Author: Jonathan Bennett

533 Articles

This Week In Security: Gitlab, VMware, And PixeFAIL

January 19, 2024 by 3 Comments

There’s a Gitlab vulnerability that you should probably pay attention to. Tracked as CVE-2023-7028, this issue allows an attacker to specify a secondary email during a the password reset request. Only one email has to match the one on record, but the password reset link gets sent to both emails. Yikes!

What makes this worse is there is already a Proof of Concept (PoC) released, and it’s a trivial flaw. In an HTTP/S post containing the password reset request, just include two email addresses. Thankfully, a fix is already out. Versions 16.7.2, 16.6.4, and 16.5.6 contain this patch, as well as fixes for a flaw that allowed sneaking unauthorized changes into a previously approved merge request, and an issue with Slack and Mattermost where slash commands could be spoofed.

VMware

We don’t want to over-dramatise this vulnerability, but VMware is calling it an emergency. This one affects VMware vRealize and Aria Automation. According to the the CVSS calculator, it’s a low complexity network flaw, but does require at least some privileges. Hopefully more information will come out about this vulnerability, but for now that’s about all we know.

Continue reading “This Week In Security: Gitlab, VMware, And PixeFAIL”

FLOSS Weekly Episode 766: WebRTC — The Hack That Connects Everyone To Everything

January 17, 2024 by 7 Comments

This week Jonathan Bennett and Dan Lynch talk with Sean DuBois, WebRTC wizard, all about the crazy feats the Pion Go server is capable of, how WebRTC is about to change OBS, and what it looks like to build a successful Open Source Career.

WebRTC is for more than video. The TOR Snowflake project uses Pion to sneak TOR traffic through firewalls even with Deep Packet Inspection (DPI) at play. Since nobody wants to block web conferencing, TOR and even Wireguard can use this to slip though.

Sean is also working on some game-changing patches for OBS Studio, including WHEP support to go along with the newly introduced WHIP feature. This enables direct connections to another OBS client, as well as connection to another WebRTC client like vdo.ninja without running an embedded browser to make it work.

And then there’s WebRTC For The Curious, a free CC0 e-book all about the nuts and bolts of WebRTC. And Broadcast Box, a ready-to-run WebRTC one-to-many broadcasting solution that lets you run your own streaming service. You can connect with Sean at the Real-time Broadcast Discord server for information about all of the projects listed here and more!

Continue reading “FLOSS Weekly Episode 766: WebRTC — The Hack That Connects Everyone To Everything”

This Week In Security: AI Is Terrible, Ransomware Wrenches, And Airdrop

January 12, 2024 by 8 Comments

So first off, go take a look at this curl bug report. It’s a 8.6 severity security problem, a buffer overflow in websockets. Potentially a really bad one. But, it’s bogus. Yes, a strcpy call can be dangerous, if there aren’t proper length checks. This code has pretty robust length checks. There just doesn’t seem to be a vulnerability here.

OK, so let’s jump to the punch line. This is a bug report that was generated with one of the Large Language Models (LLMs) like Google Bard or ChatGPT. And it shouldn’t be a surprise. There are some big bug bounties that are paid out, so naturally people are trying to leverage AI to score those bounties. But as [Daniel Stenberg] point out, LLMs are not actually AI, and the I in LLM stands for intelligence.

There have always been vulnerability reports of dubious quality, sent by people that either don’t understand how vulnerability research works, or are willing to waste maintainer time by sending in raw vulnerability scanner output without putting in any real effort. What LLMs do is provide an illusion of competence that takes longer for a maintainer to wade through before realizing that the claim is bogus. [Daniel] is more charitable than I might be, suggesting that LLMs may help with communicating real issues through language barriers. But still, this suggests that the long term solution may be “simply” detecting LLM-generated reports, and marking them as spam. Continue reading “This Week In Security: AI Is Terrible, Ransomware Wrenches, And Airdrop”

FLOSS Weekly Episode 765: That Ship Sailed… And Sank

January 9, 2024 by 5 Comments

This week Jonathan Bennett and Aaron Newcomb talk with Randal Schwartz, the longest running host of FLOSS Weekly, Perl’s biggest cheerleader, and now Dart and Flutter expert. What’s new with Randal since his last FLOSS Weekly episode in May 2020? Why should you look at Dart and Flutter? And how do you avoid becoming a security martyr?

Randal has been busy since handing over the reigns of FLOSS Weekly, adding to his Perl credentials a solid claim to being a Dart Flutter expert. The Dart language has some real appeal, taking the best features from JIT languages like JavaScript, and also offering binary compilation like a real systems language should. Then the Flutter framework lets you write your code once, and literally run it on any screen. Sure, there have been some growing pains along the way, and listen to the episode to hear Randal describe the “45-degree turns” the language/framework duo has taken through the years.

Then as almost a bonus at the end of the episode, Randal quickly covered his now-expunged conviction for “doing his job with too much enthusiasm”, and covered some basic pointers to keep other security researchers out of trouble. This week is a nostalgia trip for long-time listeners, as well as a real treat for everyone else.

Continue reading “FLOSS Weekly Episode 765: That Ship Sailed… And Sank”

This Week In Security: Bitwarden, Reverse RDP, And Snake

January 5, 2024 by 10 Comments

This week, we finally get the inside scoops on some old stories, starting with the Bitwarden Windows Hello problem from last year. You may remember, Bitwarden has an option to use Windows Hello as a vault unlock option. Unfortunately, the Windows credential API doesn’t actually encrypt credentials in a way that requires an additional Windows Hello verification to unlock. So a derived key gets stored to the credential manager, and can be retrieved through a simple API call. No additional biometrics needed. Even with the Bitwarden vault locked and application closed.

There’s another danger, that doesn’t even require access to the the logged-in machine. On a machine that is joined to a domain, Windows backs up those encryption keys to the Domain Controller. The encrypted vault itself is available on a domain machine over SMB by default. A compromised domain controller could snag a bitwarden vault without ever even running code on the target machine. The good news is that this particular problem with Bitwarden and Windows Hello is now fixed, and has been since version 2023.10.1.

Reverse RDP Exploitation

We normally think about the Remote Desktop Protocol as dangerous to expose to the internet. And it is. Don’t put your RDP service online. But reverse RDP is the idea that it might also be dangerous to connect an RDP client to a malicious server. And of course, multiple RDP implementations have this problem. There’s rdesktop, FreeRDP, and Microsoft’s own mstsc that all have vulnerabilities relating to reverse RDP.

The technical details here aren’t terribly interesting. It’s all variations on the theme of not properly checking remote data from the server, and hence either reading or writing past internal buffers. This results in various forms of information leaks and code executions problems. What’s interesting is the different responses to the findings, and then [Eyal Itkin]’s takeaway about how security researchers should approach vulnerability disclosure.

So first up, Microsoft dismissed a vulnerability as unworthy of servicing. And then proceeded to research it internally, and present it as a novel attack without properly attributing [Eyal] for the original find. rdesktop contained quite a few of these issues, but were able to fix the problem in a handful of months. FreeRDP fixed some issues right away, in what could be described as a whack-a-mole style process, but a patch was cooked up that would actually address the problem at a deeper level: changing an API value from the unsigned size_t to a signed ssize_t. That change took a whopping 2 years to actually make it out to the world in a release. Why so long? Continue reading “This Week In Security: Bitwarden, Reverse RDP, And Snake”

FLOSS Weekly Episode 764: You Have To Be Pretty Cynical

January 3, 2024 by 8 Comments

This week Jonathan Bennett and Katherine Druckman talk with benny Vasquez, chair of AlmaLinux, all about the weird road we’ve been on with Enterprise Linux distributions, and how that’s landed us here, where we have AlmaLinux, Rocky Linux, and multiple other Red Hat downstream distros. What’s the difference between those projects, and why does it matter?

Projects need more than just developers. How do you keep members doing documentation, bug hunting, outreach, and even graphic design plugged in and feeling like part of the team? How do you walk the narrow line between the different directions a project can drift, setting up your community for long term success? And where’s the most surprising place benny has found AlmaLinux running? And why is benny’s first name never capitalized? Give this week’s show a listen to find out!

Continue reading “FLOSS Weekly Episode 764: You Have To Be Pretty Cynical”

This Week In Security: Triangulation, ProxyCommand, And Barracuda

December 29, 2023 by 6 Comments

It’s not every day we get to take a good look inside a high-level exploit chain developed by an unnamed APT from the western world. But thanks to some particularly dedicated researchers at Kaspersky, which just happens to be headquartered in Moscow, that’s exactly what we have today. The name Operation Triangulation was picked, based off part of the device fingerprinting code that rendered a yellow triangle on an HTML canvas.

The entire talk is available, given this week at the 37th Chaos Communication Congress, 37c3. The exploit starts with an iMessage attachment, delivered silently, that exploits an undocumented TrueType font instruction. Looking at the source code implies that it was a copy-paste error where a programmer didn’t quite get the logic right for a pointer calculation. That vulnerability gives a memory write primitive that pivots into code execution. What’s particularly interesting is that Apple silently fixed this bug January 2023, and didn’t make any public statements. Presumably there were an uptick of crash logs that pointed to this problem, but didn’t conclusively show attempted exploitation.

The exploits then moves to using NSExpression as a next stage. NSExpression is an ugly way to write code, but it does allow the exploit chain to get to the next stage, running JavaScript as an application, without Just In Time compilation. The JS payload is quite a beast, weighing in at 11,000 lines of obfuscated code. It manages to call native APIs directly from JS, which then sets up a kernel exploit. This is multiple integer overflow flaws that result in essentially arbitrary system memory reads and writes. Continue reading “This Week In Security: Triangulation, ProxyCommand, And Barracuda”