LILIN DVRs and cameras are being actively exploited by a surprisingly sophisticated botnet campaign. There are three separate 0-day vulnerabilities being exploited in an ongoing campaigns. If you have a device built by LILIN, go check for firmware updates, and if your device is exposed to the internet, entertain the possibility that it was compromised.
The vulnerabilities include a hardcoded username/password, command injection in the FTP and NTP server fields, and an arbitrary file read vulnerability. Just the first vulnerability is enough to convince me to avoid black-box DVRs, and keep my IP cameras segregated from the wider internet.
Windows Under Attack
Code in a font-rendering library, shared between multiple Windows versions, was discovered to be vulnerable to a malicious Adobe Postscript font. A document can be constructed that uses this vulnerability to run arbitrary code when opened, or even shown on the preview pane, which sounds a bit familiar.
Microsoft acknowledges the bug, as well as the fact that it’s being exploited in the wild in “limited, targeted attacks that attempt to leverage this vulnerability.” As has been pointed out, that sort of language is generally means that an exploit is being used in a government sponsored campaign. Microsoft plans to wait for April’s patch Tuesday to fix this bug, mainly because it’s the now-unsupported Windows 7 where this is a more serious problem.
One further note, the Windows 7 patch for this one will be limited to extended support customers only. There are a few listed mitigations, including de-registering the vulnerable DLL. Another suggested course of action, disabling the preview pane, is probably a good preventative measure for vulnerabilities to come, too.
Another event forced online by Coronavirus, Pwn2Own 2020 wrapped up last week. While it’s disheartening to see conferences canceled, online events end up being more accessible to the rest of us.
Multiple impressive attacks were shown off, like the two-stage compromise in Adobe Reader and Windows, where opening a PDF led directly to SYSTEM level compromise. Another impressive demonstration was the virtual machine escape, where an attacker could compromise a Virtualbox VM from the inside, and gain access to the bare metal OS. Taking the “Master of Pwn” title were Richard Zhu and Amat Cama of Fluoroacetate.
Android on an iPhone
Remember Linux on the iPhone, from 2010? They’re back in the form of project Sandcastle. Android running on an iPhone 7 is quite a trick, and the devs credit access to high quality hardware simulation as the primary enabler for this awesome hack.
Hand-in-hand with Project Sandcastle is the news that Checkrain now has expirimental support for iOS 13.4.
checkra1n 0.9.9 experimental prerelease – experimental 13.4 support, please test on other firmwares also. to run on 13.4, tick the 'allow untested iOS versions' checkbox in the options view – https://t.co/dmdZNMHbJh
— qwertyoruiop (@qwertyoruiopz) March 18, 2020
If you need to brush up on iOS security, we covered the underlying checkm8 bug when it was announced last year. It’s a bug in the burnt-in bootloader on Apple devices, allowing jailbreaking with nothing more than a USB tether.
Tesla and Chromium
Chrome/Chromium is everywhere, and even toppled the once mighty IE. In the wide landscape of browsers, there is essentially Chromium derived browsers, and Firefox. Safari exists, yes, but even that shares a common heritage with Chromium. What’s the downside to everyone using the same shared codebase? Now the bugs are write once, run everywhere too!
A Chromium bug first reported way back in 2016 was still lurking in the Tesla Model 3 firmware. It’s a simple attack — a series of calls to
history.pushState() locks and eventually crashes the browser. In the Tesla, however, the crashing browser brought down a host of other functions, including the speedometer and turn signals. It’s fixed in the latest firmware release, but perhaps this should be a cautionary tale about putting all our eggs in one codebase basket.
Cloud Enabled Routers
I distinctly remember advising several of my customers to throw their routers in the trash, after an automatic update brought always-on cloud connectivity. It might be “useful” to be able to update settings by logging into your Linksys account from anywhere, but it also means that your router is one password away from compromise. The payload is simple, just change the DNS settings on the router to servers controlled by the attacker. If your network is suddenly acting strange, checking your router’s DNS settings is another step to add to the troubleshooting list. If you are able to restrict admin actions to a wired ethernet port, or even the local WiFi, you should do so.
Netflix and Bugcrowd Update
I would be remiss to not update you on the Bugcrowd story from last week. Undoubtedly as a result of the publicity garnered, Netflix has intervened and declared the bug to be valid after all. The researcher has been paid a bounty, and Netflix has already deployed a fix for the issue he found.
So far there’s no word on whether Bugcrowd is revisiting their policy of enforcing non-disclosure for out-of-scope bugs.