHP-7 for EasyApache3


The latest versions of cPanel come with EasyApache 4, which provides many new features such as PHP 7 support and native support for multiple PHP versions, so migrating to EasyApache 4 is the recommended way to get them. However, if you cannot migrate to EasyApache 4 for some reason (for example, Tomcat support), you will have to compile PHP 7 manually from source to use it with EasyApache 3.

PHP7 manual installation

Note: The PHP handler should be SuPHP to get this working.

1. Download the required PHP 7 distribution. Go to the php.net site to find the latest version.
2. Unpack the downloaded file.
3. Build it.

To compile PHP from source, you pass options to ./configure to choose which modules you want to install.

For example,

# ./configure --enable-bcmath --with-bz2 --enable-calendar --with-curl --enable-exif --enable-ftp \
    --with-gd --with-jpeg-dir --with-png-dir --enable-gd-native-ttf --with-imap --with-imap-ssl \
    --with-kerberos --enable-mbstring --with-mcrypt --with-mhash --with-mysqli --with-openssl \
    --with-pdo-mysql --with-zlib-dir --with-regex --enable-sockets --with-xmlrpc --enable-zip \
    --with-zlib --enable-mbregex --enable-fpm --prefix=/usr/local/php70

The above command enables basic extensions such as FTP, GD, IMAP, PDO, MySQL (via mysqli and PDO) and so on. Note that the options must use double dashes (--), and the --prefix sets the installation directory used in the steps below.

Then execute the below commands:

# make
# make install

4. After compiling from source, copy the default PHP configuration file to the installation directory.
5. Verify the installation:

# /usr/local/php70/bin/php -v
PHP 7.0.22 (cli) (built: Aug 5 2017 01:56:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.0.22, Copyright (c) 1999-2017, by Zend Technologies

6. Link the new PHP 7 installation to the Apache web server by generating a new PHP config for PHP 7 and adding a handler for it to SuPHP.
7. Add the custom PHP configuration file to the EasyApache include list so that the changes are not lost in future EasyApache builds.
8. Restart Apache.
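Steps 4 and 6 to 8 as one script, added here as an example; it is not part of the original post or of cPanel's own tooling. It assumes the usual EasyApache 3 paths on a cPanel host (/opt/suphp/etc/suphp.conf, /usr/local/apache/conf/includes/pre_virtualhost_global.conf, which EasyApache 3 preserves across rebuilds, and the /scripts/restartsrv_httpd wrapper), a PHP 7 prefix of /usr/local/php70, and a placeholder source directory.

```shell
#!/bin/sh
# Added example, not from the original post: wire a source-built PHP 7 into
# EasyApache 3 with the SuPHP handler (steps 4, 6, 7 and 8 above).
# All paths are assumptions for a typical cPanel/EasyApache 3 host.
set -eu

# Step 4: seed php.ini from the production template in the unpacked source tree.
install_php_ini() {
    src="$1"; prefix="$2"
    mkdir -p "$prefix/lib"
    [ -f "$prefix/lib/php.ini" ] || cp "$src/php.ini-production" "$prefix/lib/php.ini"
}

# Step 6a: register a separate x-httpd-php7 handler in suphp.conf, placed right
# after the [handlers] header; a second run leaves the file unchanged.
add_suphp_handler() {
    conf="$1"; prefix="$2"
    grep -q '^x-httpd-php7=' "$conf" && return 0
    awk -v h="x-httpd-php7=\"php:$prefix/bin/php-cgi\"" \
        '{ print } /^\[handlers\]/ { print h }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Steps 6b and 7: map .php7 to the new handler in an include file that EasyApache 3
# keeps across rebuilds. Only .php7 is mapped globally; a site opts in for .php via
# the AddType line in its own .htaccess, as described in the post.
write_apache_include() {
    inc="$1"
    grep -q 'application/x-httpd-php7' "$inc" 2>/dev/null && return 0
    cat >> "$inc" <<'EOF'
<IfModule mod_suphp.c>
    AddType application/x-httpd-php7 .php7
    suPHP_AddHandler application/x-httpd-php7
</IfModule>
EOF
}

# Runs only when invoked as "sh wire_php7.sh apply", so the functions above can
# also be exercised against scratch copies of the files first.
if [ "${1:-}" = "apply" ]; then
    install_php_ini "${PHP_SRC:-/usr/local/src/php-7.0.22}" /usr/local/php70   # placeholder source path
    add_suphp_handler /opt/suphp/etc/suphp.conf /usr/local/php70
    write_apache_include /usr/local/apache/conf/includes/pre_virtualhost_global.conf
    /scripts/restartsrv_httpd   # step 8: cPanel's Apache restart wrapper
fi
```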

You are done!

To configure a website to use PHP 7, add the following line to the .htaccess file in the site’s document root.

AddType application/x-httpd-php7 .php7 .php

Do note that the PHP handler should be SuPHP for the above steps to work.

How to perform fsck on a ploop container?

For various reasons, such as a system crash or an incorrect replication level, the file system in a ploop container can become corrupted, which can result in data loss. It is therefore necessary to check the file system in a ploop container for consistency to avoid losing data.

Error

~# vzctl start 123
Starting container…
Opening delta /vz/private/123/root.hdd/root.hdd
Adding delta dev=/dev/ploopxxxxx img=/vz/private/123/root.hdd/root.hdd (rw)
/dev/ploopxxxxxp1: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
(i.e., without -a or -p options)
Error in e2fsck (fsutils.c:315): e2fsck failed (exit code 4)
Failed to mount image: Error in e2fsck (fsutils.c:315): e2fsck failed (exit code 4)

Resolution

1. Stop the container.

2. Mount the container’s ploop image.

3. Run fdisk -l on the ploop device reported by the previous command.

4. Perform a file system check on the partition reported in the previous command’s output.

5. Unmount the ploop image.

6. Start the container.
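The six steps above as one script, added here as an example; it is not from the original post. It assumes OpenVZ's ploop and vzctl tools with the default /vz/private layout, that ploop mount without -m attaches the device without mounting the file system, and that the device name appears in an "Adding delta dev=..." line as in the error output above; the container ID and device numbers are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check and repair a ploop
# container's file system. Assumes OpenVZ's ploop/vzctl tools and the
# default /vz layout; container ID and device numbers are placeholders.
set -eu

# Extract the /dev/ploopNNNNN device from "ploop mount" output, which prints
# a line of the form "Adding delta dev=/dev/ploop12345 img=... (rw)".
ploop_dev_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*dev=\(\/dev\/ploop[0-9]*\).*/\1/p' | head -n 1
}

# e2fsck exit status is a bit mask: 0 clean, 1 errors corrected, 2 corrected
# and reboot advised, 4 errors left uncorrected, 8 operational error. Succeed
# only when the file system is usable afterwards (neither 4 nor 8 set).
fsck_exit_ok() {
    code="$1"
    [ "$code" -ge 0 ] && [ "$code" -le 3 ]
}

# Steps 1 to 6 for one container ID; run as root on the hardware node.
fsck_ploop_container() {
    ctid="$1"
    dd_xml="/vz/private/$ctid/root.hdd/DiskDescriptor.xml"
    vzctl stop "$ctid"                       # 1. stop the container
    out=$(ploop mount "$dd_xml")             # 2. attach the image, no fs mount
    dev=$(ploop_dev_from_output "$out")
    [ -n "$dev" ] || { echo "no ploop device in: $out" >&2; return 1; }
    fdisk -l "$dev"                          # 3. list partitions (expect ${dev}p1)
    set +e
    e2fsck -f "${dev}p1"                     # 4. interactive full check, as the error asks
    rc=$?
    set -e
    ploop umount "$dd_xml"                   # 5. detach the image
    fsck_exit_ok "$rc" || { echo "e2fsck exit code $rc: file system still inconsistent" >&2; return 1; }
    vzctl start "$ctid"                      # 6. start the container
}

# Usage: sh fsck_ploop.sh 123 (no argument just defines the functions).
if [ "${1:-}" != "" ]; then
    fsck_ploop_container "$1"
fi
```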


Done! You should be good to go now!