This Week In Security: Apple Backdoors Curl, Tor’s New Bridge, And GhostRace

OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is only to be done using the certificate file specified. That’s useful to solve certificate mysteries, or to make absolutely sure that you’re connecting to the server you expect.

What’s weird here is that on a MacOS, using the Apple provided curl binary, --cacert doesn’t limit the program to the single certificate file. On an Apple system, the verification falls back to the system’s certificate store. This is an intentional choice by Apple, but not one that’s aimed particularly at curl. The real magic is in Apple’s SSL library, which forces the use of the system keychain.

The current state of things is that this option is simply not going to do the right thing in the Apple provided binary. It’s documented with the note that “this option is supported for backward compatibility with other SSL engines, but it should not be set.” It’s an unfortunate situation, and we’re hopeful that a workaround can be found to restore the documented function of this option.

Jenkins, Bring Me a File

The Jenkins continuous delivery server has a critical issue, CVE-2024-23897. It’s an arbitrary file read that clocks in with a 9.8 CVSS score. The one quirk about the way this works is the vulnerable function does the file read as strings, and loses quite a bit of the raw binary in the process. And many of the interesting files, like the .Secret files, use binary encoding. And on a Linux or Mac system, the default character encoding is UTF-8, which renders half of that 32-byte key unreadable. Far too many missing bytes to be useful.

But hang on. There’s a caveat here. Because of US cryptography export restrictions, JDK ships with only 128-bit encryption keys, truncating the rest of the bits. That means we’ve only got 16 byte keys, and an attacker can recover half the bits via this vulnerability. We may have a problem.

And wait, there’s more! Because the bytes have had an attempt at interpretation as UTF-8, we know more about the missing bytes than one might think. Check out the breakdown by [Guillaume Quéré] for more details, but the short version is that with just a little luck, one of these keys can be brute-forced in minutes or hours on a single desktop. More missing bytes means more processing time, but this is not an attack outside the realm of possibility, particularly for a determined adversary.

Big. Really big

There are some thresholds where things change. Doing security for yourself looks much different from doing security for a small business. It’s different again when at the enterprise level. But what does security posture look like for a company that competes for the top-ten list of largest companies in the world? We get a bit of a peak behind the curtain, at how the Alphabet (Google) migration to BeyondCorp Managed Non-Privileged (MNP) network went.

The basic idea of BeyondCorp is that inside the network offers no benefits or privileges. Every user and device gets authenticated, and has limited capabilities. It sounds great, but runs into the issues you might expect at a technical shop like Google. That’s things like employees needing access to an IRC chat for emergency communications, lots of SSH use, and plenty other niche network needs that’s hard to put into a simple category, and handle through MNP networks. Lots to chew on here, learning about how the really big teams work.

Tor Has a New Toy

One of the fun cat-and-mouse games we get to watch is the constant battle between the folks behind Tor trying to stay a step ahead of various regimes and their attempts to block access. Well Tor has a new tool ready for use, the WebTunnel. The concept is pretty simple in concept — just make it look like all the other HTTPS traffic. Part of the magic here is that all the Tor WebTunnel bridges are also normal web sites, and the Tor traffic is handled by a reverse proxy. So when a sophisticated packet inspection system like the Great Firewall investigates the hidden Tor connection, the website at the remote end checks out.

The weak points here are the same as the rest of the hidden Tor entry node schemes: A user has to have unfettered Internet access to fetch a node address. The system has to stay under the radar enough to prevent an adversary from just grabbing the list of endpoints and blocking them. We’re hoping for the best for Tor and WebTunnels.

GhostRace

There’s a new speculative execution bug, GhostRace. Though more properly, this might be best thought of as a new class of gadgets that enable the Spectre attack. GhostRace is the realization that thread synchronization checkpoints like mutexes and spinlocks can work as conditional branches. The other interesting observation is that an Inter-Process Interrupt (IPI) storm can be used to freeze execution at the proper point in code, extending the window to abuse GhostRace indefinitely.

There’s a mitigation that could be applied to the kernel, but at a performance cost of 5% globally, it’s been opted against for now. In the words of Linux Torvalds, “There’s security, and then there’s just being ridiculous.” The IPI storm is being treated as a problem, and has been fixed, cutting down on the issue’s exposure for abuse.

Bits and Bytes

There’s a clever attack against Tesla customers, where a fake WiFi access point presents a Captive Portal, that prompts the user to sign in with a valid Tesla account. That’s a phishing portal, and the sign-in is then used to add a new “phone key”, which gives full access to the vehicle. The hack was originally pulled off using a Flipper Zero, which fed into the pandemonium about that particular device. This is your reminder that this is a simple WiFi trick, and any laptop running a bit of software could also pull it off. And more people have laptops.

We’re big fans of the Termux command line tool for Android. While yes, tapping on the tiny keyboard on your mobile screen is a terrible experience, bringing your entire toolkit of command line tools along in your pocket is awesome!. And here’s another tool that belongs on the mobile. APKDeepLense is specifically designed for scanning APKs to look for vulnerable apps. With Termux, we have the added bonus of doing the scan locally. Neat!

With just a bit of know-how and curiosity, you don’t have to look far to find exploitable bugs. [Stefán] was looking at a travel website, and was annoyed by a disabled checkbox that was pre-selected, and labeled as a mandatory fee. That’s nothing to a skilled hacker with access to elite tools like… Google Chrome’s built-in devtools. Remove the flag on the checkbox, deselect it, and the price dropped accordingly. But that’s just user facing, surely the transaction wouldn’t complete for the lower price, right? It completed for the lower price. There’s no trains, but the story covers ferries and automobiles for more fun.

And finally, have you ever wanted an in-depth look at a Ruby exploit chain? Include Security brings us the goods, with a walk-through of how to go from a deserialization bug all the way to arbitrary code execution. The takeaway? Don’t do unsafe deserialization on user-provided payloads!

8 thoughts on “This Week In Security: Apple Backdoors Curl, Tor’s New Bridge, And GhostRace

    1. tfw the most simplistic roblox game has better data integrity than the entire national transit system of iceland

      (well over a decade ago, they improved the client/server divide with FilteringEnabled and RemoteEvents, so the server no longer blindly trusts the client to do everything – aside from physics, since Roblox has a distributed physics model – and anything the client tries to directly modify will only be visible to that player and not replicate to the server whatsoever)

  1. Apple’s not the only outfit that tries to “improve” security by forcing every application to have the same crypto trust policy. Basically they’re blindly taking a practice that *sometimes* makes sense for corporate IT systems, and trying to apply it to everything in the world. They’re probably strongly encouraged in this by whining from corporate IT customers. Many of whom actually *do* use system certs to back-door things, actually.

  2. Re curl on MacOS, I’ve long assumed that most of the CLI-based tools and their dependencies were going to at least be old, but I hadn’t considered that something like ‘curl’ would be tied to an utterly MacOS dependent behavior. Hopefully (!) my habitual use of Homebrew for CLI stuff will have generally reduced my exposure to old and/or flawed implementations.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.