This Week In Security: Argentina, MysterySnail, And L0phtcrack

The government of Argentina has a national ID card system, and as a result maintains a database containing data on every citizen in the country. What could possibly go wrong? Predictably, an attacker has managed to gain access to the database, and is offering the entire dataset for sale. The Argentinian government has claimed that this wasn’t a mass breach, and only a handful of credentials were accessed. This seems to be incorrect, as the seller was able to provide the details of an arbitrary citizen to the journalists investigating the story.

Patch Tuesday

Microsoft has released their monthly round of patches for October, and there are a couple doozies. CVE-2021-40486 is an RCE in Microsoft Word, and this flaw can trigger via the preview pane. CVE-2021-38672 and CVE-2021-40461 are both RCE vulnerabilities in Hyper-V. And finally, CVE-2021-40449 is a privilege upgrade actively being used in the wild, more on that in a moment. Oh, and you thought the Print Nightmare was over? CVE-2021-36970 is yet another print spooler vulnerability. The unfortunate thing about the list of Microsoft vulnerabilities is that there is hardly any information available about them.

On the other hand, Apple just patched CVE-2021-30883, a 0-day that’s being actively exploited in iOS. With the release of the fix, [Saar Amar] has put together a very nice explanation of the bug with PoC. It’s a simple integer overflow when allocating a buffer, leading to an arbitrary memory write. This one is particularly nasty, because it’s not gated behind any permissions, and can be triggered from within app sandboxes. It’s being used in the wild already, so go update your iOS devices now.

MysterySnail

Snail” by Ilweranta, CC BY 2.0

Kaspersky brings us a report on a CVE-2021-40449 being used in the wild. It’s part of an attack they’re calling MysterySnail, and seems to originate from IronHusky out of China. The vulnerability is a use-after-free, and is triggered by making a the ResetDC API call that calls its own callback. This layer of recursive execution results in an object being freed before the outer execution has finished with it.

Since the object can now be re-allocated and controlled by the attacker code, the malformed object allows the attacker to run their code in kernel space, achieving privilege escalation. This campaign then does some data gathering and installs a Remote Access Trojan. Several Indicators of Compromise are listed as part of the write-up.

Off to the Races

Google’s Project Zero is back with a clever Linux Kernel hack, an escalation of privilege triggered by a race condition in the pseudoterminal device. Usually abbreviated PTY, this kernel device can be connected to userspace applications on both ends, making for some interesting interactions. Each end has a struct that reflects the status of the connection. The problem is that TIOCSPGRP, used to set the process group that should be associated with the terminal, doesn’t properly lock the terminal’s internal state.

As a result, calling this function on both sides at the same time is a race condition, where the reference count can be corrupted. Once the reference count is untrustworthy, the whole object can be freed, with a dangling pointer left in the kernel. From there, it’s a typical use-after-free bug. The post has some useful thoughts about hardening a system against this style of attack, and the bug was fixed December 2020.

AI vs Pseudorandom Numbers

[Mostafa Hassan] of the NCC Group is doing some particularly fascinating research, using machine learning to test pseudorandom number generators. In the first installment, he managed to break the very simple xorshift128 algorithm. Part two tackles the Mersenne Twister, which also falls to the neural network. Do note that neither of these are considered cryptographic number generators, so it isn’t too surprising that a ML model can determine their internal state. What will be most interesting is the post to come, when he tackles other algorithms thought to be secure. Watch for that one in a future article.

L0phtcrack Becomes Open Source

The l0pht crew, back thenIn a surprise to me, the L0phtcrack tool has been released as open source. L0phtcrack is the password cracking/auditing tool created by [Mudge] and company at L0pht Heavy Industries, about a billion years ago. Ownership passed to @stake, which was purchased by Symantec in 2004. Due to export regulations, Symantec stopped selling the program, and it was reacquired by the original L0pht team.

In April 2020, Terahash announced that they had purchased rights to the program, and began selling and supporting it as a part of their offerings. Terahash primarily builds GPU based cracking hardware, and has been hit exceptionally hard by the chip shortage. As a result of Terahash entering bankruptcy protection, the L0phtcrack ownership has reverted back to L0pht, and version 7.2.0 has been released as Open Source.

This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger

Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files. Continue reading “This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger”

Thingiverse Data Leaked — Check Your Passwords

Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not all accounts appear to be contained in the leak, which appears to relate to comments left on the site.

Aside from the seriousness of a leak in itself, the choice of encryption should raise a few eyebrows. Both SHA-1 and bcrypt can be considered broken or at best vulnerable to attack here in 2021, so much so that for any website to have avoided migration to a stronger algorithm indicates a very poor attention to website security on the part of Thingiverse. We’d like to think that it would serve as a salutary warning to other website operators in our field, to review and upgrade their encryption, but we suspect readers will agree that this won’t be the last time we report on such a leak and nervously check our own login details.

This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll

The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>

The Day The Internet Stood Still

You might have noticed a bit of a kerfluffel on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning nxdomain to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.
Continue reading “This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll”

Flipper Zero tool reading bank card, displaying data on LCD

What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

The Flipper Zero is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

Drawing of Flipper Zero and a variety of RFID tags
Popular 125 kHz protocols: EM-Marin, HID Prox II, and Indala

Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

For example, 125 kHz tags have an antenna made from many turns of very fine wire, with no visible space between the loops. High-frequency tags on the other hand will have antennas with fewer loops, and visible space between them. To tell them apart, a bright light is often enough to see the antenna structure through thin plastic.

Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

Like many others, we’re looking forward to it becoming available, sadly there is just no getting around component shortages that seem to be affecting everyone.

Flaw In AMD Platform Security Processor Affects Millions Of Computers

Another day, another vulnerability. This time, it’s AMD’s turn, with a broad swathe of its modern CPU lines falling victim to a dangerous driver vulnerability that could leave PCs open to all manner of attacks.

As reported by TechSpot, the flaw is in the driver for AMD Platform Security Processor (PSP), and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory. Today, we’ll take a look at what the role of the PSP is, and how this vulnerability can be used against affected machines.

Continue reading “Flaw In AMD Platform Security Processor Affects Millions Of Computers”

This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea

We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format, .dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, Libreoffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in dbfview, but that wasn’t enough.

Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.

Normally we’d wrap by telling you to go get the update, but OpenOffice doesn’t have a stable release with this fix in it. There is a release candidate that does contain the fix, but every stable install of OpenOffice in the world is currently vulnerable to this RCE. The vulnerability report was sent way back on May 4th, over 90 days before full disclosure. And what about LibreOffice, the fork of OpenOffice? Surely it is also vulnerable? Nope. LibreOffice fixed this in routine code maintenance back in 2014. The truth of the matter is that when the two projects forked, the programmers who really understood the codebase went to LibreOffice, and OpenOffice has had a severe programmer shortage ever since. I’ve said it before: Use LibreOffice, OpenOffice is known to be unsafe. Continue reading “This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea”