Author: Jonathan Bennett

533 Articles

This Week In Security: Not A Vulnerability, BGP Bug Propogation, And Press Enter To Hack

September 1, 2023 by 6 Comments

Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which released in February of 2020, and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t seem to enable code execution, but does cause a denial of service situation. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Linux signals, that might sound odd. See, the SIGHUP signal technically indicates the end of a user session, but most daemons use it to indicate a restart or reload request. And to send this signal, a user has to have elevated privileges — elevated enough to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl — This one is just bizarre. The issue is a integer overflow in the --retry-delay argument, which specifies in seconds how often curl should retry a failing download. The value is multiplied by 1000 to convert to milliseconds, resulting in an overflow for very large values. The result of that overflow? A smaller value for the retry delay.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned this a 9.8. There’s no way you can squint at this bug hard enough to legitimately rank it that severe. At the time of writing, the NVD lists this as “UNDERGOING REANALYSIS”.
Continue reading “This Week In Security: Not A Vulnerability, BGP Bug Propogation, And Press Enter To Hack”

This Week In Security: WinRAR, DNS Disco, And No Silver Bullets

August 25, 2023 by 1 Comment

So what does WinRAR, day trading, and Visual Basic have in common? If you guessed “elaborate malware campaign aimed at investment brokers”, then you win the Internet for the day. This work comes from Group-IB, another cybersecurity company with a research team. They were researching a malware known as DarkMe, and found an attack on WinRAR being used in the wild, using malicious ZIP files being spread on a series of web forums for traders.

Among the interesting tidbits of the story, apparently at least one of those forums locked down the users spreading the malicious files, and they promptly broke into the forum’s back-end and unlocked their accounts. The vulnerability itself is interesting, too. A rigged zip file is created with identically named image file and folder containing a script. The user tries to open the image, but because the zip is malformed, the WinRAR function gets confused and opens the script instead.

Based on a user’s story from one of those forums, it appears that the end goal was to break into the brokers’ trading accounts, and funnel money into attacker accounts. The one documented case only lost $2 worth of dogecoin.

There was one more vulnerability found in WinRAR, an issue when processing malicious recovery volumes. This can lead to code execution due to a memory access error. Both issues were fixed with release 6.23, so if you still have a WinRAR install kicking around, make sure it’s up to date! Continue reading “This Week In Security: WinRAR, DNS Disco, And No Silver Bullets”

This Week In Security: TunnelCrack, Mutant, And Not Discord

August 18, 2023 by 10 Comments

Up first is a clever attack against VPNs, using some clever DNS and routing tricks. The technique is known as TunnelCrack (PDF), and every VPN tested was vulnerable to one of the two attacks, on at least one supported platform.
Continue reading “This Week In Security: TunnelCrack, Mutant, And Not Discord”

Thin Client Wysens Up To Become OpenWrt Router

August 14, 2023 by 27 Comments

For some of us, unused hardware lying around just calls to be used. It seems like [Miles Goodhew] heard the call, and wanted to put a Dell Wyse 3040 thin client to use — in this case as a wireless router. It seems simple enough. OpenWrt supports x64_64 targets, and the thin client has 2G of ram and 8G of flash. It should make for a very capable router.

And before you tell us that it’s just another computer, and that installing OpenWrt on a miniature x86 machine isn’t a hack, note that there were some speedbumps along the way. First off, the motherboard has integrated storage, with the not-very-useful ThinLinux installed, and the system BIOS locked down to prevent reinstall. There is a BIOS clear button on the system’s diminutive motherboard. With the BIOS lock out of the way, a real Linux system can be installed on the small 8 GB mmcblk device.

The next issue the the CPU. It’s an Intel Atom x5 z-series. OpenWrt won’t actually boot on that oddball, not-quite- processor, so [Miles] opted to install Fedora and test via virtualization instead. If that statement makes you do a double-take, you’re not alone. The initial explanation sounded like the mobile-centric processor was missing instructions to make OpenWrt run, but virtualization doesn’t add any instructions for a guest to use. It turns out, the problem is a missing serial port that OpenWrt uses as a debugging output by default.

After a custom OpenWrt compile, the device comes up just as you’d expect, and while it would be underpowered as a desktop, OpenWrt runs happily shuffling bits from Ethernet to wireless adapter at respectable speeds. As [Miles] points out, there’s nothing ground-breaking here, but it’s nice to have the details on re-using these machines compiled in one place. And if you too love the idea of putting OpenWrt in places where nobody intended, we’ve got you covered.

This Week In Security: It’s Con Season

August 11, 2023 by 8 Comments

It must be Blackhat/DEFCON season. Up first in the storm of named vulnerabilities, we have Downfall. The PDF has the juicy details here. It’s quite similar to the Zenbleed issue from last week, in that it abuses speculative execution to leak data via a hidden register. Unlike Zenbleed, this isn’t direct access, but using cache timing analysis to extract individual bytes using a FLUSH+RELOAD approach.

The key to the vulnerability is the gather instruction, which pulls data from multiple locations in memory, often used to run a followup instruction on multiple bytes of data at once. The gather instruction is complex, takes multiple clock cycles to execute, and uses several tricks to execute faster, including managing buffers to avoid multiple reads. In certain cases, that instruction can be interrupted before it completes, leaving the data in the cache. And this data can be speculatively accessed and the values leaked through timing analysis.

This flaw affects 6th generation Intel Core processors through 11th. Mitigations are already rolling out via a microcode update, but do carry a performance hit for gather instructions. Continue reading “This Week In Security: It’s Con Season”

Pedal Car Vs Ministry Of Transport

August 9, 2023 by 49 Comments

[Tim] from the “Way Out West” Youtube channels has started a fun project — building a wooden pedal-car heavily inspired by “Bugsy Malone”. The kids-sized gangsters in that movie got around in kid-sized pedal cars. Apparently kid-sized [Tim] just loved the idea, but just didn’t have the skills or tools to try to build one. But the time has come, and he has spent years putting together a workshop, tools, and skills.

The goal is a 4-wheeled vehicle that can actually be enclosed, to keep the driver out of the rain. It would be petal powered, with an optional electric assist. It should be made of simple materials, like plywood and epoxy. The design would be freely shared, and the overall cost hopefully kept low. Come back after the link to find the rest of the story, including the monkey wrench thrown into the works.
Continue reading “Pedal Car Vs Ministry Of Transport”

Hackaday Prize 2023: LoShark, The Radio Debugger For LoRa

August 6, 2023 by 24 Comments

LoRa, the Long Range wireless protocol is pretty great for trickling data across long distances. There are some great embedded devices based around STM32, NRF52, and ESP32 microcontrollers. What’s been missing for quite a while is a device that allows for full access to a LoRa radio from a more capable CPU. The wait may be over, as there’s now the LoShark. It’s a USB key form factor, with a MIPS processor running a real Linux kernel. Cool!

The way debugging works is interesting, too. The team at SudoMaker is working on their Resonance runtime, which allows interacting with the onboard sx126x radio chip using JavaScript code. That chip can both send and receive, so this device should be capable of more than just capturing traffic. And if JavaScript isn’t your thing, the Linux system on the device means you can knock yourself out with C or C++ code. Who knows, we may even see Meshtastic running on this thing some day.

If this gets you excited, it’s already available for order for a reasonable $59.99. The LoShark ships in 433, 868, and 915 megahertz versions. It’s a really slick looking device, and maybe worth your time to check out. Enjoy!

The HackadayPrize 2023 is Sponsored by: