A government is going after a human rights activists in Morocco. It sounds familiar, but I don’t think Humphrey Bogart is running the gin joint this time around.
Questionable Casablanca references aside, Amnesty International has reported another attack against human rights workers. In this case, a pair of Moroccan activists were targeted with what appears to be NSO’s Pegasus malware suite. Researchers identified text message phishing that led to malicious web pages, as well as HTTP man in the middle attacks against their mobile devices. Once the target was successfully directed to the malicious site, A collection of zero-day vulnerabilities were used to compromise the phone with the NSO malware.
NSO is an Israeli company that specializes in building malware and other cybersecurity tools for governments. As you can imagine, this specialization has earned NSO the scorn of quite a few organizations. NSO claims to have a policy framework in place that allows them to evaluate and terminate the use of their software when it is deemed illegal or abusive, but due to the nature of their contracts, that process is anything but transparent.
A problem in sudo was disclosed this week, that allowed users to run commands as root even when they don’t have permission to do so. Sudo allows a user to specify a numeric user ID instead of a username. It was discovered that specifying -1 as the user did something unexpected, it failed. Trying to switch to user -1 fails, but sudo runs the rest of the command anyway, as root instead of user -1. I was excited to test this simple vulnerability on a slightly out-of-date system. I created an unprivileged user, ran the sudo command, and got the expected security error, but no root access.
The actual exploit requires a very specific, and unusual system configuration. A user has to be added to the sudoer file, and have permission to run as any user except root. This effectively means that any user ID but 0 is allowed. The user ID of -1 passes the test of anything but 0 (root), but then causes the fail when trying to switch users, running the command as root.
Giving a user access to everything but root itself is not a great security strategy, to say the least. To point out the most obvious, if any other user has permission to run commands as root via sudo, the less privileged user could simply use sudo to run sudo as that administrator’s account.
In some ways a similar story, a problem in the Linux Kernel’s Realtek driver was found on Monday. At first glance, it’s another terrifying vulnerability that affects every Linux user with a Realtek wireless card. It’s appears to be a standard buffer overflow, where the length of a field is checked in one way, but not checked to be under the maximum length. A longer than expected data field will overflow the buffer and cause problems. A code execution exploit has not yet been discovered, but it’s likely to be eventually found.
The catch with this bug is that before the vulnerable code is called, the driver checks whether the card is currently connected in p2p mode. Here’s the check in question if you’re interested. This means that rather than being vulnerable to attack any time your Realtek is powered on, you aren’t actually at risk unless you’re talking to another device using the p2p WiFi mode. In all the Linux WiFi work I’ve done over the years, I don’t think I’ve ever used p2p mode on a wireless card under Linux.
It’s good these bugs were found, and even better that they are getting fixed. That said, these are both very niche cases that have been oversold in some reporting.
Study The Great Nation
Red Team Lab, part of the Open technology Fund, partnered with Cure53 to do a detailed study of a Chinese mobile app, “Study the Great Nation”. This application is sponsored by Chinese government, particularly the Chinese Communist Party. At first glance, it seems to be a rather straightforward education tool, teaching students about Chinese history, and encouraging competition through quizzes and a public leaderboard.
The audit uncovered more devious activity than a simple educational tool. The app collects data from the phone, including information about what other apps are installed, calls that have been made, and even the device’s current location. This data is uploaded, presumably to the Chinese government.
Some of the more sensational stories claim that this app contains a superuser backdoor aimed at rooted phones. At the very least, the app does attempt to determine if the phone it is running on has been rooted. Looking at the code snippets, I don’t see anything that would bypass root management software like SuperSU or the like. There is a function that is designed to run commands as root, but without an exploit, this would still be user controlled, so long as the rooted device has SuperSU or a similar utility installed.
The app also requests microphone and camera access, reportedly for integration with other apps. It doesn’t take a great leap of the imagination to understand how those permissions could be abused.
Cure53’s report pointed out that the Java code that comprises this app is heavily obfuscated, and not all of the code was successfully de-obfuscated. There may still be nasty surprises lurking.
Hacking the Terminal
A Mozilla funded audit of iTerm2 turned up a surprising vulnerability. iTerm2 is an open source terminal replacement for MacOS that adds many features including built-in tmux integration. It was discovered that certain terminal output would be interpreted as tmux commands, leading to code execution on the machine running the terminal.
This leads to an interesting scenario, where the act of connecting to a remote server over SSH or Telnet would allow exploiting this bug. The default behavior of Curl is to output the downloaded file directly to the terminal, which could also trigger the bug.
A question the security industry often has to field is why we don’t simply hack the hackers. This has been an ongoing debate for years, but occasionally someone decides to take matters into his own hands. [Tobias Frömel] was stung by the Muhstik ransomware, and coughed up the 0.09 bitcoin to get his files back. This must have left a sour taste in his mouth, because [Tobias] tracked down the command and control server, and discovered it was a legitimate server that had been compromised and co-opted to run the ransomware campaign. He discovered a remote access shell that the original attackers left behind, and used that to gain access to the server himself. From there, he dumped the database containing the keys, and released it to the world.
It’s a noble gesture, but also still illegal. I would guess (and hope) that [Tobias Frömel] is a pseudonym, and this digital vigilante is keeping his real name to himself. In any case, Bleeping Computer reported that many of the Muhstik victims have been able to recover their data as a result. I’m not sure whether [Tobias] is the hero we deserved, or just the hero we needed, but he was certainly a hero to Muhstik victims.