This Week In Security: 11,000 Gas Stations, TrustZone Hacks Kernel, And Unexpected Fuzzing Finds

Automated Tank Gauges (ATGs) are nifty bits of tech, sitting unseen in just about every gas station. They keep track of fuel levels, temperature, and other bits of information, and sometimes get tied into the automated systems at the station. The problem, is that a bunch of these devices are listening to port 10001 on the Internet, and some of them appear to be misconfigured. How many? Let’s start with the easier question, how many IPs have port 10001 open? Masscan is one of the best tools for this, and [RoseSecurity] found over 85,000 listening devices. An open port is just the start. How many of those respond to connections with the string In-Tank Inventory Reports? Shodan reports 11,113 IPs as of August of this year. [RoseSecurity] wrote a simple Python script that checked each of those listening IPs came up with a matching number of devices. The scary bit is that this check was done by sending a Get In-Tank Inventory Report command, and checking for a good response. It seems like that’s 11K systems, connected to the internet, with no authentication. What could possibly go wrong?

Tricky JavaScript Tricks

[Gareth Heyes] has put together an impressive guide to JavaScript weirdness. And weird might be an understatement, so hold on tight. The first part of this write-up is from 2016, and shows off a technique to run JS code without any parenthesis or alpha-numeric characters. +!+[] is a clever way to write a 1. How? The magic in this code is that the + operator has a unary use. We normally use it in a statement like 1+2, where the operator takes two inputs and sums them. The unary version just returns the numeric representation of the object. +2 equals 2, and +"2" equals 2. Pull up your browser’s JS console and try it out. So the example above, the square brackets define an empty array, and the plus sign converts to a number, 0. ! is the not operator, which silently converts the value to a boolean (false), and inverts it (true). Then we numericalize the boolean value to a 1. That’s a lot of work to get a 0 and a 1, but with those, addition gets us any other number.

The next trick is that [][[]] returns undefined. That’s essentially an empty array as the index of an array, hence undefined. Now what’s interesting is that [][[]]+[] uses the addition operator, and returns the string, “undefined”. There’s an extra trick needed to make that usable, where we put this string in an array, and then refer to the first index of that array: [[][[]]+[]][+[]]. All this gives us the ability to treat this string like an array, and get individual letters using an index. And as we have “undefined” to work with, we can put “find” together. And since “find” is a function, executing this without parenthesis returns “function find() { [native code] }”. Use the same trick, and you have more characters to work with. To actually execute this cobbled-together string, we can use a template literal to get actual execution, Function`alert(1)```. Now before we cover the newer post, what’s the point of this convoluted JS? Cross-Site Script execution (XSS). If you can sneak enough JS code into the right place on a website, when another user views the result, you may be able to run your code in their browser. Sites are carefully constructed to prevent this, but tricks like these can be used to work around those protections.

And, so, that brings us to the most recent post, The seventh way to call a JavaScript function without parentheses. And here it’s template functions with template literals as arguments. Take a look at x`x${y}x`. The ${} construction, in a template literal, will run the expression inside the curly brackets and substitute the results into the string. This bit of code is doing something else, using a tag function. And what’s interesting is when a tag function is called in this way, it gets the string as its first argument, but the raw results of the expressions as its remaining arguments. This, too, can be used to run code. In the end, it looks like []`${alert}1337`. It’s something of a novelty for now, but I wouldn’t be particularly surprised to see obfuscated JS using these techniques in the future.

Android Hacking Via The TrustZone

[Tamir Zahavi-Brunner] has stumbled upon a clever Android exploit, using the Qualcom Trusted Execution Environment (QTEE) to compromise the running kernel. You may also see this called QSEE, an older name for the tech. It’s standard trusted execution — a separate kernel runs on the hardware parallel to the Linux kernel, and these two kernels communicate using the qseecom Linux kernel module. That module sends a serialized combination of data and pointers, that gets picked up by the trusted execution side, and acted upon by a trustlet. The idea being that the trustlet writes the results back to the given pointer, and the Android process can read it back. The problem is that those shared buffers are allowed to overlap, and the trustlet ends up writing arbitrary data over the header of another buffer. This sort of memory corruption is always bad, and very often exploitable. Here it can be used to redirect another trustlet’s output to an arbitrary location in memory, like overwriting kernel functions.

The saving grace here is that sandboxed apps aren’t given permission to talk directly to the qseecom module, so a second exploit would be needed. On the other hand, once that permission is gained, this leads to a repeatable kernel exploit. The bug was reported in October of 2020, and not patched by Qualcomm till September 2021, which is worrying in itself.

Bits and Bytes

Let’s Encrypt is about to push the big red button labeled “Certificate Revocation Lists“. This new feature is part of the effort to fix the badly broken certificate revocation process. They’ve really worked to make this future proof, even asking the question of how a worst-case event would turn out. If they had to revoke every current certificate, the resulting list would weigh in at 8 GB, so the master list has been split into 128 shards.

Microsoft Teams can be leveraged as a communications channel to run a remote shell, all through the use of GIFs, hence GIFShell. This isn’t an exploit to gain control over a machine, but a series of seven weaknesses that make the stealthy channel possible. Microsoft has deemed this “great research”, but doesn’t consider it a vulnerability.

Google’s OSS-Fuzz does automated fuzzing on about 700 projects that have been dubbed critical. A bug in TinyGLTF was recently found, CVE-2022-3008, a command injection vulnerability. That’s worth noting — a fuzzing project found a logic flaw, and it wasn’t related to memory corruption. Google is working to expand the sorts of problems their fuzzing project can find, and are even paying a very nice $11,337 for contributions that lead to bug finds.

FishPig has had a rough couple months, with an unknown attacker having breached their distribution server back in August. They provide a paid integration module for running Magento 2 on WordPress sites, and it’s estimated that upwards of 200,000 sites use these modules. Those modules were distributed after the breach, and included a stealthy backdoor. So far there hasn’t been any observed malicious actions taken by whoever controls that backdoor, but it’s still recommended for FishPig users to scan for problems.

6 thoughts on “This Week In Security: 11,000 Gas Stations, TrustZone Hacks Kernel, And Unexpected Fuzzing Finds

  1. Is the ATGs thing an issue? If they just report data, it’s not a serious one, though it might allow a competitor to monitor their sales. If the “gauge” can control pumps or something then that’s an issue, but that’s beyond what I’d call a gauge.

    1. That probably could have used another sentence to define the possible problem. There are some test functions defined in the device, that can simulate problems. If the pumps are monitoring the gauge, they may do an emergency shutdown when running certain commands.

      1. ^ this, making 11,000 gas stations suddenly believe they’ve run dry simultaneously is definitely enough to start a mass panic, as we saw here in the UK when a few BP stations ran low because of a shortage of truck drivers – cue a week of utter idiocy for absolutely no reason.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.