This Week In Security: Spectre In The Browser, Be Careful What You Clone, And Hackintosh

March 19, 2021 by Jonathan Bennett 12 Comments

Google has been working on mitigations for the Spectre attack, and has made available a Proof of Concept that you can run in your browser right now. Spectre is one of the issues that kicked off the entire series of speculative execution vulnerabilities and fixes. What Google has demonstrated is that the Spectre attack can actually be pulled off in Javascript, right in the browser. Spectre is limited to reading memory allocated to the same process, and modern browsers have implemented measures like site isolation, which puts each site in a separate, sandboxed process.

These security features don’t mean that there is no practical dangers from Spectre. There are a handful of ways an attacker can run Javascript on another site, from something as simple as an interactive advertisement, to a cross-site scripting injection. Google has produced features and guidance to mitigate those dangers.

Via Bleeping Computer. Continue reading “This Week In Security: Spectre In The Browser, Be Careful What You Clone, And Hackintosh” →

Injecting Bugs With An Electric Flyswatter

March 15, 2021 by Stephen Ogier 9 Comments

Hardware fault injection uses electrical manipulation of a digital circuit to intentionally introduce errors, which can be used to cause processors to behave in unpredictable ways. This unintentional behavior can be used to test for reliability, or it can be used for more nefarious purposes such as accessing code and data that was intended to be inaccessible. There are a few ways to accomplish this, and electromagnetic fault injection uses a localized electromagnetic pulse to flip bits inside a processor. The pulse induces a voltage in the processor’s circuits, causing bits to flip and often leading to unintentional behavior. The hardware to do this is very specialized, but [Pedro Javier] managed to hack a $4 electric flyswatter into an electromagnetic fault injection tool. (Page may be dead, try the Internet Archive version.)

[Pedro] accomplishes this by turning an electric flyswatter into a spark-gap triggered EMP generator. He removes the business end of the flyswatter and replaces it with a hand-wound inductor in series with a small spark gap. Pressing the power button on the modified flyswatter charges up the output capacitor until the developed voltage is enough to ionize the air in the spark gap, at which point the capacitor discharges through the inductor. The size of the spark gap determines the charge that is built up—a larger gap results in a larger charge, which produces a larger pulse, which induces a larger voltage in the chip.

[Pedro] demonstrates how this can be used to produce arithmetic glitches and even induce an Arduino to dump its memory. Others have used electromagnetic fault injection to corrupt SRAM, and intentionally glitching the power supply pins can also be used to access otherwise protected data.

An Anti-Tamper Mesh Plugin For KiCad

March 14, 2021 by Mike Szczys 31 Comments

Physical access to electronics generally means all bets are off when it comes to information security. But in special cases this is just unacceptable and a better solution must be found. Consider the encryption keys used by point of sale machines. To protect them, the devices incorporate anti-tamper mechanisms that will wipe the keys from memory if the device is opened. One such technique is to use a mesh of traces on a circuit board that are monitored for any changes in resistance or capacitance. [Sebastian Götte] has been researching in this area and wrote a KiCad plugin to automatically generate tamper-detection mesh.

The idea is pretty simple, place traces very close to one another and it makes it impossible to drill into the case of a device without upsetting the apple cart. There are other uses as well, such as embedding them in adhesives that destroy the traces when pried apart. For [Sebastian’s] experiments he’s sticking with PCBs because of the ease of manufacture. His plugin lays down a footprint that has four pads to begin and end two loops in the mesh. The plugin looks for an outline to fence in the area, then uses a space filling curve to generate the path. This proof of concept works, but it sounds like there are some quirks that can crash KiCad. Consider taking a look at the code if you have the expertise to help make it more stable.

We’ve seen these anti-tamper meshes in practice in the VeriFone payment terminal that [Tom Nardi] tore down a couple of years ago. The approach that [Sabastian] took with the plugin actually produces a more complex mesh than was in use there as it only really used vertical lines for the traces.

This Week In Security: APT Targeting Researchers, And Someone Watching All The Cameras

March 12, 2021 by Jonathan Bennett 16 Comments

Microsoft’s Patch Tuesday just passed, and it’s a humdinger. To add the cherry on top, two seperate BSOD inducing issues led to Microsoft temporarily pulling the update.

Among the security vulnerabilities fixed is CVE-2021-26897, another remote code exploit in the Windows DNS server. It’s considered a low-complexity attack, but does require local network access to pull off. CVE-2021-26867 is another of the patched vulnerabilities that sounds very serious, allowing an attacker on a Hyper-V virtual machine to pierce the barrier and run code on the hypervisor. The catch here is that the vulnerability is only present when using the Plan 9 filesystem, which surely limits the scope of the problem to a small handful of machines.

The most interesting fixed flaw was CVE-2021-26411 a vulnerability that allowed remote code execution when loading a malicious web page in either IE or pre-chromium Edge. That flaw was actively being exploited in a unique APT campaign, which we’ll cover right after the break.

Continue reading “This Week In Security: APT Targeting Researchers, And Someone Watching All The Cameras” →

This Week In Security: Text Rendering On Windows, GNU Poke, And Bitsquatting

March 5, 2021 by Jonathan Bennett 27 Comments

Project Zero just unrestricted the details on CVE-2021-24093, a potentially nasty vulnerability in Windows 10’s DirectWrite, a text rendering library. The flaw got fixed in this month’s patch Tuesday roundup. The flaw is accessible in all the major browsers on Windows 10, as they use DirectWrite for font rendering. The trick here is to use a malicious font that uses some nonsense values. Those values result in a buffer allocation that is too small for complex characters such as Æ.

Because the vulnerability is a Windows library, it’s possible that an exploit would automatically work as a sandbox escape, but I haven’t seen confirmation either way. Let us know if you have some insight there.

Via Bleeping Computer

GNU Poke

The good folks at GNU have minted the 1.0 release of poke, a new binary editing tool. The real killer feature of poke is that it can interpret binary data, decoding it back into readable data structures. If you’re familiar with the way Wireshark can decode packets and give useful, organized output, it seems that poke will provide a similar function, but not limited to network traffic.

It looks like it could become a useful tool for getting a look inside otherwise opaque binaries. What poke brings is a system where you can write pretty-printing templates on the fly, which should be very useful when mapping out an unfamiliar binary. Distros will likely pick up and start packaging poke in the coming weeks, making it even easier to get and play with. Continue reading “This Week In Security: Text Rendering On Windows, GNU Poke, And Bitsquatting” →

This Week In Security: Mysterious Mac Malware, An Elegant VMware RCE, And A JSON Mess

February 26, 2021 by Jonathan Bennett 10 Comments

There’s a new malware strain targeting MacOS, Silver Sparrow, and it’s unusual for a couple reasons. First, it’s one of the few pieces of malware that targets the new M1 ARM64 processors. Just a reminder, that is Apple’s new in-house silicon design. It’s unusual for a second reason — it’s not doing anything. More precisely, while researchers have been watching, the command and control infrastructure didn’t provide a payload. Silver Sparrow has been positively found on nearly 30,000 machines.

The malware also has an intentional kill switch, where the presence of a particular file triggers a complete removal of the malware package. Researchers at Red Canary point out that this package behaves very much like a legitimate program, difficult to pick out as malware. Ars Technica got an off-the-record statement from Apple, indicating that they are tracking the situation, and have revoked the developer’s certificate used to sign the malware. It’s not entirely clear whether this prevents the malware running on already compromised machines, or just stops new infections.

So who’s behind Silver Sparrow? The observed stealth mode and other complexities suggest that this is more than a simple adware or ransomware campaign. Since it was discovered before the payload was delivered, we may never know what the purpose is. It may have been a government created campaign, targeting something specific. Continue reading “This Week In Security: Mysterious Mac Malware, An Elegant VMware RCE, And A JSON Mess” →

This Week In Security: ISNs, Patch Tuesday, And Clubhouse

February 19, 2021 by Jonathan Bennett 4 Comments

Let’s talk TCP. Specifically, how do the different TCP connections stay distinct, and how is a third party kept from interrupting a connection? One of the mechanisms that help accomplish this feat is the TCP sequence number. Each of the two endpoints of a TCP connection tracks an incrementing 32-bit number, corresponding to the bytes sent in the connection. It’s handy, because each side can use that value to track what parts of the data stream they have received. On missing packets, a message can be sent requesting bytes 7-15 to be resent, for instance.

Each side of the connection sets their own Initial Sequence Number (ISN), and it’s important that this number is unique, as collisions can cause stream confusion. That statement should make your security spidey sense tingle. If a collision can cause problems when it happens by chance, what can a hacker do with it intentionally? Potentially quite a bit. Knowing the current sequence number, as well as a couple other pieces of information, a third party can close a TCP stream or even inject data. The attack has been around for years, originally known as the Mitnick Attack. It was originally possible because TCP implementations used a simple counter to set the ISN. Once the security ramifications of this approach were understood, the major implementations moved to a random number generation for their ISNs.

Now to this week’s story: researchers at Forescout took the time to check 11 TCP/IP stacks for vulnerability to the old Mitnick Attack (PDF Whitepaper). Of the eleven embedded stacks texted, nine have serious weaknesses in their ISN generation. Most of the vulnerable implementations use a system time value as their ISN, while several use a predictable pseudorandom algorithm that can be easily reversed.

CVEs have been assigned, and vendors notified of “NUMBER:JACK”, Forescout’s name for the research. Most of the vulnerable software already has patches available. The problem with embedded systems is that they often never get security updates. The vulnerable network stacks are in devices like IP cameras, printers, and other “invisible” software. Time will tell if this attack shows up as part of a future IoT botnet.
Continue reading “This Week In Security: ISNs, Patch Tuesday, And Clubhouse” →