This Week In Security: SAD DNS, Incident Documentation Done Well, And TCL Responds

One of the big stories from the past few days is the return of DNS cache poisoning. The new attack has been dubbed SAD DNS, and the full PDF whitepaper is now available. When you look up a website’s IP address in a poisoned cache, you get the wrong IP address.

This can send you somewhere malicious, or worse. The paper points out that DNS has suffered a sort of feature creep, picking up more and more responsibilities. The most notable use of DNS that comes to mind is Let’s Encrypt using DNS as the mechanism to prove domain ownership and issue HTTPS certificates.

DNS cache poisoning is a relatively old attack, dating from 1993. The first iteration of the attack was simple. An attacker that controlled an authoritative DNS server could include extra DNS results, and those extra results would be cached as if they came from an authoritative server. In 1997 it was realized that the known source port combined with a non-random transaction ID made DNS packet spoofing rather trivial. An attacker simply needs to spoof a DNS response with the appropriate txID, at the appropriate time, to trick a requester into thinking it’s valid. Without the extra protections of TCP connections, this was an easy task. The response was to randomize the txID for each query.

I have to take a moment to talk about one of my favorite gotchas in statistics: the birthday paradox. The chance that two randomly selected people share a birthday is 1 in 365. How many people have to be in a room together to get a 50% chance of two of them sharing a birthday? If you said 182, then you walked into the paradox. The answer is 23. Why? Because we’re not looking for a specific birthday, we’re just looking for a collision between dates. Each non-matching birthday that walks into the room provides another opportunity for the next one to match.

This is the essence of the DNS birthday attack. An attacker would send a large number of DNS requests, and then immediately send a large number of spoofed responses, guessing random txIDs. Because only one collision is needed to get a poisoned cache, the chances of success go up rapidly. The mitigation was to also randomize the DNS source port, so that spoof attempts had to have both the correct source port and txID in the same attempt.
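As an added worked example (not from the original article), the birthday math above carried through in Python, together with the DNS version of it: the same flood of guesses against a 16-bit txID alone versus txID plus a randomized source port. The 300-query/300-response flood size and the count of usable ephemeral ports are constructed assumptions.

```python
TXID_SPACE = 2 ** 16          # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024     # ephemeral source ports a resolver can pick from (assumption)

def birthday_collision_probability(people, days=365):
    """Exact probability that at least two of `people` share one of `days` birthdays."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct

def smallest_group_for_half_chance(days=365):
    """Smallest room size at which a shared birthday is more likely than not."""
    n = 1
    while birthday_collision_probability(n, days) < 0.5:
        n += 1
    return n

def spoof_success_probability(outstanding, spoofed, space):
    """Approximate chance that at least one of `spoofed` random guesses matches one of
    `outstanding` in-flight queries, each carrying an independent random value drawn
    from `space` possibilities. Same idea as the birthday paradox: any of the
    outstanding x spoofed pairs may collide, so the odds climb with the product."""
    p_single_guess_hits = 1.0 - (1.0 - 1.0 / space) ** outstanding
    return 1.0 - (1.0 - p_single_guess_hits) ** spoofed

def compare_mitigations(outstanding=300, spoofed=300):
    """Same flood against txID-only randomization vs txID plus source-port randomization."""
    return {
        "txid_only": spoof_success_probability(outstanding, spoofed, TXID_SPACE),
        "txid_and_port": spoof_success_probability(outstanding, spoofed, TXID_SPACE * PORT_SPACE),
    }
```

With 300 outstanding queries and 300 spoofed replies the txID-only case succeeds roughly three times out of four, while adding port randomization drops the same flood to a few chances in a hundred thousand.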

This Week In Security: Platypus, Git.bat, TCL TVs, And Lessons From Online Gaming

Git’s Large File Storage (git-lfs) is a reasonable solution to a bit of a niche problem. How do you handle large binary files that need to go into a git repository? It might be pictures or video that are part of a project’s documentation, or even a demonstration dataset. Git-lfs’s solution is to replace the binary files with a text-based pointer to where the real file is hosted. That’s not important to understanding this vulnerability, though. The problem is that git-lfs will call the main git binary as part of its operation, and when it does so, the full path is not used. On a Unix system, that’s not a problem. The $PATH variable is used to determine where to look for binaries. When git is run, /usr/bin/git is automagically run. On a Windows system, however, executing a binary name without a path will first look in the current directory, and only if a matching executable file is not found there will the standard locations be checked.

You may already see the problem. If a repository contains a git.exe, git.bat, or another git.* file that Windows thinks is executable, git-lfs will execute that file instead of the intended git binary. This means simply checking out a malicious repository gets you immediate code execution. A standard install of git for Windows, prior to 2.29.2.2, contains the vulnerable plugin by default, so go check that you’re updated!

Then remember that there’s one more wrinkle to this vulnerability. How closely do you check the contents of a git download before you run the next git command? Even with a patched git-lfs version, if you clone a malicious repository and then run any other git command from inside it, you still run the local git.* file. The real solution is for Windows to search the current directory only after the standard locations.
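An added Python model of the two lookup rules described above (not code from the article or from git-lfs itself): it builds a constructed temporary layout with a git install directory on PATH and a clone that contains a git.bat, reports which file a bare `git` would resolve to under the Windows rule and the POSIX rule, and includes a defensive scan for files in a checkout that would shadow git on Windows. The PATHEXT list is a subset of the Windows default and the directory layout is an assumption.

```python
import os
import tempfile
from pathlib import Path
# Subset of the default Windows PATHEXT list; these are tried, in order, for a bare name.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]

def resolve_command(name, cwd, path_dirs, windows):
    """Return the file a bare `name` would run, or None.
    windows=True mimics the Windows rule: current directory first, then PATH, with PATHEXT.
    windows=False mimics POSIX execvp: only PATH, exact name, must be executable."""
    for d in ([cwd] if windows else []) + list(path_dirs):
        if windows:
            for ext in PATHEXT:
                cand = Path(d) / (name + ext.lower())
                if cand.is_file():
                    return cand
        else:
            cand = Path(d) / name
            if cand.is_file() and os.access(cand, os.X_OK):
                return cand
    return None

def find_shadowing_files(repo_dir, name="git"):
    """Defensive scan of a checkout: files a Windows lookup of bare `name` would hit before PATH."""
    hits = []
    for root, _dirs, files in os.walk(repo_dir):
        if ".git" in Path(root).parts:
            continue
        for f in files:
            stem, ext = os.path.splitext(f)
            if stem.lower() == name and ext.upper() in PATHEXT:
                hits.append(Path(root) / f)
    return hits

def demo():
    """Constructed layout (assumption): a git install dir on PATH, and a clone holding git.bat."""
    tmp = Path(tempfile.mkdtemp())
    bindir, repo = tmp / "Git" / "bin", tmp / "clone"
    bindir.mkdir(parents=True)
    repo.mkdir()
    (bindir / "git.exe").write_text("real git (windows)")
    (bindir / "git").write_text("#!/bin/sh\n# real git (unix)\n")
    (bindir / "git").chmod(0o755)
    (repo / "git.bat").write_text("@echo this would run instead of git")
    return {
        "windows": resolve_command("git", repo, [bindir], windows=True),
        "unix": resolve_command("git", repo, [bindir], windows=False),
        "shadowing": [p.name for p in find_shadowing_files(repo)],
    }
```

Running find_shadowing_files over a fresh clone before issuing any further git command is the check this wrinkle calls for on a Windows machine.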


Hackaday Links: February 9, 2020

In case you thought that we learned everything we need to know to land on the Moon fifty years ago, think again. NASA still has a lot of questions, and has scheduled the first of many commercial missions designed to fill in the blanks. As part of the Artemis program, which aims to land the first women and the next men on the Moon by 2024, NASA’s Commercial Lunar Payload Service (CLPS) will send 16 science payloads to the Moon via two separate commercial flights. The two companies, Astrobotic and Intuitive Machines, will send landers to the Moon in 2021 using a ULA Vulcan Centaur and a SpaceX Falcon 9, respectively. Fourteen companies were selected for CLPS, and with much to learn (or relearn) about landing and working on the Moon, watch for many more flights in the years to come. We’re all for the commercialization of space, but we have to admit that things were easier to keep track of when space exploration was a little more monolithic.

It looks like millions of BlackBerry phone users will have to find something else to do with their thumbs now that TCL is getting out of the BlackBerry business. The Chinese company announced this week that they would no longer have the rights to manufacture BlackBerry-branded phones like the Key2 as of August 31, 2020. Crackberry addicts were understandably upset, but all may not be lost for those who can’t stand the virtual keyboards on most other smartphones, as there’s still a chance another manufacturer will step in to fill the void.

Hypothetical situation: You’re in need of a car, so you go to a used car dealer. You see a nice car, take it for a test drive, and decide to buy it. Money is exchanged, paperwork done, and the salesman hands you the keys. You go out to the lot to drive your new ride home only to find out that the mechanic has removed the tires. When you ask what the deal is, the salesman says, “Sorry, you didn’t buy a license for the tires.” Hypothetical perhaps, but not far off from what happened to one Tesla Model S buyer when an over-the-air update disabled the Enhanced Autopilot and Full Self-Driving features he paid for. Tesla didn’t see it that way, though, claiming that he’d need to pony up to use the new features, which originally sold for $8,000. It raises interesting questions about how the secondary automotive market will respond to the increasingly complicated relationship between hardware and software, and what you’re actually paying for when you buy a car.

Back in the early days of Bitcoin, skeptics used to dismiss the cryptocurrency by saying, “When you can pay your taxes with it, then it’s real money.” Well, that day is apparently here for the municipality of Zermatt in Switzerland, where it was announced that Bitcoin will be accepted as payment for local taxes and other official fees. The Zermatt city hall has installed a Bitcoin point-of-sale terminal, or payments can be made directly from a Bitcoin wallet after filling out the proper paperwork. Bitcoin as legal tender for public debts is not exactly new; Ohio was doing it back as far as 2018. But we find the economic implications of this interesting — as our resident econometrician [Elliot Williams] pointed out, paying taxes in anything but the national currency was considered preposterous not that long ago.