This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT

We often think of SIM cards as simple data storage devices, but in reality a SIM card is a miniature Universal integrated circuit card, or smart card. Subscriber data isn’t a simple text string, but a program running on the smart cards tiny processor, acting as a hardware cryptographic token. The presence of this tiny processor in everyone’s cell phone was eventually put to use in the form of the Sim application ToolKit (STK), which allowed cell phone networks to add services to very basic cell phones, such as mobile banking and account management.

Legacy software running in a place most of us have forgotten about? Sounds like it’s ripe for exploitation. The researchers at Adaptive Mobile Security discovered that exploitation of SMS messages has been happening for quite some time. In an era of complicated and sophisticated attacks, Simjacker seems almost refreshingly simple. An execution environment included on many sim cards, the S@T Browser, can request data from the cell phone’s OS, and even send SMS messages. The attacker simply sends an SMS to this environment containing instructions to request the phones unique identifier and current GPS location, and send that information back in another SMS message.

It’s questionable whether there is actually an exploit here, as it seems the S@T Browser is just insecure by design. Either way, the fact that essentially anyone can track a cell phone simply by sending a special SMS message to that phone is quite a severe problem. Continue reading “This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT”

This Week In Security: Mass IPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear you device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

“By default, your number is only visible to people who you’ve added to your address book as contacts.” Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature — Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement for portable phone numbers. In the port-out scam, the attacker claims to be switching to a new carrier. A SIM-swap scam is convincing a carrier he or she is switching to a new phone and new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

An odd coincidence, that 100 million number is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third party advertisement library.

Updates

Last week we talked about Devcore and their VPN Appliance research work. Since then, they have released part 3 of their report. Pulse Secure doesn’t have nearly as easily exploited vulnerabilities, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitraty data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.

This Week In Security: VPN Gateways, Attacks In The Wild, VLC, And An IP Address Caper

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.

It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.

CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. Snprintf is an alternative to sprintf, but intended to prevent buffer overflows by including the maximum string length to write to the target buffer, which sounds like a good idea but can lead to malicious truncation.

The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder.  This would leak arbitrary json files, but sincesnprintf doesn’t fail if it exceeds the specified length, sending a request for a lang that’s long enough results in the “.json” extension not being appended to the request either.

A metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to force the json extension to fall off the end of the string, and it is Unix convention is to ignore the extra slashes in a path. Just like that, the Fortigate is serving up any file on its filesystem just for asking nice.

More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an http query string bypasses authentication and allows changing any user’s password — without any authentication. This story is still young, it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.

Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.

Exploitation in the Wild

But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.

Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.

VLC is Actually Vulnerable This Time

The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.

Gray Market IP Addresses

With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?

This Week In Security: Black Hat, DEF CON, And Patch Tuesday

Blackhat and DEF CON both just wrapped, and Patch Tuesday was this week. We have a bunch of stories to cover today.

First some light-hearted shenanigans. Obviously inspired by Little Bobby Tables, Droogie applied for the vanity plate “NULL”. A year went by without any problems, but soon enough it was time to renew his registration. The online registration form refused to acknowledge “NULL” as a valid license plate. The hilarity didn’t really start until he got a parking ticket, and received a bill for $12,000. It seems that the California parking ticket collection system can’t properly differentiate between “NULL” and a null value, and so every ticket without a license plate is now unintentionally linked to his plate.

In the comments on the Ars Technica article, it was suggested that “NULL” simply be added to the list of disallowed vanity plates. A savvy reader pointed out that the system that tracks disallowed plates would probably similarly choke on a “NULL” value.

Hacking an F-15

In a surprising move, Air Force officials brought samples of the Trusted Aircraft Information Download Station (TADS) from an F-15 to DEF CON. Researchers were apparently able to compromise those devices in a myriad of ways. This is a radical departure from the security-through-obscurity approach that has characterized the U.S. military for years.

Next year’s DEF CON involvement promises to be even better as the Air Force plans to bring researchers out to an actual aircraft, inviting them to compromise it in every way imaginable.

Patch Tuesday

Microsoft’s monthly dump of Windows security fixes landed this week, and it was a doozy. First up are a pair of remotely exploitable Remote Desktop vulnerabilities, CVE-2019-1222 and CVE-2019-1226. It’s been theorized that these bugs were found as part of an RDP code review launched in response to the BlueKeep vulnerability from earlier this year. The important difference here is that these bugs affect multiple versions of Windows, up to and including Windows 10.

What the CTF

Remember Tavis Ormandy and his Notepad attack? We finally have the rest of the story! Go read the whole thing, it’s a great tale of finding something strange, and then pulling it apart looking for vulnerabilities.

Microsoft Windows has a module, MSCTF, that is part of the Text Services Framework. What does the CTF acronym even stand for? That’s not clear. It seems that CTF is responsible for handling keyboard layouts, and translating keystrokes based on what keyboard type is selected. What is also clear is that every time an application builds a window, that application also connects to a CTF process. CTF has been a part of Microsoft’s code base since at least 2001, with relatively few code changes since then.

CTF doesn’t do any validation, so an attacker can connect to the CTF service and claim to be any process. Tavis discovered he could effectively attempt to call arbitrary function pointers of any program talking to the same CTF service. Due to some additional security measures built into modern Windows, the path to an actual compromise is rather convoluted, but by the end of the day, any CFT client can be compromised, including notepad.

The most interesting CFT client Tavis found was the login screen. The exploit he demos as part of the write-up is to lock the computer, and then compromise the login in order to spawn a process with system privileges.

The presence of this unknown service running on every Windows machine is just another reminder that operating systems should be open source.

Biostar 2

Biostar 2 is a centralized biometric access control system in use by thousands of organizations and many countries around the globe. A pair of Israeli security researchers discovered that the central database that controls the entire system was unencrypted and unsecured. 23 Gigabytes of security data was available, including over a million fingerprints. This data was stored in the clear, rather than properly hashed, so passwords and fingerprints were directly leaked as a result. This data seems to have been made available through an Elasticsearch instance that was directly exposed to the internet, and was found through port scanning.

If you have any exposure to Biostar 2 systems, you need to assume your data has been compromised. While passwords can be changed, fingerprints are forever. As biometric authentication becomes more widespread, this is an unexplored side effect.

This Week In Security: VxWorks, Expensive Email Fraud, And What’s In Your Wallet?

This has been an interesting week. First off, security researchers at Armis discovered a set of serious vulnerabilities in the vxWorks Real Time Operating System (RTOS). Released under a name that sounds like the title of a western or caper movie, Urgent/11. Not familiar with vxWorks? It’s a toss-up as to whether vxWorks or Linux is more popular for embedded devices. Several printer brands, Arris modems, Sonicwall firewalls, and a whole host of other industrial and medical devices run the vxWorks RTOS.

Several of these vulnerabilities are in the network stack, rather than in applications. The worst offender is CVE-2019-12256, a vulnerability in error handling. An ICMP error response is generated from an incoming packet, and assumptions are made about that incoming packet. When data is copied from that packet into the ICMP error, the length is not first checked, allowing unconfined memory write. If this sounds familiar, it should. We covered a similar vulnerability in Apple’s XNU kernel not long ago.

This particular vulnerability can compromise a vxWorks machine even without an opened port. The saving grace of that vulnerability applies here: a maliciously crafted packet is necessarily malformed, and won’t navigate public routing. In other words, it’s LAN only, and can’t be sent over the internet.

They come in through the firewall.

A second class of vulnerability, where the name comes from, is related to the TCP urgent pointer. This rarely used TCP feature was intended to allow more up-to-date information to supersede data still being processed. Not only has TCP urgent not been widely used, the specifications were not written particularly well, with the various RFC documents describing conflicting implementations. It’s surprising that vxWorks supports it at all, but isn’t particularly surprising that their implementation is flawed. Manipulation of the data stream can cause a length integer to underflow. The nature of binary arithmetic means that underflowing an unsigned integer causes it to wrap around to maximum value, which can lead to writing packet data in the buffer in unexpected memory locations. These vulnerabilities require an established TCP connection, but the researchers describe several scenarios where that could be accomplished by an attacker.

The last RCE vulnerability they describe is in the DHCP client, ipdhcpc. This is a very simple vulnerability. One section of code allocates a buffer for DHCP options, but allocates 24 bytes fewer than the maximum size. An attacker could use this 24 byte overflow to manipulate the data structure and potentially jump execution into manipulated memory.

Update (2019-08-02 09:15 UTC-7): Hackaday received a statement from SonicWall that they made a patch for this vulnerability back on July 19th:

Ensuring the security of our customers is a responsibility we take seriously at SonicWall and we work vigilantly to always keep our customers secure. SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild. The patches are available now and we strongly advised our partners and end users July 19 th to apply the SonicOS patch immediately.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009

Capital One: What’s in Your Data

Capital One made use of Amazon AWS for storing customer data. This isn’t surprising, many companies have turned to Amazon’s seemingly inexhaustible cloud computing platform for storing large data sets. It seems, however, that Capital One failed to configure the security properly on that bucket. (As many other companies have done.) Information was leaked for over an estimated 100 million customers. A former Amazon employee has been arrested, and seems to have posted at least a portion of that data in a Github gist.

Reading between the lines, it seems that this was a very simple mistake. Perhaps credentials were leaked, or the S3 bucket was publicly available. That particular detail has not been released. There is something to be said for Capital One’s response to the incident. They were anonymously informed of the existence of the gist on July 17, using their responsible disclosure process. By the 29th, they had fixed the misconfiguration, coordinated with law enforcement, and publicly announced the breach. A twelve day turn-around is an impressive response, particularly when so many companies have tried to hide or ignore similar breaches.

Cabarrus County, NC

It seemed simple enough. The general contractor for the county’s new school building needed to update bank account information. The appropriate forms were signed and filed, and the information was updated. Nothing seemed amiss unto two months later, when the contractor notified the county that they had missed a scheduled payment of 2.5 million dollars. But the transaction went through, and the money was transferred to the account on file.

Yes, the transfer went through, but the the county had been hit with a social engineering scam. The report refers to it as an Email Account Compromise (EAC) scam, which seems to indicate that the scammer first gained access to a legitimate email account of the contractor in question. Alternatively, an attacker could simply spoof the sender’s email address, and set a different reply-to field. Unless a user was particularly watching for such a scheme, it would be easy to overlook the discrepancy. In any case, even after recovering some of the transferred money, the county seems to be out about $1.7 million. These scams are becoming more and more popular, so remember, don’t believe anything you read in an email.

The Weird and Wacky

And to round out this week’s news, yet another [Satoshi Nakamoto] candidate has been found: Linus Torvalds. While it appears to be a serious suggestion, I’ll just note that the author doesn’t have his name attached to this article. He does make one interesting observation — git is the killer blockchain app. You see, I tend to compare blockchain to the laser. Both were very clever inventions, but didn’t have any immediate uses. They were solutions in search of a problem. This article points out that core concepts of blockchain are present in git, which seems to be an accurate and clever observation. So what is blockchain good for? Git!

And the most useless security news of the week? The CAN bus on airplanes is exploitable when an attacker has unsupervised physical access. Yes, people with unsupervised physical access can do bad things to airplanes. Think about what they could do if they brought a wrench.

This Week In Security: Selfblow, Encryption Backdoors, Killer Apps, And The VLC Apocalypse That Wasn’t

Selfblow (Don’t google that at work, by the way) is a clever exploit by [Balázs Triszka] that affects every Nvidia Tegra device using the nvtboot bootloader — just about all of them except the Nintendo Switch. It’s CVE 2019-5680, and rated at an 8.2 according to Nvidia, but that high CVE rating isn’t entirely reflective of the reality of the situation. Taking advantage of the vulnerability means writing to the boot device, which requires root access, as well as a kernel flag set to expose the boot partitions to userspace. This vulnerability was discovered as part of an effort by [Balázs] and other LineageOS developers to build an open source bootloader for Nvidia Tegra devices.

The Tegra boot process is a bit different, having several stages and a dedicated Boot and Power Management CPU (BPMP). A zero-stage ROM loads nvtboot to memory and starts it executing on the BPMP. One of the tasks of nvtboot is to verify the signature of the next bootloader step, nvtboot-cpu. The file size and memory location are embedded in the nvtboot-cpu header. There are two problems here that together make this vulnerability possible. The first is that the bootloader binary is loaded to its final memory location before the signature verification is performed. The code is written to validate the bootloader signature before starting it executing on the primary CPU, so all is well, right? Continue reading “This Week In Security: Selfblow, Encryption Backdoors, Killer Apps, And The VLC Apocalypse That Wasn’t”

This Week In Security: Censoring Researchers, The Death Of OpenPGP, Dereferencing Nulls, And Zoom Is Watching You

Last week the schedule for our weekly security column collided with the Independence Day holiday. The upside is that we get a two-for-one deal this week, as we’re covering two weeks worth of news, and there is a lot to cover!

[Petko Petrov], a security researcher in Bulgaria, was arrested last week for demonstrating an weakness he discovered in a local government website. In the demonstration video, he stated that he attempted to disclose the vulnerability to both the software vendor and the local government. When his warnings were ignored, he took to Facebook to inform the world of the problem.

From the video, it appears that a validation step was performed on the browser side, easily manipulated by the end user. Once such a flaw is discovered, it becomes trivial to automate the process of scraping data from the vulnerable site. The vulnerability found isn’t particularly interesting, though the amount of data exposed is rather worrying. The bigger story is that as of the latest reports, the local government still intends to prosecute [Petko] for downloading data as part of demonstrating the attack.

Youtube Censorship

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it. YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"

In related news, Google has begun cracking down on “Instructional Hacking and Phishing” videos. [Kody] from the Null Byte Youtube channel found himself locked out of his own channel, after receiving a strike for a video discussing a Wifi vulnerability.

The key to getting a video unblocked seems to be generating lots of social media attention. Enough outcry seems to trigger a manual review of the video in question, and usually results in the strike being rescinded.

Improved Zip Bomb

A zip bomb is a small zip file that unzips into a ridiculously large file or collection of files. While there are obvious nefarious uses for such a file, it has also become something of a competition, crafting the most extreme zip bomb. The previous champion was 42.zip, a recursive zip file that when fully extracted, weighs in at 42 petabytes. A new contender may have just taken the crown, and without using zip file recursion.

[David Fifield] discovered a pair of ZIP tricks. First being that multiple files can be constructed from a single “kernel” of compressed data. The second is that file headers could also be part of files to be decompressed. It’s clever work, and much easier to understand when looking at the graphics he put together. From those two points, the only task left is to optimize. Taking advantage of the zip64 format, the final compression ratio was approximately 98 million to one.

Breaking OpenPGP Keyservers

OpenPGP as we know it is on the ropes. OpenPGP is the technique that allows encryption and verification of emails through cryptographic signatures. It’s the grandaddy of modern secure communication, and still widely used today. One of the features of OpenPGP is that anyone can upload their public key to keyservers hosted around the world. Because of the political climate in the early 90’s when OpenPGP was first developed, it was decided that a baked-in feature of the keyserver was that uploaded keys could never be deleted.

Another feature of OpenPGP keys is that one user can use their key to sign another user’s key, formally attesting that it is valid. This creates what is known as a “web of trust”. When an OpenPGP instance validates a signature, it also validates all the attestations attached to that signature. Someone has spammed a pair of OpenPGP certificates with tens of thousands of signatures. If your OpenPGP client refreshes those signatures, and attempts to check the validations, it will grind to a halt under the load. Loading the updated certificate permanently poisons the offline key-store. In some cases, just the single certificate can be deleted, but some users have had to delete their entire key store.

It’s now apparent that parts of the OpenPGP infrastructure hasn’t been well maintained for quite some time. [Robert J. Hansen] has been spearheading the public response to this attack, not to mention one of the users directly targeted. In a follow-up post, he alluded to the need to re-write the keyserver component of OpenPGP, and the lack of resources to do so.

It’s unclear what will become of the OpenPGP infrastructure. It’s likely that the old keyserver network will have to be abandoned entirely. An experimental keyserver is available at keys.openpgp.org that has removed the spammed signatures.

Beware the QR Codes

Link shorteners are a useful way to avoid typing out a long URL, but have a downside — you don’t know what URL you’re going to ahead of time. Thankfully there are link unshorteners, like unshorten.it. Paste a shortlink and get the full URL, so you don’t accidentally visit a shady website because you clicked on a shortened link. [Nick Guarino] over at cofense.com raises a new alarm: QR codes can similarly lead to malicious or questionable websites, and are less easily examined before scanning. His focus is primarily how a QR code can be used to bypass security products, in order to launch a fishing attack.

Most QR scanners have an option to automatically navigate to the web page in the code. Turn this option off. Not only could scanning a QR code lead to a malicious web site, but URLs can also launch actions in other apps. This potential problem of QR codes is very similar to the problem of shortened links — the actual payload isn’t human readable prior to interacting with it, when it’s potentially too late.

Dereferencing Pointers for Fun and Profit

On the 10th, the Eset blog, [welivesecurity], covered a Windows local priveledge escalation 0-day being actively exploited in the wild. The exploit highlights several concepts, one of which we haven’t covered before, namely how to use a null pointer dereference in an exploit.

In C, a pointer is simply a variable that holds a memory location. In that memory location can be a data structure, a string, or even a callable function. By convention, when pointers aren’t referring to anything, they are set to NULL. This is a useful way to quickly check whether a pointer is pointing to live data. The process of interacting with a pointer’s data is known a dereferencing the pointer. A NULL pointer dereference, then, is accessing the data referred to by a pointer that is set to NULL. This puts us in the dangerous territory of undefined behavior.

Different compilers, architectures, and even operating systems will potentially demonstrate different behavior when doing something undefined. In the case of C code on 32-bit Windows 7, NULL is indistinguishable from zero, and memory location zero is a perfectly valid location. In this case, we’re not talking about the physical location zero, but logical address zero. In modern systems, each process has a dedicated pool of memory, and the OS manages the offset and memory mapping, allowing the process to use the simpler logical memory addressing.

Windows 7 has a function, “NtAllocateVirtualMemory”, that allows a process to request access to arbitrary memory locations. If a NULL, or zero, is passed to this function as the memory location, the OS simply picks a location to allocate that memory. What many consider a bug is that this function will effectively round down small memory locations. It’s quite possible to allocate memory at logical address 0/NULL, but is considered to be bad behavior. The important takeaway here is that in Windows 7, a program can allocate memory at a location referred to by a null pointer.

On to the vulnerability! The malicious program sets up a popup menu and submenu as part of its GUI. While this menu is still being initialized, the malicious program cancels the request to set up the menu. By timing the cancellation request precisely, it’s possible for the submenu to still be created, but to be a null pointer instead of the expected object. A second process can then trigger the system process to call a function expected to be part of the object. Because Windows allows the allocation of memory page zero, this effectively hands system level execution to the attacker. The full write-up is worth the time to check out.

Zoom Your Way to Vulnerability

Zoom is a popular web-meeting application, aimed at corporations, with the primary selling point being how easy it is to join a meeting. Apparently they worked a bit too hard on easy meeting joins, as loading a malicious webpage on a Mac causes an automatic meeting join with the mic and webcam enabled, so long as that machine has previous connected to a Zoom meeting. You would think that uninstalling the Zoom client would be enough to stop the madness, but installing Zoom also installs a local webserver. Astonishingly, uninstalling Zoom doesn’t remove the webserver, but it was designed to perpetually listen for a new Zoom meeting attempt. If that sounds like a Trojan to you, you’re not wrong.

The outcry over Zoom’s official response was enough to inform them of the error of their ways. They have pushed an update that removes the hidden server and adds a user interaction before joining a meeting. Additionally, Apple has pushed an update that removes the hidden server if present, and prompts before joining a Zoom meeting.

Wireless Keyboards Letting You Down

Have you ever typed your password using a wireless keyboard, and wondered if you just broadcast it in the clear to anyone listening? In theory, wireless keyboards and mice use encryption to keep eavesdroppers out, but at least Logitech devices have a number of problems in their encryption scheme.

Part of the problem seems to be Logitech’s “Unifying” wireless system, and the emphasis on compatibility. One receiver can support multiple devices, which is helpful when eliminating cable clutter, but also weakens the encryption scheme. An attacker only has to be able to monitor the radio signals during pairing, or even monitoring signals while also observing keypresses. Either way, a few moments of processing, and an attacker has both read and write access to the wireless gear.

Several even more serious problems have fixed with firmware updates in the past years, but [Marcus Mengs], the researcher in question, discovered that newly purchased hardware still doesn’t contain the updated firmware. Worse yet, some of the effected devices don’t have an officially supported firmware update tool.

Maybe wired peripherals are the way to go, after all!