Author: Jonathan Bennett

523 Articles

This Week In Security: Barracuda, Zyxel, And The Backdoor

June 2, 2023 by 12 Comments

Barracuda’s Email Security Gateway (ESG) has had a vulnerability in it for years. Tracked as CVE-2023-2868, this one was introduced back in version 5.1.3.001, and only got patched during the 9.2 development cycle. Specific build information on patched firmware has not been made available, but a firmware build containing the patch was deployed on May 20.

The flaw was a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and the file names could trigger the qx operator in a Perl script. It’s a nasty one, ranking a 9.4 on the CVSS scale. But the really bad news is that Barracuda found the vulnerability in the wild, and they have found evidence of exploitation as far back as October 2022.

There have been three malware modules identified on the compromised appliances. SALTWATER is a backdoor trojan, with the ability to transfer files, execute commands, and host network tunnels. SEASPY is a stealthier module, that looks like a legitimate service, and uses PCAP to monitor traffic and receive commands. And SEASIDE is a Lua module for the Barracuda SMTP monitor, and it exists to host a reverse shell on command. Indicators of Compromise (IOCs) have been published, and Barracuda recommends the unplug-and-remove approach to cleaning up an infection. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of problems that could be leveraged together to lead to a complete device takeover. The most serious problem is a hard coded credential, that allows authentication bypass for the web-API. Then the second issue is a command-line escape, where an attacker with access to the device’s Command Line Interface (CLI) can break out and run arbitrary commands. Continue reading “This Week In Security: Barracuda, Zyxel, And The Backdoor”

Books You Should Read: Red Team Blues

June 1, 2023 by 12 Comments

Martin Hench really likes playing on the Red Team — being on the attack. He’s a financial geek, understands cryptocurrency, understands how money is moved around to keep it hidden, and is really good at mining data from social media. He puts those skills together as a forensic accountant. Put simply, Martin finds money that people want hidden. Against his better judgment, Marty does the job of a lifetime, and makes an absolute mint. But that job had hair, and he’s got to live through the aftermath. It turns out, that might just be a challenge, as three separate groups want a piece of him.

Red Team Blues, a work of fiction by [Cory Doctorow] about cryptocurrency, trust, finance, and society as a whole. When [Doctorow] offered to send us a copy to review, we jumped at the chance, and can give it a hearty recommendation as a fun and thoughtful tale. The moral seems to be that while everyone plays the sordid finance game, the government should really work harder to disentangle the mess, but maybe we would do better if more people opted for integrity. There is also a real point to be made about the dark side of cryptocurrency, in that it enables crime, ransomware, and money laundering on a global scale. For all the pluses for privacy and anonymity, there’s some real downsides. The characters spend most of the book wrestling with that dichotomy in the background.

The book took something of a moralizing turn just over halfway through. Which, depending on your viewpoint, you’ll either really appreciate, or have to hold your nose a bit to get through. But the suspense pulls the reader through it, making for an overall enjoyable read. As an added bonus, you might end up with a better mental image of how the pieces of digital privacy, finance, and the real world all fit together.

The book has all the fun references to Tor, Signal, Bitcoin, and computer history you could want. And the central MacGuffin is an interesting one: a cryptocurrency that runs on proof-of-secure-enclave, eliminating the ridiculous power consumption of proof-of-work schemes. All of this with some rich Silicon Valley lore setting up the background. Our conclusion? Two wrenches up.

This Week In Security: Gitlab, KeyPassMini, And Horse

May 26, 2023 by 6 Comments

There’s a really nasty CVSS 10.0 severity vulnerability in Gitlab 16.0.0. The good news is that this is the only vulnerable version, and the fix came a mere two days after the vulnerable release. If you happened to be very quick to go to 16.0.0, then be very quick to get the fix, because CVE-2023-2825 looks like a bad one.

An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

That’s a very specific set of requirements for vulnerability, so it seems like hardly any installs would be vulnerable. The rest of the story is that regular users can create groups, and many installs allow for open user registration. So if you’re running Gitlab 16.0.0, update now!

KeyPassMini

A Redditor got a surprising notice that someone attempted to access a bank account, but failed two-factor authentication. That seemed odd, and led the Redditor down the rabbithole of auditing applications. And one iOS app in particular stood out as maybe problematic — KeyPassMini.

The app was a mobile client for KeyPass, the password manager. The problem was some analytics. It looks like KeyPassMini was bundling up some system information and uploading it to a server controlled by the creator. Analytics are often unpopular, but this app was including the system clipboard contents in the uploaded data. Yikes! And it gets worse: The app does password fills by using that same clipboard, so some of the protected passwords may have been scooped up into that analytics data. And sent unencrypted. Oof.

Now, the app author has pulled the plug on the app altogether, and responded on the old Github project page. It’s a bit odd, but it’s perfectly believable that there were no ill intentions here. Regardless, code to send the clipboard is a big problem, and definitely undoes a lot of trust in a project.

And KeyPass itself has a problem, though much less worrying. KeyPass attempts to keep sensitive data out of its own memory when possible. This approach aims to protect even in the event of a compromised machine. [vdohney] on Sourceforge discovered that there is a channel to recover the master password, by being just a bit clever. When a user types in the master password, by default, KeyPass will show the last letter typed, and replace the previous letters with bullets. But each iteration of that string ends up in program memory, so a privileged attacker can get a memory dump, look for the bullet characters, and find a set of leftover strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It’s an easy password grab. Now remember, this essentially implies an attacker has memory access on your system, so it’s not a gaping weakness in KeyPass.

As you can see from the POC on GitHub, the problem is that a .NET text box keeps the strings in memory, so it probably hits both Windows and Linux users under Mono. The proposed solution that the KeyPass team is taking is to poison the well with enough random characters that retrieving the correct password is a lot harder. It’s still getting fixed in the next release.

Horse Shell for MIPS Routers

Checkpoint Research brings us news of the Horse Shell, a bit of malware specifically for MIPS architecture routers running Linux. It’s been found in TP-Link firmware images so far, but as so many of those routers are essentially based on the same Linux SDK, the malware appears to be applicable to many models. The exact firmware images being examined were found in a collection of tools used by Camaro Dragon, a rather catchy name for a Chinese APT group.

The firmware images have some of the normal bits you would expect, like data collection, remote shell, and remote proxy support. They have some really sneaky tricks, too, like storing part of the data on the partition reserved for WiFi calibration data. One has to wonder if hijacking that partition negatively affects the router’s wireless performance. In the firmware images examined, the quickest tell is to go to the firmware upgrade page. If it’s blank, without a form to upload new firmware, you may have the malicious image.

WordPress

WordPress 6.2.1 has a security fix, that is then improved upon in 6.2.2, where block themes could parse user-generated shortcodes. A shortcode is tags inside [brackets], that gets replaced by more complicated data. We use a code shortcode all the time here on Hackaday, to try to get source code to render nicely, angle brackets and all.

It turns out, the fix in 6.2.1 went a little overboard, breaking quite a few sites by disabling shortcodes in block themes altogether. The situation in 6.2.2 is a bit better, with most of the problems being dealt with. Sometimes it’s hard to tell the bugs and the features apart.

And a WordPress plugin, Beautiful Cookie Consent Banner, is under active attack for a Cross-Site Scripting vulnerability. The attack is odd, as WordPress.org shows just 40,000 active installs, and almost 1.5 million sites have been sent the malicious payload to try to exploit the plugin. And the kicker? It looks like the payload on this attack is a dud, and fails to actually infect a vulnerable site. It can still goober a vulnerable site, so make sure to check your plugins.

Bits and Bytes

Speaking of plugins, be careful what VScode plugins you use. They’re not all friendly. Microsoft has been working to keep malicious plugins off the official marketplace, but that arms race never seems to have an end. And as such, there were a couple known malicious plugins with nearly 50,000 installs.

For some in-depth fun, check out this PDF paper on Android Fingerprint Reader attacks. It seems simple, right? Take a screenshot of a finger, compare it to a known data set, and lock the phone if the test fails too many times. It is, of course, not quite that simple. Researchers formulated two loopholes, Cancel-After-Match-Fail and Match-After-Lock, both of which abuse user-friendly features to manage way more attempts at a fingerprint read. Read the paper for the juicy details.

And finally, Troy Hunt had some fun at the expense of a scammer. Troy’s wife was selling a fridge on Gumtree, and they decided to play along with a suspicious “buyer”. Turns out, it’s the old agent fee scam. I’ll give you the money you asked for, plus $800 to cover the fee. Can you forward that extra money on? But of course, the Paypal confirmation message was faked, and there was no money paid. Troy managed to get an impressive bit of information, including that the scam is actually being run out of, you guessed it, Nigeria. Shipping would be a pain. ><

This Week In Security: .zip Domains, Zip Scanning

May 19, 2023 by 17 Comments

The world may not be ready, but the .zip Top Level Domain (TLD) is here. It’s a part of the generic TLD category, which was expanded to allow applications for custom TLDs. Google has led the charge, applying for 101 such new TLDs, with .zip being one of the interesting ones. Public registration for .zip domains has been open for a couple weeks, and some interesting domains have been registered, like update.zip, installer.zip, and officeupdate.zip.

The obvious question to ask is whether this new TLD can be abused for scamming and phishing purposes. And the answer is yes, sure it can. One of the trickiest ways is to use the AT symbol @ in a URL, which denotes user info at the beginning of the URL. It usually is used to include a username and password, like http://username:password@192.168.1.1/. That is pretty obvious, but what about https://google.com@bing.com? Still looks weird. The catch that really prevents this technique being abused is that slashes are disallowed in user data, so a abusive URL like https://google.com∕gmail∕inbox@bing.com is right out.

Except, take a look at that last link. Looks like it has slashes in it, so it should take you to google, and ignore the AT symbol. But it doesn’t, it goes to Bing. You may have guessed, it’s Unicode shenanigans again. Those aren’t slashes, they’re U2215, the division slash. And that means that a .zip TLD could be really sneaky, if the apparent domain is one you trust. Continue reading “This Week In Security: .zip Domains, Zip Scanning”

This Week In Security: TPM And BootGuard, Drones, And Coverups

May 12, 2023 by 17 Comments

Full disk encryption is the go-to solution for hardening a laptop against the worst-case scenario of physical access. One way that encryption can be managed is through a Trusted Platform Module (TPM), a chip on the motherboard that manages the disk encryption key, and only hands it over for boot after the user has authenticated. We’ve seen some clever tricks deployed against these discrete TPMs, like sniffing the data going over the physical traces. So in theory, an integrated TPM might be more secure. Such a technique does exist, going by the name fTPM, or firmware TPM. It uses a Trusted Execution Environment, a TEE, to store and run the TPM code. And there’s another clever attack against that concept (PDF).

It’s chip glitching via a voltage fault. This particular attack works against AMD processors, and the voltage fault is triggered by injecting commands into the Serial Voltage Identification Interface 2.0 (SVI2). Dropping the voltage momentarily to the AMD Secure Processor (AMD-SP) can cause a key verification step to succeed even against an untrusted key, bypassing the need for an AMD Root Key (ARK) signed board firmware. That’s not a simple process, and pulling it off takes about $200 of gear, and about 3 hours. This exposes the CPU-unique seed, the board NVRAM, and all the protected TPM objects.

So how bad is this in the real world? If your disk encryption only relies on an fTPM, it’s pretty bad. The attack exposes that key and breaks encryption. For something like BitLocker that can also use a PIN, it’s a bit better, though to really offer more resistance, that needs to be a really long PIN: a 10 digit PIN falls to a GPU in just 4 minutes, in this scenario where it can be attacked offline. There is an obscure way to enable an “enhanced PIN”, a password, which makes that offline attack impractical with a secure password.

And if hardware glitching a computer seems to complicated, why not just use the leaked MSI keys? Now to be fair, this only seems to allow a bypass of Intel’s BootGuard, but it’s still a blow. MSI suffered a ransomware-style breach in March, but rather than encrypt data, the attackers simply threatened to release the copied data to the world. MSI apparently refused to pay up, and source code and signing keys are now floating in the dark corners of the Internet. There have been suggestions that this leak impacts the entire line of Intel processors, but it seems likely that MSI only had their own signing keys to lose. But that’s plenty bad, given the lack of a revocation system or automatic update procedure for MSI firmware. Continue reading “This Week In Security: TPM And BootGuard, Drones, And Coverups”

This Week In Security: Oracle Opera, Passkeys, And AirTag RFC

May 5, 2023 by 10 Comments

There’s a problem with Opera. No, not that kind of opera. The Oracle kind. Oracle OPERA is a Property Management Solution (PMS) that is in use in a bunch of big-name hotels around the world. The PMS is the system that handles reservations and check-ins, talks to the phone system to put room extensions in the proper state, and generally runs the back-end of the property. It’s old code, and handles a bunch of tasks. And researchers at Assetnote found a serious vulnerability. CVE-2023-21932 is an arbitrary file upload issue, and rates at least a 7.2 CVSS.

It’s a tricky one, where the code does all the right things, but gets the steps out of order. Two parameters, jndiname and username are encrypted for transport, and the sanitization step happens before decryption. The username parameter receives no further sanitization, and is vulnerable to path traversal injection. There are two restrictions to exploitation. The string encryption has to be valid, and the request has to include a valid Java Naming and Directory Interface (JNDI) name. It looks like these are the issues leading Oracle to consider this flaw “difficult to exploit vulnerability allows high privileged attacker…”.

The only problem is that the encryption key is global and static. It was pretty straightforward to reverse engineer the encryption routine. And JDNI strings can be fetched anonymously from a trio of endpoints. This lead Assetnote to conclude that Oracle’s understanding of the flaw is faulty, and a much higher CVSS score is appropriate. Particularly with this Proof of Concept code, it is relatively straightforward to upload a web shell to an Opera system.

The one caveat there is that an attacker has to get network access to that install. These aren’t systems intended to be exposed to the internet, and my experience is that they are always on a dedicated network connection, not connected to the rest of the office network. Even the interconnect between the PMS and phone system is done via a serial connection, making this network flaw particularly hard to get to. Continue reading “This Week In Security: Oracle Opera, Passkeys, And AirTag RFC”

This Week In Security: Session Puzzling, Session Keys, And Speculation

April 28, 2023 by 7 Comments

Last week we briefly mentioned a vulnerability in the Papercut software, and more details and a proof of concept have been published. The vulnerability is one known as session puzzling. That’s essentially where a session variable is used for multiple purposes, or gets incorrectly set. In Papercut, it was possible to trigger the SetupCompleted class on a server that had already finished that initial setup process. And part of SetupCompleted validated the session of the current user. In a normal first-setup case, that might make sense, but as anyone could trigger that code, it allowed anonymous users to jump straight to admin.

The other half of the exploit leverages the “print script” feature, which lets admins write code that runs on printing. A simple java.lang.Runtime.getRuntime().exec('calc.exe'); does the trick to jump from web interface to remote code execution. The indicators of compromise are reasonable generic, including User "admin" logged into the administration interface. and Admin user "admin" modified the print script on printer "".. A Shodan search turns up around 1,700 Papercut servers accessible from the Internet, which prompts the painfully obvious observation that your internal print auditing solution’s web interface definitely should not be exposed online.

Apache Superset

Superset is a nifty data visualization tool for showing charts, graphs, and all sorts of pretty data sets on a dashboard. It also has some weirdness with using web sessions for user management. The session is stored on the user side in a cookie, signed with a secret key. This works great, unless the key used is particularly weak. And guess what, the default configuration of Superset uses a pre-populated secret key. thisismysecretkey is arguably a bad key to start with, but it turns out it’s also shared by more than 70% of the accessible Superset servers.

Continue reading “This Week In Security: Session Puzzling, Session Keys, And Speculation”