This Week In Security: Adblock For Security, ProxyNotShell Lives, And CVSS 10 To Not Worry About

The ubiquity of ransomware continues, this time with The Guardian announcing they were partially shut down from an attack. Staff are working from home as the incident is being investigated and data is recovered. Publishing seems to be continuing, and the print paper ran as expected.

There have been a couple reports published recently on how ransomware and other malware is distributed, the first being a public service announcement from the FBI, detailing what might be a blindly obvious attack vector — search engine advertising. A bad actor picks a company or common search term, pays for placement on a search engine, and then builds a fake web site that looks legitimate. For bonus points, this uses a typosquatted domain, like adobe[dot]cm or a punycode domain that looks even closer to the real thing.

The FBI has a trio of recommendations, one of which I whole-heartedly agree with. Their first suggestion is to inspect links before clicking them, which is great, except for the punycode attack. In fact, there are enough lookalike glyphs to make this essentially useless. Second is to type in URLs directly rather than using a search engine to find a company’s site. This is great so long as you know the URL and don’t make a typo. But honestly, haven’t we all accidentally ended up at website[dot]co by doing this? Their last recommendation is the good one, and that is to run a high-quality ad-blocker for security. Just remember to selectively disable blocking for websites you want to support. (Like Hackaday!)

Exchange Still Targeted

And the other report, a PDF from Prodraft, details the activities of FIN7, who have added ransomware to their criminal portfolio. These attacks are launched through multiple means, including malicious USB drives and using known Exchange vulnerabilities, such as CVE-2020-0688 and the ProxyShell family of problems.

And speaking of which, ProxyShell/ProxyNotShell isn’t dead, as there’s been another bypass found in-the-wild. This isn’t an effective bypass against the November 8th patch, but does bypass the rewrite rules that were touted as an effective mitigation. The reason is that this attack doesn’t use the autodiscover endpoint, but applies the same technique to the OWA (Outlook Web App) endpoint instead.

Password Manager Fail

LastPass isn’t the only password manager in the news, and the problems found in Passwordstate makes the recent LastPass issues seem like the most minor of inconveniences. Passwordstate is an enterprise solution for password management. Researchers at modzero started with the browser extension, that allows a user to access saved passwords. To authenticate, a token is generated and sent to the server. Turns out, that token is just the username and other user information, XOR’d with a static, universal key. And on the server side, the only check that happens is on the username. So on any Passwordstate install anywhere, if you can talk to the API, and know a valid username, you can pull every password accessible to that account.

That same API has another problem, any user can write to any other user’s stored passwords, including the login URL for a given password. And since the whole interface is web-based, Cross-Site Scripting attacks are the way to go. There is, of course, insufficient sanitisation. An administrator can use the API to run Powershell scripts. So spray the malicious link into other user’s URLs, and wait for an admin to use the interface to login somewhere. The powershell script runs, starting a reverse shell. And because the stored passwords aren’t usefully encrypted (AES encrypted, but the key is stored, obfuscated, on the same machine as the database), this allows an attacker to abscond with the entire database of passwords. The vulnerabilities have been fixed in release 9.6 Build 9653, though seeing the severity of issues and other problems, one has to wonder how effectively these problems were dealt with.

Linux Does the Samba (Badly)

There’s a perfect 10 vulnerability in the Linux kernel. CVE-2022-47939 is a problem in the ksmbd driver, that was added last year for the purpose of faster SMB performance. SMB here meaning the Server Message Block, the primary file-sharing protocol for Windows machines. The problem is a dangling pointer, allowing for a use-after-free. The solution is a one-line patch that sets the pointer to null upon close.

Now as scary as a CVE scoring a severity score of 10 seems, I’m pretty sure you have nothing to worry about, even if you are a Linux user or manage a Linux server. Why? Because while ksmbd is officially in the kernel, hardly any distros are compiling it into their official kernels, the Samba project isn’t using any of the vulnerable code, and it’s already a horrible idea to expose any SMB service to untrusted connections. Or put another way, if you’re making use of the ksmbd driver, you did it on purpose.

The Kernel config option is CONFIG_SMB_SERVER, and you can check your current config in either /proc/config.gz or /boot/config-$(uname -r). Alternatively, use lsmod to search for the ksmbd module. The real place where this could be a real issue is in a NAS appliance that runs Linux under the hood, though my guess is that the kernel module is new enough that none of the popular appliances on the market are making use of it. Be sure to let us know if you’re aware of a major distro that compiles the module in by default, or a NAS that uses it.

Google Home Takeover

Google’s smart home devices are based on the same firmware as the Chromecast, and use a similar under-the-hood approach to authentication. [Matt] noticed this, and started wondering, could that be a security problem? See, playing a video on a TV isn’t terribly dangerous, but a smart speaker has access to a few more important abilities. Chromecasts serve a key on a local API, and sending a request with that key off to Google links the device to your account. The intent is that anyone on the local network should be able to cast to the TV. It seems like it was unintentional that the process worked on other smart devices.

But wait, there’s more. These devices have a setup mode, where they broadcast an open WiFi network. All it takes to trigger this mode is to knock the device offline — and that’s as easy as sending spoofed deauth wireless packets. Connect to that network, make the API request, and you have the secret key. Let it reconnect to the real network, and you can authenticate as a new verified user. Smart home actions let you do some interesting things with other devices, but just the ability to make a quiet phone call from the device is creepy enough. Google agreed, and removed both the unintended auth flow and ability to call a phone number via a routine.

Bits and Bytes

The TYPO3 content management system fixed and announced an RCE earlier this month. This one was only accessible by authenticated users with access to the Form Designer module, but allowed injection of TypoScript that could be executed as PHP code.

Do not trust save games from the internet. This is good general advice, but specifically applies to games built on Ren’Py, a visual novel engine built on Python. For loading save games, the pickles library is used — it’s already notorious for being unsafe when unpickling untrusted data. It’s just not obvious that save games can deserialize themselves right over Python functions and take over program execution.

The Netgear RAX30, and possibly other models, run the pucfu application on on boot, checking for firmware updates from a Netgear domain. Researchers at NCC Group have discovered that if they control the JSON response to that request, the binary can be manipulated into command injection, leading to a reverse shell.

14 thoughts on “This Week In Security: Adblock For Security, ProxyNotShell Lives, And CVSS 10 To Not Worry About

    1. I just set up a Ring camera last weekend for a family member and had to press a button on the side of the device (after removing the cover) to get it to enter “setup mode” and broadcast a WiFi network. Hopefully that means that a fully remote attack is not possible using this vector, but it would still be possible if you were in front of the device. That might mean that you’re already on video though…

  1. As for not blocking sites you want to support, ads, in my opinion are dead. It’s the reason I no longer watch plain old TV, I stream with paid services, I have 4 streaming subscriptions for example. If they start with ads even if I pay them, I unsubscribe immediately.

    I’ll support sites that I like if they offer a subscription or donate if they have an easy way to do it.

    Enabling ads still allows malicious ads to be executed on my machine and it destroys the web experience, moving ads, pop up etc on sites that have text as content. I can’t read text with something moving in my peripheral vision. Even if I can force myself to read, I don’t enjoy it.

    I yearly donate to open source projects like wikipedia, thunderbird and firefox. I don’t need your praise, it’s just to illustrate that I’m willing to pay for things that I support and like. And I utterly dislike ads.

    1. The problem is that, without direct ads & the unwillingness of the majority of users to pay for content, sites will move to sponsored content. I’d far rather have a clear separation between ads & independently produced content, than media produced in “partnership” that blurs the line between reality and marketing.

      Ad providers need to clean up their act to provide safe, non-intrusive, ads like AdSense, and consumers need to accept the idea that content doesn’t come for free.

      1. > safe, non-intrusive, ads like AdSense

        …Are you kidding? Google’s ad network is the BIGGEST source of malicious ads, especially the zero-click install variety… and not just because they’re the biggest ad network period. Ads shouldn’t be able to run _arbitrary code_ in the first place (or worse, Flash-based ads back when that was a thing). I get that Google’s way beyond the scale where they can screen every ad uploaded to their service… so just remove the capability to run ANY code in an ad whatsoever. The idea of “getting ransomware just from visiting a mundane website that just happened to pull the wrong ad from the ad provider pool” shouldn’t be _possible_ in the first place.

        The only ad network I’d even remotely consider allowlisting is Project Wonderful, specifically because they DON’T allow ads to run javascript. Ads have to be text, static images, or gifs, just like back in the day, and they are securely contained within the designated area the website owner allocated for them, no fullscreen overlay takeovers. That won’t stop “fake download button” type ads, but it’ll at least stop zero-click malvertising, the kind that makes me think of adblocking as a _security_ type of plugin.

    2. I’d love to allow “ads” on most sites but that’s not possible because I’m blocking tracking…
      -> “Traditional” context based ads are ok. Humanity tracking, quantifying(?) and profiling scripts, services and so on are not.

      1. I agree with imqqmi, doug and limroh.
        I use an adblocker that is supposed to allow “innocent” ads and block those with scripts. I have no problem with the same kind of advertising I would find in print media – a simple graphic. Add an obvious clickable link so I can go to the advertiser’s site if I am interested in the advertised product. What I don’t want is other software being loaded to my computer.
        There also needs to be some sort of guarantee that paying the subscription will actually keep the stuff away. I paid a (time limited) subscription fee once on a newspaper, and my adblocker indicated it was still blocking over 20 scripts on their pages. My request for a cancellation and refund was ignored.

    3. >I yearly donate to open source projects like wikipedia, thunderbird and firefox.

      For which I personally think you do deserve thanks…
      The biggest problem with donation driven models is how easy it is to use the service a great deal and never pay towards it, not through malice, but simply because you forgot to and missed that window of time when they remind you that the service is donation funded – Wiki covers the Page with the ‘please donate a little’ reminder every now and then for instance.

      And as so much of the web has been paid for by Advertising its easier still to not even think about it – the assumption the ads paid for it, as that is how it always worked. Which is still easy to assume even if you do run an adblocker – as you still probably see a few ads from the ‘safe list’ and/or sponsor spot in an article that look like the regular ads if you don’t pay too much attention (and maybe are actually paying enough?). If you go putting in the effort to make sure a page or two you use and trust isn’t blocked its easy to then forget exactly which ones you have already done, or not bring those settings to your new computer but think its fine – as its often rather harder to notice somethings absence than its presence.

      I know I end up using many donation driven things I’ve forgotten all about for ages, and often don’t even know the funding model this project uses – you get a software package from the ‘app-store’ of your Linux distro, or just installed as part of the default install process and its really easy to never look at the funding model for instance. Perhaps making the assumption that these FOSS elements are paid for by the developing companies charging business to provide direct support.

  2. Why the hell should I be forced to put up with advertising content on a streaming service or website whom use my bandwidth that I pay for.The companies that flood websites with crap pop-ups and advertising.Don’t
    pay for the maintenance and servicing of the infrastructure that I use and pay for. They say we are free loading using adblockers etc.It goes both ways. They are free loading from users already restricted bandwidth accounts such as my 12/1 satellite connection. Because fixed wireless is not available and the copper cable has been ripped up. So Im forced to use a skymuster sat connection. Perhaps if netflix and the like should become an ISP and provide the private infrastructure themselves.The satellites or fixed wifi whatever then maybe ill put up with the ads and shut-up. Bit like the recorded ads that a businesses in my country that you have sometimes whilst on hold or before you enter the telephones menu selection. I know that they are using the same government unreliable NBNco system that I was forced on and are paying for.

  3. Why isn’t there a simple option to disable Punycode? So many of us never use it.
    And for those who do use it, an option to select which scripts to enable it for. If I read e.g. Greek, I’m probably able to recognise an iota from an I. But if I read Chinese, I don’t want Greek.

    Or even just a marker in the URL bar that the domain uses punycode.

  4. The problem is shameless corporate greed and the fact that nobody has figured out how to make money from the internet (which was never intended anyways) other than through means of ads and stealing of users data. The internet has become one big ad jerk!

    As far as “sponsored content” goes, if it was new original and unique content developed by the site, then I might be willing to pay for it. But simply scouring the internet for projects that people have posted on their own janky websites and re-presenting it with some glitz and jazz added to make it more appealing is not in my opinion worth paying for! And do these sites kickback any money to the original creator of such content from which they use to make money?

    And for that matter does Google and Amazon reimburse people for the bandwidth they’re helping themselves to on our devices while they’re busy stealing our data and content? Advertisers, ad consortiums, marketing alliances, and data analytics companies all should be banned out of existence! PERIOD!!

  5. Also why not use stronger language for the unethical practices various companies are engaging in?

    Internet trackers = stalking
    Data collection/gathering = theft
    Popup Ads = harassment
    Republishing content without credit given = plageurism

  6. Dear Hackaday – I’ll happily unblock ads when that doesn’t entail allowing 15+ assorted 3rd party domains through, half of which are spread all over every other website and half of which appear to be randomly generated with no way to really trust what they’re doing.

    If there was a single sensible source serving somewhat trustworthy ads that I could allow through for HaD and only HaD, that would be fine.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.