Security Hacks

1442 Articles

This Week In Security: License Plates, TP-Link, And Attacking Devs

December 27, 2024 by 19 Comments

We’re covering two weeks of news today, which is handy, because the week between Christmas and New Years is always a bit slow.

And up first is the inevitable problem with digital license plates. Unless very carefully designed to be bulletproof, they can be jailbroken, and the displayed number can be changed. And the Reviver plates were definitely not bulletproof, exposing a physical programming port on the back of the plate. While it’s not explicitly stated, we’re guessing that’s a JTAG port, given that the issue is considered unpatchable, and the port allows overwriting the firmware. That sort of attack can be hardened against with signed firmware, and using an MCU that enforces it.

This does invite comparisons to the James Bond revolving license plate — and that comparison does put the issue into context. It’s always been possible to swap license plates. If someone really wants to cause mischief, traditional plates can be stolen, or even faked. What a digital plate adds to the equation is the ability to switch plate numbers on the fly, without stopping or turning a screwdriver. Regardless, this seems like it will be an ongoing problem, as so many manufacturers struggle to create secure hardware.

Malicious RDP

There’s a clever attack, that uses Microsoft’s Remote Desktop Protocol (RDP), to give away way too much control over a desktop. That’s accomplished by sending the target a .rdp file that shares local resources like the clipboard, filesystem, and more. What’s new is that it seems this theoretical attack has now shown up in the wild.

The attack campaign has been attributed to APT29, CozyBear, a threat actor believed to be associated with Russia’s Foreign Intelligence Service. This attribution tracks with the victims of choice, like government, research, and Ukrainian targets in particular. To escape detection, the malicious RDP endpoints are set up behind RDP proxies, running on services like AWS. The proxies and endpoints are accessed through TOR and other anonymous proxies. The .rdp files were spread via spear-phishing emails sent through compromised mail servers. The big push, with about 200 targets, was triggered on October 22nd. Researchers at TrendMicro believe this was the end of a targeted campaign. The idea being that at the end of the campaign, it no longer matters if the infrastructure and methods get discovered, so aim for maximum impact.

Free* Mcdonalds?

Here we learn that while McDonald’s USA dosn’t have a bug bounty program, McDonald’s India does — and that’s why researcher [Eaton Zveare] looked there. And found a series of Broken Object Level Authorization (BOLA) bugs. That’s a new term to this column, but a concept we’ve talked about before. BOLA vulnerabilities happen when a service validates a user’s authentication token, but doesn’t properly check that the user is authorized to access the specific resources requested.

In the McDonald’s case, any user of the web app is issued a guest JWT token, and that token is then valid to access any Order ID in the system. That allows some interesting fun, like leaving reviews on other users’ orders, accessing delivery maps, and getting copies of receipts. But things got really interesting when creating an account, and then ordering food. A hidden, incomplete password login page allowed breaking the normal user verification flow, and creating an account. Then after food is added to the cart, the cart can be updated to have a total price of a single rupee, about the value of a penny.

This research earned [Eaton] a $240 Amazon gift card, which seems a little stingy, but the intent behind the gesture is appreciated. The fixes landed just over 2 months after reported, and while [Eaton] notes that this is slower than some companies, it’s significantly faster than some of the less responsive vendors that we’ve seen.

Banning TP-Link

The US Government has recently begun discussing a plan to ban TP-Link device purchases in the United States. The reported reason is that TP-Link devices have shipped with security problems. One notable example is a botnet that Microsoft has been tracking, that primarily consists of TP-Link devices.

This explanation rings rather hollow, particularly given the consistent security failings from multiple vendors that we’ve covered on this very column over the years. Where it begins to make more sense is when considered in light of the Chinese policy that all new vulnerabilities must first be reported to the Chinese government, and only then can fixes be rolled out. It suggests that the US Commerce Department suspects that TP-Link is still following this policy, even though it’s technically now a US company.

I’m no stranger to hacking TP-Link devices. Many years ago I wrote a simple attack to put the HTTPD daemon on TP-Link routers into debug mode, by setting the wifi network name. Because the name was used to build a command run with bash, it was possible to do command injection, build a script in the device’s /tmp space, and then execute that script. Getting to debug mode allowed upgrading to OpenWRT on the device. And that just happens to be my advice for anyone still using TP-Link hardware: install OpenWRT on it.

Developers Beware

We have two separate instances of malware campaigns directly targeting developers. The first is malicious VSCode extensions being uploaded to the marketplace. These fakes are really compelling, too, with lots of installs, reviews, and links back to the real pages. These packages seem to be droppers for malware payloads, and seem to be targeting cryptocurrency users.

If malware in your VSCode extensions isn’t bad enough, OtterCookie is a campaign believed to come from North Korea, spreading via fake job interviews. The interview asks a candidate to run a Node.js project, or install an npm package as part of prep. Those are malicious packages, and data stealers are deployed upon launch. Stay frosty, even on the job hunt.

Bits and Bytes

PHP has evolved over the years, but there are still a few quirks that might trip you up. One of the dangerous ones is tied up in $_SERVER['argv'], a quick way to test if PHP is being run from the command line, or on a server. Except, that relies on register_argc_argv set to off, otherwise query strings are enough to fool a naive application into thinking it’s running on the command line. And that’s exactly the footgun that caught Craft CMS with CVE-2024-56145.

Australia may know something we don’t, setting 2030 as the target for retiring cryptography primitives that aren’t quantum resistant. That’s RSA, Elliptic-curve, and even SHA-256. It’s a bit impractical to think that those algorithms will be completely phased out by then, but it’s an interesting development to watch.

Fuzzing is a deep subject, and the discovery of 29 new vulnerabilities found in GStreamer is evidence that there’s still plenty to discover. This wasn’t coverage-guided fuzzing, where the fuzzer mutates the fuzzing input to maximize. Instead, this work uses a custom corpus generator, where the generator is aware of how valid MP4 files are structured.

This Week In Security: Recall, BadRAM, And OpenWRT

December 13, 2024 by 6 Comments

Microsoft’s Recall feature is back. You may remember our coverage of the new AI feature back in June, but for the uninitiated, it was a creepy security trainwreck. The idea is that Windows will take screenshots of whatever is on the screen every few seconds, and use AI to index the screenshots for easier searching. The only real security win at the time was that Microsoft managed to do all the processing on the local machine, instead of uploading them to the cloud. All the images and index data was available unencrypted on the hard drive, and there weren’t any protections for sensitive data.

Things are admittedly better now, but not perfect. The recall screenshots and database is no longer trivially opened by any user on the machine, and Windows prompts the user to set up and authenticate with Windows Hello before using Recall. [Avram] from Tom’s Hardware did some interesting testing on the sensitive information filter, and found that it worked… sometimes.

So, with the public preview of Recall, is it still creepy? Yes. Is it still a security trainwreck? It appears that the security issues are much improved. Time will tell if a researcher discovers a way to decrypt the Recall data outside of the Recall app.

Patch Tuesday

Since we’re talking about Microsoft, this week was Patch Tuesday, and we had seventy-one separate vulnerabilities fixed, with one of those being a zero-day that was used in real-world attacks. CVE-2024-49138 doesn’t seem to have a lot of information published yet. We know it’s a Heap-based Buffer Overflow in the Common Log File driver, and allows an escalation of privilege to SYSTEM on Windows machines. Continue reading “This Week In Security: Recall, BadRAM, And OpenWRT”

This Week In Security: National Backdoors, Web3 Backdoors, And Nearest Neighbor WiFi

December 6, 2024 by 16 Comments

Maybe those backdoors weren’t such a great idea. Several US Telecom networks have been compromised by a foreign actor, likely China’s Salt Typhoon, and it looks like one of the vectors of compromise is the Communications Assistance for Law Enforcement Act (CALEA) systems that allow for automatic wiretapping at government request.

[Jeff Greene], a government official with the Cybersecurity and Infrastructure Security Agency (CISA), has advised that end-user encryption is the way to maintain safe communications. This moment should forever be the touchstone we call upon when discussing ideas like mandated encryption backdoors and even the entire idea of automated wiretapping systems like CALEA. He went on to make a rather startling statement:

I think it would be impossible for us to predict a time frame on when we’ll have full eviction

There are obviously lots of unanswered questions, but with statements like this from CISA, this seems to be an extremely serious compromise. CALEA has been extended to Internet data, and earlier reports suggest that attackers have access to Internet traffic as a result. This leaves the US telecom infrastructure in a precarious position where any given telephone call, text message, or data packet may be intercepted by an overseas attacker. And the FCC isn’t exactly inspiring us with confidence as to its “decisive steps” to fix things. Continue reading “This Week In Security: National Backdoors, Web3 Backdoors, And Nearest Neighbor WiFi”

This Week In Security: Footguns, Bing Worms, And Gogs

November 22, 2024 by 5 Comments

The world of security research is no stranger to the phenomenon of not-a-vulnerability. That’s where a security researcher finds something interesting, reports it to the project, and it turns out that it’s something other than a real security vulnerability. There are times that this just means a researcher got over-zealous on reporting, and didn’t really understand what was found. There is at least one other case, the footgun.

A footgun is a feature in a language, library, or tool that too easily leads to catastrophic mistake — shooting ones self in the foot. The main difference between a footgun and a vulnerability is that a footgun is intentional, and a vulnerability is not. That line is sometimes blurred, so an undocumented footgun could also be a vulnerability, and one possible solution is to properly document the quirk. But sometimes the footgun should really just be eliminated. And that’s what the article linked above is about. [Alex Leahu] takes a look at a handful of examples, which are not only educational, but also a good exercise in thinking through how to improve them.

Continue reading “This Week In Security: Footguns, Bing Worms, And Gogs”

This Week In Security: Hardware Attacks, IoT Security, And More

November 15, 2024 by 9 Comments

This week starts off with examinations of a couple hardware attacks that you might have considered impractical. Take a Ball Grid Array (BGA) NAND removal attack, for instance. The idea is that a NAND chip might contain useful information in the form of firmware or hard-coded secrets.

The question is whether a BGA desolder job puts this sort of approach out of the reach of most attackers. Now, this is Hackaday. We regularly cover how our readers do BGA solder jobs, so it should come as no surprise to us that less than two-hundred Euro worth of tools, and a little know-how and bravery, was all it took to extract this chip. Plop it onto a pogo-pin equipped reader, use some sketchy Windows software, and boom you’ve got firmware.

What exactly to do with that firmware access is a little less straightforward. If the firmware is unencrypted and there’s not a cryptographic signature, then you can just modify the firmware. Many devices include signature checking at boot, so that limits the attack to finding vulnerabilities and searching for embedded secrets. And then worst case, some platforms use entirely encrypted firmware. That means there’s another challenge, of either recovering the key, or finding a weakness in the encryption scheme. Continue reading “This Week In Security: Hardware Attacks, IoT Security, And More”

Nix + Automated Fuzz Testing Finds Bug In PDF Parser

November 9, 2024 by 4 Comments

[Michael Lynch]’s adventures in configuring Nix to automate fuzz testing is a lot of things all rolled into one. It’s not only a primer on fuzz testing (a method of finding bugs) but it’s also a how-to on automating the setup using Nix (which is a lot of things, including a kind of package manager) as well as useful info on effectively automating software processes.

[Michael] not only walks through how he got it all up and running in a simplified and usefully-portable way, but he actually found a buffer overflow in pdftotext in the process! (Turns out someone else had reported the same bug a few weeks before he found it, but it demonstrates everything regardless.)

[Michael] chose fuzz testing because using it to find security vulnerabilities is conceptually simple, actually doing it tends to require setting up a test environment with a complex workflow and a lot of dependencies. The result has a high degree of task specificity, and isn’t very portable or reusable. Nix allowed him to really simplify the process while also making it more adaptable. Be sure to check out part two, which goes into detail about how exactly one goes from discovering an input that crashes a program to tracking down (and patching) the reason it happened.

Making fuzz testing easier (and in a sense, cheaper) is something people have been interested in for a long time, even going so far as to see whether pressing a stack of single-board computers into service as dedicated fuzz testers made economic sense.

This Week In Security: Linux VMs, Real AI CVEs, And Backscatter TOR DoS

November 8, 2024 by 4 Comments

Steve Ballmer famously called Linux “viral”, with some not-entirely coherent complaints about the OS. In a hilarious instance of life imitating art, Windows machines are now getting attacked through malicious Linux VM images distributed through phishing emails.

This approach seems to be intended to fool any anti-malware software that may be running. The VM includes the chisel tool, described as “a fast TCP/UDP tunnel, transported over HTTP, secured via SSH”. Now that’s an interesting protocol stack. It’s an obvious advantage for an attacker to have a Linux VM right on a target network. As this sort of virtualization does require hardware virtualization, it might be worth disabling the virtualization extensions in BIOS if they aren’t needed on a particular machine.

AI Finds Real CVE

We’ve talked about some rather unfortunate use of AI, where aspiring security researchers asked an LLM to find vulnerabilities in a project like curl, and then completely wasted a maintainer’s time on those bogus reports. We happened to interview Daniel Stenberg on FLOSS Weekly this week, and after he recounted this story, we mused that there might be a real opportunity to use LLMs to find vulnerabilities, when used as a way to direct fuzzing, and when combined with a good test suite.

And now, we have Google Project Zero bringing news of their Big Sleep LLM project finding a real-world vulnerability in SQLite. This tool was previously called Project Naptime, and while it’s not strictly a fuzzer, it does share some similarities. The main one being that both tools take their educated guesses and run that data through the real program code, to positively verify that there is a problem. With this proof of concept demonstrated, it’s sure to be replicated. It seems inevitable that someone will next try to get an LLM to not only find the vulnerability, but also find an appropriate fix. Continue reading “This Week In Security: Linux VMs, Real AI CVEs, And Backscatter TOR DoS”