This Week In Security: Argentina, MysterySnail, And L0phtcrack

The government of Argentina has a national ID card system, and as a result maintains a database containing data on every citizen in the country. What could possibly go wrong? Predictably, an attacker has managed to gain access to the database, and is offering the entire dataset for sale. The Argentinian government has claimed that this wasn’t a mass breach, and only a handful of credentials were accessed. This seems to be incorrect, as the seller was able to provide the details of an arbitrary citizen to the journalists investigating the story.

Patch Tuesday

Microsoft has released their monthly round of patches for October, and there are a couple of doozies. CVE-2021-40486 is an RCE in Microsoft Word, and this flaw can be triggered via the preview pane. CVE-2021-38672 and CVE-2021-40461 are both RCE vulnerabilities in Hyper-V. And finally, CVE-2021-40449 is a privilege escalation actively being used in the wild, more on that in a moment. Oh, and you thought the Print Nightmare was over? CVE-2021-36970 is yet another print spooler vulnerability. The unfortunate thing about the list of Microsoft vulnerabilities is that there is hardly any information available about them.

On the other hand, Apple just patched CVE-2021-30883, a 0-day that’s being actively exploited in iOS. With the release of the fix, [Saar Amar] has put together a very nice explanation of the bug with PoC. It’s a simple integer overflow when allocating a buffer, leading to an arbitrary memory write. This one is particularly nasty, because it’s not gated behind any permissions, and can be triggered from within app sandboxes. It’s being used in the wild already, so go update your iOS devices now.

MysterySnail

“Snail” by Ilweranta, CC BY 2.0

Kaspersky brings us a report on CVE-2021-40449 being used in the wild. It’s part of an attack they’re calling MysterySnail, and seems to originate from IronHusky out of China. The vulnerability is a use-after-free, and is triggered by making a ResetDC API call that calls its own callback. This layer of recursive execution results in an object being freed before the outer execution has finished with it.

Since the object can now be re-allocated and controlled by the attacker code, the malformed object allows the attacker to run their code in kernel space, achieving privilege escalation. This campaign then does some data gathering and installs a Remote Access Trojan. Several Indicators of Compromise are listed as part of the write-up.

Off to the Races

Google’s Project Zero is back with a clever Linux Kernel hack, an escalation of privilege triggered by a race condition in the pseudoterminal device. Usually abbreviated PTY, this kernel device can be connected to userspace applications on both ends, making for some interesting interactions. Each end has a struct that reflects the status of the connection. The problem is that TIOCSPGRP, used to set the process group that should be associated with the terminal, doesn’t properly lock the terminal’s internal state.

As a result, calling this function on both sides at the same time is a race condition, where the reference count can be corrupted. Once the reference count is untrustworthy, the whole object can be freed, with a dangling pointer left in the kernel. From there, it’s a typical use-after-free bug. The post has some useful thoughts about hardening a system against this style of attack, and the bug was fixed in December 2020.

AI vs Pseudorandom Numbers

[Mostafa Hassan] of the NCC Group is doing some particularly fascinating research, using machine learning to test pseudorandom number generators. In the first installment, he managed to break the very simple xorshift128 algorithm. Part two tackles the Mersenne Twister, which also falls to the neural network. Do note that neither of these is considered a cryptographic number generator, so it isn’t too surprising that an ML model can determine their internal state. What will be most interesting is the post to come, when he tackles other algorithms thought to be secure. Watch for that one in a future article.
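Why it is unsurprising that xorshift128's state can be learned, shown as an added example (not code from the NCC Group posts): each output is stored as the newest state word, and the update is linear over GF(2). The sketch assumes Marsaglia's standard shift constants (11, 8, 19) and full 32-bit outputs; the function names are illustrative.

```python
import secrets

MASK = 0xFFFFFFFF  # keep every word at 32 bits


def step(state):
    """One xorshift128 step. state is (x, y, z, w); returns (new_state, output)."""
    x, y, z, w = state
    t = (x ^ (x << 11)) & MASK
    new_w = w ^ (w >> 19) ^ t ^ (t >> 8)
    # The output is stored as the newest state word, unchanged.
    return (y, z, w, new_w), new_w


def outputs(state, n):
    """Return the next n outputs produced from the given state."""
    out = []
    for _ in range(n):
        state, value = step(state)
        out.append(value)
    return out


def clone_from_outputs(observed):
    """Rebuild the generator state from four consecutive outputs.

    After four steps the state tuple is exactly the last four outputs,
    so no search or model is needed to synchronise with the generator.
    """
    if len(observed) < 4:
        raise ValueError("need four consecutive 32-bit outputs")
    return tuple(observed[-4:])


def is_linear(a, b):
    """Check step(a XOR b) == step(a) XOR step(b) on the state update."""
    def xor(p, q):
        return tuple(i ^ j for i, j in zip(p, q))
    return step(xor(a, b))[0] == xor(step(a)[0], step(b)[0])


def demo():
    """Predict 16 future outputs of a generator whose seed is never read."""
    unknown_state = tuple(secrets.randbits(32) for _ in range(4))  # constructed sample
    stream = outputs(unknown_state, 20)
    recovered = clone_from_outputs(stream[:4])
    return outputs(recovered, 16) == stream[4:20]


if __name__ == "__main__":
    print("future outputs predicted:", demo())
```

Anything that must be unpredictable (session tokens, reset codes, nonces) should come from the operating system's CSPRNG, for example Python's `secrets` module, rather than a generator of this kind.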

L0phtcrack Becomes Open Source

The l0pht crew, back then

In a surprise to me, the L0phtcrack tool has been released as open source. L0phtcrack is the password cracking/auditing tool created by [Mudge] and company at L0pht Heavy Industries, about a billion years ago. Ownership passed to @stake, which was purchased by Symantec in 2004. Due to export regulations, Symantec stopped selling the program, and it was reacquired by the original L0pht team.

In April 2020, Terahash announced that they had purchased rights to the program, and began selling and supporting it as a part of their offerings. Terahash primarily builds GPU based cracking hardware, and has been hit exceptionally hard by the chip shortage. As a result of Terahash entering bankruptcy protection, the L0phtcrack ownership has reverted back to L0pht, and version 7.2.0 has been released as Open Source.

Hackers And Heroes: Rise Of The CCC And Hackerspaces

From its roots in phone phreaking to the crackdowns and legal precedents that drove hacking mostly underground (or into business), hacker culture in the United States has seen a lot over the last three decades. Perhaps the biggest standout is the L0pht, a visible 1990s US hackerspace that engaged in open disclosure and was, arguably, the last of the publicly influential US hacker groups.

The details of the American hacker scene were well covered in my article yesterday. It ended on a bit of a down note. The L0pht is long gone, and no other groups that I know of have matched their mix of social responsibility and public visibility. This is a shame because a lot of hacker-relevant issues are getting decided in the USA right now, and largely without our input.

Chaos Computer Club

But let’s turn away from the USA and catch up with Germany. In the early 1980s, in Germany as in America, there were many local computer clubs that were not much more than a monthly evening in a cafeteria or a science museum or (as was the case with the CCC) a newspaper office. Early computer enthusiasts traded know-how, and software, for free. At least in America, nothing was more formally arranged than was necessary to secure a meeting space: we all knew when to show up, so what more needed to be done?

Things are a little different in the German soul. Peer inside and you’ll find the “Vereinsmentalität” — a “club-mentality”. Most any hobby or sport that you can do in Germany has an associated club that you can join. Winter biathlon, bee-keeping, watercolor painting, or hacking: when Germans do fun stuff, they like to get organized and do fun stuff together.


Mustachioed Nintendo Virtual Boy Gone Augmented Reality

Some people just want to watch the world burn. Others want to spread peace, joy and mustaches. [Joe Grand] falls into the latter group this time around. His latest creation is Mustache Mayhem, a hack, video game, and art project all rolled into one. This is a bit of a change from deconstructing circuit boards or designing electronic badges, but not completely new for [Joe], who wrote SCSIcide and Ultra SCSIcide for the Atari 2600 back in the early 2000’s.

Mustache Mayhem is built into a Nintendo Virtual Boy housing. The Virtual Boy itself was broken, and unfortunately was beyond repair. [Joe] removed most of the stock electronics and added a BeagleBone Black, Logitech C920 webcam, an LCD screen and some custom electronics. He kept the original audio amplifier, speakers, and controller connector. Angstrom Linux boots into [Joe’s] software, which uses OpenCV to detect faces and overlay mustaches. Gameplay is simple: Point the console at one or more faces. If you see a mustache, press the A button on the controller! The more faces and mustaches on-screen at once, the more points, or “mojo” the player gets. The code is up on Github, and can be built with Xcode targeted to the Mac, or directly on the BeagleBone Black.

[Joe’s] goal for the project was to make a ridiculous game that looks like it could have come out in the 90’s. He also used Mustache Mayhem as a fun way to learn some new skills which will come in handy for more serious projects in the future.

We caught up with [Joe] for a quick interview about his new creation.

How did you come up with the idea for Mustache Mayhem?

I was selling a bunch of my video game collection at PRGE (Portland Retro Gaming Expo) a few years ago and had a broken Virtual Boy that no one bought. A friend of mine was at the table and said I had to do something with it. I thought “People wear cosplay and walk around at conventions, so what if I could do something with the Virtual Boy that you could walk around with?” That was the seed.

A few months later, Texas Instruments sent me the original production release of the BeagleBone Black (rev. A5A). Eighteen months after that I actually started the project. The catalyst was to do something for an upcoming Portland, OR art show (Byte Me 4.0), which is an annual event that shows off interactive technology-based artwork. I wrote up a little description and got accepted. I had less than 2 months to actually get things working and it ended up taking about a month of full-time work. It was much more work than I expected for such a silly project. I originally was going to do something along the lines of walking around in a Doom-like perspective and shooting people when their faces were detected.

That would be pretty darn cool. How did you get from Doom to Mustaches? 

I saw a TI BeagleBoard demo called “boothstache” which drew mustaches on faces and tweeted the pictures. I thought that doing something non-violent with mustaches would be more suitable (and funny) to actually show my kids. I also secretly wanted to use this project as a way to experiment with Linux, write some code, and learn about face detection and image processing with OpenCV, which I plan to use for some actual computer security research in the future. Mustache Mayhem turned out to be a super cool project and I’m really happy with it. I sort of feel guilty spending so much time on it, since it’s basically just a one-off prototype, but I just got so obsessed with making it exactly as I wanted.

You mentioned on your website that Mustache was “designed to challenge the paradigms of personal privacy and entertainment.” What exactly did you mean there?


BSoDomizer Blue-screens Your Enemies

In case you were wondering what industrious hacker [Joe Grand] was doing when he’s not building stuff for Prototype This!, designing Defcon badges, or testifying before Congress, it’s this: The BSoDomizer is a VGA pass-through device that displays an image of your choice on the victim’s screen. It can do this either periodically or via an IR trigger. The image of choice is a Windows-style Blue Screen of Death. It’s powered by a watch battery. The project site has all the schematics you need plus ASCII goatse imagery; you’ve been warned. Embedded below is a demo of the device. We unfortunately didn’t get to see it when it was originally presented during Defcon 16.