This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode“. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI, that allows injecting command line switches when a web server launches an instance of PHP-CGI. The solution was to block some characters in specific places in query strings, like a query string starting with a dash.

The bypass is due to a Windows feature, “Best-Fit”, an automatic down-convert from certain Unicode characters. This feature works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which doesn’t get blocked by PHP, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all to a Discord or Pastebin. It appears that some additional malware gets installed, for continuing access to infected systems. It’s a rough way to learn.

PyTorch Scores a Dubious 10.0

CVE-2024-5480 is a PyTorch flaw that allows PyTorch worker nodes to trigger arbitrary eval() calls on the master node. No authentication is required to add a PyTorch worker, so this is technically an unauthorized RCE, earning the CVSS of 10.0. Practically speaking it’s not that dire of a problem, as your PyTorch cluster shouldn’t be on the Internet to start with, and there’s no authentication as a design choice. It’s not clear the the PyTorch developers consider this a legitimate security vulnerability at all. It may or may not be fixed with version 2.3.

Next Level Smishing

My least favorite term in infosec has to be “smishing”, a frankenword for SMS phishing. Cell phone carriers around the world are working hard to blocking spam messages, making smishing an impossible task. And that’s why it’s particularly interesting to hear about a bypass that a pair of criminals were using in London. The technical details are light, but the police reported a “homemade mobile antenna”, “illegitimate telephone mast”, and “text message blaster” as part of the seized kit. The initial report sounds like it may be a sort of reverse stingray, where messages are skipping the regular cellular infrastructure and are getting sent directly to nearby cell phones. Hopefully more information will be forthcoming soon.

Zyxel’s NsaRescueAngel

The programmers at Zyxel apparently have a sense of humor, given the naming used for this mis-feature. Zyxel NAS units have a bit of magic code that writes a password for the new user, NsaRescueAngel, to the shadow password file. The SSH daemon is restarted, and upnp is fired off to request port forwarding from the outside world. One of the script names, possibly from a previous iteration, was, which seems to be sort of lampshading the whole thing.

It’s presumably intended to be a great troubleshooting tool, when a customer is stuck and needs help, to be able to visit a web url to enable remote access for a Zyxel tech. The problem is that the Zyxel NAS already has an authentication bypass flaw, and while it’s been patched, it wasn’t patched very well, making this whole scheme accessible without authentication, just by slapping /favicon.ico onto the url. The additional problems have been fixed in a more recent update.

Russian Secure Phablet?

A Twitter thread tells the story of a Russian secure device, left behind on the back of a bus in England. That’s an interesting premise. But the thread continues, that ‘conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about “trusted” devices too!’ OK, now this has to either be a fanfic, or a fell-off-the-back-of-a-truck story. There’s some convincing looking screenshots, and even rom dumps. What’s going on here?

The most likely explanation is that somebody got their hands on a trove of data on these devices, and wanted to dump it online with a silly story. But fair warning, don’t trust any of the shared files. Who knows what’s actually in there. Taking a look at something untrusted like this is an art in itself, best done with isolated VMs and burner machines, maybe a Linux install you don’t mind wiping?

Bits and Bytes

Buskill just published their 8th warrant canary, a cryptographically signed statement attesting that they have not been served any secret warrants or national security letters that would undermine the trustworthiness of the Buskill project or code. In addition to a good cryptographic signature, this canary includes a handful of latest news headlines in the signed material, proving it is actually a recently generated document.

[Aethlios] has published Reset Tolkien, an open source tool for finding and attacking a very specific sort of weakness in time based tokens. The targeted flaw is a token generated from improper randomness source, like the current time. If the pattern can be found, a “sandwich attack” can narrow down the possible reset codes by requesting a reset code for a controlled account, requesting one for the target account, and then once again for the controlled account. The target code must come between the two known codes.

And finally, TPM security is hard. This time, the Trusted Platform Module can be reset by reclaiming the GPIO pins connected to it, and simulating a reboot by pulling the reset pin. This results in the TPM possibly talking to an application when it thinks it is talking to the CPU doing boot decryption. In short, it can result in compromised keys. Thanks to [char] from Discord for sending this one in!

7 thoughts on “This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

  1. Well, at least smishing as a portmanteau is somewhat deciperable.
    I’ve seen others recently that need to web searched to know what they mean.
    And following the lampshading link…
    Introduced me to more terms/tropes making me sure I am definitely not schooled in Internetese.

  2. Buskill just published their 8th warrant canary, a cryptographically signed statement attesting that…

    Honestly, the entire Buskill project seems like an op that the FBI would fund.

  3. That is not a meme…
    That is a saying or a joke.

    A meme is a reference that causes individuals to recall a shared experience, even if the experience was not personally shared.

    “That feeling when…” is a soft requirement for memes, and is why ‘internet jokes based on a picture with text’ are incorrectly all called memes.

    When they call you and tell you they can’t find the any key…

  4. > The solution was to block some characters in specific places in query strings, like a query string starting with a dash.

    Yeah, because filtering out the attack strings that come to your mind at the moment is going to be enough. This is like having an SQL injection bug and fixing it by blocking queries containing “DROP TABLES”.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.