This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE

Samba has a very serious vulnerability, CVE-2021-44142, that was just patched in new releases 4.13.17, 4.14.12, and 4.15.5. Discovered by researchers at TrendMicro, this unauthenticated RCE bug weighs in at a CVSS 9.9. The saving grace is that it requires the fruit VFS module to be enabled, which is used to support MacOS client and server interop. If enabled, the default settings are vulnerable. Attacks haven’t been seen in the wild yet, but go ahead and get updated, as PoC code will likely drop soon.
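To check a server against the two conditions above (a release older than the fixed ones, and the fruit module loaded), here is an added example; it is not code from Samba or TrendMicro. The function names and the sample configuration are constructed for illustration, and treating branches older than 4.13 as unpatched is an assumption.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(4, 13): 17, (4, 14): 12, (4, 15): 5}

def is_patched(version):
    """True if a Samba version string such as '4.14.9' includes the fix."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches after 4.15 carry the fix, branches before 4.13 do not.
    return (major, minor) > max(FIXED)

def sections_using_fruit(conf_text):
    """Return smb.conf sections whose effective 'vfs objects' list loads fruit."""
    text = re.sub(r"\\\r?\n", " ", conf_text)      # join backslash continuations
    section, vfs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            vfs.setdefault(section, None)          # None = inherits from [global]
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names.
            if re.sub(r"\s+", "", key).lower() in ("vfsobjects", "vfsobject"):
                # Entries may be written module:instance; keep the module name.
                vfs[section] = [m.split(":")[0] for m in re.split(r"[,\s]+", value.strip()) if m]
    inherited = vfs.get("global") or []
    return [name for name, mods in vfs.items()
            if "fruit" in (inherited if mods is None else mods)]

def exposed_sections(version, conf_text):
    """Sections at risk: fruit is loaded and the installed version predates the fix."""
    return [] if is_patched(version) else sections_using_fruit(conf_text)

# Constructed sample configuration, not taken from a real server.
SAMPLE = r"""
[global]
   workgroup = LAB
   vfs objects = catia fruit \
                 streams_xattr
[timemachine]
   path = /srv/tm
[scans]
   path = /srv/scans
   VFS Objects = acl_xattr
"""
```

A share that sets its own `vfs objects` without fruit, like `[scans]` here, overrides the `[global]` list and is not reported.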

Crypto Down the Wormhole

One notable selling point of cryptocurrencies and Web3 is smart contracts, little computer programs running directly on the blockchain that can move funds around very quickly, without intervention. It’s quickly becoming apparent that the glaring disadvantage is these are computer programs that can move money around very quickly, without intervention. This week there was another example of smart contracts at work, when an attacker stole $326 million worth of Ethereum via the Wormhole bridge. A cryptocurrency bridge is a service that exists as linked smart contracts on two different blockchains. These contracts let you put a currency in on one side, and take it out on the other, effectively transferring currency to a different blockchain. Helping us make sense of what went wrong is [Kelvin Fichter], also known appropriately as [smartcontracts].

When the bridge makes a transfer, tokens are deposited in the smart contract on one blockchain, and a transfer message is produced. This message is like a digital checking account check, which you take to the other side of the bridge to cash. The other end of the bridge verifies the signature on the “check”, and if everything matches, your funds show up. The problem is that on one side of the bridge, the verification routine could be replaced by a dummy routine, by the end user, and the code didn’t catch it.

It’s a hot check scam. The attacker created a spoofed transfer message, provided a bogus verification routine, and the bridge accepted it as genuine. The majority of the money was transferred back across the bridge, where other users’ valid tokens were being held, and the attacker walked away with 90,000 of those ETH tokens.
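The flaw described above, reduced to a toy model and shown beside a hardened form. This is an added example, not Wormhole's code: the `Bridge` class, the function names, the message format and the use of an HMAC as a stand-in for the bridge's real signatures are all assumptions made for illustration.

```python
import hashlib
import hmac

SIGNER_KEY = b"constructed-demo-key"  # constructed stand-in for the bridge's signers

def sign(message):
    return hmac.new(SIGNER_KEY, message, hashlib.sha256).digest()

def genuine_verifier(message, signature):
    """The routine the bridge intends to use: checks the signature on the 'check'."""
    return hmac.compare_digest(sign(message), signature)

def dummy_verifier(message, signature):
    """A replacement routine that approves anything it is shown."""
    return True

class Bridge:
    def __init__(self, trusted_verifier):
        self.trusted_verifier = trusted_verifier
        self.paid_out = {}

    def _pay(self, message):
        recipient, amount = message.decode().split(":")
        self.paid_out[recipient] = self.paid_out.get(recipient, 0) + int(amount)
        return int(amount)

    def redeem_unchecked(self, message, signature, verifier):
        # Flaw: the caller chooses the verifier and its answer is believed.
        if not verifier(message, signature):
            raise PermissionError("bad signature")
        return self._pay(message)

    def redeem_pinned(self, message, signature, verifier):
        # Fix: refuse any verifier other than the one the bridge was deployed with.
        if verifier is not self.trusted_verifier:
            raise PermissionError("untrusted verification routine")
        if not verifier(message, signature):
            raise PermissionError("bad signature")
        return self._pay(message)

def demo():
    bridge = Bridge(genuine_verifier)
    forged = b"mallory:90000"            # constructed transfer message, never signed
    results = {"unchecked": bridge.redeem_unchecked(forged, b"", dummy_verifier)}
    try:
        bridge.redeem_pinned(forged, b"", dummy_verifier)
    except PermissionError as err:
        results["pinned"] = str(err)
    honest = b"alice:5"
    results["honest"] = bridge.redeem_pinned(honest, sign(honest), genuine_verifier)
    return results
```

The signature check itself is identical in both methods; the only difference is whether the bridge confirms which routine produced the answer before trusting it.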

Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)

One of the many fascinating fields that’s covered by Hackaday’s remit lies in the world of hardware security, working with physical electronic hardware to reveal inner secrets concealed in its firmware. Colin O’Flynn is the originator of the ChipWhisperer open-source analysis and fault injection board, and he is a master of the art of glitching chips. We were lucky enough to be able to welcome him to speak at last year’s Remoticon on-line conference, and now you can watch the video of his talk below the break. If you need to learn how to break RSA encryption with something like a disposable camera flash, this is the talk for you.

This talk is an introduction to signal sniffing and fault injection techniques. It’s well presented, and doesn’t treat the subject as some unattainable wizardry. His power analysis demo shows a clearly different trace on the correct first letter of a password attack, so the viewer is left with an understanding of what’s going on rather than hoping for inspiration in a stream of the incomprehensible. The learning potential of being in full control of both instrument and target is evident, and continues as the talk moves on to fault injection, with an introduction to power supply glitching as a technique to influence code execution.

Schematic of an EM injector built from a camera flash.

Blast Chips With This BBQ Lighter Fault Injection Tool

Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.

If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as electromagnetic fault injection (EMFI), or simply fault injection, is a technique that uses a pulse of electromagnetic energy to induce a fault in a running microcontroller or microprocessor. If the pulse occurs at just the right time, it may force the processor to skip an instruction, leaving the system in a potentially exploitable state.

EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.

To be sure, a tool as simple as this won’t do the trick in every situation, but it’s a cheap way to start exploring the potential of fault injection.

Thanks to [Jonas] for the tip.

Long Range Burglar Alarm Relies On LoRa Modules

[Elite Worm] had a problem; there had been two minor burglaries from a storage unit. The unit had thick concrete walls, cellular signal was poor down there, and permanent wiring wasn’t possible. He thus set about working on a burglar alarm that would fit his unique requirements.

An ESP32 is the heart of the operation, paired with a long-range LoRa radio module running at 868 MHz. This lower frequency has much better penetration when it comes to thick walls compared to higher-frequency technologies like 4G, 5G or WiFi. With a little coil antenna sticking out the top of the 3D-printed enclosure, the device was readily able to communicate back to [Elite Worm] when the storage unit was accessed illegitimately.

With an eye to security, the device doesn’t just warn of door open events. If signal is lost from the remote transmitter in the storage unit, perhaps due to an advanced adversary cutting the power, the alarm will also be raised. There’s still some work to be done on the transmitter side, though, as [Elite Worm] needs to make sure the door sensor is reliable under all conditions.

Many put their hardware skills to work in service of security, and we regularly see proprietary alarm systems modified by enterprising hackers. Video after the break.

This Week In Security: Geopolitical Hacktivism, Antivirus Mining, And Linux Malware

The CIA Hacktivists have launched a sort of ransomware campaign against the Belarusian rail system, but instead of cryptocurrency, they want the release of political prisoners and removal of Russian soldiers. This could be called an example of cyber-terrorism, though there is a reasonable theory that this is a state-sponsored hack, masquerading as hacktivism. What does seem certain is that something has interrupted rail transit, and a group on Twitter has produced convincing proof of a breach.

Your Antivirus Now Includes a CryptoMiner

Don’t look now, but your latest update of Norton 360 or Avira may have installed a cryptocurrency mining module. The silver lining is that some sanity has been retained, and you have to opt-in to the crypto scheme before your machine starts spending its spare cycles on mining. For users who do, they’re put into a mining pool, making for small payouts for most hardware. Norton, naturally, takes a 15% fee off the top for their trouble.

The State of Linux Malware

There used to be an adage that Linux machines don’t get malware. That’s never really been quite true, but the continued conquest of the server landscape has had the side effect of making Linux malware an even greater danger. Crowdstrike has seen a 35% increase in Linux malware in 2021, with three distinct categories leading the charge: XorDDoS, Mozi, and Mirai.

Major Bug Grants Root For All Major Linux Distributions

One of the major reasons behind choosing Linux as an operating system is that it’s much more secure than Windows. There are plenty of reasons for this, including appropriate user permissions, installing software from trusted sources and, of course, the fact that most software for Linux, including the Linux kernel itself, is open source, which allows anyone to review the code for vulnerabilities. This doesn’t mean that Linux is perfectly secure though, as researchers recently found a major bug in most major Linux distributions that allows anyone to run code as the root user.

The exploit is a memory corruption vulnerability in Polkit, a framework that handles the privilege level of various system processes. It specifically impacts the program pkexec. With the proof-of-concept exploit (file download warning) in hand, all an attacker needs to do to escalate themselves to root is to compile the program on the computer and run it as the default user. An example is shown by [Jim MacDonald] on Twitter for those not willing to try this on their own machines.

As bad as this sounds, it seems as though all of the major distributions that this impacts have already released updates that patch the issue, including Debian, Ubuntu, Red Hat, Fedora, openSUSE, and Arch. There is also a temporary workaround that removes read/write permission from the pkexec program so it can’t run at all. That being said, it might be best to check that your Linux systems are all up-to-date and that no strangers have been typing random commands into the terminal recently.

Is That The Moon Worming Its Way Into Your BIOS?

When facing a malware situation, the usual “guaranteed solution” is to reinstall your OS. The new developments in the malware world will also require you to have a CH341 programmer handy. In an arguably inevitable development, [Kaspersky Labs] researchers have found an active piece of malware, out in the wild, that persists by writing its bootstrap code into the BIOS chip. It doesn’t matter if you shred the HDD and replace it with a new one. In fact, so-called MoonBounce never really touches the disk at all, being careful to only store itself in RAM, oh, and the SPI flash that stores the BIOS code, of course.

MoonBounce is Microsoft-tailored, and able to hook into a chain of components starting from the UEFI’s DXE environment, through the Windows Loader, and finishing as a part of svchost.exe, a process we all know and love.

This approach doesn’t seem to be widespread – yet, but it’s not inconceivable that we’ll eventually encounter a ransomware strain using this to, ahem, earn a bit of extra cash on the side. What will happen then – BIOS reflashing service trucks by our curbsides? After all, your motherboard built-in BIOS flasher UI is built into the same BIOS image that gets compromised, and at best, could be disabled effortlessly – at worst, subverted and used for further sneaky persistence, fooling repairpeople into comfort, only to be presented with one more Monero address a week later.

Will our hardware hacker skills suddenly go up in demand, with all the test clip fiddling and SOIC-8 desoldering being second nature to a good portion of us? Should we stock up on CH341 dongles? So many questions!

This week’s installment of “threat vectors that might soon become prevalent” is fun to speculate about! Want to read about other vectors we might not be paying enough attention to? Can’t go wrong with supply-chain attacks on our repositories! As for other auxiliary storage-based persistence methods – check out this HDD firmware-embedded proof-of-concept rootkit. Of course, we might not always need the newfangled ways to do things, the old ways still work pretty often – you might only need to disguise your malicious hardware as a cool laptop accessory to trick an average journalist, even in a hostile environment.
