This Week In Security: Adblock For Security, ProxyNotShell Lives, And CVSS 10 To Not Worry About

The ubiquity of ransomware continues, this time with The Guardian announcing they were partially shut down from an attack. Staff are working from home as the incident is being investigated and data is recovered. Publishing seems to be continuing, and the print paper ran as expected.

There have been a couple reports published recently on how ransomware and other malware is distributed, the first being a public service announcement from the FBI, detailing what might be a blindly obvious attack vector — search engine advertising. A bad actor picks a company or common search term, pays for placement on a search engine, and then builds a fake web site that looks legitimate. For bonus points, this uses a typosquatted domain, like adobe[dot]cm or a punycode domain that looks even closer to the real thing.

The FBI has a trio of recommendations, one of which I whole-heartedly agree with. Their first suggestion is to inspect links before clicking them, which is great, except for the punycode attack. In fact, there are enough lookalike glyphs to make this essentially useless. Second is to type in URLs directly rather than using a search engine to find a company’s site. This is great so long as you know the URL and don’t make a typo. But honestly, haven’t we all accidentally ended up at website[dot]co by doing this? Their last recommendation is the good one, and that is to run a high-quality ad-blocker for security. Just remember to selectively disable blocking for websites you want to support. (Like Hackaday!) Continue reading “This Week In Security: Adblock For Security, ProxyNotShell Lives, And CVSS 10 To Not Worry About”

This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE

Samba has a very serious vulnerability, CVE-2021-44142, that was just patched in new releases 4.13.17, 4.14.12, and 4.15.5. Discovered by researchers at TrendMicro, this unauthenticated RCE bug weighs in at a CVSS 9.9. The saving grace is that it requires the fruit VFS module to be enabled, which is used to support MacOS client and server interop. If enabled, the default settings are vulnerable. Attacks haven’t been seen in the wild yet, but go ahead and get updated, as PoC code will likely drop soon.

Crypto Down the Wormhole

One notable selling point to cryptocurrencies and Web3 are smart contracts, little computer programs running directly on the blockchain that can move funds around very quickly, without intervention. It’s quickly becoming apparent that the glaring disadvantage is these are computer programs that can move money around very quickly, without intervention. This week there was another example of smart contracts at work, when an attacker stole $326 million worth of Ethereum via the Wormhole bridge. A cryptocurrency bridge is a service that exists as linked smart contracts on two different blockchains. These contracts let you put a currency in on one side, and take it out on the other, effectively transferring currency to a different blockchain. Helping us make sense of what went wrong is [Kelvin Fichter], also known appropriately as [smartcontracts].

When the bridge makes a transfer, tokens are deposited in the smart contract on one blockchain, and a transfer message is produced. This message is like a digital checking account check, which you take to the other side of the bridge to cash. The other end of the bridge verifies the signature on the “check”, and if everything matches, your funds show up. The problem is that one one side of the bridge, the verification routine could be replaced by a dummy routine, by the end user, and the code didn’t catch it.

It’s a hot check scam. The attacker created a spoofed transfer message, provided a bogus verification routine, and the bridge accepted it as genuine. The majority of the money was transferred back across the bridge, where other user’s valid tokens were being held, and the attacker walked away with 90,000 of those ETH tokens. Continue reading “This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE”

Linux SambaCry

Great news everyone, Windows is not the only operating system with remote code execution via SMB. Linux has also its own, seven-year-old version of the bug. /s

This Linux remote execution vulnerability (CVE-2017-7494) affects Samba, the Linux re-implementation of the SMB networking protocol, from versions 3.5.0 onwards (since 2010). The SambaCry moniker was almost unavoidable.

The bug, however, has nothing to do on how Eternalblue works, one of the exploits that the current version of WannaCry ransomware packs with. While Eternalblue is essentially a buffer overflow exploit, CVE-2017-7494 takes advantage of an arbitrary shared library load.  To exploit it, a malicious client needs to be able to upload a shared library file to a writeable share, afterwards it’s possible for the attacker to cause the server to load and execute it. A Metasploit exploit module is already public, able to target Linux ARM, X86 and X86_64 architectures.

A patch addressing this defect has been posted to the official website and Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are also available. If you can’t apply the patch at the moment, the workaround is to add the parameter “nt pipe support = no” to the [global] section of your smb.conf and restart smbd. Note that this can disable some expected functionality for Windows clients.

Meanwhile, NAS vendors start to realise they have work on their hands. Different brands and models that use Samba for file sharing (a lot, if not all, of them provide this functionality) will have to issue firmware updates if they want to patch this flaw. If the firmware updates for these appliances take the same time they usually do, we will have this bug around for quite some time.

HOPE X: Wireless Tor Proxies And Sharing TrueCrypt Volumes

When you’re at HOPE, of course you’re going to see a few Tor proxies, but [Jose]’s is top-notch. It’s a completely portable Tor proxy (.br, Google translation), battery-powered, with a connection for 4G networks.

[Jose]’s OnionPi setup is based on the Adafruit version, but adds a few interesting features that make it even more useful. It’s battery-powered with about a day of charge time, has a built-in battery charger, Ethernet pass through, external 4G and WiFi antennas, all in a sealed case that makes the entire build impervious to the elements.

While this isn’t much of a hack per se, the amount of integration is impressive. There are switches to turn off each individual networking port, and all the relevant plugs are broken out to the front panel, with the AC input and USB serial connection using screw connectors that are supposedly very popular in Brazil.

[Jose] also brought along a new device that isn’t documented anywhere else on the web. It’s called NNCFA, or Nothing New Crypto For All. Using a Cubieboard, an interesting ARM single board computer with a SATA connector, [Jose] created a device that will mount TrueCrypt volumes on a hard drive and share them via Samba.

More OpenWRT Image Building For The Dockstar

[Der_picknicker] wrote in to let us know about a guide to building OpenWRT images for the dockstar (translated). What they end up with is a nice little network attached storage device that runs SAMBA and subversion under the umbrella of OpenWRT. We looked at flashing and building OpenWRT images for this device back in July. The development branch of OpenWRT hasn’t quite reached a stable release yet, but much has been done in the last few months.

The machine translation is a little rough, but the compilation process is easy enough to follow. If you don’t care to slog through compiling (which apparently takes 1-2 hours) they’ve also made their images available for download. It should be possible to flash via SSH but you might want to add a serial port to the device just to be safe.