We’re covering two weeks of news today, which is handy, because the week between Christmas and New Years is always a bit slow.
And up first is the inevitable problem with digital license plates. Unless very carefully designed to be bulletproof, they can be jailbroken, and the displayed number can be changed. And the Reviver plates were definitely not bulletproof, exposing a physical programming port on the back of the plate. While it’s not explicitly stated, we’re guessing that’s a JTAG port, given that the issue is considered unpatchable, and the port allows overwriting the firmware. That sort of attack can be hardened against with signed firmware, and using an MCU that enforces it.
This does invite comparisons to the James Bond revolving license plate — and that comparison does put the issue into context. It’s always been possible to swap license plates. If someone really wants to cause mischief, traditional plates can be stolen, or even faked. What a digital plate adds to the equation is the ability to switch plate numbers on the fly, without stopping or turning a screwdriver. Regardless, this seems like it will be an ongoing problem, as so many manufacturers struggle to create secure hardware.
Malicious RDP
There’s a clever attack, that uses Microsoft’s Remote Desktop Protocol (RDP), to give away way too much control over a desktop. That’s accomplished by sending the target a .rdp file that shares local resources like the clipboard, filesystem, and more. What’s new is that it seems this theoretical attack has now shown up in the wild.
The attack campaign has been attributed to APT29, CozyBear, a threat actor believed to be associated with Russia’s Foreign Intelligence Service. This attribution tracks with the victims of choice, like government, research, and Ukrainian targets in particular. To escape detection, the malicious RDP endpoints are set up behind RDP proxies, running on services like AWS. The proxies and endpoints are accessed through TOR and other anonymous proxies. The .rdp files were spread via spear-phishing emails sent through compromised mail servers. The big push, with about 200 targets, was triggered on October 22nd. Researchers at TrendMicro believe this was the end of a targeted campaign. The idea being that at the end of the campaign, it no longer matters if the infrastructure and methods get discovered, so aim for maximum impact.
Free* Mcdonalds?
Here we learn that while McDonald’s USA dosn’t have a bug bounty program, McDonald’s India does — and that’s why researcher [Eaton Zveare] looked there. And found a series of Broken Object Level Authorization (BOLA) bugs. That’s a new term to this column, but a concept we’ve talked about before. BOLA vulnerabilities happen when a service validates a user’s authentication token, but doesn’t properly check that the user is authorized to access the specific resources requested.
In the McDonald’s case, any user of the web app is issued a guest JWT token, and that token is then valid to access any Order ID in the system. That allows some interesting fun, like leaving reviews on other users’ orders, accessing delivery maps, and getting copies of receipts. But things got really interesting when creating an account, and then ordering food. A hidden, incomplete password login page allowed breaking the normal user verification flow, and creating an account. Then after food is added to the cart, the cart can be updated to have a total price of a single rupee, about the value of a penny.
This research earned [Eaton] a $240 Amazon gift card, which seems a little stingy, but the intent behind the gesture is appreciated. The fixes landed just over 2 months after reported, and while [Eaton] notes that this is slower than some companies, it’s significantly faster than some of the less responsive vendors that we’ve seen.
Banning TP-Link
The US Government has recently begun discussing a plan to ban TP-Link device purchases in the United States. The reported reason is that TP-Link devices have shipped with security problems. One notable example is a botnet that Microsoft has been tracking, that primarily consists of TP-Link devices.
This explanation rings rather hollow, particularly given the consistent security failings from multiple vendors that we’ve covered on this very column over the years. Where it begins to make more sense is when considered in light of the Chinese policy that all new vulnerabilities must first be reported to the Chinese government, and only then can fixes be rolled out. It suggests that the US Commerce Department suspects that TP-Link is still following this policy, even though it’s technically now a US company.
I’m no stranger to hacking TP-Link devices. Many years ago I wrote a simple attack to put the HTTPD daemon on TP-Link routers into debug mode, by setting the wifi network name. Because the name was used to build a command run with bash, it was possible to do command injection, build a script in the device’s /tmp space, and then execute that script. Getting to debug mode allowed upgrading to OpenWRT on the device. And that just happens to be my advice for anyone still using TP-Link hardware: install OpenWRT on it.
Developers Beware
We have two separate instances of malware campaigns directly targeting developers. The first is malicious VSCode extensions being uploaded to the marketplace. These fakes are really compelling, too, with lots of installs, reviews, and links back to the real pages. These packages seem to be droppers for malware payloads, and seem to be targeting cryptocurrency users.
If malware in your VSCode extensions isn’t bad enough, OtterCookie is a campaign believed to come from North Korea, spreading via fake job interviews. The interview asks a candidate to run a Node.js project, or install an npm package as part of prep. Those are malicious packages, and data stealers are deployed upon launch. Stay frosty, even on the job hunt.
Bits and Bytes
PHP has evolved over the years, but there are still a few quirks that might trip you up. One of the dangerous ones is tied up in $_SERVER['argv'], a quick way to test if PHP is being run from the command line, or on a server. Except, that relies on register_argc_argv set to off, otherwise query strings are enough to fool a naive application into thinking it’s running on the command line. And that’s exactly the footgun that caught Craft CMS with CVE-2024-56145.
Australia may know something we don’t, setting 2030 as the target for retiring cryptography primitives that aren’t quantum resistant. That’s RSA, Elliptic-curve, and even SHA-256. It’s a bit impractical to think that those algorithms will be completely phased out by then, but it’s an interesting development to watch.
Fuzzing is a deep subject, and the discovery of 29 new vulnerabilities found in GStreamer is evidence that there’s still plenty to discover. This wasn’t coverage-guided fuzzing, where the fuzzer mutates the fuzzing input to maximize. Instead, this work uses a custom corpus generator, where the generator is aware of how valid MP4 files are structured.
So not only will the MH-CD42 charge your lithium-ion cells when given a nominal USB input voltage (4.5 – 5 VDC), it will also provide essential protections for the battery. That means looking out for short circuits, over-charge, and over-discharge conditions. It can charge at up to 2 A (up from 1 A on the TP4056), and includes a handy LED “battery gauge” on the board. But perhaps best of all for our purposes, it includes the necessary circuitry to boost the output from the battery up to 5 V.
