The CIA Hacktivists have launched a sort of ransomware campaign against the Belarusian rail system, but instead of cryptocurrency, they want the release of political prisoners and removal of Russian soldiers. This could be called an example of cyber-terrorism, though there is a reasonable theory that this is a state-sponsored hack, masquerading as hacktivism. What does seem certain is that something has interrupted rail transit, and a group on Twitter has produced convincing proof of a breach.
Your Antivirus Now Includes a CryptoMiner
Don’t look now, but your latest update of Norton 360 or Avira may have installed a cryptocurrency mining module. The silver lining is that some sanity has been retained, and you have to opt-in to the crypto scheme before your machine starts spending its spare cycles on mining. For users who do, they’re put into a mining pool, making for small payouts for most hardware. Norton, naturally, takes a 15% fee off the top for their trouble.
The State of Linux Malware
There used to be an adage that Linux machines don’t get malware. That’s never really been quite true, but the continued conquest of the server landscape has had the side effect of making Linux malware an even greater danger. Crowdstrike has seen a 35% increase in Linux malware in 2021, with three distinct categories leading the charge: XorDDoS, Mozi, and Mirai.
And speaking of Linux, a pretty severe Linux vulnerability was just announced, and a working exploit has already been released. The problem is a simple one in the
Polkit binary, which for this purpose, can be thought of as a
sudo alternative. The important part is that it’s a setuid binary, one that elevates its own privileges to root when executed by an unprivileged user. “Now wait,” I hear you say, “That sounds like a terrible security problem!” It can be, when it goes wrong. But the simple truth is that there are times when a user needs to perform an action that would otherwise require root privileges. A simple example,
ping, needs to open a raw network socket in order to function. These binaries are carefully designed to only allow limited actions, but sometimes a bug allows escaping this “sandbox”.
So what’s the story with
argv. OK, Linux programming 101 time. When a program is launched on Linux, it’s passed two parameters, normally named
argv. These are an integer, and an array of char pointers respectively. If you’re not a programmer, then think of this as the number of arguments, and the list of arguments. This information is used to parse and handle command line options inside the program.
argc is always at least one, and
argv will always contain the name of the binary as executed. Except, that isn’t always the case. There’s another way to launch binaries, using the
execve() function. That function allows the programmer to specify the list of arguments directly, including argument 0.
So what happens if that list is just NULL? If a program was written to account for this possibility, like
sudo, then all is well.
pkexec, however, doesn’t include a check for an empty
argv or an
argc of 0. It acts as if there is an argument to read, and the way the program initialization happens in memory, it actually accesses the first environment variable instead, and treats it like an argument. It checks the system PATH for a matching binary, and rewrites what it thinks is it’s argument list, but is actually the environment variable. This means that uncontrolled text can be injected as an environment variable in
pkexec, the setuid program.
That’s interesting, but not immediately useful, because
pkexec clears it’s environment variables soon after the injection happens. So what sneaky trick could we use to actually exploit this? Throwing an error message.
pkexec will use the
gconv shared library to print an error message, and it starts by looking for the
gconv-modules configuration file. This file defines which specific library files to open. The environment variable
GCONV_PATH can be used to specify an alternate config file, but this environment variable is blocked when running a setuid binary. Ah, but we have a way to inject an environment variable after this happens. That’s the exploit. Prepare a
payload.so that contains our arbitrary code, a fake
gconv-modules file that points to the payload, and then use the NULL argv trick to inject the
GCONV_PATH environment variable. Whoami? Root.
There’s a couple fascinating twists to this story. First, [Ryan Mallon] came painfully close to discovering this vulnerability in 2013. And secondly, way back in 2007, [Michael Kerrisk] reported the NULL
argv quirk as a Linux kernel bug.
Attacking Random Passwords
The most secure password is one that’s randomly generated, right? Yes, but what if that random generator isn’t quite as random as it seems? Now we’re not talking about intentional backdoors this time, but the seemingly insignificant patterns that sometimes make a big difference. The enigma machine, after all, was cracked in part because it would never encode a letter as itself. [Hans Lakhan] from TrustedSec took a look at a million passwords generated by LastPass, and tried to generalize something useful from the data. Most of these passwords have either 1 or 2 digits. Note this isn’t a weakness in the algorithm, but simply the expected result of the available characters. Would there be an advantage to brute-forcing passwords with the rule that each guess must contain either one or two digits? It would certainly decrease the attack space, but it would also miss passwords that don’t fit the pattern. Would the trade-off be worth it?
The answer isn’t clear-cut. In certain circumstances, there is a slight advantage to gain from using the suggested rules. But that advantage disappears as the brute-force process continues. Either way, it’s a fascinating attempt at applying statistics to password cracking.
WordPress and Backdoor-ed Themes
One of the larger producer of WordPress themes and plugins, AccessPress, suffered a breach of their website that took an ugly turn. The problem was discovered by researchers at Jetpack, who were doing a post-mortem of different compromised site, and found malware embedded in an AccessPress theme. The initial breach happened in September 2021, so be suspicious of any content from AccessPress if downloaded between September and mid-October 2021. Note that if installed from the WordPress.org directory, these themes were safe. A list of known infected plugins and themes are available at the link above, as well as other indicators of compromise.
Bits and Bytes
There’s yet another secret token that’s being accidentally disclosed in source code, the Twitter access token. Github already does automated scanning for credentials accidentally included in repositories, but this doesn’t include Twitter tokens. [IncognitaTech] wrote a quick scanner, and found approximately 9,500 valid tokens.(Insert over 9000 meme here.) How to inform so many people of the problem? Create a bot, make a tweet, and then use the tokens to retweet. That’s sure to capture some attention.
If you don't remember retweeting this, it means that you have leaked your Twitter Access Token in a public GitHub repository. Not the best practice, right?
For details, read our latest article: https://t.co/6WBC6DRNDS #InfoSec #CyberSecurity #GitHub
— PinataHub_Bot (@PinataHub_Bot) January 24, 2022
Sonicwall SMA 100 series hardware has a series of vulnerabilities that have now been patched and disclosed. The worst is an unauthenticated buffer overflow, rating a CVSS of 9.8. These devices are relatively popular for small businesses, so keep your eyes open for potentially vulnerable hardware, and get them patched if you can.
Crypto.com suffered a breach on January 17th. They initially downplayed the incident, but have since released a statement with further details. The attack was a two-factor-authentication bypass, allowing an attacker to initiate transactions without successfully completing the normally required 2FA process. They make the claim that they caught the problem early enough to prevent any actual loss of currency, which is actually rather impressive.
Google Chrome has released an update, and this one includes fixes for some expensive bugs. Six separate reports earned researchers more than $10,000 a piece, with the top two a sweet $20K. These six, as well as a seventh bug reported internally, all appear to have the potential to be quite serious, so go update!
And finally, in the things-that-won’t-end-well category, the UK is flirting with the idea of regulating security researchers, making security research a registered trade. The most worrying part of this scheme is the idea that any unregistered researcher might be subject to criminal charges in certain circumstances. This seems like a terrible idea for obvious reasons.