Security Hacks

1437 Articles

BBQ lighter fault injector

Blast Chips With This BBQ Lighter Fault Injection Tool

January 29, 2022 by 16 Comments

Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.

If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as electromagnetic fault injection (EMFI), or simply fault injection, is a technique that uses a pulse of electromagnetic energy to induce a fault in a running microcontroller or microprocessor. If the pulse occurs at just the right time, it may force the processor to skip an instruction, leaving the system in a potentially exploitable state.

EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.

To be sure, a tool as simple as this won’t do the trick in every situation, but it’s a cheap way to start exploring the potential of fault injection.

Thanks to [Jonas] for the tip.

Long Range Burglar Alarm Relies On LoRa Modules

January 28, 2022 by 15 Comments

[Elite Worm] had a problem; there had been two minor burglaries from a storage unit. The unit had thick concrete walls, cellular signal was poor down there, and permanent wiring wasn’t possible. He thus set about working on a burglar alarm that would fit his unique requirements.

An ESP32 is the heart of the operation, paired with a long-range LoRa radio module running at 868 MHz. This lower frequency has much better penetration when it comes to thick walls compared to higher-frequency technologies like 4G, 5G or WiFi. With a little coil antenna sticking out the top of the 3D-printed enclosure, the device was readily able to communicate back to [Elite Worm] when the storage unit was accessed illegitimately.

With an eye to security, the device doesn’t just warn of door open events. If signal is lost from the remote transmitter in the storage unit, perhaps due to an advanced adversary cutting the power, the alarm will also be raised. There’s still some work to be done on the transmitter side, though, as [Elite Worm] needs to make sure the door sensor is reliable under all conditions.

Many put their hardware skills to work in service of security, and we regularly see proprietary alarm systems modified by enterprising hackers. Video after the break.

Continue reading “Long Range Burglar Alarm Relies On LoRa Modules”

This Week In Security: Geopolitical Hacktivism, Antivirus Mining, And Linux Malware

January 28, 2022 by 15 Comments

The CIA Hacktivists have launched a sort of ransomware campaign against the Belarusian rail system, but instead of cryptocurrency, they want the release of political prisoners and removal of Russian soldiers. This could be called an example of cyber-terrorism, though there is a reasonable theory that this is a state-sponsored hack, masquerading as hacktivism. What does seem certain is that something has interrupted rail transit, and a group on Twitter has produced convincing proof of a breach.

Your Antivirus Now Includes a CryptoMiner

Don’t look now, but your latest update of Norton 360 or Avira may have installed a cryptocurrency mining module. The silver lining is that some sanity has been retained, and you have to opt-in to the crypto scheme before your machine starts spending its spare cycles on mining. For users who do, they’re put into a mining pool, making for small payouts for most hardware. Norton, naturally, takes a 15% fee off the top for their trouble.

The State of Linux Malware

There used to be an adage that Linux machines don’t get malware. That’s never really been quite true, but the continued conquest of the server landscape has had the side effect of making Linux malware an even greater danger. Crowdstrike has seen a 35% increase in Linux malware in 2021, with three distinct categories leading the charge: XorDDoS, Mozi, and Mirai. Continue reading “This Week In Security: Geopolitical Hacktivism, Antivirus Mining, And Linux Malware”

Major Bug Grants Root For All Major Linux Distributions

January 26, 2022 by 66 Comments

One of the major reasons behind choosing Linux as an operating system is that it’s much more secure than Windows. There are plenty of reasons for this including appropriate user permissions, installing software from trusted sources and, of course, the fact that most software for Linux including the Linux kernel itself is open source which allows anyone to review the code for vulnerabilities. This doesn’t mean that Linux is perfectly secure though, as researchers recently found a major bug found in most major Linux distributions that allows anyone to run code as the root user.

The exploit is a memory corruption vulnerability in Polkit, a framework that handles the privilege level of various system processes. It specifically impacts the program pkexec. With the proof-of-concept exploit (file download warning) in hand, all an attacker needs to do to escalate themselves to root is to compile the program on the computer and run it as the default user. An example is shown by [Jim MacDonald] on Twitter for those not willing to try this on their own machines.

As bad as this sounds, it seems as though all of the major distributions that this impacts have already released updates that patch the issue, including Debian, Ubuntu, Red Hat, Fedora, open SUSE, and Arch. There is also a temporary workaround that removes read/write permission from the pkexec program so it can’t run at all. That being said, it might be best to check that your Linux systems are all up-to-date and that no strangers have been typing random commands into the terminal recently.

An artistic representation of a red Moon, hovering over the Earth

Is That The Moon Worming Its Way Into Your BIOS?

January 23, 2022 by 52 Comments

When facing a malware situation, the usual “guaranteed solution” is to reinstall your OS. The new developments in malware world will also require you to have a CH341 programmer handy. In an arguably inevitable development, [Kaspersky Labs] researchers have found an active piece of malware, out in the wild, that would persist itself by writing its bootstrap code into the BIOS chip. It doesn’t matter if you shred the HDD and replace it with a new one. In fact, so-called MoonBounce never really touches the disk at all, being careful to only store itself in RAM, oh, and the SPI flash that stores the BIOS code, of course.

MoonBounce is Microsoft-tailored, and able to hook into a chain of components starting from the UEFI’s DXE environment, through the Windows Loader, and finishing as a part of svchost.exe, a process we all know and love.

This approach doesn’t seem to be widespread – yet, but it’s not inconceivable that we’ll eventually encounter a ransomware strain using this to, ahem, earn a bit of extra cash on the side. What will happen then – BIOS reflashing service trucks by our curbsides? After all, your motherboard built-in BIOS flasher UI is built into the same BIOS image that gets compromised, and at best, could be disabled effortlessly – at worst, subverted and used for further sneaky persistence, fooling repairpeople into comfort, only to be presented with one more Monero address a week later.

Will our hardware hacker skills suddenly go up in demand, with all the test clip fiddling and SOIC-8 desoldering being second nature to a good portion of us? Should we stock up on CH341 dongles? So many questions!

This week’s installment of “threat vectors that might soon become prevalent” is fun to speculate about! Want to read about other vectors we might not be paying enough attention to? Can’t go wrong with supply-chain attacks on our repositories! As for other auxiliary storage-based persistence methods – check out this HDD firmware-embedded proof-of-concept rootkit. Of course, we might not always need the newfangled ways to do things, the old ways still work pretty often – you might only need to disguise your malicious hardware as a cool laptop accessory to trick an average journalist, even in a hostile environment.

Continue reading “Is That The Moon Worming Its Way Into Your BIOS?”

A Zhengbang Pick&Place machine, with a Virustotal 53/69 result and "53 security vendors and 1 sandbox flagged this file as mailcious" crudely overlaid on top of the image

Zhengbang Pick & Places Your Confidential Data In The Bag, Slowly

January 22, 2022 by 30 Comments

Isn’t it convenient when your pick-and-place machine arrives with a fully-set-up computer inside of it? Plug in a keyboard, mouse and a monitor, and you have a production line ready to go. Turns out, you can have third parties partake in your convenience by sharing your private information with them – as long as you plug in an Ethernet cable! [Richard] from [RM Cybernetics] has purchased a ZhengBang ZB3245TSS machine, and in the process of setting it up, dutifully backed up its software onto a USB stick – as we all ought to.

This bit of extra care, often missed by fellow hackers, triggered an antivirus scanner alert, and subsequently netted some interesting results on VirusTotal – with 53/69 result for a particular file. That wasn’t conclusive enough – they’ve sent the suspicious file for an analysis, and the test came back positive. After static and dynamic analysis done by a third party, the malware was confirmed to collect metadata accessible to the machine and send it all to a third-party server. Having contacted ZhengBang about this mishap, they received a letter with assurances that the files were harmless, and a .zip attachment with replacement “clean” files which didn’t fail the antivirus checks.

It didn’t end here! After installing the “clean” files, they also ran a few anti-malware tools, and all seemed fine. Then, they plugged the flash drive into another computer again… to encounter even more alerts than before. The malware was equipped with a mechanism to grace every accessible .exe with a copy of itself on sight, infecting even .exe‘s of the anti-malware tools they put on that USB drive. The article implies that the malware could’ve been placed on the machines to collect your company’s proprietary design information – we haven’t found a whole lot of data to support that assertion, however; as much as it is a plausible intention, it could have been a case of an unrelated virus spread in the factory. Surprisingly, all of these discoveries don’t count as violations of Aliexpress Terms and Conditions – so if you’d like to distribute a bunch of IoT malware on, say, wireless routers you bought in bulk, now you know of a platform that will help you!

This goes in our bin of Pretty Bad News for makers and small companies. If you happen to have a ZhengBang pick-and-place machine with a built-in computer, we recommend that you familiarize yourself with the article and do an investigation. The article also goes into details on how to reinstall Windows while keeping all the drivers and software libraries working, but we highly recommend you worry about the impact of this machine’s infection spread mechanisms, first.

Supply chain attacks, eh? We’ve seen plenty of these lately, what’s with communities and software repositories being targeted every now and then. Malware embedded into devices from the factory isn’t a stranger to us, either – at least, this time we have way more information than we did when Supermicro was under fire.

Editor’s Note: As pointed out by our commenters, there’s currently not enough evidence to assert that Zhengbang’s intentions were malicious. The article has been edited to reflect the situation more accurately, and will be updated if more information becomes available.

Editor’s Note Again: A rep from Zhengbang showed up in the comments and claims that this was indeed a virus that they picked up and unintentionally passed on to the end clients.

This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back

January 21, 2022 by 2 Comments

Let’s imagine a worst case situation for home routers. It would have to start with a port unintentionally opened to the internet, ideally in a popular brand, like Netgear. For fun, let’s say it’s actually a third-party kernel module, that is in multiple router brands. This module would then need a trivial vulnerability, say an integer overflow on the buffer size for incoming packets. This flaw would mean that the incoming data would write past the end of the buffer, overwriting whatever kernel data is there. So far, this exactly describes the NetUSB flaw, CVE-2021-45608.

Because red teams don’t get their every wish, there is a catch. While the overflow is exceptionally easy to pull off, there isn’t much wiggle room on where the data gets written. There’s no remote code execution Proof of Concept (PoC) yet, and [Max Van Amerongen], who discovered the flaw, says it would be difficult but probably not impossible to pull off. All of this said, it’s a good idea to check your router for open ports, particularly non-standard port numbers. If you have a USB port on your router, check for updates.

Windows HTTP.sys Problem

A serious problem has been announced in Windows Server 2019 and Windows 10, with some versions vulnerable in their default configurations. The problem is in how Windows handles HTTP Trailer packets, which contain extra information at the end of normal HTTP transfers. There is a PoC available that demonstrates a crash. It appears that an additional information leak vulnerability would have to be combined with this one to produce a true exploit. This seems to be a different take on CVE-2021-31166, essentially exploiting the same weakness, and working around the incomplete fix. This issue was fixed in the January patch set for Windows, so make sure you’re covered. Continue reading “This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back”