This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back

Let’s imagine a worst case situation for home routers. It would have to start with a port unintentionally opened to the internet, ideally in a popular brand, like Netgear. For fun, let’s say it’s actually a third-party kernel module that ships in multiple router brands. This module would then need a trivial vulnerability, say an integer overflow on the buffer size for incoming packets: the size field is attacker controlled, a small fixed amount is added to it, and the sum wraps around to a tiny value. The result is a buffer far smaller than the data that follows, so the incoming data writes past the end of the buffer, overwriting whatever kernel data is there. So far, this exactly describes the NetUSB flaw, CVE-2021-45608.

Because red teams don’t get their every wish, there is a catch. While the overflow is exceptionally easy to pull off, there isn’t much wiggle room on where the data gets written. There’s no remote code execution Proof of Concept (PoC) yet, and [Max Van Amerongen], who discovered the flaw, says it would be difficult but probably not impossible to pull off. All of this said, it’s a good idea to check your router for open ports, particularly non-standard port numbers; the NetUSB service listens on TCP port 20005, so that one in particular should not be reachable from the WAN side. If you have a USB port on your router, check for updates.
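To make the size-wrap concrete, here is an added illustration in C. It is not NetUSB’s code; the header length, the packet maximum and the function names are assumptions chosen for the example. It shows the vulnerable pattern (length from the wire plus a fixed header, computed in 32 bits with no check) beside a hardened version that validates the length before any allocation or copy, and a small round trip over a constructed payload.

```c
/* Added illustration, not NetUSB's own code: an attacker-controlled length
 * from the wire plus a small fixed header, computed in 32 bits, wraps around
 * so that a tiny buffer is allocated and the copy of the full payload runs
 * off its end. HDR_LEN, MAX_PKT and the function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 17u             /* hypothetical fixed header size */
#define MAX_PKT (64u * 1024u)   /* hypothetical sane upper bound per packet */

/* Vulnerable size computation: no check, so 0xFFFFFFF0 + 17 becomes 1. */
uint32_t vuln_alloc_size(uint32_t wire_len)
{
    return wire_len + HDR_LEN;
}

/* Vulnerable receive path. With a wrapped size, malloc returns a few bytes
 * and memcpy writes wire_len bytes past it: a heap overflow. Never call
 * this with a length that wraps; it is here only to show the pattern. */
uint8_t *vuln_recv_packet(uint32_t wire_len, const uint8_t *payload)
{
    uint32_t size = vuln_alloc_size(wire_len);
    uint8_t *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, HDR_LEN);                  /* overruns if size < HDR_LEN */
    memcpy(buf + HDR_LEN, payload, wire_len); /* overruns if size wrapped   */
    return buf;
}

/* Hardened size computation. The application maximum rejects absurd lengths
 * outright; the second check is the one that matters when no such maximum
 * exists (__builtin_add_overflow expresses the same test on GCC/Clang). */
bool safe_alloc_size(uint32_t wire_len, uint32_t *out)
{
    if (wire_len > MAX_PKT)
        return false;
    if (wire_len > UINT32_MAX - HDR_LEN)
        return false;
    if (out != NULL)
        *out = wire_len + HDR_LEN;
    return true;
}

/* Hardened receive path: the copy only happens after the size is validated,
 * so the allocation is always large enough for header plus payload. */
uint8_t *safe_recv_packet(uint32_t wire_len, const uint8_t *payload,
                          uint32_t *out_size)
{
    uint32_t size;
    if (!safe_alloc_size(wire_len, &size))
        return NULL;
    uint8_t *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, HDR_LEN);
    memcpy(buf + HDR_LEN, payload, wire_len);
    if (out_size != NULL)
        *out_size = size;
    return buf;
}

/* Round trip a constructed 4-byte payload through the hardened path.
 * Returns 1 when the buffer is HDR_LEN + 4 bytes and holds the payload
 * after the header, 0 otherwise. */
int demo_safe_roundtrip(void)
{
    const uint8_t payload[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    uint32_t size = 0;
    uint8_t *buf = safe_recv_packet(4u, payload, &size);
    int ok = buf != NULL && size == 4u + HDR_LEN &&
             memcmp(buf + HDR_LEN, payload, 4) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("wrapped size for 0xFFFFFFF0: %u\n", vuln_alloc_size(0xFFFFFFF0u));
    printf("hardened path accepts 0xFFFFFFF0: %s\n",
           safe_alloc_size(0xFFFFFFF0u, NULL) ? "yes" : "no");
    printf("round trip ok: %d\n", demo_safe_roundtrip());
    return 0;
}
```

The point of the two receive functions being side by side is that the only difference is where the arithmetic is checked: once the wrapped size has reached `malloc`, no amount of care in the copy can recover.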

Windows HTTP.sys Problem

A serious problem has been announced in Windows Server 2019 and Windows 10, with some versions vulnerable in their default configurations. The problem is in how Windows handles HTTP trailers, the extra header fields that can follow the body of a chunked HTTP transfer. There is a PoC available that demonstrates a crash; it appears that an additional information leak vulnerability would have to be combined with this one to produce a true exploit. This seems to be a different take on CVE-2021-31166, exploiting the same weakness and working around the incomplete fix. The new issue, CVE-2022-21907, was fixed in the January patch set for Windows, so make sure you’re covered. If you can’t patch a Server 2019 or Windows 10 1809 machine right away, trailer support on those versions is only on when the EnableTrailerSupport DWORD under HKLM\System\CurrentControlSet\Services\HTTP\Parameters is set to 1, so leaving it absent or zero keeps them out of reach of this bug; later Windows releases have no such opt-out and need the patch.
Continue reading “This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back”

Identifying Malware By Sniffing Its EM Signature

The phrase “extraordinary claims require extraordinary evidence” is most often attributed to Carl Sagan, specifically from his television series Cosmos. Sagan was probably not the first person to put forward such a hypothesis, and the show certainly didn’t claim he was. But that’s the power of TV for you; the term has since come to be known as the “Sagan Standard” and is a handy aphorism that nicely encapsulates the importance of skepticism and critical thinking when dealing with unproven theories.

It also happens to be the first phrase that came to mind when we heard about Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification, a paper presented during the 2021 Annual Computer Security Applications Conference (ACSAC). As described in the mainstream press, the paper detailed a method by which researchers were able to detect viruses and malware running on an Internet of Things (IoT) device simply by listening to the electromagnetic waves emanating from it. One needed only to pass a probe over a troubled gadget, and the technique could identify what ailed it with near 100% accuracy.

Those certainly sound like extraordinary claims to us. But what about the evidence? Well, it turns out that digging a bit deeper into the story uncovered plenty of it. Not only has the paper been made available for free thanks to the sponsors of the ACSAC, but the team behind it has released all of the code and documentation necessary to recreate their findings on GitHub.

Unfortunately we seem to have temporarily misplaced the $10,000 1 GHz Picoscope 6407 USB oscilloscope that their software is written to support, so we’re unable to recreate the experiment in full. If you happen to come across it, please drop us a line. But in the meantime we can still walk through the process and try to separate fact from fiction in classic Sagan style.

Continue reading “Identifying Malware By Sniffing Its EM Signature”

PicoEMP EMFI tool

Glitch Your Way To Reverse-Engineering Glory With The PicoEMP

Most of our projects are, to some extent, an exercise in glitch-reduction. Whether they’re self-inflicted software or hardware mistakes, or even if the glitches in question come from sources beyond our control, the whole point of the thing is to get it running smoothly and predictably.

That’s not always the case, though. Sometimes inducing a glitch on purpose can be a useful tool, especially when reverse engineering something. That’s where this low-cost electromagnetic fault injection tool could come in handy. EMFI is a way to disrupt the normal flow of a program running on an embedded system; properly applied and with a fair amount of luck, it can be used to put the system into an exploitable state. The PicoEMP, as [Colin O’Flynn] dubs his EMFI tool, is a somewhat tamer version of his previous ChipSHOUTER tool. PicoEMP focuses on user safety, an important consideration given that its business end can put about 250 volts across its output. Safety features include isolation for the Raspberry Pi Pico that generates the PWM signals for the HV section, a safety enclosure over the HV components, and a switch to discharge the capacitors and prevent unpleasant surprises.

In use, the high-voltage pulse is applied across an injection tip, which is basically a ferrite-core antenna. The tip concentrates the magnetic flux in a small area, which hopefully will cause the intended glitch in the target system. The video below shows the PicoEMP being used to glitch a Bitcoin wallet, as well as some tests on the HV pulse.

If you’re interested in the PicoEMP and glitching in general, be sure to watch out for [Colin]’s 2021 Remoticon talk on the subject. Until that comes out, you might want to look into glitching attacks on a Nintendo DSi and a USB glitch on a Wacom tablet.

Continue reading “Glitch Your Way To Reverse-Engineering Glory With The PicoEMP”

This Week In Security: NPM Vandalism, Simulating Reboots, And More

We’ve covered quite a few stories about malware sneaking into NPM and other JavaScript repositories. This is a bit different. This time, a JS programmer vandalized his own packages. It’s not even malware; perhaps we should call it protestware? The two packages, colors and faker, are both popular, with a combined weekly download count of nearly 23 million. Their author, [Marak], added a breaking update to each of them. These libraries now print a header of LIBERTY LIBERTY LIBERTY, and then either random characters or very poor ASCII art. It’s been confirmed that this wasn’t an outside attacker, but [Marak] breaking his own projects on purpose. For anyone consuming these packages, the practical lesson is the same as for a malicious compromise: pin exact versions and commit the lockfile, so that a fresh upstream publish doesn’t land in a build unreviewed. But why?

It seems like this story starts back in late 2020, when [Marak] lost quite a bit in a fire and had to ask for money on Twitter. Edit: Thanks to commenter [Jack Dansen] for pointing out an important detail that was missing. Marak was charged with reckless endangerment and was suspected of possible terrorist aspirations, as bomb-making materials were found in his burned-out apartment. Two weeks later, he tweeted that billions were being made off open source devs’ work, citing a FAANG leak. FAANG is a reference to the big five American tech companies: Facebook, Apple, Amazon, Netflix, and Google. The same day, he opened an issue on GitHub for faker.js, throwing down an ultimatum: “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”
Continue reading “This Week In Security: NPM Vandalism, Simulating Reboots, And More”

This Week In Security: Y2K22, Accidentally Blocking 911, And Bug Alert

If you had the misfortune of running a Microsoft Exchange server this past week, then you don’t need me to tell you about the Y2K22 problem. To catch the rest of us up, when Exchange tried to download the first malware definitions update of 2022, the version number of the new definitions triggered a crash in the malware detection engine. The version is the string 2201010001, where the first two digits are the year, followed by the month, the day, and a sequence number. This string gets converted to a signed long integer, which on Windows is 32 bits wide and maxes out at 2,147,483,647. The value 2,201,010,001 doesn’t fit, the conversion overflows, and the engine crashes. The server fails closed, not processing any messages without a working malware engine, which means that no e-mail gets through. Happy new year! Microsoft’s interim fix sidesteps the limit by numbering new definitions from 2112330001, a fictitious 33rd of December 2021 that still fits in 32 bits.
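To show where the limit actually bites, here is an added illustration in C. It is not Exchange’s code; the function names are assumptions and the version strings are constructed samples. It parses a yymmddnnnn version with a range check so an oversized value is reported rather than wrapped, and shows what an unchecked 32-bit cast turns 2201010001 into.

```c
/* Added illustration, not Exchange's code: a definitions version stamped
 * yymmddnnnn is parsed as a number. "2112310001" (31 Dec 2021) fits in a
 * signed 32-bit integer; "2201010001" (1 Jan 2022) does not. Function
 * names are assumptions; the version strings are constructed samples. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict decimal parse into 64 bits: all digits, non-negative, no overflow.
 * Returns -1 on any malformed input so callers cannot mistake it for a
 * version number. */
int64_t version_value_i64(const char *s)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    return (int64_t)v;
}

/* The 32-bit conversion with a range check, i.e. what a signed long can
 * hold on Windows. Returns false when the version does not fit, which is
 * the Y2K22 case, instead of letting the value wrap. */
bool parse_version_i32(const char *s, int32_t *out)
{
    int64_t v = version_value_i64(s);
    if (v < 0 || v > INT32_MAX)
        return false;
    if (out != NULL)
        *out = (int32_t)v;
    return true;
}

/* What an unchecked cast produces: on the usual two's-complement compilers
 * the value wraps to a negative number, so any "newer than the last one"
 * comparison or index built on it goes wrong. (Converting an out-of-range
 * value to a signed type is implementation-defined in C.) */
int32_t unchecked_cast_i32(const char *s)
{
    return (int32_t)version_value_i64(s);
}

/* The decision the engine wants to make: accept this definitions update? */
bool definitions_update_ok(const char *version)
{
    return parse_version_i32(version, NULL);
}

int main(void)
{
    /* constructed samples: last 2021 build, first 2022 build, the interim
     * "33rd of December" number Microsoft's fix moved to */
    const char *samples[] = {"2112310001", "2201010001", "2112330001"};
    for (int i = 0; i < 3; i++)
        printf("%s -> fits i32: %s, unchecked cast: %d\n", samples[i],
               definitions_update_ok(samples[i]) ? "yes" : "no",
               unchecked_cast_i32(samples[i]));
    return 0;
}
```

Parsing into 64 bits and checking the range before narrowing is the general fix; the interim renumbering only buys time until the year field reaches a value that overflows again.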
Continue reading “This Week In Security: Y2K22, Accidentally Blocking 911, And Bug Alert”

Picture of a monitor with a fake "ransomware" banner on it, and a PC with the ESP32 VGA devboard mounted into it in the foreground

ESP32 Pretends To Be GPU; Gives You A Ransomware Scare

Sometimes a piece of hardware meets a prank idea, and that’s how the fun Hackaday articles are born. [AnotherMaker] shows us some harmless entertainment at the expense of an IT enthusiast in your life: programming an ESP32-powered devboard with a VGA output to show an ever-feared “all your files are encrypted” screen on a monitor connected to it. The ASCII text in its 8-bit glory helps sell this prank, making it look exactly like the BIOS-hijacking malware it claims to be, akin to UIs of the past that skilled hackers would whip up in x86 assembly. The devboard’s integration into a PCI card backplate is the cherry on top, a way to seamlessly integrate this into a PC case so that it looks not particularly different from an old graphics card. In such a configuration, we don’t doubt that this would be a head-scratcher for a certain kind of IT department worker.

If you already have someone in mind as a target for this prank, you’re in luck, since [AnotherMaker] has shared his source code, too, and all you need is an ESP32 with a VGA port set up. You can get the same devboard, or you can even solder it all together with an ESP32 breakout and resistors if you’re on a time or money budget, since the schematics for the LilyGO devboard are public. Not all devboards get such a fun application, but it’s always fun to see when someone thinks of one: a perfect prank scenario that calls for a very specific devboard.

Wondering how it’s even possible to output VGA from the ESP32? We’ve covered this in the past, like this R&D project done by [bitluni], who then went ahead and expanded on it by connecting six displays at once. If you’ve connected your ESP32 to a VGA port and run some test sketches, a UI library will help you upgrade your idea into a ready project in no time.

Continue reading “ESP32 Pretends To Be GPU; Gives You A Ransomware Scare”

Linux For The Paranoid Does The Work For You

We all know that our activity on the Internet is not that hard to track. It just annoys some people more than others. If you are really hardcore, you’ll learn all the ins and outs of networking to help cover your tracks, but what if you don’t want to invest that kind of time? Maybe, as [TechRepublic] suggests, try Kodachi Linux.

You could, of course, start with your own live image. Then when you boot, you could take the following steps:

  • Randomize your MAC Address
  • Establish a Tor connection through a VPN
  • Route all internet traffic through Tor and use DNS encryption
  • Set up a scheduled task to scramble your MAC address periodically

But that’s what Kodachi does without any real effort on your part.

The distribution is based on Ubuntu, so all the familiar tools are there. There are also a few security and privacy tools included like KeePass, Tox, OnionShare, i2p, and more. The desktop shows a summary of secure network information.

Do you need Kodachi? Probably not, if you are a Linux guru. Plus, most people aren’t doing anything that’s that interesting. But if you want to protect your privacy or you are up to something, give Kodachi a try. Then again, if you are that paranoid, maybe that’s just what THEY want you to do. Make your own decisions. You can also check out the video review from [eBuzz Central] below.

Looking for more conventional Linux? Why not Rocky Linux? If you just want a VPN, you can always just use ssh.

Continue reading “Linux For The Paranoid Does The Work For You”