Author: Jonathan Bennett

35 Articles

This Week In Security: Censoring Researchers, The Death Of OpenPGP, Dereferencing Nulls, And Zoom Is Watching You

July 12, 2019 by 24 Comments

Last week the schedule for our weekly security column collided with the Independence Day holiday. The upside is that we get a two-for-one deal this week, as we’re covering two weeks worth of news, and there is a lot to cover!

[Petko Petrov], a security researcher in Bulgaria, was arrested last week for demonstrating an weakness he discovered in a local government website. In the demonstration video, he stated that he attempted to disclose the vulnerability to both the software vendor and the local government. When his warnings were ignored, he took to Facebook to inform the world of the problem.

From the video, it appears that a validation step was performed on the browser side, easily manipulated by the end user. Once such a flaw is discovered, it becomes trivial to automate the process of scraping data from the vulnerable site. The vulnerability found isn’t particularly interesting, though the amount of data exposed is rather worrying. The bigger story is that as of the latest reports, the local government still intends to prosecute [Petko] for downloading data as part of demonstrating the attack.

Youtube Censorship

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it. YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"

In related news, Google has begun cracking down on “Instructional Hacking and Phishing” videos. [Kody] from the Null Byte Youtube channel found himself locked out of his own channel, after receiving a strike for a video discussing a Wifi vulnerability.

The key to getting a video unblocked seems to be generating lots of social media attention. Enough outcry seems to trigger a manual review of the video in question, and usually results in the strike being rescinded.

Improved Zip Bomb

A zip bomb is a small zip file that unzips into a ridiculously large file or collection of files. While there are obvious nefarious uses for such a file, it has also become something of a competition, crafting the most extreme zip bomb. The previous champion was 42.zip, a recursive zip file that when fully extracted, weighs in at 42 petabytes. A new contender may have just taken the crown, and without using zip file recursion.

[David Fifield] discovered a pair of ZIP tricks. First being that multiple files can be constructed from a single “kernel” of compressed data. The second is that file headers could also be part of files to be decompressed. It’s clever work, and much easier to understand when looking at the graphics he put together. From those two points, the only task left is to optimize. Taking advantage of the zip64 format, the final compression ratio was approximately 98 million to one.

Breaking OpenPGP Keyservers

OpenPGP as we know it is on the ropes. OpenPGP is the technique that allows encryption and verification of emails through cryptographic signatures. It’s the grandaddy of modern secure communication, and still widely used today. One of the features of OpenPGP is that anyone can upload their public key to keyservers hosted around the world. Because of the political climate in the early 90’s when OpenPGP was first developed, it was decided that a baked-in feature of the keyserver was that uploaded keys could never be deleted.

Another feature of OpenPGP keys is that one user can use their key to sign another user’s key, formally attesting that it is valid. This creates what is known as a “web of trust”. When an OpenPGP instance validates a signature, it also validates all the attestations attached to that signature. Someone has spammed a pair of OpenPGP certificates with tens of thousands of signatures. If your OpenPGP client refreshes those signatures, and attempts to check the validations, it will grind to a halt under the load. Loading the updated certificate permanently poisons the offline key-store. In some cases, just the single certificate can be deleted, but some users have had to delete their entire key store.

It’s now apparent that parts of the OpenPGP infrastructure hasn’t been well maintained for quite some time. [Robert J. Hansen] has been spearheading the public response to this attack, not to mention one of the users directly targeted. In a follow-up post, he alluded to the need to re-write the keyserver component of OpenPGP, and the lack of resources to do so.

It’s unclear what will become of the OpenPGP infrastructure. It’s likely that the old keyserver network will have to be abandoned entirely. An experimental keyserver is available at keys.openpgp.org that has removed the spammed signatures.

Beware the QR Codes

Link shorteners are a useful way to avoid typing out a long URL, but have a downside — you don’t know what URL you’re going to ahead of time. Thankfully there are link unshorteners, like unshorten.it. Paste a shortlink and get the full URL, so you don’t accidentally visit a shady website because you clicked on a shortened link. [Nick Guarino] over at cofense.com raises a new alarm: QR codes can similarly lead to malicious or questionable websites, and are less easily examined before scanning. His focus is primarily how a QR code can be used to bypass security products, in order to launch a fishing attack.

Most QR scanners have an option to automatically navigate to the web page in the code. Turn this option off. Not only could scanning a QR code lead to a malicious web site, but URLs can also launch actions in other apps. This potential problem of QR codes is very similar to the problem of shortened links — the actual payload isn’t human readable prior to interacting with it, when it’s potentially too late.

Dereferencing Pointers for Fun and Profit

On the 10th, the Eset blog, [welivesecurity], covered a Windows local priveledge escalation 0-day being actively exploited in the wild. The exploit highlights several concepts, one of which we haven’t covered before, namely how to use a null pointer dereference in an exploit.

In C, a pointer is simply a variable that holds a memory location. In that memory location can be a data structure, a string, or even a callable function. By convention, when pointers aren’t referring to anything, they are set to NULL. This is a useful way to quickly check whether a pointer is pointing to live data. The process of interacting with a pointer’s data is known a dereferencing the pointer. A NULL pointer dereference, then, is accessing the data referred to by a pointer that is set to NULL. This puts us in the dangerous territory of undefined behavior.

Different compilers, architectures, and even operating systems will potentially demonstrate different behavior when doing something undefined. In the case of C code on 32-bit Windows 7, NULL is indistinguishable from zero, and memory location zero is a perfectly valid location. In this case, we’re not talking about the physical location zero, but logical address zero. In modern systems, each process has a dedicated pool of memory, and the OS manages the offset and memory mapping, allowing the process to use the simpler logical memory addressing.

Windows 7 has a function, “NtAllocateVirtualMemory”, that allows a process to request access to arbitrary memory locations. If a NULL, or zero, is passed to this function as the memory location, the OS simply picks a location to allocate that memory. What many consider a bug is that this function will effectively round down small memory locations. It’s quite possible to allocate memory at logical address 0/NULL, but is considered to be bad behavior. The important takeaway here is that in Windows 7, a program can allocate memory at a location referred to by a null pointer.

On to the vulnerability! The malicious program sets up a popup menu and submenu as part of its GUI. While this menu is still being initialized, the malicious program cancels the request to set up the menu. By timing the cancellation request precisely, it’s possible for the submenu to still be created, but to be a null pointer instead of the expected object. A second process can then trigger the system process to call a function expected to be part of the object. Because Windows allows the allocation of memory page zero, this effectively hands system level execution to the attacker. The full write-up is worth the time to check out.

Zoom Your Way to Vulnerability

Zoom is a popular web-meeting application, aimed at corporations, with the primary selling point being how easy it is to join a meeting. Apparently they worked a bit too hard on easy meeting joins, as loading a malicious webpage on a Mac causes an automatic meeting join with the mic and webcam enabled, so long as that machine has previous connected to a Zoom meeting. You would think that uninstalling the Zoom client would be enough to stop the madness, but installing Zoom also installs a local webserver. Astonishingly, uninstalling Zoom doesn’t remove the webserver, but it was designed to perpetually listen for a new Zoom meeting attempt. If that sounds like a Trojan to you, you’re not wrong.

The outcry over Zoom’s official response was enough to inform them of the error of their ways. They have pushed an update that removes the hidden server and adds a user interaction before joining a meeting. Additionally, Apple has pushed an update that removes the hidden server if present, and prompts before joining a Zoom meeting.

Wireless Keyboards Letting You Down

Have you ever typed your password using a wireless keyboard, and wondered if you just broadcast it in the clear to anyone listening? In theory, wireless keyboards and mice use encryption to keep eavesdroppers out, but at least Logitech devices have a number of problems in their encryption scheme.

Part of the problem seems to be Logitech’s “Unifying” wireless system, and the emphasis on compatibility. One receiver can support multiple devices, which is helpful when eliminating cable clutter, but also weakens the encryption scheme. An attacker only has to be able to monitor the radio signals during pairing, or even monitoring signals while also observing keypresses. Either way, a few moments of processing, and an attacker has both read and write access to the wireless gear.

Several even more serious problems have fixed with firmware updates in the past years, but [Marcus Mengs], the researcher in question, discovered that newly purchased hardware still doesn’t contain the updated firmware. Worse yet, some of the effected devices don’t have an officially supported firmware update tool.

Maybe wired peripherals are the way to go, after all!

This Week In Security: Invalid Curve Attacks, OpenSSH Shielded, And More Details On Coinbase

June 28, 2019 by 19 Comments

AMD Epyc processors support Secure Encrypted Virtualization (SEV), a technique that prevents even a hypervisor reading memory belonging to a virtual machine. To pull this off, the encryption and decryption is handled on the fly by the Platform Security Processor (PSP), which is an ARM core that handles processor start-up and many security features of modern AMD processors. The vulnerability announced this week is related to the encryption scheme used. The full vulnerability is math heavy, and really grokking it requires a deeper understanding of elliptical curve cryptography (ECC) than your humble author currently possesses.

During the process of starting a virtual machine, the VM process goes through a key-sharing process with the PSP, using an ECC Diffie-Hellman key exchange. Rather than raising prime numbers to prime exponents, an ECC-DH process bounces around inside an elliptical curve in order to find a shared secret. One of the harder problems to solve when designing an ECC based cryptographic system, is the design of the curve itself. One solution to this problem is to use a published curve that is known to be good. AMD has taken this route in their SEV feature.

The attack is to prime the key exchange with invalid data, and observing the shared key that is generated. A suitably simple initial value will leak information about the PSP’s secret key, allowing an attacker to eventually deduce that key and decrypt the protected memory. If you’d like to bone up on invalid curve attacks, here’s the seminal paper. (PDF)

OpenSSH Shielding

[Damien Miller] of OpenSSH was apparently tired of seeing that project tied to vulnerabilities like Rambleed and Rowhammer, so added a technique he’s calling key-shielding. OpenSSH now encrypts private keys in memory using a 16 kB pre-key. While an attacker with full knowledge of the process’s memory wouldn’t be deterred, the error rate of Rambleed and similar attacks is high enough that the 16 kB of randomness is likely to thwart the attempt to recover the secret key.

Firefox and Coinbase

We mentioned Firefox vulnerabilities and updates last week, and as anticipated, more information is available. [Philip Martin] from Coinbase shared more information on Twitter. Coinbase employees, as well as other cryptocurrency companies, were targeted with fishing emails. These lured employees to a malicious page that attempted to exploit a pair of Firefox vulnerabilities. Coinbase has a security system in place that was able to prevent the exploit, and their security team was able to reverse engineer the attack.

The first vulnerability has been dissected in some detail by a Google security researcher. It’s a weakness in Firefox’s Javascript engine related to type handling. An object is created with one data type, and when that data is changed to another type, not all the data handlers are appropriately updated. Under the hood, a value is assumed to be a pointer, but is actually a double-length value, controlled by the attacker.

The second vulnerability is in the functions used to prompt for user interaction. Specifically the call to “Prompt:Open” isn’t properly validated, and can result in the un-sandboxed Firefox process loading an arbitrary web location. I suspect the sandbox escape is used to run the initial exploit a second time, but this time it’s running outside the sandbox.

Odds and Ends

[Tom] wrote a great intro into how to Impersonate The President With Consumer-Grade SDR, go check it out!

Another city, more ransomware. Riviera Beach, Florida was hit with a ransomware attack, and paid $600,000 in an attempt to get their data back. For a city of 35,000 inhabitants, that’s $17.14 in ransom per man, woman, and child. According to the linked article, though, the city was insured.

This Week In Security: SACK Of Death, Rambleed, HIBP For Sale, And Oracle Weblogic — Again!

June 21, 2019 by 12 Comments

Netflix isn’t the first name to come to mind when considering security research firms, but they make heavy use of FreeBSD in their content delivery system and do security research as a result. Their first security bulletin of the year, not surprisingly, covers a FreeBSD vulnerability that happens to also affect Linux kernels from the last 10 years. This vulnerability uses SACKs and odd MSS values to crash a server kernel.

To understand Selective ACKs, we need to step back and look at how TCP connections work. TCP connections provide guaranteed delivery, implemented in the from of ACKnowledgement (ACK) packets. We think of a TCP connection as having a dedicated ACK packet for every data packet. In reality, the Operating System makes great effort to avoid sending “naked” ACK packets, and combines multiple ACKs in a single packet. An ACK is simply a flag in a packet header combined with a running total of bytes received, and can be included in a normal data packet. As much as is possible, the ACK for data received is sent along with data packets flowing in the opposite direction. Continue reading “This Week In Security: SACK Of Death, Rambleed, HIBP For Sale, And Oracle Weblogic — Again!”

This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist

June 14, 2019 by 5 Comments

It looks like Al was right, we should all be using Emacs. On the 4th of June, [Armin Razmjou] announced a flaw in Vim that allowed a malicious text file to trigger arbitrary code execution. It’s not every day we come across a malicious text file, and the proof of concept makes use of a clever technique — escape sequences hide the actual payload. Printing the file with cat returns “Nothing here.” Cat has a “-v” flag, and that flag spills the secrets of our malicious text file. For simplicity, we’ll look at the PoC that doesn’t include the control characters. The vulnerability is Vim’s modeline function. This is the ability to include editor options in a text file. If a text file only works with 80 character columns, a modeline might set “textwidth=80”. Modeline already makes use of a sandbox to prevent the most obvious exploits, but [Armin] realized that the “:source!” command could run the contents of a file outside that sandbox. “:source! %” runs the contents of the current file — the malicious text file.

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Taking this apart one element at a time, the “:!” is the normal mode command to run something in the shell, so the rest of the line is what gets run. “uname -a” is the arbitrary command, benign in this case. Up next is the OR operator, “||” which fully evaluates the first term first, and only evaluates what comes after the operator if the first term returns false. In this case, it’s a simple way to get the payload to run even though the rest of the line is garbage, as far as bash is concerned. “vi:” informs Vim that we have a modeline string. “:fen” enables folding, and “:fdm=expr” sets the folding method to use an expression. This feature is usually used to automatically hide lines matching a regular expression. “:fde=” is the command to set the folding expression. Here’s the exploit, the folding expression can be a function like “execute()” or “assert_fails()”, which allows calling the :source! command. This pops execution out of the sandbox, and begins executing the text file inside vim, just as if a user were typing it in from the keyboard. Continue reading “This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist”

Shorting Pins On A Raspberry Pi Is A Bad Idea; PMIC Failures Under Investigation

June 12, 2019 by 134 Comments

You may have noticed, we’re fans of the Raspberry Pi here at Hackaday. Hardly a day goes by that we don’t feature a hack that uses a Pi somewhere in the build. As useful as the Pis are, they aren’t entirely without fault. We’ve talked about the problems with the PoE hat, and multiple articles about keeping SD cards alive. But a new failure mode has popped that is sometimes, but not always, caused by shorting the two power rails on the board.

The Pi 3 B+ has a new PMIC (Power Management Integrated Circuit) made by MaxLinear. This chip, the MxL7704, is a big part of how the Raspberry Pi foundation managed to make the upgrades to the Pi 3 without raising the price over $35.

A quick look at the Raspberry Pi forum shows that some users have been experiencing a specific problem with their new Raspberry Pi 3 B+ units, where the power LED will illuminate but the unit will not boot. The giveaway is zero voltage on the 3v3 pin. It’s a common enough problem that it’s even mentioned in the official boot problems thread.

Make sure the probe you are measuring with does not slip, and simultaneously touches any of the other GPIO pins, as that might instantly destroy your PI, especially shorting the 3V3 pin to the 5V pin will prove to be fatal.

Continue reading “Shorting Pins On A Raspberry Pi Is A Bad Idea; PMIC Failures Under Investigation”

This Week In Security: Nvidia, Ransomware Retirement, And A TOCTOU Bug In Docker

June 7, 2019 by 2 Comments

Nvidia’s GeForce Experience (GFE) is the companion application for the Nvidia drivers, keeping said drivers up to date, as well as adding features around live streaming and media capture. The application runs as two parts, a GUI, and a system service, using an HTTP API to communicate. [David Yesland] from Rhino Security Labs decided to look into this API, searching for interesting, undocumented behavior, and shared the results on Sunday the 2nd.

The first interesting finding was that the service was written in Javascript and run using Node.js. Javascript is a scripting language, not a compiled language — the source code of the service was open for studying. This led to the revelation that API requests would be accepted from any origin, so long as the request included the proper security token. The application includes an update mechanism, which allows an authorized API call to execute an arbitrary system command. So long as the authentication token isn’t leaked to an attacker, this still isn’t a problem, right? Continue reading “This Week In Security: Nvidia, Ransomware Retirement, And A TOCTOU Bug In Docker”

Doom On The NES

June 6, 2019 by 20 Comments

“But can it run Doom?” is perhaps the final test of hacking a platform. From calculators to thermostats, we’ve seen Doom shoehorned into a lot of different pieces of hardware. Many times we’re left scratching our heads at the mashup, and this is no exception.

[TheRasteri] wasn’t satisfied with the existing ports of Doom, so he decided to bring the classic game to a classic console, the NES. In the video embedded after the break, he helpfully points out the system requirements for running Doom, and compares them with the specifications of the NES. Spoilers: not nearly enough.

How did he manage the feat? Taking inspiration from Nintendo’s own SuperFX chip, he embedded a co-processor in the cartridge, and fed the video stream from the cartridge back into the NES. It might not be fair to call it a co-processor, since it’s a Raspberry Pi with thousands of times the processing power of the 6502 that powers the NES. The idea might seem familiar, and in fact it was partially inspired by [Tom7]’s similar hack last year.

Using a Cypress USB controller to feed the graphics bus, [TheRasteri] is able to run Doom on the Raspberry Pi, take the visuals from the game, and convert them into blocks of graphics the NES expects to load from the cartridge. The best trick is that he apparently managed to squeeze everything into a normal NES cartridge. He plans to release a build video on his channel, so keep an eye out.

Meanwhile, don’t forget to take a look at those calculators and thermostats we mentioned.

Continue reading “Doom On The NES”