This Week In Security: Patch Monday Mysteries, CentOS 8 And CentOS Stream, Russian Surveillance, And CSRF

So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. The exploitability assessment from Microsoft indicates that this bug is under active exploitation, but not many details are available. Let’s take a look at what information has been released, and see what we can learn.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

It’s a remote code execution vulnerability, it affects Internet Explorer, it’s in the scripting engine, and it happens due to objects in memory being mishandled. We could take some guesses, but later in this document we’re given a few other clues. The workaround is to disable jscript.dll, and the impact is limited, as jscript9.dll is the default JavaScript engine. jscript.dll is apparently a legacy JavaScript engine that a website can request.

“Jscript” is what Microsoft called their shameless copy implementation of JavaScript. The older jscript.dll seems to be present in newer versions of Internet Explorer for compatibility reasons. So it’s a problem in how the older JavaScript library handles objects. Any website can request this legacy engine, so the attack vector is basically unlimited.

The urgency implied by the out-of-cycle patch, combined with the otherwise eerie silence surrounding this patch, suggests this 0-day was possibly being used in a targeted attack. We hope the details will eventually be revealed.

CentOS 8 and CentOS Stream

CentOS 8 was released this week, the community repackage of Red Hat Enterprise Linux (RHEL) 8. In 2014, Red Hat announced that CentOS was officially becoming a Red Hat sponsored project. This week, CentOS Stream was also announced.

The Fedora distribution has long served as a test-bed for upcoming RHEL releases, with RHEL 8 being based on Fedora 28. CentOS Stream will serve as a “midstream” distribution, a rolling release that pulls updates from Fedora, and will eventually become future RHEL/CentOS releases. It remains to be seen exactly how far ahead of the main CentOS distribution Stream will stay. A long-standing problem with CentOS is that by the time a release hits end-of-life, some of the software versions are very old. Even though security fixes are quickly backported to these older versions, there are security issues that arise as a result. For example, CentOS 7 contains PHP 5.4 with no official path to installing a newer version of PHP. WordPress now requires PHP 5.6.20 as the oldest supported PHP version. Red Hat may backport fixes to PHP 5.4, but that doesn’t help the out-of-date installs of WordPress, running on otherwise up-to-date CentOS machines.

Hopefully CentOS Stream will provide the much needed middle-ground between the bleeding-edge pace of Fedora, and the frustratingly slow march of CentOS/RHEL.

Russian Surveillance

A Nokia employee accidentally backed up a company drive to his home storage device, which was unintentionally Internet accessible. The data contained on this drive was detailed information on Russia’s SORM (System for Operative Investigative Activities), the government’s wiretapping program. The amount of data revealed is staggering, 1.7 terabytes. Passwords, administrative URLs, and even precise physical locations were included. The breadth of information makes one wonder if it was actually an accident, or if this was intended to be another Snowden style data leak. Just an aside, it’s not clear that the revealed wiretapping effort is as broad or onerous as the one Snowden revealed.

PHPMyAdmin CSRF

Running PHPMyAdmin on one of your servers? You should probably go update it. Version 4.9.1 was released on Saturday the 21st, and contains a fix for CVE-2019-12922. This vulnerability is a Cross Site Request Forgery, or CSRF. A CSRF attack can be as simple as an image link on one site, that links to another site, and triggers an action on that second site. Let’s look at the PHPMyAdmin example:

<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;">

A hidden image will actually trigger an HTTP GET request, which asks for the server’s page, and tries to remove the first entry. If a user is logged in to the PHPMyAdmin server that the link is targeting, the command will silently complete. This is one of the reasons that HTTP GET requests should never make state changes, and only ever retrieve information. An HTTP POST message is much harder to generate in this way, though not impossible.
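To make the GET-versus-POST point concrete, here is an added example (not phpMyAdmin's code) of a state-changing handler in its CSRF-prone form next to a hardened one. The Request dataclass, the session table and the handler names are constructed stand-ins for whatever a real web framework provides; the forged requests model exactly what a victim's browser sends when it loads the hidden image above, and what a cross-site auto-submitting form can and cannot send.

```python
"""CSRF on a state-changing GET, and the fix: POST only, plus a per-session token.
Added example; not phpMyAdmin code. Request, SESSIONS and the handlers are
constructed stand-ins for a real web framework."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    query: dict
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed server state: one logged-in session with a random CSRF token.
SESSIONS = {"sess-abc": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
SETUP_PATH = "/phpmyadmin/setup/index.php"


def new_server_list():
    """Fresh copy of the configured servers, so each scenario starts clean."""
    return {1: "db1.internal", 2: "db2.internal"}


def vulnerable_remove(req, servers):
    """Pre-fix style handler: a GET with a valid session cookie is enough to remove a server."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 403, "not logged in"
    if req.query.get("mode") == "remove":
        servers.pop(int(req.query["id"]), None)
        return 200, "removed"
    return 200, "ok"


def hardened_remove(req, servers):
    """Fixed handler: the state change needs a POST carrying a token bound to the session."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 403, "not logged in"
    if req.method != "POST":
        return 405, "state changes require POST"
    submitted = req.form.get("token", "")
    # Constant-time comparison so the token check does not leak via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "bad or missing CSRF token"
    if req.form.get("mode") == "remove":
        servers.pop(int(req.form["id"]), None)
        return 200, "removed"
    return 200, "ok"


def forged_image_request():
    """What the browser sends when it loads the hidden <img>: a GET with the
    victim's cookie attached automatically, no form body, no token."""
    return Request("GET", SETUP_PATH,
                   {"page": "servers", "mode": "remove", "id": "1"},
                   cookies={"session": "sess-abc"})


def forged_post_request():
    """A cross-site auto-submitting form can produce a POST with the cookie,
    but the attacker's page cannot read the victim's token, so it is absent."""
    return Request("POST", SETUP_PATH, {}, cookies={"session": "sess-abc"},
                   form={"mode": "remove", "id": "1"})


def legitimate_post_request():
    """The real setup page embeds the session's token in its form."""
    token = SESSIONS["sess-abc"]["csrf_token"]
    return Request("POST", SETUP_PATH, {}, cookies={"session": "sess-abc"},
                   form={"mode": "remove", "id": "1", "token": token})


def demo():
    """Run the three requests against both handlers and report whether server 1 survived.
    Returns (vulnerable kept server 1, hardened status on forged GET, hardened kept
    server 1 on forged GET, hardened status on forged POST, hardened kept server 1
    after a legitimate POST)."""
    s1 = new_server_list()
    vulnerable_remove(forged_image_request(), s1)
    s2 = new_server_list()
    get_status, _ = hardened_remove(forged_image_request(), s2)
    s3 = new_server_list()
    post_status, _ = hardened_remove(forged_post_request(), s3)
    s4 = new_server_list()
    hardened_remove(legitimate_post_request(), s4)
    return (1 in s1, get_status, 1 in s2, post_status, 1 in s4)


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler deletes the entry as soon as the browser's automatically attached cookie proves a login; the hardened one refuses the GET outright and, for a forged POST, fails on the missing token, which is the extra secret a cross-site page cannot obtain.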

Gatwick Drone Incident: Police Still Clueless

Quietly released and speedily buried by Parliamentary wrangles over Brexit is the news that Sussex Police have exhausted all lines of inquiry into the widely publicised drone sighting reports that caused London’s Gatwick Airport to be closed for several days last December. The county’s rozzers have ruled out 96 ‘people of interest’ and combed through 129 separate reports of drone activity, but admit that they are no closer to feeling any miscreant collars. There is no mention of either their claims at the time to have found drone wreckage, their earlier admissions that sightings might have been of police drones, or even that there might have been no drone involved at all.

Regular readers will know that we have reported extensively the sorry saga of official reactions to drone incidents, because we believe that major failings in reporting and investigation will accumulate to have an adverse effect on those many people in our community who fly multi-rotors. In today’s BBC report for example there is the assertion that 109 of the drone sightings came from “‘credible witnesses’ including a pilot and airport police” which while it sounds reassuring is we believe a dangerous route to follow because it implies that the quality of evidence is less important than its source. It is crucial to understand that multi-rotors are still a technology with which the vast majority of the population are still unfamiliar, and simply because a witness is a police officer or a pilot does not make them a drone expert whose evidence is above scrutiny.

Whichever stand you take on the drone sightings at Gatwick and in other places it is clear that Sussex Police do not emerge from this smelling of roses and that their investigation has been chaotic and inept from the start. We believe that there should be a public inquiry into the whole mess, so that those embarrassing parts of it which they and other agencies are so anxious to quietly forget can be subjected to scrutiny. We do not however expect this to happen any time soon.

Keystone Kops header image: Mack Sennett Studios [Public domain].

LEDs Light The Way To This Backdoor

A curious trend for some years in the world of PC hardware has been that of attaching LEDs to all the constituent parts of a computer. The idea is that somehow a gaming rig that looks badass will somehow be just a little bit faster. As [Graham Sutherland] discovered when he wanted to extinguish the LEDs on his new Gigabyte graphics card, these LEDs can present an unexpected security hazard.

The key to their insecurity comes in the Gigabyte driver. This is a piece of software that you would normally expect to be an abstraction layer with an interface visible to your user level privilege, and a safe decoupling between that and the considerably more security sensitive hardware layer from which the LED bus can be found. Instead of this, the Gigabyte driver is more of a wrapper that simply exposes the LED bus directly to the user level. It’s intended that user-level code can easily bit-bang WS2812 LEDs without hindrance, but its effect is to provide a gaping hole in the security layers intended to keep malicious code away from the hardware. The cherry on the cake is provided by the discovery of a PIC microcontroller on the bus which can be flashed with new code, providing an attacker with persistent storage unbeknownst to the operating system or CPU.

The entire Twitter thread is very much worth reading whether you are a PC infosec savant or a dilettante, because not only should we all know something about the mechanisms of PC backdoors we should also be aware that sometimes a component as innocuous as an LED can be a source of a security issue.

Thanks [Slurm] for the tip.

Gigabyte motherboard picture: Gani01 [Public domain].

Awesome Animation Channel Is An Educational Rabbit Hole

Once [Shabab] clued us in to the brilliant animations of [Jared Owen], we pretty much lost an afternoon exploring this incredible YouTube channel. Self-taught Blender wizard [Jared] combines fantastic animations with clear and concise explanations for the inner workings of everything from Nerf guns and Fisher-Price corn poppers to the International Space Station.

Space nerds and casuals alike should check out [Jared]’s crowning achievement: a three-video Apollo spacecraft series, which covers many details in a short amount of time. Want more Apollo? Here’s a deeper dive into the lunar module. [Jared] uses music to great effect in these videos, especially in the Apollo series.

Several videos are devoted to mechanisms, like the humble gumball machine, the grand piano, and the combination lock. In addition to all the great how-it-works videos, [Jared] explores various noteworthy buildings. You know there’s a bowling alley in the White House, right? [Jared]’s tour shows you exactly where it is.

We love the diversity of the videos, all of which [Jared] researches in great detail. He enjoys working from user suggestions, so let him know what you’re dying to see dissected in detail.

Thanks for the tip, [Shabab].

3 Words To Describe Any Spot On Earth

For quite a long while now, latitude and longitude has been the way humankind has navigated the globe. This is a perfectly workable system, but it’s a little overwrought for daily use by the layperson. What3Words seeks to provide a simpler solution.

The system is based on splitting the surface of the globe into a grid of 3 m x 3 m sections. This includes oceans and bodies of water. With the grid laid out, each section is given a name consisting of three English words strung together. For example, ///eggs.form.breakfast denotes a spot in the outskirts of Chengdu, China, while ///crops.cards.gifts is a good approximation of that spot where the Naked Cowboy hangs out in Times Square, New York.

Addresses in this format are written with three leading forward slashes, along with a dot between each word. An attempt has been made to only use uncontroversial words, as well as to make sure no crude addresses are created by awkward combinations. Don’t worry, we checked – but if you do find anything good, drop it in the comments below.

It’s a tool that’s been around for a while, but an interesting one nonetheless. It’s something that needs a wider societal acceptance to become truly useful; we imagine it could be good in a small social circle once everyone is familiar with it. It may yet catch on – only time will tell!

A Crane Fit For Any Workshop

Sometimes we will encounter items in our workshops that are a little bigger than we bargained for. An engine block, an anvil, or a particularly substantial machine tool. Lifting these things may be possible, but doing so risks injury, perhaps a hernia or worse. For these moments a particularly well-appointed workshop will include a small crane, and [Workshop from scratch] has posted a video that we’ve placed below the break showing the construction of a particularly nice model.

The fabrication of a crane is not in itself a difficult task, in that most metalwork-minded readers could probably make one. What’s appealing about this video is the sense of gratification at watching metalwork being done well, and that while he does use a bandsaw and a drill press there’s not a lot in the video that couldn’t be done with more basic tools. The result is a handsome item that is probably better than many commercial offerings, though the gut feeling here is that the pivot points would have been better made with a sleeve and pin rather than a threaded bolt. The lifting effort comes from an off-the-shelf hydraulic ram.

Cranes feature here surprisingly rarely, but at least we’ve brought you a balcony crane.


Barcode Guitar Plays More Than Beep-Bop

One of our favorite things about the rise of hobbyist development ecosystems such as the Arduino is that it’s now possible to make a MIDI controller out of almost anything, as long as you have the shields and the dedication. We’re glad that [James Bruton] takes the occasional break from making robots to detour into instrument making, because his latest creation turns it up to 11.

This awesome guitar uses a barcode scanner to play notes, and various arcade controls to manipulate those notes. The barcodes themselves scan as ASCII values, and their equivalent integers are sent to an external MIDI device. This futuristic axe is built on an Arduino Mega, with a USB shield for the barcode scanner, and a MIDI shield on top that [James] connects to various synths in the video after the break.

In between shooting barcodes, the right hand also controls octave shifting and changing MIDI channels with the joystick, and doing pitch-bends with the rotary encoder. The array of arcade buttons on the bottom neck let him switch between single player for monophonic synths, and multiplayer for polys. The other three buttons are press-and-scan programmable single-note sounders that assist in chord-making and noodling.

We particularly dig the construction, which is a combination of 20/20 and 3D printed boxes. [James] found some angled PVC to serve as fretboards for the four necks, and a nice background for bar codes. The only thing we would change is the native beep of the barcode scanner — either silence it forever or make it mutable, because it doesn’t jibe with every note. It might be nice to get the gun to scan continuously so [James] doesn’t get trigger finger. Or better yet, build the scanner into a glove.

Want to do something more useful with that barcode scanner in your parts bin? Use it to manage your household inventory. But first, reacquaint yourself with the history of the humble barcode as presented by [Adam Fabio].
