Running Chrome or a Chromium-based browser? Check for version 98.0.4758.102, and update if you’re not running that release or better. Quick tip, use
chrome://restart to trigger an immediate restart of Chrome, just like the one that comes after an update. This is super useful especially after installing an update on Linux, using
dnf, or the like.
CVE-2022-0609 is the big vulnerability just patched, and Google has acknowledged that it’s being exploited in the wild. It’s a use-after-free bug, meaning that the application marks a section of memory as returned to the OS, but then accesses that now-invalid memory address. The time gap between freeing and erroneously re-using the memory allows malicious code to claim that memory as its own, and write something unexpected.
Google has learned their lesson about making too many details public too early, and this CVE and associated bug aren’t easily found in in the Chromium project’s source, and there doesn’t seem to be an exploit published in the Chromium code testing suite.
Cassandra is a popular distributed database built on the NoSQL paradigm. It’s vulnerable to CVE-2021-44521, a potentially nasty RCE ranking an 8.4 CVSS. The saving grace here is it’s a non-default configuration that’s vulnerable, requiring three specific configuration flags to be changed from defaults to be vulnerable. On the other hand, those flags all relate to Cassandra’s User Defined Functions (UDFs), something of a killer feature for the project. Those three flags are:
enable_scripted_user_defined_functions set to true, and
enable_user_defined_functions_threads set to false.
Let’s break that down a bit, and understand what’s going on here. First,
enable_user_defined_functions_threads, is set to true by default, and forces those UDFs to run on separate threads. Most importantly, these threads run with a security manager set with no special permissions.
Setting that boolean to false means that each function runs in the main program thread. What isn’t apparent is that this means that the security manager settings are inherited from the main program, too. One of those settings simply allows the security manager to be disabled. From there, the simplest escape is to call
this.engine, which has functions to execute non-sandboxed code, including a Java
A very clever attack went awry at Pwn2Own, and we’re lucky enough to get a write-up about it. It’s the Western Digital My Cloud Pro, and the vulnerability is a command injection resulting from an HTTP response being included in a shell command. The device does an HTTP call every five minutes, checking for internet connectivity. The response is eventually logged used the
analyticlog binary, and of course simply includes part of the response in the system call. If you’re not familiar with this class of vulnerability, on Unix systems, the backtick
` character can be used to include an command as part of an argument. It’s extremely useful to include the output of
date in a filename, for instance, but a security nightmare in instances like this.
The twist to this story is that the attack failed at Pwn2Own. It was a simple exploit, just a Man-in-the-Middle attack against the HTTP Domain, sending a malicious command back in the response. The problem was that the attack did this by returning an attacker-controlled IP address, and they forgot to change this address for the Pwn2Own network layout. The timing just didn’t quite work out to allow for fixing the IP address and catching a connectivity check in the allotted time.
Proper PoC for Cisco
Last week we talked about the vulnerability in several of Cisco’s small business VPN gateways, and now a PoC has been published. It’s a simple pair of buffer overflows on incoming HTTP packets. The first happens when combining the HTTP headers and body into a 16k buffer. Because both the headers and body can be up to a max of 16k, and no further size checks are done, this can neatly overflow the packet buffer, but doesn’t cause a crash or exploit, as a second 16k buffer comes directly after it in memory. What does happen, is this is later copied into yet another 16k buffer, but this one doesn’t have accidental overflow protection. It’s a naive
memcpy() of null-terminated data, so the whole double-buffer worth of data is copied, smashing the stack and leading to exploitable corruption.
Bits and Bytes
Sanity wins in the Missouri “hacking” incident. We brought you the story of the researcher/journalist that found Social Security numbers embedded in a state website. After responsibly disclosing the find, the governor went off-script, and threatened the researcher with legal action. This week the state prosecutor assigned to the case released a statement, a portion of which is embedded here.
Upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means. As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case.
(Ed Note: That’s almost an apology, right?)
Google has turned up the incentives for certain exploitable 0-day bugs turned in to their Vulnerability Reward Program, particularly those involving the Linux Kernel, Kubernetes, and a couple other projects. The maximum payout for an exploit is now a whopping $91,337, and the rules for what is eligible for reward have been relaxed. If this is at all in your wheelhouse, now is the time to go bug hunting.
And finally, [Krzysztof Zając] has published a slew of WordPress plugin problems, found through his custom fuzzing framework. It doesn’t look like the code has been published, but it’s a detailed write-up of how he found well over 100 CVEs this way. It’s great inspiration for finding new ways to look for bugs.