Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. It’s a feature, VirusEvent, that can be enabled in the ClamnAV config. And that configuration includes a string formatting function, where the string includes %v and %s, which gets replaced with a detected virus name and the file name from the email. And now you see the problem, I hope: The filename is attacker supplied input.

Where this really gets out of hand is what ClamAV does with this string. execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of system calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string, just as if the user had typed that command into the shell. While this is very convenient to use, there is a security problem if any of that command string is user-supplied. All it takes is a semicolon or ampersand to break assumptions and inject a command.

To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.

Yeah, exec() and related calls don’t offer any security protections when you use them to execute /bin/sh. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the filename format character, and instead supply it as an environment variable. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.

The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering, and uses this configuration by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised.

MonikerLink

Outlook tries to protect its users. You can click on an HTTP or HTTPS link in an email, and Outlook will launch a browser to handle it. There are other URI protocols. A bunch of them, it turns out. When you click a link using a different URI scheme, Outlook warns you. If that link is a remote SMB share, it’s blocked altogether. MonikerLink is the simple addition of an exclamation mark and some characters following, and it completely bypasses Outlook’s safeguard against these links.

The reason is that a link with an exclamation mark is seen as a “composite moniker”. In fact, the link is handled via the Component Object Model (COM), which has some interesting implications in Windows. The application that handles the link is actually run as a COM server, and in some cases runs in the background without any user-visible effect on the system. This works with Outlook’s Protected view, so is a relatively powerful primitive. It’s patched in the February round of Microsoft security updates.

There is an interesting tie-in with another bug fixed in the same Patch Tuesday fixes. Microsoft Exchange was vulnerable to an NTLM relay attack, and it was actively exploited before the patch. The flaw here is that a captured Net-NTLMv2 hash can be used in a pass-the-hash attack to authenticate with an Exchange server. And one way to obtain such a hash is to trick the target into making an SMB connection, just what MonikerLink enables.

Oh Snap!

Canonical has been pushing their Snap containerized apps in Ubuntu for several years now. A Snap is something of a cross between a Docker image and a flatpak. A Snap is an application that is bundled with its dependent libraries, to have much less dependencies on the end target’s system libraries. A snap can be a graphical application like Firefox or LibreOffice, but they can also be used for daemons and services, much like Docker. Snaps offer some impressive sandboxing support via AppArmor when used on Ubuntu systems. And while some applications suffer from a minor slowdown, particularly on first launching, the system seems to work well. But there’s a caveat to be aware of.

Ubuntu also has the useful command-not-found package that runs anytime an invalid command is run on the command line. This utility searches the system’s sources of packages for an executable that matches. What’s interesting is that command-not-found will also go looking for snaps that provide a matching application. And if a Snap runs in strict mode, and checks a couple other boxes, it doesn’t require a manual review. Combining that quirk with the ability of a snap to take any unclaimed application name, it’s pretty easy to get an arbitrary snap as the top suggestion for a command-not-found suggestion.

And while the sandboxing of snaps does help mitigate this significantly, it is interesting that we essentially have a typosquatting potential right on the desktop. There are some shenanigans a snap can pull off, especially when running on an X11 system. For instance, on X11, all desktop applications can see all the keyboard input. Stealth keylogger?

So, You Want to Smuggle Some JSON

We usually talk about HTTP request smuggling, but that’s not the only place data can get smuggled. [Grimminck] introduces JSON Smuggling, calling it “a far-fetched intrusion detection evasion technique”. The central concept here is that the JSON spec states that “Insignificant whitespace is allowed before or after any of the six structural characters.” That’s a space, tab, line feed, and carriage return. That’s an alphabet of four different characters to encode data, where no one would think to look. I don’t know that this exact technique is going to revolutionize the world of cybersecurity, but it’s the sort of out-of-the-box thinking that’s always interesting to take a look at.

Bits and Bytes

The explosion in popularity in Large Language Models (LLMs) has brought some clever not-quite-breaches, like convincing the LLM that it’s Dan, or a Linux command line. These pseudo jailbreaks are amusing and maybe useful, but it’s worth keeping in mind that LLMs are new web services, and it’s likely there are the same old security problems to be found. Like this one, where way too much data was getting cached. That cache lives behind a CDN, and there was a URL parsing confusion issue at play. Put simply, trick a ChatGPT user into visiting a malicious link, and their authentication token gets cached by the CDN, easily accessed by the attacker.

There have been serious vulnerabilities fixed in Jetbrains TeamCity, in the SonicSall SonicOS, and Fortiguard’s FortiOS and FortiProxy products. The FortiGuard issue is a remote unauthenticated code execution, while the other two are unauthenticated access and account takeover problems. All three are hair-on-fire issues, and need to get addressed right away. Not content with being the most severe, FortiGuard also reports that this is being exploited in the wild.

And finally, let’s talk about a different sort of bounty. The US Department of State has put a bounty of ten million dollars on the head of Hive ransomware leaders, and a mere five million dollars for information on anyone else involved in the group’s activities. Ransomware pays, but not that well.