Git Vulnerability Retreaded
CVE-2021-21300 is an issue where a malicious git repository can execute a script during the cloning proceedure. The limitations are that the clone must be located on a case-insensitive filesystem, Git must allow symlinks, and clean/smudge filters have to be enabled. That combination just happens to default in the case of Git for Windows. Sound familiar? Git for Windows had a nearly identical vulnerability a few months back, CVE-2020-27955. This is probably an instance where the first vulnerability inspired more research into the attack type, uncovering more problems. In any case, don’t do a Git clone from an untrusted repository.
DuckDuckGo Extension Insecurity
DuckDuckGo makes a browser extension, “DuckDuckGo Privacy Essentials”. It’s fairly straightforward, blocking some tracking approaches, and automatically redirecting to the HTTPS version of sites. [Wladimir Palant] did a brief audit of the extension, and found a couple ironic problems. The first is that like many other anti-fingerprinting solutions, the extension is a fingerprint in itself. Those extensions usually depend on a series of hacks to work at all, and it’s often possible to figure out the real data anyway. Example: an anti-fingerprinting extension might set
screen.width = 1280;. A simple fingerprinting script might simply accept that value, but a more clever script would take the set value, then call
delete screen.width; and check the value again. The failure of the anti-fingerprinting extension made the user even more distinctly identifiable. Note that this example is not specifically from the DuckDuckGo extension, but part of [Wladimir]’s explanation of how these extensions can go wrong.
Specific to DDG’s Privacy Essentials, there are a couple of more serious issues. First off, one of the extension’s scripts used
window.postMessage() to communicate between different instances. That function is a bit dangerous, particularly in an extension, as it doesn’t segregate messages between the extension and loaded page. If the scripts on a page determined that the visitor was using the vulnerable version of the DDG extension, it could send some commands directly, using that function.
The other problem is a snippet of code that uses
tabs.executeScript(). That call uses data pulled from the DuckDuckGo servers, without proper sanitization. If malicious code was ever hosted where the extension was pulling this data from, the browser extension would have happily executed it on every site you visited. [Wladimir] notified DDG privately about the issues he found, and they’ve been fixed. He does note that at least part of the blame for insecure extensions falls on the extension API itself. In many cases, writing secure extension code is far more difficult that it should be.
Hackintosh for Researchers
Doing either research or app development for the Apple ecosystem is something of a pain. If you’re like me, then you have no interest in running a Mac as your daily driver. The cost of a Mac just for research and development is a bit steep, too. The standard solution for many is the Hackintosh — installing the MacOS on generic hardware or in a VM. Our old friend, [Sick Codes], has a project that makes the Apple system much more approachable: Docker-OSX. Need a MacOS system to run Xcode on? Deploy the docker image and start Xcode, hosted right on your Linux or Windows machine. Want to do security research on an Apple binary? Yep, run it right there and dive in.
Now, one might wonder about these solutions: are they legal? Doesn’t Apple’s Terms of Service make it clear that we’re not licensed to run MacOS on any hardware not produced by Apple? Well, [Sick Codes] took a look at that question, too. As far as I know, he is not a lawyer, so take this with that grain of salt. The Apple Security Bounty has terms that override the normal terms of service, so long as you are doing good-faith security research.
This and That
Ever wanted to get into Linux kernel hacking and exploitation, but didn’t know where to start? [Jordy Zomer] just published part one of a series of articles about that very subject. It’s a quick intro to writing kernel drivers, pointing out the security flaw in that driver, and then a step-by-step guide to exploiting that flaw. This looks like a space to pay attention to, particularly if more installments follow.
Your Netgear smart switch just might be very hackable. Ncc Group released their set of vulnerabilities from a Prosafe Plus switch. The worst appears to be the accessibility of a debug interface by an unauthenticated user. You might not have either of the exact switches from the report, but it’s safe to assume that some of these vulnerabilities are present in other devices, with minor variations.
Ever wonder what happens when you click on the obviously fake sponsored search results from a Google search? The guys at SUID wanted to know, and they wrote up a very detailed report on their results. The short answer is that Malvertising campaigns will try to snarf saved credentials and other private data from your machine, if you’re unfortunate enough to let them install their payload.
And finally, Nettitude Labs is doing a walkthrough of techniques an attacker might use to determine if the target is a virtual machine, and what platform it is. Part one is all about the memory layout of the virtual hardware, and part two discusses fingerprinting the driver behavior of each VM platform. We sometimes use VMs to run dangerous binaries and visit suspicious websites, so it’s useful to be familiar with some of the detection and escape tactics.