This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking

You may not be familiar with the Microsoft Message Queuing (MSMQ) service, a store and forward sort of inter-process and inter-system communication service. MSMQ has become something of a legacy product, but is still available as an optional component in Windows. And in addition to other enterprise software solutions, Microsoft Exchange turns the service on by default. That’s why it’s a bit spooky that there’s a one packet Remote Code Execution (RCE) vulnerability that was just patched in the service.

CVE-2023-21554, also known as QueueJumper, is this unauthenticated RCE with a CVSS score of 9.8. It requires sending a packet to the service on TCP port 1801. The Check Point Research team scanned for listening MSMQ endpoints on the public Internet, and found approximately 360,000 of them. And no doubt far more are listening on internal networks. A one packet exploit is a prime example of a wormable problem, and now that the story has broken, and the patch is available, expect a rapid reverse engineering. Beware, the queue jumpers are coming.

JavaScript VM Escape

The VM2 library is a rather important JavaScript package that sandboxes code, letting a project run untrusted code securely. Or, that’s the idea. CVE-2023-29017 is an example of how hard sandboxing is to get right. It’s another CVSS 9.8 vulnerability, and this one allows a sandbox escape and code execution.

This one now has public Proof of Concept code, and this package has over 16 million monthly installs, so the attack surface is potentially pretty wide. The flaw is fixed in version 3.9.15.
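For anyone wondering whether a project is still pulling in an old copy, the check below is an added example (not code from the VM2 project or from the advisory). It walks a package-lock.json, finds every pinned vm2 copy including transitive ones, and flags anything older than 3.9.15. The lockfile and the `sandbox-runner` package name are constructed for the demonstration.

```python
# Added example: locate every vm2 copy pinned in a package-lock.json and flag
# versions older than 3.9.15, the fixed release named in the article.
import json
import re

FIXED = (3, 9, 15)

def is_below_fixed(version):
    """True if version sorts before 3.9.15; unparseable versions are flagged too."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(-.+)?$", str(version))
    if not m:
        return True  # unknown format: surface it for manual review
    core = tuple(int(x) for x in m.group(1, 2, 3))
    # A pre-release of the fixed version (e.g. 3.9.15-rc.1) sorts before it.
    return core < FIXED or (core == FIXED and m.group(4) is not None)

def find_vm2(lock):
    """Return (path, version, vulnerable) for each vm2 entry, direct or transitive."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "node_modules/vm2" or path.endswith("/node_modules/vm2"):
                hits.append((path, meta.get("version")))
    else:  # lockfileVersion 1: nested "dependencies" objects
        def walk(deps, prefix):
            for name, meta in (deps or {}).items():
                path = f"{prefix}node_modules/{name}"
                if name == "vm2":
                    hits.append((path, meta.get("version")))
                walk(meta.get("dependencies"), path + "/")
        walk(lock.get("dependencies"), "")
    return [(p, v, is_below_fixed(v)) for p, v in hits]

# Constructed sample lockfile; "sandbox-runner" is a made-up package name.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/vm2": {"version": "3.9.15"},
    "node_modules/sandbox-runner": {"version": "2.1.0"},
    "node_modules/sandbox-runner/node_modules/vm2": {"version": "3.9.14"}
  }
}
""")

if __name__ == "__main__":
    for path, version, vulnerable in find_vm2(SAMPLE_LOCK):
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {str(version):8} {path}")
```

The nested copy is the one that matters here: the top-level dependency is patched, but a transitive dependency still pins an older vm2.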

Oldsmar Errata

Remember the scary hack of the water treatment plant at Oldsmar? Someone attempted to raise the Sodium Hydroxide levels from a sane 100 ppm up to an unpleasant 11,000 ppm. We even had a bit of fun with the idea that it could have been a watering hole attack on a real watering hole. A few of our more skeptical readers pointed out that the new value felt a bit like a forgotten decimal point, or a fat fingered attempt at a legitimate change.

Well surprise, it’s beginning to look like the null hypothesis was right. “[T]hrough the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar.” The city manager made a statement that it may have even been the reporting employee, accidentally banging on the keyboard. So, that’s awkward. Though it suggests a new hobby, similar to trainspotting: Looking for debunked attacks in presentations. This particular non-incident seems to be one of the favorites for government officials to mention when asking for money or pushing for new regulations.

CAN Bus Zero Day

Modern cars are technological marvels. Components that used to be dead simple, like headlights, are now micro computers in their own right, all networked together over a data bus. The traditional data bus is the Controller Area Network (CAN) Bus, though Automotive Ethernet threatens to toss CAN on the heap of legacy technology. That time has not yet come, and most vehicles still have a CAN bus. Which brings us to the story of [Ian Tabor], a security researcher driving a RAV4.

That vehicle got vandalized one day, with some trim around the headlight being torn off in a seemingly random act of mayhem. A couple days later, when the car was stolen, it became clear that it wasn’t vandalism at all. The headlight just happens to be an easy place to access the CAN bus. When the car was stolen, it experienced a major system fault, and uploaded a log of what all was broken. Turns out, pretty much all of the connected devices dropped off that CAN bus. That’s an interesting part of what’s going on here.

This vehicle, and many others, use a smart key. It’s a bit of hardware that does a reasonably secure cryptographic handshake via wireless, with the wireless receiver. That receiver, upon validating the key, sends a message across the CAN bus that unlocks the vehicle. Wireless cryptography: good. CAN cryptography? Nonexistent. The hack is self-contained in a $10 hardware kit, that gets punched in to the car’s CAN bus where the headlight connects to it. It first does a DOS attack of sorts, knocking the real key receiver off the bus, and then sends a flurry of spoofed messages, telling the rest of the car that the smart key is present. And as a result, the push-to-start button works without complaint.
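What the missing piece looks like, as an added example (not taken from the research report or from any vendor's implementation): the "key is present" message carries a truncated MAC and a freshness counter, so a receiver rejects both an injected frame from a device that lacks the key and a replay of an earlier genuine frame. The CAN ID, command byte, frame layout and key are all constructed for illustration.

```python
# Added example: authenticating a "smart key valid" CAN message with a truncated
# MAC and a freshness counter. Generic illustration, not any vendor's scheme.
import hashlib
import hmac
import struct

KEY_VALID_ID = 0x123      # hypothetical CAN ID for the "key validated" message
CMD_KEY_PRESENT = 0x01    # hypothetical command byte

def _mac(key, can_id, cmd, counter):
    # The MAC covers the CAN ID too, so a tag cannot be reused on another message.
    msg = struct.pack(">HBI", can_id, cmd, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]  # truncated to fit the frame

def build_frame(key, can_id, cmd, counter):
    """8-byte classic CAN payload: cmd(1) | counter(3) | MAC(4)."""
    return bytes([cmd]) + counter.to_bytes(3, "big") + _mac(key, can_id, cmd, counter)

class Receiver:
    """ECU side: accepts a frame only if the MAC verifies and the counter is fresh."""
    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, can_id, payload):
        if len(payload) != 8:
            return False
        cmd = payload[0]
        counter = int.from_bytes(payload[1:4], "big")
        if not hmac.compare_digest(payload[4:], _mac(self.key, can_id, cmd, counter)):
            return False  # forged: the sender does not hold the shared key
        if counter <= self.last_counter:
            return False  # replay of an earlier genuine frame
        self.last_counter = counter
        return True

def demo():
    key = bytes(range(16))  # constructed key; real ECUs need secure provisioning
    ecu = Receiver(key)
    genuine = build_frame(key, KEY_VALID_ID, CMD_KEY_PRESENT, 1)
    spoofed = bytes([CMD_KEY_PRESENT]) + bytes(7)  # injected frame without a valid MAC
    return {
        "genuine": ecu.accept(KEY_VALID_ID, genuine),
        "spoofed": ecu.accept(KEY_VALID_ID, spoofed),
        "replayed": ecu.accept(KEY_VALID_ID, genuine),
    }

if __name__ == "__main__":
    print(demo())
```

A 4-byte tag is a compromise forced by the 8-byte classic CAN payload, and the scheme only holds if the key never leaves the ECUs and the counter survives power cycles.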

This is a zero-day attack that’s ongoing against a bunch of vehicle vendors. The researchers behind this discovery have attempted to report their findings, and have run up against a brick wall trying to do normal responsible disclosure. The research report ends with a request for an auto manufacturer or industry group to reach out and assist with the next steps of research and trying to fix this mess for the various vulnerable vehicles.

Bits and Bytes

How do you confirm that a printer isn’t unintentionally spying on you? Rooting the printer and doing an audit, of course. It’s a potential problem that printers save copies of documents to an onboard hard drive, and RedTeam Pentesting wanted to know whether their local printer was guilty of this indiscretion. The hack was to backdoor the printer via the… literal back panel, and find a serial port. Many embedded devices have a TTL-level serial port, and that port is often not well secured. In this case, the login was console, and one of the menu options was sh mode. Which of course dropped into a root shell on the device. Oh well. At least they confirmed their documents were properly being erased after printing!

There’s a weird trick with GitHub account names. When you change your account name, GitHub is nice enough to put up redirects, so the old URLs still work. But the old name is actually an unused account name, that anyone can use to sign up. And now those redirects go away, or if the new user recreates the repositories, they go to the new code. All is fine, until you realize that sometimes build systems are pointing at old usernames. That’s exactly what [Joren Vrancken] found in the Arch User Repository, as well as for a single package on the official Arch repositories. The attack to take advantage of this quirk is called repo jacking, and it’s worth thinking about if you’re a developer or maintainer of software.

Eve Online saw a heist this week, where the equivalent of $22,300 was drained from an in-game corporation. The approach was depressingly similar to a real-world corporate takeover. In this case, [Flam_Hill] managed to get a handful of voting shares, and then applied for membership in the corporation with a couple of accounts. Once accepted, those voting shares granted the right to call for a snap election for CEO. That voting process is open for 72 hours, and because this corp didn’t have a particularly active pool of voters, only the shell accounts cast votes, putting our attacker in complete control. Turns out, that attacker was none other than [Sienna d’Orien], original founder of the corporation, returned from a hiatus to take back his company. Game imitates life indeed.

And finally, Juice Jacking! It sounds like the newest bodybuilding technique of questionable legality, but in fact, it’s a rather old idea for cell phone hacking. Offer free cell phone charging, but secretly use the USB data connection to install malware. It’s such an ongoing problem that the FCC and FBI have recently issued warnings against using untrusted USB charging. Except, no one seems to have actually seen this attack in the wild. And digging a bit into those warnings, the primary source is a District Attorney’s warning, that was later retracted due to no actual cases on record. So let us know, have you ever actually seen a juice jacking attack?

9 thoughts on “This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking”

  1. Considering the care taken with the Wi-Fi and infotainment security on modern cars I’m not shocked that the CAN bus is so open a target. But being so impossible to get in touch with as well, really does show how much interest or comprehension they have on what it takes to do ‘smart’ products…

    “Juice Jacking!” does sound rather odd, but given the nature of it I’d not expect most folks to notice if they did get malware in any kind of hurry – While your device may be your lifeline any malware that doesn’t really go out of its way to be noticed is just going to drain your battery a tiny bit faster and no doubt does nothing much of the time. Then when you do have your passwords stolen, notice your phone is part of some botnet, or whatever else it may do can you realistically trace how it happened back to a dodgy charger weeks ago?

    Got to wonder how wide the net can be thrown in device support for each “Juice Jack” malware as well – So many different vendor bits that work the hardware under that Android wrapper and the security prompts and the like on Android do seem to be pretty reliable and secure on the whole – if your USB connection openly asked to install an app the user should be prompted and go ‘erm F**** off’. Though with the flaws found in Android and how useless most vendors are at shipping updated OS images…

    1. > being so impossible to get in touch with as well, really does show how much interest or comprehension they have on what it takes to do ‘smart’ products

      What’s worse is that at least one system did use encryption over the CAN bus. I know because I wrote the software for it. Obviously, they skipped the encryption in subsequent versions of the receiver.

  2. Using a small USB dongle that only passed through the power pair would air gap the data pair and prevent Juice Jacking. Would that work for mobile phones? Type C USB might need more electronics to handle power negotiation, of course.

        1. Not at the same time.
          And with QC and USB3 there really aren’t just “power lines” anymore, you still need access to the data lines to negotiate the power and voltage delivered.
