This Week In Security: Zimbra, DNS Poisoning, And Perfctl

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a pretty nasty one, though thankfully requires a specific change from default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it logs incoming emails. One of the fields on an incoming SMTP mail object is the RCPT TO: field, with the recipients made of the to, cc, and bcc fields. When postjournal logs this field, it does so by passing it as a bash argument. That execution wasn’t properly sanitized, and wasn’t using a safe call like execvp(). So, it was possible to inject commands using the $() construction.

The details of the attack are known, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so at least some of those attempts have teeth. The attack seems to be less reliable when coming from outside of the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. A potential answer is WhoYouCalling. The wrinkle here is that WYC uses the Windows Event Tracing mechanism to collect the network traffic strictly from the application in question. So it’s a Windows only application for now. What you get is a packet capture from a specific executable and all of its children processes, with automated DNS capture to go along.

DNS Poisoning

Here’s a mystery. The folks at Assetnote discovered rogue subdomains from several of their customers, showing up with seemingly random IP addresses attached. A subdomain like webproxy.id.customer.vn might resolve with 10 different addresses, when querying on alibabadns.com.

That turned out to be a particularly important clue. These phantom subdomains were all linked to the Chinese Internet in some way, and it turns out that each subdomain had some interesting keyword in it, like webproxy or VPN. This seems to be a really unique way to censor the Internet, as part of the Chinese Great Firewall. The problem here is that the censorship can escape, and actually poison DNS for those subdomains for the rest of the Internet. And because sometimes the semi-random IPs point at things like Fastly CDN or old cPanel installs. A bit of legwork gets you the equivalent of subdomain takovers. Along with the story, Assetnote have shared a tool to check domains for this issue.

Virtual Name Tags Bring the Creep Factor

What do you get when you combine Internet-connected smart glasses with LLM doing facial recognition? The optimistic opinion is that you get virtual nametags for everybody you meet. I’ve played a video game or two that emulates that sort of ability. Taking a bit more cynical and realistic view, this auto-doxxing of everyone in public strays towards dystopian.

perfctl

There’s a newly discovered Linux malware, perfctl, that specializes in stealth, combined with Monero mining. The malware is also used to relay traffic, as well as install other malware in compromised machines. The malware communicates over TOR, and uses some clever tricks to avoid detection. Log in to a compromised machine, and the Monero mining stops until you log back out.

The malware is particularly difficult to get rid of, and as always, the best solution is to carefully back up and then wipe the affected machine. One of the tells to look for is a machine that’s hard charging when it has no business being spun up to 100% CPU usage, and then when you log in and look for the culprit, it drops to normal.

Bits and Bytes

[nv1t] found a kid’s toy, the Kekz Headphones, and they just begged to be taken apart. This toy has a bunch of audio on an SD Card, and individual NFC-enabled tokens that triggers playback of the right file. This one is interesting from an infosec perspective, because the token actually supplies the encryption key for the file playback, making it a nominally secure system. After pulling everything apart, it became apparent that the encryption wasn’t up to the task, with only about 56 possible keys for each file.

Something we’ve continually talked about is how the subtle mismatches in data parsing often lead to vulnerabilities. [Mahmoud Awali] has noticed this, too, and decided to put together a comparison of how different languages handle HTTP parameters. Did you know that Ruby uses the semicolon as a parameter delimiter? There are a bunch of quirks like this, and this is the sort of material that you’ll need to find that next big vulnerability.

And finally, speaking of Ruby, are you familiar with Ruby’s class pollution category of vulnerabilities? It’s akin to Python and JavaScript’s prototype pollution, and not entirely unlike Java’s deserialization issues. If Ruby is your thing, go brush up on how to avoid this particular pitfall.

6 thoughts on “This Week In Security: Zimbra, DNS Poisoning, And Perfctl

  1. The smart glasses thing is decidedy a mixed bag. Leaving aside the doxxing/police state implications already abundantly explored elsewhere methinks there’s value for the people too in hit-and-run and violence scenarios where there in no time or chance to pull out your phone and record the event.

    1. It’s decidedly more dystopian that the number of events in your region of the world are such that your immediate thought is “this’ll be great when I get robbed”.

      Almost 40 years on this earth and I’m yet to be in a situation so violent I wish I had an ID detecting body cam.

  2. Missed the part with Kekz phones that using their Windows app logs your location to a ‘public’ Azure with links in the project files. Can scrape it all and find out what MP3s are being uploaded too.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.