So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. The exploitability assessment from Microsoft indicates that this bug is under active exploitation, but not many details are available. Let’s take a look at what information has been released, and see what we can learn.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.
It’s a remote code execution vulnerability, it affects Internet Explorer, it’s in the scripting engine, and it happens due to objects in memory being mishandled. We could take some guesses, but later in this document we’re given a few other clues. The workaround is to disable jscript.dll, and the impact is limited, as jscript9.dll is the default JavaScript engine. jscript.dll is apparently a legacy JavaScript engine that a website can request.
“Jscript” is what Microsoft called their shameless copy implementation of JavaScript. The older jscript.dll seems to be present in newer versions of Internet Explorer for compatibility reasons. So it’s a problem in how the older JavaScript library handles objects. Any website can request this legacy engine, so the attack vector is basically unlimited.
The urgency implied by the out-of-cycle patch, combined with the otherwise eerie silence surrounding this patch, suggests this 0-day was possibly being used in a targeted attack. We hope the details will eventually be revealed.
CentOS 8 and CentOS Stream
CentOS 8 was released this week, the community repackage of Red Hat Enterprise Linux (RHEL) 8. In 2014, Red Hat announced that CentOS was officially becoming a Red Hat sponsored project. This week, CentOS Stream was also announced.
The Fedora distribution has long served as a test-bed for upcoming RHEL releases, with RHEL 8 being based on Fedora 28. CentOS Stream will serve as a “midstream” distribution, a rolling release that pulls updates from Fedora, and will eventually become future RHEL/CentOS releases. It remains to be seen exactly how far ahead of the main CentOS distribution Stream will stay. A long-standing problem with CentOS is that by the time a release hits end-of-life, some of the software versions are very old. Even though security fixes are quickly backported to these older versions, there are security issues that arise as a result. For example, CentOS 7 contains PHP 5.4 with no official path to installing a newer version of PHP. WordPress now requires PHP 5.6.20 as the oldest supported PHP version. Red Hat may backport fixes to PHP 5.4, but that doesn’t help the out-of-date installs of WordPress, running on otherwise up-to-date CentOS machines.
Hopefully CentOS Stream will provide the much needed middle-ground between the bleeding-edge pace of Fedora, and the frustratingly slow march of CentOS/RHEL.
Russian Surveillance
A Nokia employee accidentally backed up a company drive to his home storage device, which was unintentionally Internet accessible. The data contained on this drive was detailed information on Russia’s SORM (System for Operative Investigative Activities), the government’s wiretapping program. The amount of data revealed is staggering, 1.7 terabytes. Passwords, administrative URLs, and even precise physical locations were included. The breadth of information makes one wonder if it was actually an accident, or if this was intended to be another Snowden style data leak. Just an aside, it’s not clear that the revealed wiretapping effort is as broad or onerous as the one Snowden revealed.
PHPMyAdmin CSRF
Running PHPMyAdmin on one of your servers? You should probably go update it. Version 4.9.1 was released on Saturday the 21st, and contains a fix for CVE-2019-12922. This vulnerability is a Cross Site Request Forgery, or CSRF. A CSRF attack can be as simple as an image link on one site, that links to another site, and triggers an action on that second site. Let’s look at the PHPMyAdmin example:
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;">
A hidden image will actually trigger an HTTP GET request, which asks for the setup page’s servers view (page=servers) and tries to remove the first entry. If a user is logged in to the PHPMyAdmin server that the link is targeting, the browser attaches that session’s cookies and the command will silently complete. This is one of the reasons that HTTP GET requests should never make state changes, and only ever retrieve information. An HTTP POST message is much harder to generate in this way, though not impossible.
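To make the GET-versus-POST point concrete, here is an added illustration (not phpMyAdmin’s code, and not from the original column) of the vulnerable pattern next to a hardened handler. The session, request, and store objects, the route names, and the origin https://pma.example.test are constructed assumptions; the hardened version requires POST, checks a per-session CSRF token in constant time, and rejects a mismatched Origin header. It also shows why “just use POST” is not enough on its own, as the text notes: a POST without the token is still refused.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed in-memory state standing in for a setup page's server list.
# This is illustrative code, not phpMyAdmin's implementation.


@dataclass
class Session:
    logged_in: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict
    session: Session              # cookie-backed session the browser sends automatically
    origin: Optional[str] = None  # Origin header; absent on a plain <img> fetch


def make_store() -> dict:
    return {1: "primary-db", 2: "replica-db"}


def vulnerable_remove(req: Request, store: dict) -> Tuple[int, str]:
    """Vulnerable pattern: a GET carrying ?mode=remove&id=N changes state.
    Any page that embeds an <img> pointing here fires this request with the
    victim's cookies attached, so being logged in is the only 'check'."""
    if not req.session.logged_in:
        return 403, "login required"
    if req.params.get("mode") == "remove":
        store.pop(int(req.params["id"]), None)
        return 200, "removed"
    return 200, "ok"


def hardened_remove(req: Request, store: dict,
                    site_origin: str = "https://pma.example.test") -> Tuple[int, str]:
    """Hardened: state changes only on POST, only with the session's CSRF
    token (compared in constant time), and only when any Origin header
    present matches the site's own origin."""
    if not req.session.logged_in:
        return 403, "login required"
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    supplied = req.params.get("token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    if req.origin is not None and req.origin != site_origin:
        return 403, "cross-origin request rejected"
    if req.params.get("mode") == "remove":
        store.pop(int(req.params["id"]), None)
        return 200, "removed"
    return 200, "ok"


def simulate_image_csrf(handler) -> Tuple[int, list]:
    """What the hidden <img> on a third-party page causes: a GET to the setup
    URL with the victim's logged-in session, no token, no Origin header."""
    store = make_store()
    victim = Session(logged_in=True)
    req = Request("GET", {"page": "servers", "mode": "remove", "id": "1"}, victim)
    status, _ = handler(req, store)
    return status, sorted(store)


def simulate_post_without_token(handler) -> Tuple[int, list]:
    """A cross-site POST that carries the session but not the token."""
    store = make_store()
    victim = Session(logged_in=True)
    req = Request("POST", {"page": "servers", "mode": "remove", "id": "1"}, victim,
                  origin="https://other.example.test")
    status, _ = handler(req, store)
    return status, sorted(store)


def simulate_legit_form(handler) -> Tuple[int, list]:
    """A genuine removal from the admin UI: POST with the session's token."""
    store = make_store()
    admin = Session(logged_in=True)
    req = Request("POST", {"page": "servers", "mode": "remove", "id": "1",
                           "token": admin.csrf_token}, admin,
                  origin="https://pma.example.test")
    status, _ = handler(req, store)
    return status, sorted(store)


if __name__ == "__main__":
    print("vulnerable, image GET:     ", simulate_image_csrf(vulnerable_remove))
    print("hardened, image GET:       ", simulate_image_csrf(hardened_remove))
    print("hardened, POST w/o token:  ", simulate_post_without_token(hardened_remove))
    print("hardened, legitimate POST: ", simulate_legit_form(hardened_remove))
```

The token check is what actually stops the attack; the method and Origin checks are defence in depth. Pairing this with a SameSite attribute on the session cookie would stop the browser from attaching the cookie to the image fetch in the first place, which is the other half of the fix in modern deployments.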
I know CentOS has a lot of out-of-the-box cluster and proxy features but I’d much rather just put sandboxed Apache on “-hardened” Gentoo.. I put easy roll-out second to security though.. Anything su or ring-0 and CentOS is just owned with or without VM..
It’s annoying when you see one of these big in-the-wild browser zero-day headlines.. Do these people not know sandbox escapes and RCE are sold in volume by all these bounty programs? You think they pay six and seven figures for them because they just appreciate the researchers?
I love how the Tech Crunch article focuses on Russia’s human rights record and how they might be abusing lawful intercept features on Telco equipment but then glosses over how almost every single country has lawful intercept features as they are provided with the equipment running the services. It’s also amusing how articles like that are used to whitewash the US’ record on human rights abuses as well as the mass surveillance that is committed at a much deeper level than lawful intercept features.
Note: I’ve worked on SS7 routing software and I know that Lawful intercept is baked into every single piece of telco equipment that is shipped everywhere! And I mean absolutely every country that has telco equipment from any of the large companies providing such equipment has lawful intercept features. But hey, why miss out on the chance to beat the drum: Russia Bad!!!
AT&T used to have special rooms at regional data centers (upstream from the SS7 switches) for feds and NSA to retrieve data. It was in a documentary years back. Companies like Tele2 in EU are even less regulated so I can’t see it being any better..
I managed blade cabinets at a regional switch once. Nowadays they just upstream all the trunks to regional clusters that log and filter and handle accounting..
From where now can we download this 1.7TB?
I’m not aware of any public mirrors. It would certainly be interesting to sift through, though, if it were still publicly available.