This Week In Security: NSO, Print Spooler, And A Mysterious Decryptor

The NSO Group has been in the news again recently, with multiple stories reporting on their Pegasus spyware product. The research and reporting spearheaded by Amnesty International is collectively known as “The Pegasus project”. This project made waves on the 18th, when multiple news outlets reported on a list of 50,000 phone numbers that are reported as “potential surveillance targets.” There are plenty of interesting people to be found on this list, like 14 heads of state and many journalists.

There are plenty of questions, too. Like what exactly is this list, and where did it come from? Amnesty international has pointed out that it is not a list of people actively being targeted. They’ve reported that of the devices associated with an entry on the list that they have been able to check, roughly 50% have shown signs of Pegasus spyware. The Guardian was part of the initial coordinated release, and has some impressive non-details to add:

The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.

Amazon’s AWS was named as part of the C&C structure of Pegasus, and in response, they have pulled the plug on accounts linked to NSO. For their part, NSO denies the validity of the list altogether.

It’s no secret that NSO tools are used to spy on people all over the world. The real questions here are whether those tools are being abused to spy on particularly inappropriate targets, whether NSO knew about it, and what they will do now, if these claims are true. If you suspect your device might be compromised by Pegasus, take a look at the Mobile Verification Toolkit, developed by Amnesty International.

More Print Spooler Fun

At this point, it should be obvious that we should turn off the print spooler for any Windows machine that doesn’t really need it. Yet another flaw has been announced, CVE-2021-34481. This one is a bit odd. According to Microsoft, this bug is totally unrelated to the previous Print Nightmare bugs, and was discovered by [Jacob Baines] back in June. What makes it particularly strange is that it was publicly disclosed weeks before the researcher’s deadline, and hasn’t yet been patched. Their advisory indicates that it isn’t being exploited in the wild, but it seems they are acting as if it has already been made public.

If Print Spooler EoP bugs aren’t enough, how about a world-readable Security Account Manager (SAM) file? This flaw is related to the shadow copy service, and on Windows 10 and 11 machines, allows any user to read the entire SAM, SYSTEM, and SECURITY files. What can you do with that? Jump from an unprivileged user straight to System, for a start.

Debugging Backdoor in KiwiSDR

Thanks to [jpa] for pointing this out last week in the comments. The KiwiSDR is a BeagleBone cape, together with a customized BeagleBone image, that captures radio data and puts it online for anyone to listen to. Before we get to the security issue, I have to say that this is a really nifty project. Check out the list of nodes online around the world.

The problem is that the project included a root web shell built in with a hardcoded password, and it wasn’t particularly well documented — a couple brief mentions in the forum doesn’t really count. The SHA256 encoded password would be difficult to crack, but as Ars points out, any connections happen over HTTP, so a single instance of packet sniffing would reveal the password. To the developer’s credit, he has now put up a warning on the site’s main page, that previous versions have a security vulnerability. A brief discussion in the latest commit on Github indicates that a more complete disclosure is coming. (You may need to scroll to the bottom of the page to find the comments.) Ironically, I don’t think any of the users would have had a problem with this, so long as it had been well documented, opt-in, and implemented a bit better.

Linux Filesystem Vulnerability

This is an odd one. As far as the public disclosure goes, it starts with the news that a logged-in user can crash a Linux system via a SystemD flaw involving a very long path name. That’s an annoying bug, but it gets weirder. The researchers at Qualsys found it by accident, while trying to pull off a full jump to root exploit. That exploit is one where an integer can be overflowed by a very long path. The path string needs to be a whopping 1 GB long. By mounting and then deleting something on that crazy path, the overflow allows an out-of-bound write. A PoC is available, so make sure to get the latest kernel offered by your distro.

0-day Campaigns This Year

Google’s Threat Analysis Group has released a report with a bit of insight into a trio of campaigns using 0-day vulnerabilities they’ve discovered in active use this year. The first is an email campaign that seems to be based in Armenia using CVE-2021-21166 and ​​CVE-2021-30551, both bugs in Chrome. In what may have been part of the same campaign, victims were sent Microsoft Office documents that used either ActiveX or VBA Macros to launch IE 11 and trigger CVE-2021-33742.

The last campaign discussed is a bit more interesting, as it used a Safari 0-day to infect the browser on iOS. This one is thought to be from the Russian APT29, and targeted officials in Western Europe via LinkedIn messages. The exploit wasn’t coupled with a sandbox escape, but just runs in the confines of the browser, grabbing information from every page accessed.

Windows Hello Fooled by Photo

Windows Hello. It’s not unique, the iPhone also has the capability to unlock via facial recognition, and some Android phones have picked up the feature as well. There’s a fundamental difference between a Windows machine, and a phone. The camera on the phone is a known and trusted entity. Any device can claim to be a webcam on a desktop or laptop. Windows Hello accepts any webcam device, and that leads to some obvious security problems. The system uses infrared imaging, so one simple bypass is to present an infrared picture of the user. It sounds like further attacks should be possible, like a device that presents itself as a webcam, but replays captured images of the target’s face. This is sure to be an interesting topic for further research.

REvil Decryptor

After REvil has mysteriously taken down their shingle (AKA, disappeared and gone out of business), a new development has emerged in the Kaseya ransomware story. A universal decryptor has been obtained “from a trusted third party”, and is being used to recover data. No word on who the third party is, and involved parties have declined to confirm whether any ransom was paid as part of the deal. Hopefully further news will leak out about how the decryptor was obtained, and what is going on with the REvil group.

22 thoughts on “This Week In Security: NSO, Print Spooler, And A Mysterious Decryptor

  1. > I don’t think any of the users would have had a problem with this, so long as it had been well documented, opt-in, and implemented a bit better.
    And maybe get a professional security audit.

    1. “maybe get a professional security audit.”
      What does this even mean? Humans are proven over and over again to be useless at finding security flaws. Google, Firefox etc perform “security audits” on a regular basis and it doesn’t even slow down the blizzard of CVE reports.
      Anyone claiming to be a “professional” at this stuff is no more than a professional grifter.

      1. “maybe get a professional security audit.” you pay to have it checked for basic security mistakes, or at the very least run your code through any or all of the publicly available “Code-audit tools”.

        I download the distributed OS image file for kiwisdr from dropbox and the source code from github. I spent a little over 2 minutes checking for some very basic security faux pas and saw enough (same ssh private keys on probably all installs, use of strcpy and strncpy) to start ringing alarm bells. No wide open barn door, but enough low hanging fruit to suggest that the code has never been looked at anyone from a security angle.

  2. Seems like interesting security news to be fair.
    The print spooler and related is interesting, wonder how it traces back into older systems like Windows 8, 7, etc…

    Then there is the Linux flie system exploit. Here one might have to ask, who would actually need a file path that takes up more than even a couple of kB to be fair? Going past a MB seems utterly stupendous and going to a GB is just unrealistic.

    Why not put in some hard limit instead of supporting infinity and all of its potential quirks? A hard limit can still be utterly gigantic beyond even unreasonable needs, like 100KB.

    Just to point out how utterly stupendously gigantic 100KB is for a file path, at one byte per character, that is longer than even long books, and sorting things into folders who’s names are 100 characters long, where each only contains 2 subfolders, then by the 300’th sub folder, we can sort more files than the estimated subatomic particle count for the whole universe if each of these folders only contained 1 file each… And by this point, we still have a name space sufficient for another 700 such sub folders…

    Now, think of a file path that is 1GB or more, why would you need that?

    So why support something that is practically infinity?
    Honestly, a lot of computer bugs happens due to people trying to support far more than what is actually reasonable.

      1. Firstly, not that many typos to be fair. Other than the flies system and the incorrect prefixes.
        Though, the abnormal concentration of commas might throw you off… As well as the slightly different word structure than what you might be use to. (English and its various dialects apparently means that people speak and write differently between different regions.)

        But I didn’t mean to come across as pedantic. I can though agree about the excessive use of emphasis.
        And the longwinded explanation is more to come across clearly, instead of getting knee jerk reactions barking up one’s tree. As is so often the case here on the internet.

        But thanks for the input and far from constructive criticism. Hopefully you at least understood the point of the message.

      1. An error that the file path name is too long and therefor can’t be created nor reached.

        Systems that already mange to have file paths beyond that would obviously have to do something about their names before switching over to a newer system. But for the vast majority, 100kB is already so huge that it shouldn’t be an issue.

        I see it as a simple solution, since realistically a file path should never be that long in practice.

          1. To a degree yes, but no.

            There is a difference between supporting actual infinity and practical infinity. (Though, I do suspect that Linux likely has some actual limit to file path names, but if it supports multiple GB, then it is likely way too large to be fair…)

            100kB file path names is stupendously huge and no one should under realistic scenarios even approach a meaningful percentage of that. So it isn’t like it is a really low hard limit that would actually annoy people.

            There is reasons for why I didn’t say 1kB, since that would likely impact people, 10kB is unrealistic to impact anyone, but maybe some get up there, but lets go to 100kB to be really safe, but nothing stops us from putting such a hard limit at 1MB if people really feel uneasy about a hard limit.

            But as long as it is somewhere, since then we can avoid infinity and all its potential issues. Since having a known limit means that it is much easier to prepare buffers and similar, unlike infinity where it can always be larger.

            A rather basic part of system security is to know edge cases and have a controlled fashion of handling them.

          2. Alexander Wikström Said:

            > A rather basic part of system security is to know edge cases and have a controlled fashion of handling them.

            ^^^ This!

    1. The linux file systems have limits for the length of filenames, paths, and the amount of files they can have. The flaw is in systemd which is a configuration/resource manager, a different bit of the kernel…

  3. Exploiting the Print spooler was one of my favorite zero-days against draconian and over-zealous corporate IT. I used it many times in the XP days (for good not evil). Microsoft plugged one hole, though that was easy to get around. I haven’t had occasion to do those shenanigans since, and I’m a little suprised that the print spooler continues to run under and elevated account.

  4. Maybe I didn’t make my skepticism obvious enough. Yeah, it’s sketchy. I tried to cover just the facts. It’s definitely news that AI is making the claim, and that’s what we covered.

    If you’re an insider, and want to pass along some information, I’ll cover that too.

  5. Device (or driver code) in the middle attacks will always undermine biometric security. Even if you had a brainwave challenge and response type authenticator a neural network could be trained to mimic a human if you first collect enough samples by intercepting the legitimate data going through the interface. The whole issue of “provably virtuous hardware” will be increasingly important as people wise up to the threats that are out there. 

  6. Are print spoolers relevant today?

    I once bought a used one around 1995. A Z80, and all of 256K of RAM, I think room for expansion. I never got around to using it, the buffer in my dot matrix printer was good enough.

    When I got a used HP-4P laser printer about 2003, it had more memory, plus room for 3 SIMMs, easy to fill because by then SIMMs were mostly in the past.

    My Brother from two years ago probably has better storage, but it’s also faster.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.