This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!

Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. The feature in question is VirusEvent, which can be enabled in the ClamAV config. That configuration runs through a string formatting step, where %v and %s in the configured string get replaced with the detected virus name and the file name from the email. And now you see the problem, I hope: the filename is attacker-supplied input.

Where this really gets out of hand is what ClamAV does with this string. execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of system calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string, just as if the user had typed that command into the shell. While this is very convenient to use, there is a security problem if any of that command string is user-supplied. All it takes is a semicolon or ampersand to break assumptions and inject a command.

To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.

Yeah, exec() and related calls don’t offer any security protections when you use them to execute /bin/sh. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the filename format character, and instead supply it as an environment variable. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.
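As an added example, not ClamAV’s code, here is the template expansion done both ways: the original style, where %s pastes the file name into the string that later reaches sh -c, beside the hardened style that refuses %s and hands the name over in an environment variable, as the published fix does. The variable name CLAM_VIRUSEVENT_FILENAME and the sample inputs are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: %v (virus name) and %s (file name) are pasted straight
 * into the command buffer that the caller later runs via sh -c, so any shell
 * syntax inside the attacker-chosen file name becomes part of the command. */
static int expand_template(const char *tmpl, const char *virname,
                           const char *fname, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *tmpl; tmpl++) {
        const char *ins = NULL;
        if (tmpl[0] == '%' && tmpl[1] == 'v') { ins = virname; tmpl++; }
        else if (tmpl[0] == '%' && tmpl[1] == 's') { ins = fname; tmpl++; }
        if (ins) {
            size_t l = strlen(ins);
            if (n + l >= outlen) return -1;      /* refuse to truncate */
            memcpy(out + n, ins, l);
            n += l;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *tmpl;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Defender's check: does attacker-controlled text carry characters that
 * sh -c would re-parse as syntax rather than data? Useful for logging or
 * refusing a name before it reaches any command string at all. */
static int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";&|`$(){}<>\n\\\"'") != NULL;
}

/* Hardened pattern, mirroring the published fix: the template may no longer
 * reference the file name; it is exported through the environment instead,
 * where the shell treats it as a variable's value and never re-parses it.
 * CLAM_VIRUSEVENT_FILENAME is an assumed name for this example. */
static int expand_template_safe(const char *tmpl, const char *virname,
                                const char *fname, char *cmd, size_t cmdlen,
                                char *envvar, size_t envlen)
{
    if (strstr(tmpl, "%s") != NULL) return -1;   /* file-name placeholder refused */
    if (expand_template(tmpl, virname, "", cmd, cmdlen) != 0) return -1;
    int w = snprintf(envvar, envlen, "CLAM_VIRUSEVENT_FILENAME=%s", fname);
    return (w < 0 || (size_t)w >= envlen) ? -1 : 0;
}
```

The hardened command string never contains the file name, so a script invoked by it reads "$CLAM_VIRUSEVENT_FILENAME" as plain data regardless of what characters the attacker chose.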

The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering, and uses this configuration by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised.

Why Stealing A Car With Flipper Zero Is A Silly Idea

In another regular installment of politicians making ridiculous statements about technology, Canada’s Minister of Innovation, Science and Industry, [François-Philippe Champagne], suggested banning Flipper Zero and similar devices from sale in the country, while accusing them of being used for ‘stealing cars’ and similar. This didn’t sit right with [Peter Fairlie], who put together a comprehensive overview video of how car thieves really steal cars. Perhaps unsurprisingly, the main method is CAN bus injection, for which a Flipper Zero is actually a terribly clumsy device. Rather, you’d use a custom piece of kit that automates the process.

You can also find these devices being sold all over the internet as so-called ‘Emergency Start’ devices, all of which exploit weaknesses in the car’s CAN bus network. The common problem appears to be that, with even the lights on a modern car being part of the CAN network, an attacker has an easily reachable point at which to inject frames. This way no key fob is needed, and the ignition system can be triggered with the usual safeties and lockouts circumvented.

Ultimately, although the Flipper Zero is a rather cutesy toy, it doesn’t do anything that cannot be done cheaper and more effectively by anyone with a bit of CAN bus knowledge and a disregard for the law.

Thanks to [Stephen Walters] for the tip.

Apple Pushes Back On Right To Repair Bill Due To Parts Pairing

After previously supporting one in California, Apple has made an about-face and is now pushing back against a “Right to Repair” bill (Senate Bill 1596) currently under consideration in Oregon. The reason appears to be that this new bill would make parts pairing illegal, as reported by [404media] and [PCMag].

The practice of parts pairing, which links specific components of a system such as cameras, displays, batteries, and fingerprint sensors to the mainboard, is becoming ever more prevalent in Apple devices. During the open hearing on the newly proposed Oregonian bill, Apple’s [John Perry] insisted that this parts pairing is done for user security, safety and privacy.

Even if we take that claim at face value, the fact remains that with parts pairing in place, only authorized Apple repair centers can routinely replace components — while user repairs are limited to specific devices with limited part availability. Even in the latter case the user still has to contact Apple to have them reauthorize the replaced part. This is becoming an issue with Apple’s MacBooks as well, where the lid angle sensor requires calibration using a proprietary tool.

During the same hearing, the director of an Oregon nonprofit organization noted that of the 15,000 iPhones donated to them last year, only 300 could be refurbished due to parts pairing. The remainder of otherwise perfectly fine phones are discarded for recycling, which is terrible for everyone but Apple. Whether the parts pairing element survives into the bill’s final form remains to be seen, but if it passes it’d set the trend for future bills in other states as well as amendments to existing ones.

Thanks to [paulvdh] for the tip.

Sprint: The Mach 10 Magic Missile That Wasn’t Magic Enough

Defending an area against incoming missiles is a difficult task. Missiles are incredibly fast and present a small target. Assuming you know they’re coming, you have to be able to track them accurately if you’re to have any hope of stopping them. Then, you need some kind of wondrous missile of your own that’s fast enough and maneuverable enough to take them out.

It’s a task that at times can seem overwhelmingly impossible. And yet, the devastating consequences of a potential nuclear attack are so great that the US military had a red hot go anyway. In the 1970s, America’s best attempt to thwart incoming Soviet ICBMs led to the development of the Sprint ABM—a missile made up entirely of improbable numbers.

Understanding Deep Learning: Free MIT Press EBook For Instructors And Students

The recently published book Understanding Deep Learning by [Simon J. D. Prince] is notable not only for focusing primarily on the concepts behind Deep Learning — which should make it highly accessible to most — but also in that it can be either purchased as a hardcover from MIT Press or downloaded for free from the Understanding Deep Learning website. If you intend to use it for coursework, a separate instructor answer booklet and other resources can be purchased, but student resources like Python notebooks are also freely available. In the book’s preface, the author invites readers to send feedback whenever they find an issue.

Canada Bans Flipper Zero Over What It Imagines It Does

Canada’s intent to ban the Flipper Zero wireless tool over car thefts is, on the one hand, an everyday example of poorly researched government action. But it may also be a not-so-subtle peek into the harm misinformation online can cause by leading to said government action.

The Government of Canada recently hosted a national summit on combatting vehicle theft, and Minister of Innovation, Science and Industry François-Philippe Champagne proudly declared immediate actions being taken to ban devices used to steal vehicles by wirelessly bypassing keyless entry, the Flipper Zero being specifically named as one such device.

And yet, defeating a rolling code keyless entry system is a trick a device like the Flipper Zero simply cannot pull off. (What cars have such a system? Any car made in roughly the last thirty years, for a start.)

NIF’s Laser Fusion Experiment’s Energy Gain Passes Peer Review

Back in December of 2022, a team of researchers at the USA’s National Ignition Facility (NIF) announced that they had exceeded ‘scientific breakeven’ with their laser-based inertial confinement fusion (ICF) system. Their work has now been peer-reviewed and passed scrutiny, confirming that the energy put into fusing a small amount of deuterium-tritium fuel resulted in a net gain (Q) of 1.5.

Laser Bay 2, one of NIF's two laser bays.

The key take-away here of course remains that ICF is not a viable method of producing energy, as we detailed back in 2021 when we covered the 1.3 MJ yield announcement, and again in 2022 following the announcement that is the subject of this now-completed peer review. The sheer amount of energy required to produce the laser energy targeting the fuel capsule, and the losses therein, as well as the energy required to manufacture each of these fuel capsules (Hohlraum) and to sustain a repeating cycle, make it a highly impractical proposition for anything except weapons research.

Despite this, it’s good to see that the NIF’s ICF research is bearing fruit, even if for energy production we should look towards magnetic confinement fusion (MCF), which includes the many tokamaks active today like Japan’s JT-60SA, as well as stellarators like Germany’s Wendelstein 7-X and other efforts to make MCF a major clean-energy source for the future.