backdoor

11 Articles

Security Alert: Potential SSH Backdoor Via Liblzma

March 29, 2024 by 34 Comments

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package, that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.

Continue reading “Security Alert: Potential SSH Backdoor Via Liblzma”

Did TETRA Have A Backdoor Hidden In Encrypted Police And Military Radios?

July 27, 2023 by 42 Comments

Encrypted communications are considered vital for many organizations, from military users to law enforcement officers. Meanwhile, the ability to listen in on those communications is of great value to groups like intelligence agencies and criminal operators. Thus exists the constant arms race between those developing encryption and those desperately eager to break it.

In a startling revelation, cybersecurity researchers have found a potentially intentional backdoor in encrypted radios using the TETRA (TErrestrial Trunked RAdio) standard. TETRA equipment is used worldwide by law enforcement agencies, military groups, and critical infrastructure providers, some of which may have been unintentionally airing sensitive conversations for decades.

Continue reading “Did TETRA Have A Backdoor Hidden In Encrypted Police And Military Radios?”

Peel Apart Your ISP’s Router

April 2, 2020 by 35 Comments

Whether your home Internet connection comes by ADSL, fibre, cable, or even satellite, at some point in the chain between your ISP and your computer will be a router in your home. For some of us it’s a model we’ve bought ourselves and loaded up with a custom distro, but for the majority it’s a box supplied by our ISP and subject to their settings and restrictions. [Paddlesteamer] has just such a router, a Huawei model supplied by the Turkcell ISP, and decided to do a little snooping into its setup.

In a tale of three parts, we see the device unravel, from uncovering a shell to reverse engineering its update process, to delving in its firmware and finally removing all its restrictions entirely. It’s a fascinating process in which we learn a lot, such as the way a man-in-the-middle attack is performed on the router’s connection tot he ISP, or that it contains an authorised SSH key seemingly giving Huawei a back door into it. You may never do this with your ISP’s router, but it pays to be aware of what can be put in your home by them without your realising it.

The Golden Age of router hacking may be behind us as the likes of the Raspberry Pi have replaced surplus routers as a source of cheap Linux boards, but  as this shows us there’s still a need to dive inside a router from time to time. After all, locked-down routers are hardly a new phenomenon.

Via Hacker News.

LEDs Light The Way To This Backdoor

September 27, 2019 by 41 Comments

A curious trend for some years in the world of PC hardware has been that of attaching LEDs to all the constituent parts of a computer. The idea is that somehow a gaming rig that looks badass will somehow be just a little bit faster. As [Graham  Sutherland] discovered when he wanted to extinguish the LEDs on his new Gigabyte graphics card, these LEDs can present an unexpected security hazard.

The key to their insecurity comes in the Gigabyte driver. This is a piece of software that you would normally expect to be an abstraction layer with an interface visible to your user level privilege, and a safe decoupling between that and the considerably more security sensitive hardware layer from which the LED bus can be found. Instead of this, the Gigabyte driver is more of a wrapper that simply exposes the LED bus directly to the user level. It’s intended that user-level code can easily bit-bang WS2812 LEDs without hinderance, but its effect is to provide a gaping hole in the security layers intended to keep malicious code away from the hardware. The cherry on the cake is provided by the discovery of a PIC microcontroller on the bus which can be flashed with new code, providing an attacker with persistent storage unbeknownst to the operating system or CPU.

The entire Twitter thread is very much worth reading whether you are a PC infosec savant or a dilettante, because not only should we all know something about the mechanisms of PC backdoors we should also be aware that sometimes a component as innocuous as an LED can be a source of a security issue.

Thanks [Slurm] for the tip.

Gigabyte motherboard picture: Gani01 [Public domain].

This Week In Security: VPN Gateways, Attacks In The Wild, VLC, And An IP Address Caper

August 30, 2019 by 7 Comments

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.

It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.

CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. Snprintf is an alternative to sprintf, but intended to prevent buffer overflows by including the maximum string length to write to the target buffer, which sounds like a good idea but can lead to malicious truncation.

The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder.  This would leak arbitrary json files, but sincesnprintf doesn’t fail if it exceeds the specified length, sending a request for a lang that’s long enough results in the “.json” extension not being appended to the request either.

A metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to force the json extension to fall off the end of the string, and it is Unix convention is to ignore the extra slashes in a path. Just like that, the Fortigate is serving up any file on its filesystem just for asking nice.

More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an http query string bypasses authentication and allows changing any user’s password — without any authentication. This story is still young, it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.

Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.

Exploitation in the Wild

But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.

Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.

VLC is Actually Vulnerable This Time

The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.

Gray Market IP Addresses

With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?

What Happened With Supermicro?

May 14, 2019 by 45 Comments

Back in October 2018, a bombshell rocked the tech industry when Bloomberg reported that some motherboards made by Supermicro had malicious components on them that were used to spy or interfere with the operation of the board, and that these motherboards were found on servers used by Amazon and Apple. We covered the event, looking at how it could work if it were true. Now seven months have passed, and it’s time to look at how things shook out.

Continue reading “What Happened With Supermicro?”

Shut The Backdoor! More IoT Cybersecurity Problems

March 22, 2017 by 30 Comments

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.

Continue reading “Shut The Backdoor! More IoT Cybersecurity Problems”