Git released an update on Tuesday, fixing an issue that could result in leaking credentials. The vulnerability was in how Git handles an HTTP URL containing a newline. Looking at the commits in 2.26.1, we can find an example of an attack:
url = "https://one.example.com?%0ahost=two.example.com/foo.git"
So doing a git pull
against this repository will connect your git instance to an attacker’s server, but using the credentials from an arbitrary server. It seems like this could potentially be used to steal Github credentials, for instance. So go make sure you have an updated Git client.
Commercial VPNs and Open Source
Commercial VPN providers are a dime-a-dozen these days, and they’re not all exactly reputable. Rather than report on the bad actors, today we’re looking at a provider who’s doing something right. IVPN has open-sourced their client software, and has gone through the process required to get their Android client hosted on F-Droid. F-Droid, by the way, is an open-source only 3rd party app store for Android. (See my FLOSS Weekly interview for more info.)
IVPN even has plans to open-source their server-side software. While having a fully open-source stack doesn’t absolutely guarantee good behavior by a provider, it goes a long way to demonstrate good intentions, and buys a lot of community goodwill.
Patch Tuesday
Remember the Windows 0-days we’ve talked about the last few weeks? Patch Tuesday is finally here, and three actively exploited bugs are finally getting fixed. Two of those flaws were RCEs in a DLL used to render fonts, and the third a local privilege escalation flaw in the Windows kernel.
Another important bug in Internet Explorer was fixed this week, too: CVE-2020-0968. This one is a remote execution bug that can be triggered simply by visiting a malicious page. In some places this is being called a 0-day, but Microsoft claims that they haven’t found evidence of it being exploited in the wild.
The last bit of related news is that the security researcher known as [SandboxEscaper] is now working at Microsoft, and is responsible for some of the bugs fixed in the last few months.
Anti-Cheat
Riot Games has rolled out a new anti-cheat system, Vanguard, for their recently released game, Valorant. Vanguard is apparently attracting some attention, as it installs a kernel-level driver as part of the anti-cheat measures. On one level, it’s understandable that a really robust anti-cheating solution needs more than just user-level system access. At the same time, a vulnerability in that driver means the entire system is exposed, not to mention the possibility of intentional misbehavior.
One could observe that the other ubiquitous anti-cheat solutions like BattlEye and EAC also use kernel drivers to function. (And as a result, have been a huge hindrance to running games on Linux through Wine.) I haven’t been able to confirm this, but word is that Vanguard is different in that it is always loaded, rather than only loading while the game is running. One humorous tidbit is that antivirus applications have a tendency to mark anti-cheat software as malicious applications.
Windows COM Vulnerability and Documentation
This vulnerability isn’t particularly dire, and is a few months old, but the write-up just released, and has a really interesting wrinkle. First, the Windows Component Object Model (COM) is essentially just part of the Windows API. (I know that’s not quite technically correct, but it’s a useful simplification for our purposes.) [Phillip Langlois] and [Edward Torkington] of nccgroup discovered a flaw in a COM interface related to program installations. By creating a symlink and then calling the vulnerable interface, an under-privileged user could trick the system into creating a readable copy of any file on the system.
As expected, Microsoft was responsive and pushed a patch fixing the issue within 90 days. Doing a followup check on vendor patches is always a good idea, and something strange was noticed — The original exploit still worked on a patched machine! After some decompiling and double-checking, the culprit turned out to be a Windows function, “GetFileAttributesW”. A quick check of the MSDN documentation shows that in the case of a symlink, this function returns information about the link instead of the target. In practice, however, the function was following the link and reporting on the target file.
Documentation is super important when tracking down security problems, and incorrect documentation can cause all sorts of headaches like this. This also highlights the importance of double-checking by actually running the code, rather than just depending on your understanding of the problem. And finally, if you report a security vulnerability that gets fixed, make sure to re-visit the issue to make sure it was actually fixed!
Odds and Ends
A Juniper virtual router image was accidentally shipped with root level credentials. While that’s obviously a problem, this isn’t nearly as bad as some of the previous stories we’ve covered. First off, this isn’t a hidden or unchangeable password, and it’s recommended to set the root password during initial setup. The other difference is that Juniper researchers found this issue themselves, and fixed it without any in-the-wild abuse. On the other hand, those credentials have been present in Juniper’s VM for 3 years.
Firefox 75 has been released, with yet another set of bugs being fixed. None of them have been found in the wild, but a couple bugs are considered high impact and likely to be exploitable. A new Firefox ESR release was also made, fixing some of the same bugs. That update has triggered both a Tails update and a Tor browser update.
Google Chrome has finally made their next release, jumping to Chrome 81. This contains 32 security fixes, with a handful of those being high importance fixes.
The next entry in “Don’t Connect Your Management Interface to the Internet” comes from Dell, as their iDRAC (integrated Dell Remote Access Controller) was just updated to fix a nasty buffer overflow flaw. This flaw is accessible without authentication, and could likely be used to execute arbitrary code.
Zoom just can’t catch a break, as the latest word is that a pair of exploits have been found, one of which is on sale for a cool $500,000. This exploit is a full RCE for Windows, while the other is a less useful Mac only flaw.
i have a theory that game devs are actually in cahoots with cheat software developers. sure the ban hammer comes down every now and again but im sure if i flashed a 5 or 6 figure check at a game company they would just hand over the info to write cheat software. and thats assuming they are different entities.
Considering Riot Games is making billions of dollars in revenue every year, a mere six figures might not get them interested. Cheats do have a real cost in making other players less likely to play. Of course game companies do sell cheats themselves, but that’s called pay-to-win.
more a thing i see with low budget f2p games. they make a big deal about mass bannings once and it never happens again. just seems fishy.
I would think that at least some of the cheats hook cheat code put in by the games coders to use for development testing, and thence inadequately disguised or disabled. Therefore some of the cheats may be based on info let slip or deliberately passed on by coders.
Very unlikely. There’s almost no incentive for it; the market for good games is considerably larger than the market for cheating, and players react very negatively to cheating.
Anti cheat is a game of cat and mouse. Making the anti cheat mechanism a kernel module means that that local system has to have “integrity”. However, you could run that local system as a virtual machine and make whatever modifications to the live “local” system externally (from the hypervisor level) as desired. It really is turtles all the way down!
Management interfaces from the likes of Dell etc have become pretty powerful, but did any of them ever have integration with Remote Desktop such that this..
https://itstillworks.com/update-bios-settings-remotely-7459650.html
.. ever had a hope of hell in working on anything at all? because it sounds like complete BS to me.
does one have to accomplish a cheat using a camera pointed at the screen and servos moving the mouse and pressing keys before these companies GTFO and stop ignoring Linux “because they don’t let us load our shit into the kernel”….
Windows and stuff that doesn’t belong into kernel is a lost cause tbh