This Week In Security: F5, Novel Ransomware, Freta, And Database Woes

The big story of the last week is a problem in F5’s BIG-IP devices. A rather trivial path traversal vulnerability allows an unauthenticated user to call endpoints that are intended to be restricted to authenticated. That attack can apparently be as simple as:

'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

A full exploit has been added to the metasploit framework. The timeline on this bug is frighteningly quick, as it’s apparently being actively exploited in the wild. F5 devices are used all over the world, and this vulnerability requires no special configuration, just access to the opened management port. Thankfully F5 devices don’t expose the vulnerable interface to the internet by default, but there are still plenty of ways this can be a problem.

Freta

Microsoft has made a new tool publicly available, Freta. This tool searches for rootkits in uploaded memory snapshots from a Linux VM. The name, appropriately, is taken from the street where Marie Curie was born.

The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging.

The impetus behind the project is the realization that once a malicious actor has compromised a machine, it’s possible to compromise any security software running on that machine. If, instead, one could perform a security x-ray of sorts, then a more reliable conclusion could be reached. Freta takes advantage of the VM model, and the snapshot capability built into modern hypervisors.

As you might imagine, the idea of sending snapshots of your Linux VMs to Microsoft for scanning has been met with some skepticism. That said, the primary use case for Freta will likely be the Azure cloud, so it’s reasonable to see this as just another tool for that ecosystem. It will be interesting to see this technology mature, as there seems to be great potential.

Vulnerability Compatibility in IE11

Earlier in the year, yet another jscript.dll vulnerability was found and fixed in Internet Explorer. As a quick recap, jscript.dll is the javascript engine from IE8. The continual presence of IE8 compatibility mode means that this old codebase still persists in modern Windows versions. Were IE8 only accessible by user intervention, this would be much less of an issue, but a website can request this compatibility mode, meaning that simply visiting a malicious website could enable an attack.

What we have this week is a detailed look at CVE-2020-1062, the bug in question. It’s a use after free, and it’s triggered by freeing an object in an overridden callback of that object. In the example code, the exploit defines the “toString” function, and manages to free the parent object in that function. As is almost always the case, finding a crash is the easy part, but turning it into a working exploit is much harder. The use-after-free bug doesn’t in itself allow for code execution, but results in code execution jumping to a location controlled by the attacker. Using the Binary Ninja tool, the researchers found an existing function that they could jump to, and from there pull off remote code execution. The full story is more involved than we have space here to cover, so go check it out for the full details.

Citrix Bug Detailed

Earlier this year, we covered CVE-2019-19781, another path transversal vulnerability, but this one is in Citrix products. Now, six months have passed since the initial disclosure, and Mikhail Klyuchnikov has written up a more detailed report on the flaw.

At it’s core, the vulnerability is simple. On a Citrix gateway, “/vpn/” hosts the login page for remote users. The url isn’t properly sanitized, so something like: /vpn/../vpns/portal/scripts/[scriptName].pl
doesn’t require authentication, but does actually execute the Perl script at the given location. The ability to interact directly with these scripts as an unauthenticated user would be problem enough, but the newbm.pl script actually allows writing data to arbitrary locations. Between the ability to execute Perl scripts, and the ability to write to the file system, it’s rather trivial to install a remote shell using this vulnerability.

Ransomware Hitchhikes on USB Drives

Try2cry is a new ransomware, spreading itself through USB flash drives. In the old days, this sort of worm would simply use the autorun feature of Windows to automatically infect a machine when plugged in. On modern machines, with autorun disabled, malware authors have to be more creative in order to spread their wares. Try2cry copies it’s installer to the root of the flash drive, marks all the existing files and folders as hidden, and then creates shortcuts in place of the hidden files. These shortcuts all point back to the malware installer, and the hope is that a user won’t notice the change, and installs the malware when trying to access the files.

Apparently this ransomware is little more than a copy-and-paste of the open source “stupid” ransomware, available on GitHub. The good news is that it can be decrypted with available tools.

MongoDB Ransomware

Yes, even more ransomware. MongoDB databases are quite popular, with something like 45,000 of them exposed to the internet. The problem is that half of those are configured without a password. Anyone can connect to, read, and write to them. Yes, many of those are probably just for testing, but inevitably some of them have live data as well. Apparently some aspiring blackhat realized that all those unprotected databases were a prime target, and launched an attack.

Each database is wiped, and a ransomware note is added in place. As far as ransomware goes the .015 BTC that is requested is rather cheap, valued at $138 at time of writing. The worst part of the attack might be the threat attached: to leak the stolen data, and then file a GDPR complaint on behalf of those whose data was exposed.

And Finally…

Samba announced a pair of bugs recently. So far, it appears that neither problem can lead to RCE, but they’re rather simple to launch DoS attacks. One attack is a variation on the zip bomb, where a DNS name composed of 8127 dots causes Samba to lose its mind. The other flaw is a code softlock triggered by a UDP packet with an empty data message. Both flaws require netbios to be enabled in an Active Directory configuration.

IBM’s Db2 database software has a remotely exploitable buffer overflow. This issue can result in arbitrary code execution as root, so make sure to get this patched if you’re running big blue.

 

5 thoughts on “This Week In Security: F5, Novel Ransomware, Freta, And Database Woes

  1. > The worst part of the attack might be the threat attached: to leak the stolen data, and then file a GDPR complaint on behalf of those whose data was exposed.

    Uhm, okay – leaking the data is bad but then filing a GDPR complaint is kinda great.
    Politicians and oversight entities don’t do that enough with big players.

  2. The English language includes these wonderful things called metaphors.

    I’ve removed the errant apostrophe, thank you for pointing it out. I shall endeavor to avoid such drooling and snorting in the future.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.