There was a disturbance in the enterprise security world, and it started with a Pwn2Own Berlin. [Khoa Dinh] and the team at Viettel Cyber Security discovered a pair of vulnerabilities in Microsoft’s SharePoint. They were demonstrated at the Berlin competition in May, and patched by Microsoft in this month’s Patch Tuesday.
This original exploit chain is interesting in itself. It’s inside the SharePoint endpoint, /_layouts/15/ToolPane.aspx. The code backing this endpoint has a complex authentication and validation check. Namely, if the incoming request isn’t authenticated, the code checks for a flag, which is set true when the referrer header points to a sign-out page, which can be set arbitrarily by the requester. The DisplayMode value needs set to Edit, but that’s accessible via a simple URL parameter. The pagePath value, based on the URL used in the call, needs to start with /_layouts/ and end with /ToolPane.aspx. That particular check seems like a slam dunk, given that we’re working with the ToolPane.aspx endpoint. But to bypass the DisplayMode check, we added a parameter to the end of the URL, and hilariously, the pagePath string includes those parameters. The simple work-around is to append another parameter, foo=/ToolPane.aspx.
Putting it together, this means a POST of /_layouts/15/ToolPane.aspx?DisplayMode=Edit&foo=/ToolPane.aspx with the Referrer header set to /_layouts/SignOut.aspx. This approach bypasses authentication, and allows a form parameter MSOTlPn_DWP to be specified. These must be a valid file on the target’s filesystem, in the _controltemplates/ directory, ending with .iscx. But it grants access to all of the internal controls on the SafeControls list.
There’s an entire second half to [Khoa Dinh]’s write-up, detailing the discovery of a deserialization bug in one of those endpoints, that also uses a clever type-confusion sort of attack. The end result was remote code execution on the SharePoint target, with a single, rather simple request. Microsoft rolled out patches to fix the exploit chain. The problem is that Microsoft often opts to fix vulnerabilities with minimal code changes, often failing to fix the underlying code flaws. This apparently happened in this case, as the authentication bypass fix could be defeated simply by adding yet another parameter to the URL.
These bypasses were found in the wild on July 19th, and Microsoft quickly confirmed. The next day, the 20th, Microsoft issued an emergency patch to address the bypasses. The live exploitation appears to be coming from a set of Chinese threat actors, with a post-exploitation emphasis on stealing data and maintaining access. There seem to be more than 400 compromised systems worldwide, with some of those being rather high profile.
The Initramfs Encryption Bypass
While Linux enthusiasts have looked at Secure Boot with great skepticism ever since Microsoft and hardware vendors worked together to roll out this security feature, the modern reality is that Linux systems depend on it for their security assurances as well. An encrypted hard drive is of limited use if the elements used to decrypt the drive are compromised. Imagine a kernel or GRUB with a hidden backdoor, that modifies the system once the decryption password has been entered. There’s a new, interesting attack described earlier this month, that targets the initramfs.
Let’s take a quick detour to talk about how a Linux machine boots. At power start, the machine’s firmware does the Power On Self Test (POST), and then loads a UEFI payload from the hard drive. In the case of Linux, this is the shim, a first stage bootloader that then boots a signed GRUB image. GRUB then loads a signed Linux kernel and the initramfs image, which is nothing more than a compressed, minimal filesystem. It usually contains just the barest essentials to start the boot process and switch to the real root filesystem.
You may have noticed something missing in that description: The initramfs image isn’t signed. This is often built by the end-user with each new kernel, and so can’t be signed by the Linux distribution. The possibility of modifying the initramfs isn’t a new idea, but what this research adds is the observation that many distros provide a debug shell when the wrong encryption password is given several times in a row. This is quickly accessible to an attacker, and that debug shell does have access to the initramfs. A very quick “evil maid” attack is to boot the machine, fail the password several times to launch the debug shell, and install a malicious initramfs from there.
Et Tu Clear Linux?
Clear Linux OS was Intel’s playground for tuning Linux for running its best on modern Intel (and AMD) CPUs. And sadly, as of the 18th, it is no longer maintained, with updates and even security fixes ceasing immediately. This isn’t a huge surprise, as there have been several Linux engineers departing the company in recent weeks.
What’s particularly interesting is that there was no runway provided for active users, and security updates stopped immediately with this announcement. While Clear Linux wasn’t exactly intended for production use, there were certainly a group of users that used it in some variation of production use. And suddenly those users have an immediate need to migrate to a different, still supported Linux.
UI Automation
There’s a new Akamai report on malware using accessibility features to more effectively spy on users. The malware is Coyote, and a particular strain targeting Brazilian Windows users has been found using the Microsoft UI Automation (UIA) framework. When I first found this story, I thought it was about malware using Artificial Intelligence. Instead, it’s the UIA accessibility feature that makes it trivial for malware to pull detailed information from inside a running application. The researchers at Akamai have been sounding the alert over this as a potential problem for several months, so it’s particularly interesting to see it in the wild in actual use.
Prepared Injection
When I first learned PHP security, one of the golden rules was to use prepared statements, to avoid SQL injection. This is still good advice — there’s just a sneaky secret inside PHP’s PDO SQL library. It doesn’t actually do prepared statements by default. It fakes them. And in some cases, that is enough to get a SQL injection, even in a “prepared statement”.
The key to this is injection of a ? or : symbol, that the PDO parser can erroneously interpret as another bound parameter. So vulnerable code might look like $pdo->prepare("SELECT $col FROM fruit WHERE name = ?"). If an attacker can smuggle text into both the $col variable and the value to bind to name, then injection is possible.
The malicious request might look like http://localhost:8000/?name=x` FROM (SELECT table_name AS `'x` from information_schema.tables)y;%23&col=\?%23%00. That url encoded text becomes \?#\0, which defeats PDO’s parsing logic, allowing the injection text to be inserted into the fake placeholder.
Bits and Bytes
Possibly the most depressing thing you will read today is this play-by-play of Clorox and Cognizant each blaming each other for a nasty data breach in 2023. Clorox outsourced their IT, and therefore can’t be blamed. Cognizant’ help desk reset passwords and multi factor authentication without any real verification of who was requesting those actions. And Cognizant’s statement is that Clorox should have had sufficient cybersecurity systems to mitigate these events.
VMWare’s Guest Authentication Service, VGAuth, had an issue where a limited-privilege user on a Virtual Windows machine could abuse the service to gain SYSTEM privileges. This is a bit different from the normal stories about VM additions, as this one doesn’t include an actual VM escape. Achieving SYSTEM is an important step in that direction for most exploit chains.
And finally, who needs malware or attackers, when you have AI tools? Two different AI agents were given too much freedom to work with real data, and one managed to delete folders while trying to reorganize them, while the other wiped out a production database. My favorite quote from the entire saga is directly from Gemini: “I have failed you completely and catastrophically. My review of the commands confirms my gross incompetence.”
Initramfs – ugh!
Ok, I get why a distro maintainer would want this. You have to come up with one kernel that works across all your many users hardware and install choices. In the past that might have been IDE (PATA) vs SCSI hard drives. Did anyone actually install Linux on MFMs? Now it’s probably all SATA but there are still many possible choices of filesystems.
The alternative would be to compile the drivers for ALL of them directly into the kernel making for a very bloated kernel.
But what about the power user who compiles their own kernel? I can think of exactly zero instances (outside of shutdown) when I would want my Linux desktop to unload it’s SATA or filesystem drivers. So why bother with this complication? I always used to just build those drivers into the kernel directly. No initrd or initramfs needed!
Ever since the switch from BIOS to UEFI though… everything is so damn complicated! I eventually gave up and now I have to have an initramfs. Which means I also gave up having a trim and clean kernel and instead just use a config where I started with the distro’s defaults and only made changes where necessary. Maybe I just never understood the UEFI boot process well enough to pick the right “modules” to build in. But it shouldn’t need to be this difficult!
UEFI isn’t really any different to a traditional BIOS booting once you’ve got to GRUB (or your favourite bootloader). I never bothered with an initramfs pre or post UEFI so I’m curious what hurdles you faced with UEFI that necessitated an initramfs.
If you encrypt /boot, an unsigned initrd doesn’t matter. Grub has supported encrypted /boot for many years. So, probably not an issue for anyone using a device that is interactively unlocked by sitting in front of it, if it has been setup correctly. Although most of these devices will have “secure” boot disabled to allow suspend to disk anyway.
The only place unencrypted /boot is needed is remote hosts where you remotely unlock the encrypted disk via dropbear bundled in the initrd. These hosts are usually in a colo / are vms at some vps/cloud provider who could mess with you in many other ways than this particular evil maid attack.
The issue isn’t nothing, but it for the main use case of “secure” boot, a mobile laptop, it is mitigated by just encrypting /boot.
Possibly the real purpose of “secure” boot friction :
“Can we create a standard or expand something like ACPI, so Linux becomes unbootable on PCs?”
Bill Gates
Note that MS’s compiler for acpi stuff (used by bios vendors) generates broken garbage for hosts that state they are running linux, so linux has to claim it is windows when retrieving acpi stuff from the bios– so, there is a pretty obvious example of MS doing as BG requested.
If you don’t like PC and their standards which are made to run Windows (as demanded by 99,8% of users) then nobody is preventing you from doing your own thing using ARM, RISC-V, STM32 or MIPS.
Similar arguments were rose when Mozilla tried to break IE monopoly. If a standard if designed to block competition it’s never good for users.
That 99.8% figure is ignoring the server market, which uses the same standards.
But yeah, even with secure boot available, PC is a lot easier to run different operating systems on than practically any other platform.
I fail to find anything novel in the PHP SQL injection case. Using “SELECT $col …” means that you are not using a prepared statement after all. It is your responsibility to ensure that $col is safe…
“Clorox outsourced their IT, and therefore can’t be blamed.” Saving money and can’t be blamed? That’s most triumphant. Except we take and find that:
“Clorox’s IT operations are handled by an internal IT department, headed by Chau Banks, the Senior Vice President and Chief Information and Data Officer. Clorox’s IT department is responsible for managing its IT infrastructure, systems, and data.”
Clorox and Cognizant was 2023.
Sharepoint deserialization exploit uses heap grooming, so the attacker doesn’t even need to deal with CET, pkey, MTE, NX, and ASLR as long as they use forward-edge primitives.
The IBM X-Force paper from BH is showing latest MS heap manager security is still just cookies, and the actual segment management is carried over from 7
Intel’s Clear Linux action is something people say can only happen to community driven products. Support from big company was supposed to be a guarantee of predictable live process.