This Week In Security: Loop DOS, Flipper Responds, And More!

Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could craft a packet that continues that cycle endlessly? That is essentially the idea behind Loop DoS (Denial of Service).

This unique avalanche of packets has been managed using specific implementations of several different network services, like TFTP, DNS, and NTP. There are several CVEs being used to track the issue, but CVE-2024-2169 is particularly odd, with the description that “Implementations of UDP application protocol are vulnerable to network loops.” This seems to be a blanket CVE for UDP, which is particularly inappropriate given that the first DoS of this sort was first reported in 2009 at the latest.

More details are available in a Google Doc. There some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember here is you have to have an accessible UDP port for this sort of attack to take place, so if you’re not using it, firewall it.

Flipper Flips Back

We’ve covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and found the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is “stop the madness”. There has never been a confirmed case of using a flipper to steal a car, and it’s very unlikely it’s ever happened. On a modern car with proper rolling-code security, it’s not meaningfully possible to use the Flipper Zero for the theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hackers.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament.

Data-only EoP

In a post on the state of modern exploitation, [Connor McGarr] explores the world of post-shellcode Elevation of Privilege (EoP) exploits. Why are we talking about exploitation without shellcode? Namely because the latest and greatest of Windows kernel hardening: kCET, kCFG, and HVCI. That’s kernel Control-flow Enforcement Technology, kernel Control Flow Guard, and Hypervisor-Protected Code Integrity. Those technologies together essentially guarantee that any area of kernel memory can either be writable or executable, but not both. That’s a pretty hard limit.

So what’s left? Apparently a lot. Starting with the simplest, a data-only exploit, an attacker can sniff the token of a system process and use it to elevate their own. The rest of the post is an in-depth treatment of how an attacker process can sniff and manipulate its way to a nearly kernel-level position. Impressive stuff.

Fortinet Old and New

We have a deep dive into a Forticlient vulnerability, CVE-2023-48788, a SQL injection in the FcmDaemon process. The vulnerable field here was “FCTUID”, and a WAITFOR DELAY message was enough to prove it was the vulnerability. Turning this into an RCE is trivial thanks to the extremely helpful xp_cmdshell function of Microsoft SQL server. That’s off by default, but can be turned back on… via SQL statements. *sigh* It’s a bit jarring to cover Microsoft’s stellar work on hardening the Windows kernel, only to find old cruft in their SQL server still causing problems like this.

And then there’s the newer Fortinet issue, in the Fortigate SSL VPN. Researchers at Assetnote give us all the details on how they tracked this one down, starting with patch diffing and fuzzing the likely vulnerable endpoint. That led to a crash, which was a great start, but even a Ghidra decompile wasn’t quite enough to work out how to turn the crash into an exploit. What was really needed was to hook a debugger to the crashing function.

And that gets into the hack before the hack. As typically happens, the Assetnote folks had to take a system image and backdoor it to get true root access and a usable system terminal. That was an adventure in itself. With that done, GDB did its magic, revealing that the crash they found was nearly useless for exploitation. But a bit of manipulation with leading 0s in the packet that caused the crash, and they had a primitive: The bytes 0x0a0d could be written to the stack, at a mostly controlled location. Is that enough for an exploit? Just two bytes?

When you can send packets that get stored on the heap, and you have a debugger to watch what happens, it turns out that is enough. A return pointer was chosen, that could be corrupted with this two-byte write, to jump program execution through a gadget right into a carefully controlled heap location. Write the payload that pops /bin/sh, and victory! Except, remember all that hacking they did on their test copy of Fortigate? One of those steps was replacing the /bin/sh binary with something useful. After a bit more wrangling, and borrowing a function or two from the system SSL library, the exploit was finally finished, using a nodejs reverse shell. Whew! At least fixes are available.

How To ROP

Have you always wondered how Return Oriented Programming (ROP) actually works in the context of writing an exploit? [Vandan Pathak] has the step-by-step guide for the rest of us. The very basic explanation is that you manipulate the return address of a function, to jump to an unintended function. One of the most popular tricks is to jump into libc, the standard C library.

Bits and Bytes

Today I learned about a nifty security feature for Linux, as well as an exploit to bypass it. USBGuard is a ruleset to allow and deny USB devices. The trick is that not every USB device is what it claims to be, like a Raspberry Pi or Arduino in gadget mode.

In the same manner as the detailed exploit write-ups above, Github has published an impressive hack of the Pixel 8, that uses GPU memory to bypass the ARM Memory Tagging Extension. We’re out of room to cover this one in depth, but it’s worth a read.

And finally, Linux hit a new milestone: We’ve got malware. The Canonical Snap Store has a problem with hosting fake Bitcoin wallet apps. Such a malicious app was removed back in February, but it looks like the bad penny has turned up again. But this time it was a whole dime. Ten malicious wallets on the Snap Store. For a very long time the Linux ecosystem has been trustworthy as a place to not get malware, specifically if installing software from system repositories. Unfortunately, the Snap Store does not seem to be such a trustworthy software source. Caveat Emptor and Downloader Beware.

8 thoughts on “This Week In Security: Loop DOS, Flipper Responds, And More!

  1. The problem with the Flipper Zero being unbanned is that doing so would embarrass politicians. If you know politicians then you know they have the mentality that they can do no wrong.

    1. Actually almost every thing politicians do is undoing something that some other politician did, so you merely need to present what you want them to do as rectifying the mistakes of their opponents. Of course there are problems with that approach leading to polarization.

  2. “Those technologies together essentially guarantee that any area of kernel memory can either be writable or executable, but not both.”

    The keyword is “essentially” because it doesn’t literally do this. The important qualifier is that the kernel is only checking the memory every X seconds. This can be enough time to perform a quick operation and restore the memory to the correct state. Is it a limiting factor? Yes. Is it an impervious wall? Nope.

    If you’re really clever then you can modify the checking code so that it will falsely report everything as unaltered or simply halt it’s execution. It’s very similar to disarming a time bomb which is possible, so don’t think this will keep the the kernel inviolate.

  3. Why would anyone configure a router to pass traffic from an “arbitrary source IP” when in most cases the valid IP ranges for incoming traffic are defined? Upstream routers should be limiting outbound traffic to valid IP ranges for each sub branch of the network. Surely a in the wild Loop DOS requires a bad actor gaining control at the router level and even then they still can’t successfully generate viable traffic with a completely arbitrary source IP? Ah never mind, “CISCO”… 😏

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.