This Week In Security: Text Rendering On Windows, GNU Poke, And Bitsquatting

Project Zero just unrestricted the details on CVE-2021-24093, a potentially nasty vulnerability in Windows 10’s DirectWrite, a text rendering library. The flaw got fixed in this month’s patch Tuesday roundup. The flaw is accessible in all the major browsers on Windows 10, as they use DirectWrite for font rendering. The trick here is to use a malicious font that uses some nonsense values. Those values result in a buffer allocation that is too small for complex characters such as Æ.

Because the vulnerability is a Windows library, it’s possible that an exploit would automatically work as a sandbox escape, but I haven’t seen confirmation either way. Let us know if you have some insight there.

Via Bleeping Computer

GNU Poke

The good folks at GNU have minted the 1.0 release of poke, a new binary editing tool. The real killer feature of poke is that it can interpret binary data, decoding it back into readable data structures. If you’re familiar with the way Wireshark can decode packets and give useful, organized output, it seems that poke will provide a similar function, but not limited to network traffic.

It looks like it could become a useful tool for getting a look inside otherwise opaque binaries. What poke brings is a system where you can write pretty-printing templates on the fly, which should be very useful when mapping out an unfamiliar binary. Distros will likely pick up and start packaging poke in the coming weeks, making it even easier to get and play with.

Legitimate Malware Makers?

The chickens may be coming home to roost for The NSO Group. So quick review, NSO makes complex spyware. NSO produced malware targeting Whatsapp users around the world. NSO makes the case that they simply make the tools and sell them legally to governments, and can’t be held liable for what those governments do with those tools. Well, the US Department of Justice isn’t convinced, and has slowly been working on a case against NSO.

The case has the potential to be an important one, as it will set precedent for whether a malware maker is liable for how that malware is used. Some very big names, like Google and Microsoft, have thrown their weight behind the potential prosecution. Their stance is that immunity granted to a spyware maker will result in poorer security for everyone. I do wonder what such a ruling would mean for a security researcher releasing a proof-of-concept for a vulnerability. If a malware campaign went on to adapt and use research code, is that a liability?

Cisco Vulnerabilities

Cisco just recently released a set of patches and vulnerabilities, and a handful of them are really serious. First up is CVE-2021-1393, a bug in the Cisco Application Services Engine. The vulnerability is described as “insufficient access control” on a specific service. An unauthenticated attacker can connect to the service over TCP and make system changes. The description is quite vague, but this could be something like a debug port that was accidentally enabled in production. A very jaded and cynical guess would be that they simply left a telnet port wide open.

Next up is CVE-2021-1388, a similar bug in Cisco’s ACI Multi-Site Orchestrator. In this case, it’s an API that can be fooled into providing a administrator token. Once in possession of this token, one can access the entire API as an administrator, all without having a login at all.

And finally, CVE-2021-1361 is a file system management service that was unintentionally exposed to the outside network on port 9075. A vulnerability in that service means that an attacker can make arbitrary file creation, deletion, or modification.

Exchange 0-days

Microsoft Exchange just got patched for a set of vulnerabilities that were discovered because of active exploitation. Microsoft has attributed attacks to Hafnium, a group believed to be in the employ of the Chinese government.

Volexity seems to have been the firm that first discovered the attack. They have network monitoring services in place for various customers, and that service detected mass data exfiltration on two seperate customer networks. After tracking down the odd traffic, they discovered compromised Exchange servers, and were able to identify the 0-day that was used to compromise the machines.

Xerox

If you happen to discover a vulnerability in something made by Xerox, the appropriate response is apparently to release it anonymously online, as Xerox will send you a cease-and-desist order for anything else. [Raphaël Rigo] was scheduled to give a talk February 18th on a set of Xerox printer vulnerabilities, as part of the Infiltrate security conference. The day the talk was scheduled, Infiltrate announced that it had been canceled due to a legal threat from Xerox. The vulnerabilities were disclosed to Xerox back in 2020, so it’s not as if they didn’t have sufficient time to fix the problems.

Bitsquatting

Cosmic rays get blamed for the occasional computer problem. The theory is that a cosmic ray can hit a memory location and actually cause individual bits to flip. I don’t know whether cosmic rays are always to blame, but I do know that RAM problems are fairly common, and can cause hard-to-troubleshoot problems. We’ve talked about Rowhammer and associated attacks, where manipulating certain ram bits can cause changes in physically nearby bits. One of the security talks about unintentional bit flips suggested that the world’s computers see something like 600,000 mis-flips every day.

Now, bitsquatting is essentially a form of typosquatting. Typosquatting is picking a name a human is likely to accidentally mis-type, like “goggle.com”. Bitsquatting is selecting names likely to be reached through a bit flip. I was introduced to this idea through the work of [remy], who decided to finally test the theory of bitsquatting using the windows.com domain. I’ll use his research to demonstrate how this works. The string “windows” translates into binary as 01110111 01101001 01101110 01100100 01101111 01110111 01110011. A single bit flip can change that second character from 01101001, an “i”, to 01101000, an “h”. Suddenly your computer is looking for “whndows.com” for updates, or to get the current time, etc.

How often do connections intended for the windows domain end up at a bitsquatted domain instead? [remy] calculated that there are 32 such valid domains, and was able to purchase 14 of them — just under half. He set up wildcard DNS so that “*.whndows.com” would also resolve to the IP address where he was listening for traffic. On his 14 domains, in a two week period, he received 199,180 NTP requests. Those came from 626 discrete addresses.

There was one event that was of particular interest. A computer on a Chinese IP address made an HTTP request to time.wiodows.com, which may have been a typo made by a human, as this wasn’t actually an NTP request. The odd thing is that soon after this request came in, a second request arrived from the Baidu search spider, to the same bogus domain. [remy] found it odd, but I believe I know exactly what this is. The “Great Firewall of China” is known to detect HTTP connections to unknown domains, and follow with a connection of its own, scraping the new site’s content. This unexpected connection was almost certainly the GFW’s probing.

An earlier experiment ran for much longer, on a different set of bitsquatting domains. In this case, [Artem Dinaburg] observed the domains for just over seven months, and averaged 59 different IP addresses per day, trying to connect to the bogus domains. He points out that some of these connections are likely typos rather than bit flips. One other observation is that he found mobile devices to be overrepresented in connections to his bitsquatted domains. I can think of two possible explanations for this. First, it’s possible that mobile devices are more susceptible to bit flips, possibly because they are used outside so often. Alternatively, I suspect that mobile on-screen keyboards are just easier to typo on. In any case, bitsquatting is a very clever technique that really does have real-world impact.

27 thoughts on “This Week In Security: Text Rendering On Windows, GNU Poke, And Bitsquatting

  1. “I do wonder what such a ruling would mean for a security researcher releasing a proof-of-concept for a vulnerability. If a malware campaign went on to adapt and use research code, is that a liability?”

    It had better not, as that suddenly means security research is dead, or nearly so. Which only makes life better for the bad actors… And probably the big tech companies, as they suddenly need care even less about the quality of their products, nobody can hold them to account on the shoddy practices…

    1. It’s going to be pretty easy to draw a legal distinction between someone who openly releases a PoC, with the intent of bettering security, and someone who keeps their knowledge of the bug secret, weaponizing it, and selling it to the highest (shady or not shady) bidder.

      I think this is a non-issue.

      1. Its only a non-issue if the muppets that run legal departments don’t decide a precident has been set, and that some security researcher harmed our brand by revealing a flaw PoC, that then maybe got used by somebody else because our technical team didn’t bother to do anything about it…

        It should be a non-issue, but one can’t expect it to be – just look at the daftness of laws around automotive, bicycles (electric and non), burglars getting harmed by the occupant… Lots of evidence that common sense doesn’t apply to the world of law…

        1. Indeed. As much as I despise spyware creators, a legal ruling holding them accountable to malicious use by customers could set legal precedent holding manufacturers (of anything) accountable for malicious acts perpetrated with their products. Of course, they’ve been trying that for the past 30 years with the firearms industry.

        1. This law will almost certainly result in researchers not being able to releas PoC’s when companies refuse to fix vulnerabilities. It is a pretty small step from “Tried to profit by selling it to the highest bidder” to “Tried to blackmail us by threatening to release it if we didn’t fix it in 90 days”.

      2. I can recall a while back when malware authors- rather than released a compiled binary of their weapon- avoided liability by publishing the source code knowing that someone else somewhere would compile it and unleash it. To further protect themselves, they might introduce one or two easily found and corrected bugs to the published code.

  2. “Some very big names, like Google and Microsoft, have thrown their weight behind the potential prosecution.”
    Trying to kill the competition! Everyone knows those companies already make legal spyware. Wait until facebook/twitter join the calls for prosecution and we’ll hit full hypocrisy!

    1. What’s the argument going to be “They get the same kind of data we do, then undercut us on pricing, we’re hard working Americans with overheads like buying politicians….” ??? ;-)

    1. Although I consider selling malware as either source or binary is wrong, when you compare it to what you have just so plainly pointed out, I reconsider.

      How often do you hear of a weapons manufacturer being sued/fined because a weapon they produced was used to harm or kill someone? About never?

  3. IMHO researchers that search for security flaws are crooks. They get paid to find the flaws, and then they release the code.
    There is a direct effect of releasing the code to the next generation of sophisticated attacks.

    We’re all spending way too much time on security protection because of these so-called security research animals. Block the publication of the code that shows how to exploit the hole and we will all be better off.

    1. The reason it’s done the way it is — when researchers didn’t make it all public, companies didn’t fix their bugs. Full disclosure after 90 days has come about to ensure that bugs get fixed.

      1. And in almost all cases if the company is communicating with the researcher and trying to fix it, but needs longer the researchers sit on it longer than 90days, its not like they open up the software to attack on a whim…

        Its essential things are released, as if one at least moderately smart person can find the exploit by looking, than others who can make fortunes through using such exploits will too, but those that are trying to protect systems can’t possibly spend enough time on it, alongside fixing and maintaining the systems they run (and are in Cluso99’s world not allowed to tell anybody the flaws they have found, so all that duplicated effort). Which as history shows the companies won’t ever patch their code (without the naming and shaming), and generally haven’t open sourced it – so nobody else can either, means every system out there is open to attack… So should such things come to pass, excuse me while I go back to learning about those archaic Z80 and the like, something simple enough I can hope to understand everything its doing in any program in a reasonable time (or more seriously sticking with the open source world – as it will probably be immune from this stupidity)…

        Just have to look at how often something like the sql injection method, an attack vector known about since before I was playing with computers (unsupervised at least), but it keeps coming up again through lazy programming – the point being the methods to find such vulnerabilities are almost never new, so its not hard to find these repeats of past mistakes if you are actually looking. (though in fairness to the programmers the multilayered complexity, with multiple developers that is so common in modern computing does make full understanding of every layer rather tricky, so these traps are bound to be fallen into sometimes – it is far to easy to assume the library used does something it does not, of the other programmer was going to do that part etc.)

        Though I do not mean to imply there are not some great minds in security coming up with previously completely overlooked flaws, as there are – and they deserve credit too – having probably spent several times longer achieving nothing in their noodling around, without giving up before having that happy accident or correct lateral thinking moment… But most flaws turn up along common theme, so are relatively easy to find and should be trivial to fix (and shouldn’t have happened in the first place)…

Leave a Reply to Bare Metal Programmer Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.