Security Hacks

1446 Articles

This Week In Security: Minecraft Fractureiser, MOVEit, And Triangulation

June 9, 2023 by 2 Comments

Modded Minecraft is having a security moment, to match what we’ve seen in the Python and JavaScript repositories over the last few months. It looks like things started when a handful of burner accounts uploaded malicious mods to Curseforge and Bukkit. Those mods looked interesting enough, that a developer for Luna Pixel Studios (LPS) downloaded one of them to test-run. After the test didn’t pan out, he removed the mod, but the malicious code had already run.

Where this gets ugly is in how much damage that one infection caused. The virus, now named fractureiser, installs itself into every other Minecraft-related .jar on the compromised system. It also grabs credentials, cookies, cryptocurrency addresses, and the clipboard contents. Once that information was exfiltrated from the LPS developer, the attacker seems to have taken manual actions, using the purloined permissions to upload similarly infected mod files, and then marking them archived. This managed to hide the trapped files from view on the web interface, while still leaving them exposed when grabbed by the API. Once the malware hit a popular developer, it began to really take off.

It looks like the first of the malicious .jar files actually goes all the way back to mid-April, so it may take a while to discover all the places this malware has spread. It was first noticed on June 1, and investigation was started, but the story didn’t become public until the 7th. Things have developed rapidly, and the malware fingerprints has been added to Windows Defender among other scanners. This helps tremendously, but the safe move is to avoid downloading anything Minecraft related for a couple days, while the whole toolchain is inspected. If it’s too late and you’ve recently scratched that voxel itch, it might be worth it to take a quick look for Indicators of Compromise (IoCs).

Continue reading “This Week In Security: Minecraft Fractureiser, MOVEit, And Triangulation”

This Week In Security: Barracuda, Zyxel, And The Backdoor

June 2, 2023 by 12 Comments

Barracuda’s Email Security Gateway (ESG) has had a vulnerability in it for years. Tracked as CVE-2023-2868, this one was introduced back in version 5.1.3.001, and only got patched during the 9.2 development cycle. Specific build information on patched firmware has not been made available, but a firmware build containing the patch was deployed on May 20.

The flaw was a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and the file names could trigger the qx operator in a Perl script. It’s a nasty one, ranking a 9.4 on the CVSS scale. But the really bad news is that Barracuda found the vulnerability in the wild, and they have found evidence of exploitation as far back as October 2022.

There have been three malware modules identified on the compromised appliances. SALTWATER is a backdoor trojan, with the ability to transfer files, execute commands, and host network tunnels. SEASPY is a stealthier module, that looks like a legitimate service, and uses PCAP to monitor traffic and receive commands. And SEASIDE is a Lua module for the Barracuda SMTP monitor, and it exists to host a reverse shell on command. Indicators of Compromise (IOCs) have been published, and Barracuda recommends the unplug-and-remove approach to cleaning up an infection. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of problems that could be leveraged together to lead to a complete device takeover. The most serious problem is a hard coded credential, that allows authentication bypass for the web-API. Then the second issue is a command-line escape, where an attacker with access to the device’s Command Line Interface (CLI) can break out and run arbitrary commands. Continue reading “This Week In Security: Barracuda, Zyxel, And The Backdoor”

This Week In Security: Gitlab, KeyPassMini, And Horse

May 26, 2023 by 6 Comments

There’s a really nasty CVSS 10.0 severity vulnerability in Gitlab 16.0.0. The good news is that this is the only vulnerable version, and the fix came a mere two days after the vulnerable release. If you happened to be very quick to go to 16.0.0, then be very quick to get the fix, because CVE-2023-2825 looks like a bad one.

An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

That’s a very specific set of requirements for vulnerability, so it seems like hardly any installs would be vulnerable. The rest of the story is that regular users can create groups, and many installs allow for open user registration. So if you’re running Gitlab 16.0.0, update now!

KeyPassMini

A Redditor got a surprising notice that someone attempted to access a bank account, but failed two-factor authentication. That seemed odd, and led the Redditor down the rabbithole of auditing applications. And one iOS app in particular stood out as maybe problematic — KeyPassMini.

The app was a mobile client for KeyPass, the password manager. The problem was some analytics. It looks like KeyPassMini was bundling up some system information and uploading it to a server controlled by the creator. Analytics are often unpopular, but this app was including the system clipboard contents in the uploaded data. Yikes! And it gets worse: The app does password fills by using that same clipboard, so some of the protected passwords may have been scooped up into that analytics data. And sent unencrypted. Oof.

Now, the app author has pulled the plug on the app altogether, and responded on the old Github project page. It’s a bit odd, but it’s perfectly believable that there were no ill intentions here. Regardless, code to send the clipboard is a big problem, and definitely undoes a lot of trust in a project.

And KeyPass itself has a problem, though much less worrying. KeyPass attempts to keep sensitive data out of its own memory when possible. This approach aims to protect even in the event of a compromised machine. [vdohney] on Sourceforge discovered that there is a channel to recover the master password, by being just a bit clever. When a user types in the master password, by default, KeyPass will show the last letter typed, and replace the previous letters with bullets. But each iteration of that string ends up in program memory, so a privileged attacker can get a memory dump, look for the bullet characters, and find a set of leftover strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It’s an easy password grab. Now remember, this essentially implies an attacker has memory access on your system, so it’s not a gaping weakness in KeyPass.

As you can see from the POC on GitHub, the problem is that a .NET text box keeps the strings in memory, so it probably hits both Windows and Linux users under Mono. The proposed solution that the KeyPass team is taking is to poison the well with enough random characters that retrieving the correct password is a lot harder. It’s still getting fixed in the next release.

Horse Shell for MIPS Routers

Checkpoint Research brings us news of the Horse Shell, a bit of malware specifically for MIPS architecture routers running Linux. It’s been found in TP-Link firmware images so far, but as so many of those routers are essentially based on the same Linux SDK, the malware appears to be applicable to many models. The exact firmware images being examined were found in a collection of tools used by Camaro Dragon, a rather catchy name for a Chinese APT group.

The firmware images have some of the normal bits you would expect, like data collection, remote shell, and remote proxy support. They have some really sneaky tricks, too, like storing part of the data on the partition reserved for WiFi calibration data. One has to wonder if hijacking that partition negatively affects the router’s wireless performance. In the firmware images examined, the quickest tell is to go to the firmware upgrade page. If it’s blank, without a form to upload new firmware, you may have the malicious image.

WordPress

WordPress 6.2.1 has a security fix, that is then improved upon in 6.2.2, where block themes could parse user-generated shortcodes. A shortcode is tags inside [brackets], that gets replaced by more complicated data. We use a code shortcode all the time here on Hackaday, to try to get source code to render nicely, angle brackets and all.

It turns out, the fix in 6.2.1 went a little overboard, breaking quite a few sites by disabling shortcodes in block themes altogether. The situation in 6.2.2 is a bit better, with most of the problems being dealt with. Sometimes it’s hard to tell the bugs and the features apart.

And a WordPress plugin, Beautiful Cookie Consent Banner, is under active attack for a Cross-Site Scripting vulnerability. The attack is odd, as WordPress.org shows just 40,000 active installs, and almost 1.5 million sites have been sent the malicious payload to try to exploit the plugin. And the kicker? It looks like the payload on this attack is a dud, and fails to actually infect a vulnerable site. It can still goober a vulnerable site, so make sure to check your plugins.

Bits and Bytes

Speaking of plugins, be careful what VScode plugins you use. They’re not all friendly. Microsoft has been working to keep malicious plugins off the official marketplace, but that arms race never seems to have an end. And as such, there were a couple known malicious plugins with nearly 50,000 installs.

For some in-depth fun, check out this PDF paper on Android Fingerprint Reader attacks. It seems simple, right? Take a screenshot of a finger, compare it to a known data set, and lock the phone if the test fails too many times. It is, of course, not quite that simple. Researchers formulated two loopholes, Cancel-After-Match-Fail and Match-After-Lock, both of which abuse user-friendly features to manage way more attempts at a fingerprint read. Read the paper for the juicy details.

And finally, Troy Hunt had some fun at the expense of a scammer. Troy’s wife was selling a fridge on Gumtree, and they decided to play along with a suspicious “buyer”. Turns out, it’s the old agent fee scam. I’ll give you the money you asked for, plus $800 to cover the fee. Can you forward that extra money on? But of course, the Paypal confirmation message was faked, and there was no money paid. Troy managed to get an impressive bit of information, including that the scam is actually being run out of, you guessed it, Nigeria. Shipping would be a pain. ><

Watch A Web Page Fetch Itself Over TLS, Complete With Commentary

May 21, 2023 by 12 Comments

TLS, byte by byte performs an unusual and interesting function: it fetches itself over HTTPS, and provides a complete annotation of what’s going on in the process, one byte at a time. Visit the site and give the button a click to watch it happen, it’s neat!

Transport Layer Security (TLS) is what’s responsible for encrypting traffic over the internet, and it’s normally implemented on top of TCP to encrypt an application-layer protocol like HTTP (resulting in HTTPS and the little padlock icon in browsers indicating a connection with a web site is encrypted.) Back in the day, traffic over the internet was commonly unencrypted, but nowadays no communication or hardware is too humble for encryption and methods are easily accessible.

So for what purpose would someone actually need or use such an implementation of TLS? Well, probably no one actually needs it. But it is a userspace TLS implementation in javascript that may fit a niche for someone, and it certainly provides beautifully-indented and annotated binary data in the process. Sound up your alley? The GitHub repository for the project has all the details, so give it a look.

Get That Dream Job, With A Bit Of Text Injection

May 20, 2023 by 28 Comments

Getting a job has always been a tedious and annoying process, as for all the care that has been put into a CV or resume, it can be still headed for the round file at the whim of some corporate apparatchik. At various times there have also been dubious psychometric tests and other horrors to contend with, and now we have the specter of AI before us. We can be tossed aside simply because some AI model has rejected our CV, no human involved. If this has made you angry, perhaps it’s time to look at [Kai Greshake]’s work. He’s fighting back, by injecting a PDF CV with extra text to fool the AI into seeing the perfect candidate, and even fooling AI-based summarizers.

Text injection into a PDF is a technique the same as used by the less salubrious end of the search engine marketing world, of placing text in a web page such that a human can’t read it but a machine can. The search engine marketeers put them in tiny white text or offset them far out of the viewport, and it seems the same is possible in a PDF. He’s put the injection in white and a tiny font, and interestingly, overlaid it several times.

Using the ChatGPT instance available in the Bing sidebar he’s then able to fool it into an affirmative replay to questions about whether he should be hired. But it’s not just ChatGPT he’s targeting, another use of AI in recruitment is via summarizing tools. By injecting a lot of text with phrases normally used in conclusion of a document, he’s able to make Quillbot talk about puppies. Fancy a go yourself? He’s put a summarizer online, in the link above.

So maybe the all-seeing AI isn’t as clever as we’ve been led to believe. Who’d have thought it!

This Week In Security: .zip Domains, Zip Scanning

May 19, 2023 by 17 Comments

The world may not be ready, but the .zip Top Level Domain (TLD) is here. It’s a part of the generic TLD category, which was expanded to allow applications for custom TLDs. Google has led the charge, applying for 101 such new TLDs, with .zip being one of the interesting ones. Public registration for .zip domains has been open for a couple weeks, and some interesting domains have been registered, like update.zip, installer.zip, and officeupdate.zip.

The obvious question to ask is whether this new TLD can be abused for scamming and phishing purposes. And the answer is yes, sure it can. One of the trickiest ways is to use the AT symbol @ in a URL, which denotes user info at the beginning of the URL. It usually is used to include a username and password, like http://username:password@192.168.1.1/. That is pretty obvious, but what about https://google.com@bing.com? Still looks weird. The catch that really prevents this technique being abused is that slashes are disallowed in user data, so a abusive URL like https://google.com∕gmail∕inbox@bing.com is right out.

Except, take a look at that last link. Looks like it has slashes in it, so it should take you to google, and ignore the AT symbol. But it doesn’t, it goes to Bing. You may have guessed, it’s Unicode shenanigans again. Those aren’t slashes, they’re U2215, the division slash. And that means that a .zip TLD could be really sneaky, if the apparent domain is one you trust. Continue reading “This Week In Security: .zip Domains, Zip Scanning”

Two Factor Authentication Apps: Mistakes To Malware

May 17, 2023 by 58 Comments

Everyone in security will tell you need two-factor authentication (2FA), and we agree. End of article? Nope. The devil, as always with security, is in the details. Case in point: in the last few weeks, none less than Google messed up with their Google Authenticator app. The security community screamed out loud, and while it’s not over yet, it looks like Google is on the way to fixing the issue.

Since 2FA has become a part of all of our lives – or at least it should – let’s take a quick dip into how it works, the many challenges of implementing 2FA correctly, what happened with Google Authenticator, and what options you’ve got to keep yourself safe online.

Continue reading “Two Factor Authentication Apps: Mistakes To Malware”