The Internet Archive has been hacked. This is an ongoing story, but it looks like this started at least as early as September 28, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwnd.

Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon. https://t.co/uRROXX1CF9

— Troy Hunt (@troyhunt) October 9, 2024

There are questions still. The site defacement seems to have included either a subdomain takeover, or a long tail attack resulting from the polyfill takeover. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.

Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt hashed passwords.

In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It’s open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.

Palo Alto Expedition

Researchers at HORIZON3 started with a known vulnerability in Palo Alto’s Expedition application. This follows a pattern we’ve seen many times before. A vulnerability is found, usually in a codebase or niche that hadn’t been considered interesting to researchers. A new vulnerability is announced, and suddenly the boring code seems interesting.

The new vulnerability was pretty straightforward — an HTTP call to a specific endpoint resets the admin password to default. The obvious next step was to look for something to do with this new admin power. Expedition uses cron to schedule tasks, and while there didn’t seem to be a way to directly set the command, the start time wasn’t sanitized, and ended up part of a string executed in bash. Yes, it’s a simple command line injection. Sometimes the simple approach just works.

The flaws were fixed with 1.2.96. As Expedition is intended for network migration, it’s not expected to be run indefinitely. Shodan lists a whopping 23 Expedition servers on the Internet. Don’t be like those guys.

Arbitrary Write, But Read Only Filesystem

[Stefan Schiller] from Sonar had an interesting challenge. He had found an arbitrary file upload widget in a node.js application. This sort of write anything anywhere flaw is usually an instant exploit, with many options to choose from. This particular application was hardened: The filesystem was read only. This is a great strategy for making exploitation harder. But as we see here, it’s not foolproof. In Unix, everything is a file. And that means that file write vulnerabilities are useful even with a read-only FS.

In this case, the weak point was an anonymous pipe, an inter-process communication (IPC) construction. The Linux procfs puts those pipes on the filesystem. Listening on the other end of one of those pipes was libuv, a signal handling library. One of the things this library does with these messages is to jump execution to a pointer in the message, as a callback function implementation. Build this data structure properly, and you have shell code execution. Nifty!

Glitching With a Lighter

Memory glitching attacks are really cool. And most of the time, they’re pretty difficult to pull off. Getting access often means physically attacking a chip, or using some expensive EM generator. [David Buchanan] wanted to know if that style of attack is possible with makeshift tools. So, he channeled his inner MacGyver, and looked at the junk in his pockets. A scrap of wire and a pocket lighter? Perfect!

That lighter didn’t use flint and steel, but instead a piezo-electric trigger. Solder the wire onto the memory chip of a laptop, and flick the lighter right next to it. That scrap of wire is suddenly an antenna, and the em burst from the lighter is enough to flip a bit. It’s rowhammer, with an antenna.

And yes, using similar techniques to rowhammer, it’s quite possible to use this to compromise a machine, assuming you can get some arbitrary data somewhere in memory. It’s a clever bit of magic, and while not particularly useful as an attack, it’s really great to see someone working with these attacks on a shoestring budget and making it work.

Firefox 0-day

It’s time to update Firefox. Mozilla has released an emergency update, version 131.0.2, to fix a critical use-after-free vulnerability in Animation timelines, part of the Web Animations API. Not much is known about this vulnerability, but it’s being used in real-world attacks already. We know that ESET discovered the flaw, but not yet whether that discovery was from observing it in use. Regardless, the fix is now available.

Bits and Bytes

We normally think of data breaches as leaking personal information, and then brace for the inevitable targeted spam. Here’s your reminder that it can be worse than that. AT&T seems to have an ongoing data breach where someone with access to shipping information for new iPhones is sending it to organized porch pirate rings.

And finally, Google Project Zero has a new post out, from [Nick Galloway], chatting about OSS-Fuzz and the Dav1d AV1 decoder. [Nick] expanded the fuzzing setup for Dav1d, and managed to find an integer overflow while at it. And while you’re here, maybe check out the OSS-Fuzz Bounty program, where Google offers to pay programmers for adding Open Source software to the OSS-Fuzz project.