This Week In Security: BGP Bogons, Chrome Zero Day, And Save Game Attacks

Our own [Pat Whetman] wrote about a clever technique published by the University of Michigan, where lasers can be used to trigger a home assistant device. It’s an interesting hack, and you should go read it.

Borrowing IP Addresses

We’ve lived through several IPv4 exhaustion milestones, and the lack of available addresses is really beginning to show, even for trolls and scammers. A new approach takes advantage of the weak security of the Border Gateway Protocol, and allows bad actors to temporarily take over reserved address blocks. These particular providers operate out of Russia, operating network services they advertise as “bulletproof”, or immune to takedown requests. What better way to sidestep takedowns than to use IP addresses that aren’t really yours to begin with?

BGP spoofing has been at the center of other types of attacks and incidents, like in 2018 when a misconfiguration in a Nigerian ISP’s BGP tables routed traffic intended for Google’s servers through Chinese and Russian infrastructure. In that case it appeared to be a genuine mistake, but little prevents malicious BGP table poisoning.

Chrome Zero-day

Google released an update to Chrome on the 31st that addresses two CVEs, one of which is being actively exploited. That vulnerability, CVE-2019-13720, is a race condition resulting in a potential use-after-free. Kaspersky Labs found this one being actively used on a Korean news site. The attack runs entirely from Javascript, and simply visiting a malicious site is enough for compromise, so update Chrome if it’s installed.

Anti-anti-doping

What do you do when you feel you’ve been unfairly targeted by an anti-doping investigation? Apparently hacking the investigating agency and releasing stolen information is an option. It seems like this approach is more effective when there are shenanigans revealed in the data dump. In this case, the data being released seems rather mundane.

Firefox Blocking Sideload Extensions

Mozilla made a controversial announcement on the 31st. They intend to block “sideload” browser extensions. Until this change, it was possible to install browser extensions by copying them to a particular folder on the computer. Some legitimate extensions used this installation method, but so did malware, adware, and other unwanted software. While this change will block some malicious add-ons, it does present a bit of a challenge to a user installing an extension that isn’t on the official Mozilla store or signed by Mozilla.

As you might imagine, the response has been… less than positive. While making malware harder to install is certainly welcome, this makes some use cases very difficult. An example that comes to mind is a Linux package that includes a browser extension. It remains to be seen exactly how this change will shake out.

Save Games as Attack Vector

An oddball vulnerability caught my eye, published by [Denis Andzakovic] over at Pulse Security. He discovered that a recent indy game, Untitled Goose Game, can be manipulated into running arbitrary code as a result of loading a maliciously modified save file. The vulnerability is rooted in a naive deserialization routine.

If you’re interested in a deeper dive into .net deserialization bugs, a great paper was submitted to Blackhat 2012 discussing the topic. The short version is that if a programmer isn’t careful, the deserialization routine can overwrite variables in unexpected ways, potentially leading to code execution.

At first glance, a vulnerability triggered by a malicious save file seems relatively harmless. The level of access needed to modify a save file on a hard drive is enough to compromise that computer in a multitude of better ways. Enter cloud save synchronization. Steam, for instance, will automatically sync save games across a user’s install locations. This is a very useful feature for those of us that might play the same game on a laptop and a desktop. Having the save game automatically synced to all your devices is quite useful, but if an attacker compromised your Steam account, your save games could be manipulated. This leads to the very real possibility that an attacker could use a save game vulnerability to turn a Steam account compromise into an attack on all your machines with Steam installs.

24 thoughts on “This Week In Security: BGP Bogons, Chrome Zero Day, And Save Game Attacks

  1. “While [Mozilla] making malware harder to install is certainly welcome, this makes some use cases very difficult. An example that comes to mind is a Linux package that includes a browser extension.”

    That sounds like something that would be fairly easy to get signed, then, thus making it a nonissue?

    1. Why the hell should I sign somewhere things I run on MY computer? Why should I report to Mozilla that I install something? It is just a new round of spying on users.

      Really there is a huge problem with all that telemetry crap. Just open about:config and enter “url”. You will be shocked with endless list of different services URL’s Mozilla use to collect infrormation about you.

      Also there is a very interesting question about Mozilla’s own spy and malware extensions preinstalled in /usr/lib/firefox/browser/features – they are even hidden in extension list and to disable them you have to delete files as root. Fortunately, Mozilla does work without them, but on next update you have to remove them again. If we are talking about “malware extensions” and “protecting users”, why that preinstalled crap, most users don’t even know about, is out of discussion?

      In addition to the surveillance enhacement this step with extensions looks like step forward to wiping out adblockers like uBlockOrigin and others. First remove an ability to install non-Mozilla approved third-party extensions by hand, than just wipe out adblockers or, say something like “Google Search Link fix”.

      Increasing complexity of source code makes modern browser closed-source de-facto. Nobody now could take a sources and, say, just delete all telemetry. Interesting that nearly half of that complexity have nothing to do with browser and it’s engine – it is all that telemetry-spying-useless_services-malware crap thoroughly interlaced with useful code.

      I hope some another project like NetSurf will eventually evolve to something with minimum required web standards support and we will finally get really open-sourced browser.

      1. Yeah… I did delete quite a few urls in about:config and not only Mozillas one, there is Google to (to prevent acces to malware sites or whatever they claim). Thank you, i don’t want it.

  2. Johnathan Bennett can you clarify/confirm “naive serialization”? I can see that would make sense as a term, but it is really close to “native” and both words appear in non-clarifying contexts in the whitepaper…

    1. Yes, naive deserialization. In this case, the code that loads save games just assumes that the data is trustworthy and nothing could go wrong. This is a naive assumption.

  3. Why the world hasn’t switched over to IPv6 is only becoming a better and better question with each passing day.
    My own ISP for an example doesn’t even provide IPv6 addresses to their users at all…

    I understand that a full on switch would be a fairly complicated endeavor, but there really isn’t too much issue in using both systems in parallel. (as the world somewhat already do.)

    Maybe some day we will finally not be stuck to the somewhat tiny 32 bit address space that IPv4 uses. I though understand that 4 billion addresses sounds like a lot from the perspective of the early 80’s. A time when the “internet” were only a handful of computers, in practically 1 country.

    IPv6 on the other hand were drafted in the late 90’s, and it didn’t take until 2017 for it to get accepted.

    Why did it take practically 2 decades to say “yes, 32 bits is a bit insufficient.” Were the organizations making the decision having internal arguments over if they should use 64, 128 or 256 bit addresses or what? What reasonable explanation is there to stall for 20 years for something as simple as increasing an address space…. Especially since it is a new address space, handled along side IPv4 for the time that they both are active.

    1. I really wish ipv6 had mapped ipv4 as part of its address space, as it seems that would have greatly helped the transition. Instead of 4 octets, make it 8, and map ipv4 to 0.0.0.0.*.*.*.*
      It’s been suggested that at some point, new web sites and services will be have to be ipv6 only, and when one of those gets popular enough, the rush to IPv6 will begin in earnest

          1. >RFC 4291, how have I never heard about it?
            >Does it work?
            Last time I tested, mostly.
            * Linux was fine.
            * windows I think required a lot of work to get to mostly working.
            * OpenBSD explicitly does not support it.

  4. “It’s a lovely morning in the serialization routine, and you are a horrible cracker.” Honk honk honk honk!
    I do hope this requires local access to the machine, insofar as everyone in my house is madly playing this game.

      1. Huh, that’s a really good question. We play it through Steam. Yeah, if the save game is In The Cloud on somebody else’s computer, this is a big security issue. I’ll do some research.

  5. Mozilla has been dropping the ball repeatedly ever since they decided to ape Chrome’s gimped extension API/framework/whatever, so I’d be lying if I said I was shocked or surprised BUT I’m still dissapointed.

    And tinkered save games are a known trick for softmodding certain consoles, especially the OG Xbox.

  6. we need an open source browser with no telemetry and proper cookie control.. Without javascript etc it would be easy, the trouble is most web sites won’t run without all the crap nowdays..

  7. “it does present a bit of a challenge to a user installing an extension that isn’t on the official Mozilla store or signed by Mozilla.”
    You are not up to date. The ability to run unsigned extensions (or lastly to make Firefox accept them by hacking some internal files) has gone a long time ago. Today the only way i know would be hacking the source code and compile it again. I tried once inside a VM and failed – not enough disk space available…
    Of course this is for spying uhh i mean user protection. Afaik you can make Mozilla sign your own private extensions, but for this you have to upload them… No, i won’t.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.