This Week In Security: A Digital Café Américain, The Linux Bugs That Weren’t, The Great Nation, And More

A government is going after a human rights activists in Morocco. It sounds familiar, but I don’t think Humphrey Bogart is running the gin joint this time around.

Questionable Casablanca references aside, Amnesty International has reported another attack against human rights workers. In this case, a pair of Moroccan activists were targeted with what appears to be NSO’s Pegasus malware suite. Researchers identified text message phishing that led to malicious web pages, as well as HTTP man in the middle attacks against their mobile devices. Once the target was successfully directed to the malicious site, A collection of zero-day vulnerabilities were used to compromise the phone with the NSO malware.

NSO is an Israeli company that specializes in building malware and other cybersecurity tools for governments. As you can imagine, this specialization has earned NSO the scorn of quite a few organizations. NSO claims to have a policy framework in place that allows them to evaluate and terminate the use of their software when it is deemed illegal or abusive, but due to the nature of their contracts, that process is anything but transparent.

Sudo Vulnerability

A problem in sudo was disclosed this week, that allowed users to run commands as root even when they don’t have permission to do so. Sudo allows a user to specify a numeric user ID instead of a username. It was discovered that specifying -1 as the user did something unexpected, it failed. Trying to switch to user -1 fails, but sudo runs the rest of the command anyway, as root instead of user -1. I was excited to test this simple vulnerability on a slightly out-of-date system. I created an unprivileged user, ran the sudo command, and got the expected security error, but no root access.

There’s an xkcd for everything.

The actual exploit requires a very specific, and unusual system configuration. A user has to be added to the sudoer file, and have permission to run as any user except root. This effectively means that any user ID but 0 is allowed. The user ID of -1 passes the test of anything but 0 (root), but then causes the fail when trying to switch users, running the command as root.

Giving a user access to everything but root itself is not a great security strategy, to say the least. To point out the most obvious, if any other user has permission to run commands as root via sudo, the less privileged user could simply use sudo to run sudo as that administrator’s account.

In some ways a similar story, a problem in the Linux Kernel’s Realtek driver was found on Monday. At first glance, it’s another terrifying vulnerability that affects every Linux user with a Realtek wireless card. It’s appears to be a standard buffer overflow, where the length of a field is checked in one way, but not checked to be under the maximum length. A longer than expected data field will overflow the buffer and cause problems. A code execution exploit has not yet been discovered, but it’s likely to be eventually found.

The catch with this bug is that before the vulnerable code is called, the driver checks whether the card is currently connected in p2p mode. Here’s the check in question if you’re interested. This means that rather than being vulnerable to attack any time your Realtek is powered on, you aren’t actually at risk unless you’re talking to another device using the p2p WiFi mode. In all the Linux WiFi work I’ve done over the years, I don’t think I’ve ever used p2p mode on a wireless card under Linux.

It’s good these bugs were found, and even better that they are getting fixed. That said, these are both very niche cases that have been oversold in some reporting.

Study The Great Nation

Red Team Lab, part of the Open technology Fund, partnered with Cure53 to do a detailed study of a Chinese mobile app, “Study the Great Nation”. This application is sponsored by Chinese government, particularly the Chinese Communist Party. At first glance, it seems to be a rather straightforward education tool, teaching students about Chinese history, and encouraging competition through quizzes and a public leaderboard.

Image: The Independent

The audit uncovered more devious activity than a simple educational tool. The app collects data from the phone, including information about what other apps are installed, calls that have been made, and even the device’s current location. This data is uploaded, presumably to the Chinese government.

Some of the more sensational stories claim that this app contains a superuser backdoor aimed at rooted phones. At the very least, the app does attempt to determine if the phone it is running on has been rooted. Looking at the code snippets, I don’t see anything that would bypass root management software like SuperSU or the like. There is a function that is designed to run commands as root, but without an exploit, this would still be user controlled, so long as the rooted device has SuperSU or a similar utility installed.

The app also requests microphone and camera access, reportedly for integration with other apps. It doesn’t take a great leap of the imagination to understand how those permissions could be abused.

Cure53’s report pointed out that the Java code that comprises this app is heavily obfuscated, and not all of the code was successfully de-obfuscated. There may still be nasty surprises lurking.

Hacking the Terminal

A Mozilla funded audit of iTerm2 turned up a surprising vulnerability. iTerm2 is an open source terminal replacement for MacOS that adds many features including built-in tmux integration. It was discovered that certain terminal output would be interpreted as tmux commands, leading to code execution on the machine running the terminal.

This leads to an interesting scenario, where the act of connecting to a remote server over SSH or Telnet would allow exploiting this bug. The default behavior of Curl is to output the downloaded file directly to the terminal, which could also trigger the bug.

Hacking Back

A question the security industry often has to field is why we don’t simply hack the hackers. This has been an ongoing debate for years, but occasionally someone decides to take matters into his own hands. [Tobias Frömel] was stung by the Muhstik ransomware, and coughed up the 0.09 bitcoin to get his files back. This must have left a sour taste in his mouth, because [Tobias] tracked down the command and control server, and discovered it was a legitimate server that had been compromised and co-opted to run the ransomware campaign. He discovered a remote access shell that the original attackers left behind, and used that to gain access to the server himself. From there, he dumped the database containing the keys, and released it to the world.

It’s a noble gesture, but also still illegal. I would guess (and hope) that [Tobias Frömel] is a pseudonym, and this digital vigilante is keeping his real name to himself. In any case, Bleeping Computer reported that many of the Muhstik victims have been able to recover their data as a result. I’m not sure whether [Tobias] is the hero we deserved, or just the hero we needed, but he was certainly a hero to Muhstik victims.

16 thoughts on “This Week In Security: A Digital Café Américain, The Linux Bugs That Weren’t, The Great Nation, And More

  1. I bought some robotic tech toys^H^H^H^tools a few months ago. Similar to LEGO Boost (snap together pieces, battery case, motors, LEDs, bluetooth/microprocessor). But in order to make them work, I’d have to download the app from China onto a smart phone/tablet, and give it permissions.
    No thank you.
    I’ll check again soon to see if some has hacked their app.

  2. Is anybody surprised about this spying app? Really, i am not, and not only because it’s chinese. Probably every app spies on you, more or less, as does google with android, microsoft, facebook, the nsa, … It’s f***ing scary.

    And about this back-hacking story, yeah, i really hope this is a pseudonym. This guy (sounds german?) could get in big trouble.

  3. “The app collects data from the phone, including information about what other apps are installed, calls that have been made, and even the device’s current location.”

    How about an OS that doesn’t even give that information?

  4. “the less privileged user could simply use sudo to run sudo as that administrator’s account.”

    Except if sudo requests password for that administrator account, as it typically would.

    1. sudo requests the password of the user that runs the command. If you can run commands as this user you can change the password before. Of course this will be a visible change but it should work.

  5. Regarding The First Article: People think when a Chrome or IOS bug sales for a bounty to some third party it just goes straight to a vendor for patching… It’s nice that you run fully patched IOS and Chrome though…

    Meanwhile the researchers selling them get away with acting cool and passive on twitter and blogs.. I know of some famous researchers in the social space who are the reason the FBI and NSA and CIA can load unsigned drivers remotely on your Windows 10 or Gentoo box without your interaction…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.