This Week In Security: Black Hat, DEF CON, And Patch Tuesday

August 16, 2019 by Jonathan Bennett 11 Comments

Blackhat and DEF CON both just wrapped, and Patch Tuesday was this week. We have a bunch of stories to cover today.

First some light-hearted shenanigans. Obviously inspired by Little Bobby Tables, Droogie applied for the vanity plate “NULL”. A year went by without any problems, but soon enough it was time to renew his registration. The online registration form refused to acknowledge “NULL” as a valid license plate. The hilarity didn’t really start until he got a parking ticket, and received a bill for $12,000. It seems that the California parking ticket collection system can’t properly differentiate between “NULL” and a null value, and so every ticket without a license plate is now unintentionally linked to his plate.

In the comments on the Ars Technica article, it was suggested that “NULL” simply be added to the list of disallowed vanity plates. A savvy reader pointed out that the system that tracks disallowed plates would probably similarly choke on a “NULL” value.

Hacking an F-15

In a surprising move, Air Force officials brought samples of the Trusted Aircraft Information Download Station (TADS) from an F-15 to DEF CON. Researchers were apparently able to compromise those devices in a myriad of ways. This is a radical departure from the security-through-obscurity approach that has characterized the U.S. military for years.

Next year’s DEF CON involvement promises to be even better as the Air Force plans to bring researchers out to an actual aircraft, inviting them to compromise it in every way imaginable.

Patch Tuesday

Microsoft’s monthly dump of Windows security fixes landed this week, and it was a doozy. First up are a pair of remotely exploitable Remote Desktop vulnerabilities, CVE-2019-1222 and CVE-2019-1226. It’s been theorized that these bugs were found as part of an RDP code review launched in response to the BlueKeep vulnerability from earlier this year. The important difference here is that these bugs affect multiple versions of Windows, up to and including Windows 10.

What the CTF

Remember Tavis Ormandy and his Notepad attack? We finally have the rest of the story! Go read the whole thing, it’s a great tale of finding something strange, and then pulling it apart looking for vulnerabilities.

Microsoft Windows has a module, MSCTF, that is part of the Text Services Framework. What does the CTF acronym even stand for? That’s not clear. It seems that CTF is responsible for handling keyboard layouts, and translating keystrokes based on what keyboard type is selected. What is also clear is that every time an application builds a window, that application also connects to a CTF process. CTF has been a part of Microsoft’s code base since at least 2001, with relatively few code changes since then.

CTF doesn’t do any validation, so an attacker can connect to the CTF service and claim to be any process. Tavis discovered he could effectively attempt to call arbitrary function pointers of any program talking to the same CTF service. Due to some additional security measures built into modern Windows, the path to an actual compromise is rather convoluted, but by the end of the day, any CFT client can be compromised, including notepad.

The most interesting CFT client Tavis found was the login screen. The exploit he demos as part of the write-up is to lock the computer, and then compromise the login in order to spawn a process with system privileges.

The presence of this unknown service running on every Windows machine is just another reminder that operating systems should be open source.

Biostar 2

Biostar 2 is a centralized biometric access control system in use by thousands of organizations and many countries around the globe. A pair of Israeli security researchers discovered that the central database that controls the entire system was unencrypted and unsecured. 23 Gigabytes of security data was available, including over a million fingerprints. This data was stored in the clear, rather than properly hashed, so passwords and fingerprints were directly leaked as a result. This data seems to have been made available through an Elasticsearch instance that was directly exposed to the internet, and was found through port scanning.

If you have any exposure to Biostar 2 systems, you need to assume your data has been compromised. While passwords can be changed, fingerprints are forever. As biometric authentication becomes more widespread, this is an unexplored side effect.

Overclocking In An SNES Emulator

August 14, 2019 by Jonathan Bennett 12 Comments

The bsnes emulator has a new overclocking mode to eliminate slowdowns in SNES games while keeping the gameplay speed accurate. We’re emulating old SNES hardware on modern machines that are vastly more powerful. Eliminating slowdowns should be trivial, right? For an emulator such as bsnes, which is written to achieve essentially pixel-perfect accuracy when emulating, the problem is decidedly non-trivial. Stick around to learn why.

Continue reading “Overclocking In An SNES Emulator” →

Laser Trip Wire Hides What You’re (Not) Working On

August 9, 2019 by Tom Nardi 15 Comments

We assume your office policy allows for reading Hackaday during work hours. But what about cruising reddit, or playing Universal Paperclips? There’s a special kind of stress experienced when attempting to keep one eye on your display and the other on the doorway; all the while convinced the boss is about to waltz into the room and be utterly disappointed in you.

But fear not, for [dekuNukem] has found the solution with Daytripper. This wireless laser tripwire communicates back to your computer using NRF24 (2.4 Ghz on the ISM band) and can be used to invisibly cordon off a door or hallway and fire a scripted action on your computer if its beam has been broken. Nominally this is used to send the keyboard command that hides all open windows, but we’re sure the imaginative readers of Hackaday could come up with all sorts of alternate uses for this capability.

The Daytripper transmitter uses a laser time-of-flight sensor, in this case the very small VL53L0X by STMicroelectronics. It’s best situated so the laser will be bounced straight back at it. It has a range of about four feet, which is perfect for covering a door, though a wide hallway could give it some trouble. [dekuNukem] admits that the 5 Hz scan rate means a sufficiently fast moving adversary might slip past the sensor, but if they’re trying that hard to see what’s on your monitor, they probably deserve a peek.

On the receiver side, there’s a small board that plugs into your computer and mimics a USB keyboard. It has a selector switch on the side that allows the user to set what key sequence will be “typed” once the system has been tripped. It has built-in support for minimizing all windows or locking the computer, or you can set it to send ALT + Pause, which you can listen for and act on however you see fit.

If you want to build your own Daytripper, the firmware and hardware are both available on GitHub under an MIT license. For those who prefer instant gratification, [dekuNukem] is doing a small production run and offering them up on Tindie.

This Week In Security: SWAPGS, Malicious Shaders, More IOS Woes, And WPA3

August 9, 2019 by Jonathan Bennett 19 Comments

I’m sure you’ve heard of Spectre, which was the first of many speculative execution vulnerabilities found in modern processors. A new one just popped up this week. At Blackhat on Tuesday, CVE-2019-1125 was announced by Bitdefender as SWAPGS.

SWAPGS is an x86_64 instruction that is intended for use in context switching, that is when execution is transferred from a user-space program back into the kernel. Specifically, SWAPGS swaps the value of the GS register so that it refers to either a memory location in the running application, or a location in the kernel’s space. An unprivileged program can attempt to call this instruction and leak kernel memory contents as a result of the processor speculatively executing the instruction (this is similar to Spectre). Even though the instruction will ultimately not be executed, because a userspace program doesn’t have sufficient privilege to do so, the contents of the system cache have already been sufficiently altered, and an attack could feasibly leverage this to read arbitrary kernel memory.

While the initial reports have mentioned both AMD and Intel products, AMD has released a statement:

AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.

Patches for Windows and Linux have been released, and Red Hat has an informative write-up on the vulnerability. I would have reviewed Bitdefender’s whitepaper on the vulnerability, but rather than make it freely available, they have opted to require a name and email address. While I would like to see their work, I refuse to sell my contact information in exchange for access.

A Malicious Shader?

This is the first time I can remember hearing of a malicious pixel shader. Cisco Talos announced a set of vulnerabilities targeting VMware and NVIDIA graphics drivers.

Shaders are specialized programs that run on a video card, and are generally used to apply effects like blur, lighting, bump mapping, and more. Most of the graphical improvements in the last few years of gaming is a result of shaders.

Talos researchers were specifically looking at how to compromise a VM Hyper-visor from inside a guest OS, and they discovered that when a host provides 3d acceleration to the guest, shaders are passed directly through to the system drivers without verification. Because the NVIDIA drivers are also vulnerable, this could allow a malicious program on the host to run arbitrary code on the hypervisor.

While this is troubling enough, the topper is that a malicious shader could potentially be run via WebGL. Taken together, this represents a real danger where simply loading a malicious WebGL enabled page could compromise not only a conventional machine, but could also compromise the bare-metal OS even when run on a guest instance.

Both NVIDIA and VMware have already released driver updates that fixes the flaw, so go update!

iOS Problems

Natalie Silvanovich of Google’s Project Zero released a set of 5 iOS vulnerabilities on Wednesday the 7th. These are not garden variety bugs, but so-called “zero click” problems where no user interaction is required for exploit.

The first exploit, for example, is a spoofed visual voicemail message. Visual voicemail notifications are sent as specially formatted text messages and contain information about the message and the address of an IMAP server to connect to and download the message. That information can be spoofed, leading a device to try to download a message from an IMAP server in the control of an attacker. From that point, finding a bug in the iOS IMAP handling code was relatively easy.

5 vulnerabilities have been fixed in iOS updates. There is a 6th vulnerability, CVE-2019-8641, that has yet to be fixed. While a few hints about this problem are given, the details have been withheld until an update has been released to fully fix the problem. One could be a bit cynical and point out that it’s the Google research team announcing these flaws. While there is certainly a self-serving angle to consider, it’s much better for iOS and consumers if flaws are fixed and publicized, rather than kept secret and sold to an offensive security vendor.

One more iOS story is Apple Bleee. Bluetooth Low Energy is an extremely useful communication protocol, allowing Apple devices to perform many of their seemingly magic functionality. The downside is that to make the magic happen, iOS devices are constantly sending BLE signals, probing for other devices. The researchers at Hexway realized that these signals leak lots of data about your device, potentially including your phone number.

iOS uses a SHA256 hash of the device’s phone number as an identifier when using AirDrop. A SHA256 is still a reasonably secure one-way hash, so there’s no problem, right? The clever realization is that while the hash is secure, and the output space is too large to attack, the input space is small enough to be manageable. An attacker could target the most common area codes in their area, limiting the target space further. From there, the SHA256 hashes for all valid numbers can be pre-calculated and stored in a lookup table.

This Week In Security: VxWorks, Expensive Email Fraud, And What’s In Your Wallet?

August 2, 2019 by Jonathan Bennett 11 Comments

This has been an interesting week. First off, security researchers at Armis discovered a set of serious vulnerabilities in the vxWorks Real Time Operating System (RTOS). Released under a name that sounds like the title of a western or caper movie, Urgent/11. Not familiar with vxWorks? It’s a toss-up as to whether vxWorks or Linux is more popular for embedded devices. Several printer brands, Arris modems, Sonicwall firewalls, and a whole host of other industrial and medical devices run the vxWorks RTOS.

Several of these vulnerabilities are in the network stack, rather than in applications. The worst offender is CVE-2019-12256, a vulnerability in error handling. An ICMP error response is generated from an incoming packet, and assumptions are made about that incoming packet. When data is copied from that packet into the ICMP error, the length is not first checked, allowing unconfined memory write. If this sounds familiar, it should. We covered a similar vulnerability in Apple’s XNU kernel not long ago.

This particular vulnerability can compromise a vxWorks machine even without an opened port. The saving grace of that vulnerability applies here: a maliciously crafted packet is necessarily malformed, and won’t navigate public routing. In other words, it’s LAN only, and can’t be sent over the internet.

A second class of vulnerability, where the name comes from, is related to the TCP urgent pointer. This rarely used TCP feature was intended to allow more up-to-date information to supersede data still being processed. Not only has TCP urgent not been widely used, the specifications were not written particularly well, with the various RFC documents describing conflicting implementations. It’s surprising that vxWorks supports it at all, but isn’t particularly surprising that their implementation is flawed. Manipulation of the data stream can cause a length integer to underflow. The nature of binary arithmetic means that underflowing an unsigned integer causes it to wrap around to maximum value, which can lead to writing packet data in the buffer in unexpected memory locations. These vulnerabilities require an established TCP connection, but the researchers describe several scenarios where that could be accomplished by an attacker.

The last RCE vulnerability they describe is in the DHCP client, ipdhcpc. This is a very simple vulnerability. One section of code allocates a buffer for DHCP options, but allocates 24 bytes fewer than the maximum size. An attacker could use this 24 byte overflow to manipulate the data structure and potentially jump execution into manipulated memory.

Update (2019-08-02 09:15 UTC-7): Hackaday received a statement from SonicWall that they made a patch for this vulnerability back on July 19th:

Ensuring the security of our customers is a responsibility we take seriously at SonicWall and we work vigilantly to always keep our customers secure. SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild. The patches are available now and we strongly advised our partners and end users July 19 th to apply the SonicOS patch immediately.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009

Capital One: What’s in Your Data

Capital One made use of Amazon AWS for storing customer data. This isn’t surprising, many companies have turned to Amazon’s seemingly inexhaustible cloud computing platform for storing large data sets. It seems, however, that Capital One failed to configure the security properly on that bucket. (As many other companies have done.) Information was leaked for over an estimated 100 million customers. A former Amazon employee has been arrested, and seems to have posted at least a portion of that data in a Github gist.

Reading between the lines, it seems that this was a very simple mistake. Perhaps credentials were leaked, or the S3 bucket was publicly available. That particular detail has not been released. There is something to be said for Capital One’s response to the incident. They were anonymously informed of the existence of the gist on July 17, using their responsible disclosure process. By the 29th, they had fixed the misconfiguration, coordinated with law enforcement, and publicly announced the breach. A twelve day turn-around is an impressive response, particularly when so many companies have tried to hide or ignore similar breaches.

Cabarrus County, NC

It seemed simple enough. The general contractor for the county’s new school building needed to update bank account information. The appropriate forms were signed and filed, and the information was updated. Nothing seemed amiss unto two months later, when the contractor notified the county that they had missed a scheduled payment of 2.5 million dollars. But the transaction went through, and the money was transferred to the account on file.

Yes, the transfer went through, but the the county had been hit with a social engineering scam. The report refers to it as an Email Account Compromise (EAC) scam, which seems to indicate that the scammer first gained access to a legitimate email account of the contractor in question. Alternatively, an attacker could simply spoof the sender’s email address, and set a different reply-to field. Unless a user was particularly watching for such a scheme, it would be easy to overlook the discrepancy. In any case, even after recovering some of the transferred money, the county seems to be out about $1.7 million. These scams are becoming more and more popular, so remember, don’t believe anything you read in an email.

The Weird and Wacky

And to round out this week’s news, yet another [Satoshi Nakamoto] candidate has been found: Linus Torvalds. While it appears to be a serious suggestion, I’ll just note that the author doesn’t have his name attached to this article. He does make one interesting observation — git is the killer blockchain app. You see, I tend to compare blockchain to the laser. Both were very clever inventions, but didn’t have any immediate uses. They were solutions in search of a problem. This article points out that core concepts of blockchain are present in git, which seems to be an accurate and clever observation. So what is blockchain good for? Git!

And the most useless security news of the week? The CAN bus on airplanes is exploitable when an attacker has unsupervised physical access. Yes, people with unsupervised physical access can do bad things to airplanes. Think about what they could do if they brought a wrench.

Fake Graphics Cards And How To Fix Them

August 2, 2019 by Lewin Day 48 Comments

When shopping online, there’s plenty of great deals out there on modern graphics hardware. Of course, if you’re like [Dawid] and bought a GTX1050 Ti for $48 from Wish, you probably suspect it’s too good to be true. Of course, you’d be correct.

[Dawid] notes from the outset that the packaging the card ships in is unusual. While it’s covered in NVIDIA and GeForce branding, there’s no note of the model number or even the overarching series. The card is loosely packed in bubblewrap, free to bounce around in transit. Upon installation, the card reports itself as a GTX1050 Ti, but refuses to properly work with NVIDIA drivers and routinely causes a Blue Screen of Death.

Upon disassembly, it becomes apparent that the card is merely a poorly manufactured GTS450 Revision 2, over five generations older than the card it was advertised as. Thanks to the mismatch between the actual hardware and what the card reports as, the drivers are unable to properly work with the card.

For those that have been scammed, there is some hope. [Phil] has had experience with several of these cards, which similarly misreport their actual hardware. To correct this, the cards need to have their BIOS flashed to reflect reality, but the fake cards don’t work with NVIDIA’s NVFlash tool. Instead, they must be flashed manually using an EEPROM programmer. Once the cards are flashed with an appropriate BIOS, they can be used with the proper drivers and will function properly, albeit with much less performance than was advertised.

It’s an interesting insight into the state of online shopping platforms, and the old adage remains true – if it’s too good to be true, it probably is. Plus, hacking GPUs can often have great results. Video after the break.

Continue reading “Fake Graphics Cards And How To Fix Them” →

Where The Work Is Really Done – Casual Profiling

July 29, 2019 by Bryan Cockfield 13 Comments

Once a program has been debugged and works properly, it might be time to start optimizing it. A common way of doing this is a method called profiling – watching a program execute and counting the amount of computing time each step in the program takes. This is all well and good for most programs, but gets complicated when processes execute on more than one core. A profiler may count time spent waiting in a program for a process in another core to finish, giving meaningless results. To solve this problem, a method called casual profiling was developed.

In casual profiling, markers are placed in the code and the profiler can measure how fast the program gets to these markers. Since multiple cores are involved, and the profiler can’t speed up the rest of the program, it actually slows everything else down and measures the markers in order to simulate an increase in speed. [Daniel Morsig] took this idea and implemented it in Go, with an example used to demonstrate its effectiveness speeding up a single process by 95%, resulting in a 22% increase in the entire program. Using a regular profiler only counted a 3% increase, which was not as informative as the casual profiler’s 22% measurement.

We got this tip from [Greg Kennedy] who notes that he hasn’t seen much use of casual profiling outside of the academic world, but we agree that there is likely some usefulness to this method of keeping track of a multi-threaded program’s efficiency. If you know of any other ways of solving this problem, or have seen causal profiling in use in the wild, let us know in the comments below.

Header image: Alan Lorenzo [CC BY-SA 3.0].

Hackaday

computer hacks

1327 Articles