We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions()
, now calling IppSendError()
instead of IppSendErrorList()
. That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so helpful here. And it’s not an easy task, since decompiling source code like this doesn’t give us variable names.
The first question that needs answered is what is the list in question? This code is handling the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs. And that linked list is almost always a single member list. When calling IppSendErrorList()
on a list with a single member, it’s functionally equivalent to the IppSendError()
in the fixed code. The flaw must be in the handling of this list with multiple members. The only way to achieve that criteria is to send a lot of traffic at the machine in question, so it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows will assemble incoming packets into a linked list and process them in batch.
So what’s next? IppSendErrorList()
, takes a boolean and passes it on to each call of IppSendError()
. We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp
, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError()
can have side effects. There is a codepath where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now much different from what is expected.
This unexpected but of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.
CVE Hunting Made Easy
[Eddie Zhang] wanted to take the easy road to finding CVEs. To his immense credit, he did not ask ChatGPT to hallucinate vulnerabilities for him, but instead built an automation chain to find possible vulns. The idea is simple: Download as many WordPress plugins as he could, run Semgrep over the corpus, throw the results in a SQL database, and take a closer look at the most promising findings.
That starts by writing a SQL query, naturally. The interesting flaws were SELECTed, and then the different plugins run in a test bench setup to try to trigger actual vulnerable code. And it’s not a bad approach, judging by the 14 CVEs found in 3 afternoons of work.
Moodle
RedTeam Pentesting got to have a field day with the Moodle platform. Moodle is a web-based distance learning solution written in PHP. And to get the flavor of how this went, the test grading logic is written in PHP — and eval()
‘d on the server during grading. Now it’s not quite as bad as it sounds. There is sanitization done, and the set of symbols, characters, and functions are rather limited.
PHP has a pretty interesting type system. Something like acos(2)
, inverse of the cosine of 2, returns a result of Not a Number, or NAN. The dot .
symbol does string concatenation in PHP, and putting those together, acos(2) . acos(2)
results in a string, NANNAN
. It gets better, as it’s then possible to do bitwise manipulation of those strings, eventually unlocking the entire alphabet. A few more tricks like PHP’s variable functions, variable variables, and other fun language contortions. Eventually we get to system() and escape into the system.
Hacking the TSA
[Ian Carroll] and [Sam Curry] bring an unfortunate tale of clever hacking, cover ups, and incompetence. The actual hack is pretty straightforward, a SQL injection in a login system. The real problem is that this login is in the official airline security systems that controls the Known CrewMember and Cockpit Access Security System. That’s the list of people that get to skip TSA checkpoints altogether, and that get access to airplane cockpits in flight. Not good.
The good news is that after disclosure, the Department of Homeland Security quickly secured the vulnerable site. The takes a turn for the worse, when it came time for disclosure. TSA issues a factually incorrect statement about what is required to use the KCM system. [Ian] and [Sam] reached out again to try to set the record straight about the severity of the finding. In response, the TSA quietly deleted the FAQ that spells out how bad the vulnerability could be. Not a great look.
Bits and Bytes
For your data and packet capture needs, Wireshark 4.4 is out. Among the normal improvements, there’s better VoIP support, a handful of new protocols, and some IPv6 tweaks to make life easier.
Ever wondered how to do effective sandboxing in Linux? Hardened Linux has you covered. There are some obvious things like limited filesystem access, but it might be more useful to read about seccomp to limit the available system calls to your sandboxed program. The article is an overview of the individual techniques, and then some of the more popular all-in-one solutions like firejail, bubblewrap, and landlock.
Volt Typhoon, a collection of hackers believed to be working on behalf of the Chinese government has begun using a vulnerability in Versa Director to attack businesses. Version 22.1.4 of the network management platform fixes the vulnerability, which allowed for executable java filew to be disguised as PNGs and uploaded to the platform.
And finally, one of the sneakier ways to stay on a Linux system is to use udev. For attackers, it’s always a challenge to make sure the malware starts up on each boot, and yet doesn’t attract any attention. There are plenty of places to hide a startup hook, but this one creates a udev rule to automatically run early in boot when the /dev/random device is created. How often do you audit your udev files? Sneaky!
re: Hardened Linux has you covered.
Sadly most solutions are not implemented by the kernel itself by reply on BPF. Built with code that was never scrutinized by kernel developers, might even be closed source. Using a kernel debug interface to build security products, what could go wrong…
I spent 20 years ranting about the ineffective, expensive, privacy-violating nonsense that is the TSA’s security theater. Recently I flew through Sydney and Heathrow. The Aussies and Brits are even worse.