This Week In Security: Fail2RCE, TPM Sniffing, Fishy Leaks, And Decompiling

Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker to take over a machine by being blocked by Fail2ban. The problem is in the mail-whois action, where an email is sent to the administrator containing the whois information. Whois information is potentially attacker controlled data, and Fail2ban doesn’t properly sterilize the input before piping it into the mail binary. Mailutils has a feature that uses the tilde key as an escape sequence, allowing commands to be run while composing a message. Fail2ban doesn’t sanitize those tilde commands, so malicious whois data can trivially run commands on the system. Whois is one of the old-school unix protocols that runs in the clear, so a MItM attack makes this particularly easy. If you use Fail2ban, make sure to update to 0.10.7 or 0.11.3, or purge any use of mail-whois from your active configs.

Breaking Encryption by Sniffing the TPM

“All bets are off once you have physical access.” This seems to be a mantra proven true once again, even when modern techniques are at play to try to defeat it. This story starts when the red team at Dolos Group were sent a “stolen” laptop from their client. The challenge was to see whether an attacker with access to a company laptop could use it to break in to the protected corporate network. The laptop was locked down well, with full disk encryption via a Trusted Platform Module (TPM) and Bitlocker being the cherry on top.

That makes it impossible to make any progress, right? Not quite. The laptop wasn’t configured to require a password or PIN to boot. In this configuration, the TPM automatically sends the encryption key to the boot loader during boot. This key is sent over an SPI interface in plaintext. All that is needed is to probe the SPI bus during boot. While the TPM is physically small enough to make this quite difficult, the SPI interface is a bus, meaning that it connects to multiple chips on the board. One of which is a CMOS chip, with much larger pins. The capture was successful, and they soon had access to the filesystem on the encrypted drive. There wasn’t much of interest on this particular machine, aside from a VPN client.

To gain access to this client, the attackers opted to use a very old trick to bypass the Windows login — the sticky keys backdoor. If you’re not familiar with this clever hack, take notes. When you have access to a machine’s drive, but not a user account on the machine, you can copy cmd.exe over one of a handful of system binaries in order to bypass login. The virtual keyboard binary is a popular choice, but in this case Utilman.exe (sticky keys) was chosen. They booted the modified image as a virtual machine, and at the login screen, used the Windows + U key combo to launch their command shell. Since the machine itself was already connected via VPN, and logged in to the domain via a machine account, they had a toehold to play in the internal network. Uploading a file to the scanner directory on one of the servers was enough to score a win for the penetration test.

Fishy Clubhouse Dataset

Clubhouse, the trendy audio social network is the center of a new data scraping story. On one of the darknet forums, a user is offering to sell a database of 3.8 billion phone numbers, allegedly taken from Clubhouse servers. It’s odd, because all that the database consists of is the phone numbers. Clubhouse has announced that it is not a valid leak, and that they believe the numbers to have been randomly generated. The sheer amount of numbers, with basically no additional information, is enough to make the database useless even if it is real. There seems to be very little to worry about here.

Guessing Names at Linkedin

A scraping technique that isn’t all hype is the revealin tool, from [mxrch]. The tool takes the profile of a user with a hidden last name, and reveals the complete name one letter at a time. It’s a nifty tool, but you can do this yourself, by hand, on the Linkedin homepage. The problem is the Linkedin search function, which sends each keystroke to the server, to update the list of possible matches. The matching algorithm has access to the full last names, so you can figure out the name one character at a time. Take [Thomas H.] for instance. Type that much in, and the link to his profile shows up in the list. Add an “a” to it, and it disappears. Keep trying till you guess an “e”, and the profile is still there. Now you know the second letter is an “e”. Revealin does the exact same process, just much faster. I did test it out, and found that it worked until I started hitting Linkedin’s rate-limiting. Rinse and repeat on a thousand cloud instances? All told, it’s a clever little tool.

16 year old Bug

You probably have a vulnerable driver installed on your Windows machine. HP, Xerox, and Samsung printer drivers all install the SSPORT driver, and that contains CVE-2021-3438, a 16 year old vulnerability. Look for C:\windows\system32\drivers\ssport.sys. It contains a trivial buffer overflow that can be used for local privilege execution. The updated driver is available, or you can uninstall the driver if you no longer use a printer that relies on it.

Dependency Security

Supply chain attacks have been a big issue for a long time. The danger of an upstream package or library being compromised has played out a few times in recent history, like event-stream and the Dependency Confusion attacks. Gitlab and Github have both announced projects to try to improve the situation. Gitlab’s Package Hunter is a behavior profiling tool that assembles your code and dependencies in a sandbox, and puts it though its paces looking for odd behavior. The downside is that it’s currently limited to NodeJS and Ruby projects. Even at that, it should be a useful addition to a CI pipeline to find problems right away.

Github already has a handful supply chain security features, like the security advisory database entry we linked to in the Fail2ban story at the beginning of the article. The news is that they are bringing those features to Go. That includes the advisories, the dependency graph, automated alerts on announced vulnerabilities, and even automated pull requests to update the vulnerable dependency. It’s a useful set of tools, and great to see them available to yet another language.

Reverse Engineering for Dummies Beginners

You have a binary, and you need to know what it’s doing under the hood. Easy, just decompile it! Now that we have tools like Ghidra, it’s fairly easy to make that jmp into assembly. But if you’ve never done any assembly programming, the list of push, mov, and pop commands aren’t much more helpful than the raw machine code. Well, add this quick guide from [Sami ALAOUI KENDIL] to your reading list. He covers the basic assembly commands and patterns you should know to follow the flow of execution. Just like it says on the tin, it’s an excellent guide to reading decompiled code.

10 thoughts on “This Week In Security: Fail2RCE, TPM Sniffing, Fishy Leaks, And Decompiling

  1. I’m guessing Bitlocker is designed with TPM 1.2 instead of 2.0 feature set in mind an that’s why they weren’t using a session encryption key. Or maybe it’s designed to work with TPMs that don’t have ECDH support and don’t want to require an RSA session key be stored in the persistent objects, or spend half a minute waiting for the TPM to generate one.

    1. I might shift that a bit. With physical access all bets are off. Bus sniffing and decapping, and dumping rom and any number of physical exploits exist and will continue to be documented. Once you have physical access security is measured in time it is not a yes or no.
      This exploit may inform the time-to-wipe settings in the diligence of configuration as part of the cyber insurance you purchase. It’s not a failure of the TPM it is a new basis for the time calculation.

  2. There is a little problem with uninstalling the SSPort driver. Microsoft has signed the vulnerable drive and hasn’t revoked it yet.
    An attacker can just include a copy of the vulnerable driver and Windows will happily install it.

  3. “Just like it says on the tin, it’s an excellent guide to reading decompiled code.”
    It’s a guide to understanding disassembled code.

    Disassembling gets you assembly, decompilation gets you (usually very hard to read) high level like C.

    Ghidra and IDA have decompilation options but the guide doesn’t talk about that or how to clean it up.

    1. Try this to patch the config on LTS ubuntu/Debian boxes:

      cd /etc/fail2ban/
      grep -lir ‘mail -s’ *

      sed -i “s/mail -s/mail -E ‘set escape’ -s/g” action.d/complain.conf
      sed -i “s/mail -s/mail -E ‘set escape’ -s/g” action.d/dshield.conf
      sed -i “s/mail -s/mail -E ‘set escape’ -s/g” action.d/mail-buffered.conf
      sed -i “s/mail -s/mail -E ‘set escape’ -s/g” action.d/mail-whois-lines.conf
      sed -i “s/mail -s/mail -E ‘set escape’ -s/g” action.d/mail-whois.conf
      sed -i “s/mail -s/mail -E ‘set escape’ -s/g” action.d/mail.conf

      grep -lir ‘mail -s’ *
      systemctl restart fail2ban.service

      Note on legacy systems the “mail -s” part may be inline with a macro for the “mail” part in some configs.

      The package maintainers have already fixed the default configuration for new installations. However, if you have old rule-sets for things like asterisk enabled it may still pose an issue.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.