This Week In Security: EvilVideo, Crowdstrike, And InSecure Boot

First up this week is the story of EvilVideo, a clever telegram exploit that disguises an APK as a video file. The earliest record we have of this exploit is on June 6th when it was advertised on a hacking forum.

Researchers at ESET discovered a demo of the exploit, and were able to disclose it to Telegram on June 26th. It was finally patched on July 11. While it was advertised as a “one-click” exploit, that’s being a bit generous, as the ESET demo video shows. But it was a clever exploit. The central trick is that an APK file can be sent in a Telegram chat, and it displays what looks like a video preview. Tap the “video” file to watch it, and Telegram prompts you to play it with an external player. But it turns out the external player in this case is Android itself, which prompts the target to install the APK. Sneaky.

Traffic Control

We briefly covered this story a couple months ago, focusing on how bad of an idea it is to threaten a good faith researcher with legal action. Well the details of this traffic controller hack are available, and it’s about what you’d expect. Part one is all about getting the hardware and finding a trivial security bypass. The “web security” tab in the user interface seems to be an iframe, and navigating directly to that iframe address simply doesn’t trigger a login prompt. That’s the issue that [Andrew Lemon] first disclosed to Q-Free, leading to the legal nastygram.

Well now we have part two of that research, and spoilers: it doesn’t get any better. A couple false starts led [Andrew] to a desperation move. He had a new box to test and no login for it, so he started at the basics with the Burp proxy. And lo and behold, in the request was an odd string. 1.3.6.1.4.1.1206.3.36.1.6.10.1*IDO_0=2&

That is an Object IDentifier (OID) for the Simple Network Management Protocol (SNMP). These things use a version of SNMP known as National Transportation Communications for Intelligent Transportation System Protocol, or NTCIP. And this device not only uses that protocol, it seems to do so without authentication. Among the fields that are readable and writable without auth are the system username and system password. No hashing in sight. Now we can only hope that this is ancient hardware that isn’t in use any longer, or at least no longer connected to the Internet. And we’ll also hope that vendors like Q-Free have learned their lessons since this software was written. Though given their response to the vulnerability disclosure, we’re not holding our breaths.

The Rest of the Crowdstrike Story

You may have noticed a bit of weirdness around the world last Friday. Early in the morning of the 18th, Croudstrike pushed a rapid response content update to their Falcon antivirus platform. Rapid Response data does get tested, but does not get a staged roll out. And in this case, a bug in the testing platform led to the invalid file being pushed out, and because the rollout was not staged, it went everywhere all at once.

This bogus configuration data triggered an out-of-bounds memory read in the Falcon kernel driver, leading to system crashes. The particularly bitter context is that Crowdstrike had done the same thing to Linux machines a few months earlier. It’s beginning to seem that antivirus kernel drivers are a bad idea.

Microsoft has made it clear that this wasn’t a Microsoft incident. And the little known fact is that Microsoft tried to put an end to antivirus kernel drivers years ago, and was blocked by government regulators. And why didn’t Windows offer to boot without the crashing driver? The Crowdstrike kernel driver marks itself as a boot-start driver. The one ray of hope is that it’s possible for the system to stay up just long enough for Crowdstrike to pull an update before the system crash. It only takes something like 15 reboots.

This time it was Microsoft

There was, apparently, another Blue Screen crash this month. The July Patch Tuesday update dropped some computers into the BitLocker recovery screen, which just happens to be that same shade of blue. It’s not yet clear what about this set of fixes triggered the problem, but it seems that getting the recovery key does get these machines running again.

LetsKill OCSP

Let’s Encrypt surprised a few of us by announcing the end of OCSP this week. The Online Certificate Status Protocol is used to query whether a given certificate is still valid. One of the problems with that protocol is that it requests status updates per DNS address, effectively sending a running browsing history over the Internet. There’s a technical issue, in that the attacks that OCSP is designed to defend against also place the attacker in a position to block OCSP requests, and clients will silently ignore OCSP requests that time out.

The replacement is the Certificate Revocation List (CRL), which is a simple list of revoked certificates. The problem is that those lists can be huge. Mozilla and Google have rolled out a clever solution, that uses data compression and aggressive optimization to handle those CRLs like any other browser update. And hence, OCSP is destined to go away.

InSecure Boot

Binarly is sounding the alarm on Secure Boot. The biggest problem is that at least five device manufacturer used demo keys in production. The master key predictably leaked, and as a result about 200 devices have broken secure boot protections. That key is labeled DO NOT TRUST - AMI Test PK? Perfect, ship it!

Bits and Bytes

Docker Engine had a nasty regression, where a flaw fixed in 2019 wasn’t properly forward-ported to later versions. CVE-2024-41110 is a CVSS 10.0 issue, where an API call with Content-Length of 0 is forwarded without any authentication.

An interesting bug was just fixed in curl, where a TLS certificate could trigger the curl ASN.1 parser to fail and return an error. When it did this, the function in question can call free() on a stack buffer, which is particularly bad idea. This is notable as the curl developers refer to it as a “C mistake (likely to have been avoided had we not been using C)”. Time to add some Rust code to curl?

And finally, there’s something you should know about Github. Code is forever. This is all working as intended, but can catch you if you’re not aware. Namely, private or deleted commits that are attached to a public repo are still accessible, if you know or guess the short commit hash. This has some important ramifications for cleaning up data leaks, and developing private forks. Knowing is half the battle!

12 thoughts on “This Week In Security: EvilVideo, Crowdstrike, And InSecure Boot

    1. i dont think so, i watch his channel. doesn’t do anything more scammy than promoting his books on autism. does some retro-computing stuff, programming stuff, and claims to have written task manager. you can fake the credentials but not the expertise and idk why he would do that. he doesn’t even solicit donations like most youtubers.

  1. Microsoft tried to end in-kernel anti-virus modules with ring 0 access, that are installed in almost every computer around the world, but the US government blocked them? The same government that told everyone not to install Kaspersky because of security concerns?

    Gee, I wonder why.

  2. The way I understood the video, regarding Windows kernel drivers, is that Crowdstrike could use alternate APIs provided by MS, but has not used them. MS would like to kick everyone onto these alternate APIs but EU did not let them do so.

    I think that Crowdstrike made bad choices in their implementation and testing.
    Does this just and in a “You get what you pay for”?
    Blame the Airlines for buying cheap cyber security?
    Windows is just an OS for “Entertainment Purposes Only” due to EU regulators?

    Seems like nobody committed to anything in this process.

  3. And the little known fact is that Microsoft tried to put an end to antivirus kernel drivers years ago, and was blocked by government regulators.

    This is false. Microsoft tried to put and end to non-Microsoft antivirus kernel drivers but was blocked by regulators because Microsoft has an antivirus kernel driver. By only blocking other companies Microsoft was being anti-competitive. If Microsoft Defender didn’t have a kernel driver then they absolutely could have put an end to antivirus kernel drivers.

    1. Sounds like they were too lazy to make the framework performant or take the performance hit to their own AV. How did Mac get around that? They have a framework for access without kernel mode.

  4. The Bitlocker thing hurts. I have a friend with a still locked drive. His Dell was configured to use Bitlocker and he or I had never heard of it before. There was no recovery key saved anywhere we could find. Still no idea how this happened. Perhaps Dell and Microsoft had bitlocker activated by defualt, or it had been images for an institution and sold wholesale instead?
    Either way I disable TPM now because I never want to be ‘bitlocked’ out of anything again.
    I’m hoping they actually fix this before it hurts more people. Also a good warning to erase and fresh install Windows when you get any PC. You have no idea what settings are on it even if it seems to be fairly plain windows.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.