The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.
curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
The Day The Internet Stood Still
You might have noticed a bit of a kerfluffel on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning nxdomain to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.
how much? https://t.co/fH0zXw7rV9
— jack⚡️ (@jack) October 4, 2021
Facebook has put up a blog post with all the details, and Cloudflare has a nice write-up on the fallout from their perspective. An unintentional BGP update was sent to the entire Facebook network, knocking their internal backbone network offline. Facebook’s DNS servers keep constant tabs on the connectivity to the internal network, and stop advertising inaccessible routes in an effort to automatically route around problems in normal cases. In this case, that automated behavior led to the entire network disappearing, making the problem worse.
With both BGP and DNS offline, many of the tools and techniques engineers would use to troubleshoot and fix the problem were also unavailable. Humorously, even physical access controls were affected, meaning that FB engineers were locked out of the very datacenters they needed to access to resolve the problem.
Cloudflare has some interesting insights from their 1.1.1.1 DNS resolver. Namely, when Facebook.com stopped responding, DNS traffic exploded, and global DNS queries for Facebook multiplied thirty-fold. If other domains were timing out or acting strange, it was probably because of that unintentional DDoS on DNS. What caused it? Too many applications written without error handling for facebook.com’s disappearance. Or to quote Cloudflare:
This happened in part because apps won’t accept an error for an answer and start retrying, sometimes aggressively, and in part because end-users also won’t take an error for an answer and start reloading the pages, or killing and relaunching their apps, sometimes also aggressively.
There has been speculation that a couple of other stories are related, namely the offered 1.5 billion user records being offered on the dark web. As far as anyone can tell, these stories are completely unrelated, and the latest data set for sale is simply the results of more scraping.
Twitch Leaks Everything
Twitch, on the other hand, has a more serious problem on its hands. Source code, payment records, and internal tools were released in a torrent labeled “part one”. Twitch has confirmed the validity of the data, citing a server misconfiguration as the cause. There were a couple of surprises in the dump, like an in-progress Steam competitor. Also included is the source code with commits going back basically to the beginning of the service. Time will tell if more data is coming. Either way, Twitch has a mess on its hands.
REvil Arrests — Maybe
This week a pair of arrests happened in Ukraine, with a few hints that it’s related to REvil. Ukrainian officials have stated that the actor had been operating since March 2020, and demanding ransoms as high as $70 million. It would be quite ironic if it turns out that the most famous “Russian” malware gang was actually operating out of Ukraine.
Open Source Bug Bounties
The Linux Foundation and Google’s Open Source Security Team have worked together to create Secure Open Source Rewards. The new program is an open ended bounty for developers making security improvements to open source projects. This effort is a bit different from other bug bounties, as the emphasis isn’t on finding vulnerabilities, but work to prevent problems. Examples are things like adding continuous integration testing to a project, or adding code signing and verification.
To be a valid target for payable work, the project being improved needs to be widely used or considered critical. Follow the link for more information on those details. With potential payouts over $10,000, the potential payoff is worth the work. The big advantage to this project over conventional bug bounties is that less luck is involved here. Rather than hoping to find a vulnerability, there is no shortage of projects that need better testing and verification.
The Ultimate Rickroll
[WhiteHoodHacker] has posted his write-up of Rickrolling his entire school district, in what must be the best senior prank of all time. It all started when our aspiring hacker was a freshman, and started scanning the district’s IP space. The result was a whole bunch of devices, many with improper security, like security cameras that could be viewed with no passwords. Those were eventually secured, but there was an IPTV system in place, and it was ripe for messing with.
The idea for a senior prank seemed to die with the COVID pandemic, but fate intervened, and in-class instruction resumed just in time. [WhiteHoodHacker] and his team dubbed the idea “The Big Rick”, and put together an impressive operation to pull it off. A combination of default passwords and vulnerable IPTV equipment allowed them to stream their bootleg video over multicast, and tell every TV and projector in the system to turn it on at the same time. The embedded video is glorious:
Now. As the write-up points out, this prank was technically a computer crime and it would have been all too easy for the school district to press charges. Becoming a felon because of a prank is a terrible way to start adult life. Thankfully, the district administration responded well, and this story ends happily.
Followups
Apple has responded to [Denis Tokarev], who released iOS zero days out of frustration with the Apple security team. Unfortunately Apple’s response doesn’t include fixes or workarounds, but just more assurances that they “are still investigating these issues”. In other words, nothing much has changed, and many security researchers are still frustrated.
OpenOffice has released 4.1.11, containing the fix for CVE-2021–33035, which we discussed last week. Just a reminder, that means that this vulnerability was available as a 0-day for about a week before this release.
Its comical how fragile the networks really are… like eggshell’s stacked on eggshells… just the slightest misstep and it all breaks. Its a testament to the true level of ineptitude of programmers. Epic failure is the normal.
And yet many people were utterly unaffected. Is it Really a big thing when a blog site goes down? Get a life.
Did you never spot the “login with facebook” option on various apps and websites? And yes, that’s a bad idea from a privacy perspective, so perhaps this incident helps a little.
Helpdesk of many ISP was affected because people kept calling that internet is not working because for some peope internet is only whatsapp, facebook and tweeter. That is really sad and scarry.
Yep, it is fragile. Amazing it really works as well as it does when you think about it. Of course around here we didn’t lose any sleep over Facebook as we don’t use any social network sites unless you count forums (again no biggie if go away). Waste of time.
Life is fragile. network3rks are not! What I feel we are witnessing is an “Oh Shit” moment where the little issues we ignored year after year w network hardware, phones, personal computers and any device in our home…. can and will be used against you if deamed necessary. Personally…. I’m still going through that shit and the more I see of this kind of thing….. the more I feel it will get fixed. I don’t like the way certain groups basically doxed everyone with no regard….
Should be interesting the further down this road we go.
the test above for the Apache CVE returns a 400 Bad Request on all the machines i’ve checked so far, including ones i’ve just patched today. i assume this is all good?
As long as you don’t run 2.4.49 or 2.4.50 (yep, it wasn’t completely fixed in that version) you’re safe for this vulnerability
As much as I dislike the song, I must admit that this is one of the greatest Rickrolls ever.
It’s good that the school administration decided to be actual human beings for once and saw a harmless prank as just that, a harmless prank.
>saw a harmless prank as just that, a harmless prank.
You misspelled “Free well-documented pen test” (in the writeup). If they’d just trashed stuff it wouldn’t have been viewed that way.
“A few days after sending the report through the anonymous email account, we received an email response from D214’s Director of Technology. The director stated that because of our guidelines and documentation, the district would not be pursuing discipline. In fact, he thanked us for our findings and wanted us to present a debrief to the tech team! Later, he revealed the superintendents themselves reviewed and were impressed by our report!”
This is how you do it, from both sides.
i pretty much had unfettered access to my school district’s network. i didn’t use it for anything more malicious than using it to make sure all the computers had the full library of pirated games on them.
I was the sysadmin of the Novell network during HS Jr and Sr year and I got academic credit for doing that role. This was because an HDD crashed about 6 weeks into my Jr year and their (freeish) technology volunteers didn’t really want to mess with Novell 2.15 (or have a highschool student looking over their shoulder). I got their system back up and running using the old HDD and restored backups, then when they purchased a new HDD I did a full install and setup of Novell 2.15 and restored everything onto the file server. I was out of classes for about a week and was considered the champion by all the staff and revered by students wanting me to change their grades! Fortunately, I’ve always been ethical and never abused my privilege. I got a recommendation letter from the Vice Principal that I was able to present when applying for my first full-time job. I also got a bunch of free computer swag out of that gig, I still have a couple Compaq Portable III computers I got then.
This news is already outdated. There’s a new CVE for Apache 2.4.50 because the fix wasn’t entirely correct, so anyone running either 2.4.49 or 2.4.50 should immediately upgrade to 2.4.51:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013