This Week In Security: Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, an LSA spoofing flaw that lets an attacker coerce a domain controller into NTLM authentication and relay it, in effect a Man-In-The-Middle attack against NTLM. CISA lists it as actively exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and this entry mandates that federal agencies install the patch no later than July 22nd. The quirk here is that the Microsoft patch that fixes CVE-2022-26925 also includes a fix for a couple of certificate vulnerabilities, including CVE-2022-26923, Certifried. That vulnerability was one where the DNS hostname of an ordinary machine account could be changed to match a domain controller’s, so that a certificate requested for that machine authenticated as the domain controller, leading to organization-wide compromise.

The fix that rolled out in June requires a “strong certificate mapping” to tie a user to a certificate. Having the same common name is no longer sufficient; a unique value such as the account’s Security Identifier (SID) must link the certificate to the user in Active Directory. The patch puts AD in a compatibility mode that still accepts the weak mapping, so long as the user account was created before the certificate was issued. This has the unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate its users. Government agencies typically start onboarding by issuing a CAC, and only then establish an AD account for that user. That makes the certificate older than the account, which means the patched domain controller rejects it. Thankfully there’s a registry key that can be set to let the older mapping keep working, at the cost of reopening the weakness the patch was meant to close.
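To make the compatibility-mode rule concrete, here is an added Python model of the decision, not Microsoft’s code. It classifies altSecurityIdentities values as strong or weak using the prefixes Microsoft documents in KB5014754 (Issuer+SerialNumber, SKI and SHA1-PUKEY are strong; Subject-only, Issuer+Subject and RFC822 are weak), and reproduces the three values of the documented StrongCertificateBindingEnforcement registry setting under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (0 disabled, 1 compatibility, 2 full enforcement). The account names, mapping strings and timestamps are constructed, and the model ignores the SID certificate extension the real KDC also honours.

```python
"""Model of certificate-to-account mapping after the May/June 2022 AD patches.

Added example, not Microsoft's code.  Mapping prefixes follow KB5014754;
accounts, certificates and dates below are constructed for illustration.
"""
from datetime import datetime, timezone

# altSecurityIdentities prefixes per KB5014754.  Strong mappings carry a
# non-reusable identifier; weak ones can be satisfied by a renamed certificate.
STRONG_PREFIXES = ("X509:<SKI>", "X509:<SHA1-PUKEY>")
WEAK_PREFIXES = ("X509:<S>", "X509:<RFC822>")

# Documented values of HKLM\SYSTEM\CurrentControlSet\Services\Kdc\
# StrongCertificateBindingEnforcement.
DISABLED, COMPATIBILITY, FULL_ENFORCEMENT = 0, 1, 2


def classify_mapping(mapping: str) -> str:
    """Return 'strong' or 'weak' for a single altSecurityIdentities value."""
    if mapping.startswith("X509:<I>"):
        # Issuer+SerialNumber (<SR>) is strong; Issuer+Subject (<S>) is weak.
        return "strong" if "<SR>" in mapping else "weak"
    if mapping.startswith(STRONG_PREFIXES):
        return "strong"
    if mapping.startswith(WEAK_PREFIXES):
        return "weak"
    raise ValueError(f"unrecognised altSecurityIdentities syntax: {mapping!r}")


def kdc_accepts(mapping: str, account_created: datetime,
                cert_not_before: datetime, enforcement: int) -> bool:
    """Does the KDC accept this mapping under the given enforcement mode?

    Compatibility mode (the patch default) honours a weak mapping only when
    the certificate was issued after the account existed, which is exactly
    the ordering that CAC-first onboarding violates.
    """
    if classify_mapping(mapping) == "strong" or enforcement == DISABLED:
        return True
    if enforcement == FULL_ENFORCEMENT:
        return False
    return cert_not_before > account_created


def cac_onboarding_scenario() -> dict:
    """Card issued first, AD account created two weeks later (constructed)."""
    cert_issued = datetime(2022, 3, 1, tzinfo=timezone.utc)
    account_created = datetime(2022, 3, 15, tzinfo=timezone.utc)
    weak = "X509:<RFC822>jane.doe@example.mil"                       # constructed
    strong = "X509:<I>DC=mil,DC=example,CN=Example CA<SR>1a2b3c4d"  # constructed
    return {
        "weak_compat": kdc_accepts(weak, account_created, cert_issued, COMPATIBILITY),
        "weak_disabled": kdc_accepts(weak, account_created, cert_issued, DISABLED),
        "weak_full": kdc_accepts(weak, account_created, cert_issued, FULL_ENFORCEMENT),
        "strong_full": kdc_accepts(strong, account_created, cert_issued, FULL_ENFORCEMENT),
    }


if __name__ == "__main__":
    for name, accepted in cac_onboarding_scenario().items():
        print(f"{name:14s} -> {'accepted' if accepted else 'rejected'}")
```

The scenario shows why the registry key “works”: dropping to 0 makes the weak RFC822 mapping pass again for an older-than-account certificate, while the durable fix is to publish an Issuer+SerialNumber (or SKI) mapping, which passes even at full enforcement regardless of issuance order.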

This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly

There’s a problem in the unrar utility, and as a result the Zimbra mail server was vulnerable to Remote Code Execution by simply sending an email. So first, unrar is a source-available command-line application made by RarLab, the same folks behind WinRAR. CVE-2022-30333 is the vulnerability there, and it’s a classic path traversal on archive extraction. One of the ways this attack is normally pulled off is by extracting a symlink whose target points somewhere that should be off limits, then extracting a file through that link. unrar has hardening against this attack, but it is undermined by its cross-platform support. On a Unix machine, each symlink in the archive is checked for the ../ pattern. Only after that check does a function convert Windows-style paths to Unix notation. The bypass is therefore simple: use ..\ in the symlink target, which the check doesn’t catch, and let the conversion step turn it into a working ../ traversal.
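The order-of-operations bug is easiest to see in code. The following is an added Python sketch, not unrar’s source: a toy extractor with a symlink-target validator that runs before separator conversion (the vulnerable order) and one that runs after (the fixed order), driven by a constructed two-entry archive that plants a link and then writes a file through it. The destination directory and entry names are assumptions for the demo.

```python
"""Check-then-normalize vs normalize-then-check on symlink targets.

Added example illustrating the CVE-2022-30333 bug class; this is not unrar's
code.  The archive entries, destination directory and payload are constructed.
"""
import posixpath
from typing import Callable, Dict, List, Optional, Tuple

DEST = "/srv/extract"  # assumed extraction directory

# An entry is ("symlink", name, target) or ("file", name, data).
Entry = Tuple[str, str, str]


def to_unix_path(path: str) -> str:
    """Unix builds convert Windows separators so mixed archives extract."""
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """Reject absolute targets or any '..' component (Unix separator only)."""
    return posixpath.isabs(path) or ".." in path.split("/")


def vulnerable_link_target(target: str) -> Optional[str]:
    """Validate the raw target, then convert: '..\\' slips past the check."""
    if has_traversal(target):
        return None
    return to_unix_path(target)


def fixed_link_target(target: str) -> Optional[str]:
    """Convert first, then validate the path that will actually be written."""
    unix = to_unix_path(target)
    if has_traversal(unix):
        return None
    return unix


def extract(entries: List[Entry],
            validate: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Simulate extraction into DEST; return {absolute path written: data}.

    A file whose parent directory is an extracted symlink is written through
    the link, the way a real filesystem would follow it.
    """
    links: Dict[str, str] = {}
    written: Dict[str, str] = {}
    for kind, name, payload in entries:
        if kind == "symlink":
            target = validate(payload)
            if target is None:
                continue  # entry skipped
            links[name] = posixpath.normpath(posixpath.join(DEST, target))
        else:
            parent, leaf = posixpath.split(name)
            base = links.get(parent, posixpath.join(DEST, parent))
            written[posixpath.join(base, leaf)] = payload
    return written


# Constructed malicious archive: a link using backslash traversal, then a
# file placed "inside" the link so it lands outside DEST.
MALICIOUS_ARCHIVE: List[Entry] = [
    ("symlink", "lnk", "..\\..\\..\\tmp\\outside"),
    ("file", "lnk/marker.txt", "written through the symlink"),
]


if __name__ == "__main__":
    print("vulnerable:", extract(MALICIOUS_ARCHIVE, vulnerable_link_target))
    print("fixed:     ", extract(MALICIOUS_ARCHIVE, fixed_link_target))
```

With the vulnerable validator the file ends up at /tmp/outside/marker.txt; with the fixed one the link is dropped and the file stays under /srv/extract. The general lesson is to validate the representation that will be used, after every normalization step, not the one that arrived in the archive.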

That was bad enough, but Zimbra made it worse by automatically extracting .rar attachments on incoming emails in order to run a virus and spam check. That extraction isn’t sandboxed, so an attacker’s files can be written anywhere on the filesystem the zimbra user can write. It’s not hard to imagine how this turns into a full RCE very quickly. If you have an unrar binary based on RarLab code, make sure it is at least version 6.1.7 of the source or 6.12 of the binary release. While Zimbra was the application specifically called out, there are likely other cases where this could be used for exploitation.

DIY Airless Tires Work Surprisingly Well

Airless tires have been “a few years away” from production for decades now. They’re the automotive version of vaporware (at least those meant for passenger vehicles), always on the cusp of being produced but somehow never materializing. They have a number of perks over traditional air-filled tires, chief among them immunity to flats and punctures. Since there aren’t any airless tires available at the local tire shop, [Driven Media] decided to make and test their own.

The tires are surprisingly inexpensive to make. A few pieces of drainage tubing of varying diameters, cut to short lengths, and then bolted together with off-the-shelf hardware is all it takes, although they note that there was a tremendous amount of hardware needed to fasten all the pipe lengths together. With the structure in place they simply cut a tread off of a traditional tire and wrapped it around each of the four assemblies, then bolted them up to their Caterham street-legal race car for testing.

While the ride quality was notably (and unsurprisingly) rough and bumpy, the tires performed admirably under the circumstances and survived being driven fairly aggressively on a closed-circuit race course. For such a low price and simple parts list it’s shocking that a major tire manufacturer like Michelin hasn’t figured out how to successfully bring one to a light passenger car yet.

Thanks to [Itay] for the tip!


Raspberry Pi Pico W Adds Wireless

News just in from the folks at Raspberry Pi: the newest version of their Pico has WiFi and is called, obviously, the Pico W. We were going to get our hands on a sample unit and kick its tires, but it’s stuck in customs. Boo! So until it shows up, here’s what we can glean from the press releases and documentation.

The Pico is, of course, the Raspberry Pi microcontroller dev board based on their RP2040 microcontroller. This in turn has two Cortex M0+ cores and a good chunk of onboard RAM, which has made it a popular target for MicroPython. They had some extra real estate on the PCB, so they’ve added an Infineon CYW43439 WiFi chip, and voila: Pico W.

As of now, the WiFi is supported in both the C SDK and the pre-baked MicroPython image. It looks trivially easy to get it working, and it’s based on the time-tested lwIP stack, a classic in the embedded world. The CYW43439 is also Bluetooth capable, but there’s no firmware support for that yet; we wouldn’t be surprised if it showed up soon.

The price? $6 for the whole shooting match. You can view this two ways: a small $2 premium over the old Pico, or a price increase of 50%. How you see things probably depends on your order quantity. Either way, it’s firmly in the ESP32 module price range, so you’ve got some comparison shopping to do if your project needs a microcontroller and WiFi. And in these days of silicon shortages, it’s nice to have a couple of options.

This Week In Security: IoT In The Hot Tub, App Double Fail, And FreeBSD BadBeacon

[Eaton Zveare] purchased a Jacuzzi hot tub, and splurged for the SmartTub add-on, which connects the whirlpool to the internet so you can control temperature, lights, etc. from afar. He didn’t realize he was about to discover a nightmare of security problems. Because as we all know, in IoT, the S stands for security. In this case, the registration email came from smarttub.io, so it was natural to pull up that URL in a web browser to see what was there. The page presented a login prompt, so [Eaton] punched in the credentials he had just generated. “Unauthorized.” Well, that’s not surprising, but what was very odd was the flash of a dashboard that appeared just before the authorization complaint. Could that have been real data that was unintentionally sent? A screen recorder answered that question, revealing that there was indeed a table loaded up with valid-looking data.

Digging around in the page’s JavaScript turns up the login flow. The page uses the Auth0 service to handle logins, and that service sends back an access token. The page then sends that access token back to Auth0 to look up the user’s privileges, and if the logged-in user isn’t an admin, the redirect to “Unauthorized” happens. However, we already know that some real data gets loaded before that. It appears that the access restriction is implemented entirely on the client side, and the backend requires nothing more than a valid access token for data requests. What would happen if the privilege response from Auth0 were modified in transit? There are a few ways to accomplish this, but he opted to use Fiddler. Rewrite the response so the front-end believes you’re an admin, and you’re in.
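The flaw is a design pattern, not a bug in any one line, so here is an added Python model of it, not SmartTub’s or Auth0’s code. Tokens are toy HMAC-signed strings rather than real JWTs, and the secret, user, roles and admin data are constructed. The vulnerable backend returns admin data to anyone with a valid token and leaves the role check to the frontend, where a proxy can rewrite the user-info response; the fixed backend derives the role from the verified token and ignores whatever the client believes.

```python
"""Client-side vs server-side authorization, as an added illustration.

Not SmartTub's or Auth0's code.  Tokens are toy HMAC-signed strings and all
identities, secrets and data are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

SERVER_SECRET = b"constructed-demo-secret"          # assumption for the demo
ADMIN_DATA = {"registered_tubs": 12345,               # constructed
              "owners": ["alice@example.com", "bob@example.com"]}


def issue_token(subject: str, roles: List[str]) -> str:
    """Identity-provider side: sign the claims so the client cannot edit them."""
    claims = json.dumps({"sub": subject, "roles": roles}, sort_keys=True)
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[Dict]:
    """Return the claims if the signature checks out, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def vulnerable_backend(token: str) -> Optional[Dict]:
    """Only asks 'is this token valid?', never 'is this user allowed?'."""
    return ADMIN_DATA if verify_token(token) is not None else None


def frontend(token: str, userinfo: Dict) -> Optional[Dict]:
    """Browser logic: fetch the data, then decide whether to show it based on
    a user-info response that an intercepting proxy can rewrite."""
    data = vulnerable_backend(token)          # already on the wire
    if not userinfo.get("is_admin"):
        return None                            # redirect to 'Unauthorized'
    return data


def fixed_backend(token: str) -> Optional[Dict]:
    """Authorization decided from verified claims, on the server."""
    claims = verify_token(token)
    if claims is None or "admin" not in claims.get("roles", []):
        return None
    return ADMIN_DATA


def scenario() -> Dict[str, Optional[Dict]]:
    """An ordinary user, with and without a tampered user-info response."""
    token = issue_token("ordinary-user", ["user"])          # constructed
    return {
        "honest_client": frontend(token, {"is_admin": False}),
        "tampered_client": frontend(token, {"is_admin": True}),   # proxy rewrite
        "fixed_backend": fixed_backend(token),
        "forged_token": fixed_backend(token[:-4] + "0000"),        # bad signature
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:16s} -> {'DATA LEAKED' if result else 'denied'}")
```

The honest client is told “Unauthorized” while the data has already been delivered; flipping one flag in the user-info response exposes it. The fixed backend refuses the same request because the token’s roles say “user”, and a token with a doctored signature is rejected outright. The check that matters is the one the attacker cannot reach.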

This approach seems to gain admin access to all of the SmartTub admin controls, though [Eaton] didn’t try actually making changes to see if he had write access, too. This was enough to demonstrate the flaw, and making changes would be flirting with that dangerous line that separates research from computer crime. The real problem started when he tried to disclose the vulnerability. SmartTub didn’t have a security contact, but an email to their support email address did elicit a reply asking for details. And after details were supplied, complete radio silence. Exasperated, he finally turned to Auth0, asking them to intervene. Their solution was to pull the plug on one of the two URL endpoints. Finally, after six months of trying to inform Jacuzzi and SmartTub of their severe security issues, both admin portals were secured.


South Korea’s KSLV-2 Rocket Delivers Payloads To Orbit

South Korea’s domestically developed KSLV-2 “Nuri” rocket successfully placed six payloads into low Earth orbit Tuesday, after lifting off from Naro Space Center at 4 PM KST. This follows an earlier attempt in October which failed to reach orbit after the booster’s third stage engine shut down prematurely. The flight followed an initial trajectory over the East China Sea, after which the upper stage steered out towards the Philippine Sea, finally placing the payload in the desired orbital inclination of 98 degrees. This less-than-ideal path wasted energy, but ensured that the first and second stages fell into the ocean and not onto people. Success was confirmed shortly after launch as the vehicle passed over South Korea’s King Sejong Station in Antarctica.

The payload on this test flight was primarily a mass simulator of 1.3 metric tons, but a small Performance Verification Satellite (PVSAT) was included, for a grand total of 1.5 metric tons. The PVSAT itself monitors vehicle performance, but also serves as a carrier for four CubeSats. These were developed by engineering teams at various local universities and will be deployed in the coming days.

If you’re inclined to track these, the launch has been given COSPAR ID 2022-065 and the first three objects (third stage, dummy mass, and PVSAT) have been assigned the NORAD catalog numbers 52894, 52895, and 52896. It’s too early to tell which is which at this point, but as more data about their respective orbits are collected, it should be possible to tell them apart. The next four catalog numbers, 52897 – 52900, have been reserved for the CubeSats once they are released.

With this launch, South Korea has become the 10th nation to put a payload into space using its own domestic technology, and the 7th to loft a payload of more than one ton to orbit — joining the ranks of the United States, Russia, Japan, China, France, and India.


Plastic CPUs Will Bend To Your Will

As microcontroller prices drop, they appear in more things. Today you will find microcontrollers in your car, your household appliances, and even kids’ toys. But you don’t often see them embedded in things that are either super cheap or have to flex, such as a bandage. Part of the reason is the cost of silicon chips, and part of the reason is that silicon chips don’t appreciate bending. What if you could make CPUs for less than a penny out of flexible plastic? What applications would that open up? PragmatIC, a company working to make this possible, thinks it would open up a whole new world of smart items that would be unthinkable today. They worked with a team at the University of Illinois Urbana-Champaign to create prototype plastic CPUs with interesting results.

This is still the stuff of research and dreams, but a team of researchers did produce 4-bit and 8-bit processors using IGZO (indium gallium zinc oxide) semiconductor technology. This tech can be put on plastic and will work even if you bend it around a radius as small as a few millimeters.
