Security Hacks

1528 Articles

This Week In Security: Updraft, Termux, And Magento

February 25, 2022 by 7 Comments

One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, that contain a potentially important fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged-in WordPress user. This bug was found by the guys at Jetpack, who have a nice write-up on it. It’s a combination of instances of a common problem — endpoints that lacked proper authentication. The heartbeat function allows any user to access it, and it returns the latest backup nonce.

A cryptographic nonce is a value that’s not exactly a cryptographic secret, but is only used once. In some cases, this is to mitigate replay attacks, or is used as an initialization vector. In the case of UpdraftPlus, the nonce works as a unique identifiers for individual backups. The data leak can be combined with another weak validation in the maybe_download_backup_from_email() function, to allow downloading of a backup. As WordPress backups will contain sensitive information, this is quite the problem. There are no known in-the-wild instances of this attack being used, but as always, update now to stay ahead of the game.

Continue reading “This Week In Security: Updraft, Termux, And Magento”

Pixelating Text Not A Good Idea

February 23, 2022 by 63 Comments

People have gotten much savvier about computer security in the last decade or so. Most people know that sending a document with sensitive information in it is a no-no, so many people try to redact documents with varying levels of success. A common strategy is to replace text with a black box, but you sometimes see sophisticated users pixelate part of an image or document they want to keep private. If you do this for text, be careful. It is possible to unredact pixelated images through software.

It appears that the algorithm is pretty straightforward. It simply guesses letters, pixelates them, and matches the result. You do have to estimate the size of the pixelation, but that’s usually not very hard to do. The code is built using TypeScript and while the process does require a little manual preparation, there’s nothing that seems very difficult or that couldn’t be automated if you were sufficiently motivated.

Continue reading “Pixelating Text Not A Good Idea”

No Privacy: Cloning The AirTag

February 22, 2022 by 55 Comments

You’ve probably heard of the infamous rule 34, but we’d like to propose a new rule — call it rule 35: Anything that can be used for nefarious purposes will be, even if you can’t think of how at the moment. Case in point: apparently there has been an uptick in people using AirTags to do bad things. People have used them to stalk people or to tag cars so they can be found later and stolen. According to [Fabian Bräunlein], Apple’s responses to this don’t consider cases where clones or modified AirTags are in play. To prove the point, he built a clone that bypasses the current protection features and used it to track a willing experimental subject for 5 days with no notifications.

According to the post, Apple says that AirTags have serial numbers and beep when they have not been around their host Apple device for a certain period. [Fabian] points out that clone tags don’t have serial numbers and may also not have speakers. There is apparently a thriving market, too, for genuine tags that have been modified to remove their speakers. [Fabian’s] clone uses an ESP32 with no speaker and no serial number.

The other protection, according to Apple, is that if they note an AirTag moving with you over some period of time without the owner, you get a notification. In other words, if your iPhone sees your own tag repeatedly, that’s fine. It also doesn’t mind seeing someone else’s tags if they are near you. But if your phone sees a tag many times and the owner isn’t around, you get a notification. That way, you can help identify random tags, but you’ll know if someone is trying to track you. [Fabian] gets around that by cycling between 2,000 pre-loaded public keys so that the tracked person’s device doesn’t realize that it is seeing the same tag over and over. Even Apple’s Android app that scans for trackers is vulnerable to this strategy.

Even for folks who aren’t particularly privacy minded, it’s pretty clear a worldwide network of mass-market devices that allow almost anyone to be tracked is a problem. But what’s the solution? Even the better strategies employed by AirGuard won’t catch everything, as [Fabian] explains.

This isn’t the first time we’ve had a look at privacy concerns around AirTags. Of course, it is always possible to build a tracker. But it is hard to get the worldwide network of Bluetooth listeners that Apple has.

How A Pentester Gets Root

February 20, 2022 by 9 Comments

Have you ever wanted to be a fly on the wall, watching a penetration tester attack a new machine — working their way through the layers of security, ultimately leveraging what they learned into a login?  What tools are used, what do they reveal, and how is the information applied? Well good news, because [Phani] has documented a step-by-step of every action taken to eventually obtain root access on a machine — amusingly named DevOops — which was set up specifically for testing.

[Phani] explains every command used (even the dead-end ones that reveal nothing useful in this particular case) and discusses the results in a way that is clear and concise. He starts from a basic port scan, eventually ending up with root privileges. On display is an overall process of obtaining general information.  From there, [Phani] methodically moves towards more and more specific elements. It’s a fantastic demonstration of privilege escalation in action, and an easy read as well.

For some, this will give a bit of added insight into what goes on behind the scenes in some of the stuff covered by our regular feature, This Week in Security.

This Week In Security: Chrome 0-day,Cassandra, And A Cisco PoC

February 18, 2022 by 7 Comments

Running Chrome or a Chromium-based browser? Check for version 98.0.4758.102, and update if you’re not running that release or better. Quick tip, use chrome://restart to trigger an immediate restart of Chrome, just like the one that comes after an update. This is super useful especially after installing an update on Linux, using apt, dnf, or the like.

CVE-2022-0609 is the big vulnerability just patched, and Google has acknowledged that it’s being exploited in the wild. It’s a use-after-free bug, meaning that the application marks a section of memory as returned to the OS, but then accesses that now-invalid memory address. The time gap between freeing and erroneously re-using the memory allows malicious code to claim that memory as its own, and write something unexpected.

Google has learned their lesson about making too many details public too early, and this CVE and associated bug aren’t easily found in in the Chromium project’s source, and there doesn’t seem to be an exploit published in the Chromium code testing suite. Continue reading “This Week In Security: Chrome 0-day,Cassandra, And A Cisco PoC”

This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE

February 4, 2022 by 6 Comments

Samba has a very serious vulnerability, CVE-2021-44142, that was just patched in new releases 4.13.17, 4.14.12, and 4.15.5. Discovered by researchers at TrendMicro, this unauthenticated RCE bug weighs in at a CVSS 9.9. The saving grace is that it requires the fruit VFS module to be enabled, which is used to support MacOS client and server interop. If enabled, the default settings are vulnerable. Attacks haven’t been seen in the wild yet, but go ahead and get updated, as PoC code will likely drop soon.

Crypto Down the Wormhole

One notable selling point to cryptocurrencies and Web3 are smart contracts, little computer programs running directly on the blockchain that can move funds around very quickly, without intervention. It’s quickly becoming apparent that the glaring disadvantage is these are computer programs that can move money around very quickly, without intervention. This week there was another example of smart contracts at work, when an attacker stole $326 million worth of Ethereum via the Wormhole bridge. A cryptocurrency bridge is a service that exists as linked smart contracts on two different blockchains. These contracts let you put a currency in on one side, and take it out on the other, effectively transferring currency to a different blockchain. Helping us make sense of what went wrong is [Kelvin Fichter], also known appropriately as [smartcontracts].

When the bridge makes a transfer, tokens are deposited in the smart contract on one blockchain, and a transfer message is produced. This message is like a digital checking account check, which you take to the other side of the bridge to cash. The other end of the bridge verifies the signature on the “check”, and if everything matches, your funds show up. The problem is that one one side of the bridge, the verification routine could be replaced by a dummy routine, by the end user, and the code didn’t catch it.

It’s a hot check scam. The attacker created a spoofed transfer message, provided a bogus verification routine, and the bridge accepted it as genuine. The majority of the money was transferred back across the bridge, where other user’s valid tokens were being held, and the attacker walked away with 90,000 of those ETH tokens. Continue reading “This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE”

Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)

February 3, 2022 by 5 Comments

One of the many fascinating fields that’s covered by Hackaday’s remit lies in the world of hardware security, working with physical electronic hardware to reveal inner secrets concealed in its firmware. Colin O’Flynn is the originator of the ChipWhisperer open-source analysis and fault injection board, and he is a master of the art of glitching chips. We were lucky enough to be able to welcome him to speak at last year’s Remoticon on-line conference, and now you can watch the video of his talk below the break. If you need to learn how to break RSA encryption with something like a disposable camera flash, this is the talk for you.

This talk is an introduction to signal sniffing and fault injection techniques. It’s well-presented and not presented as some unattainable wizardry, and as his power analysis demo shows a clearly different trace on the correct first letter of a password attack the viewer is left with an understanding of what’s going on rather than hoping for inspiration in a stream of the incomprehensible. The learning potential of being in full control of both instrument and target is evident, and continues as the talk moves onto fault injection with an introduction to power supply glitching as a technique to influence code execution.

Schematic of an EM injector built from a camera flash.
Schematic of an EM injector built from a camera flash.

Continue reading “Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)”