In a brilliant write-up, [Stephen Tong] brings us his “Use-After-Free for Dummies“. It’s a surprising tale of a vulnerability that really shouldn’t exist, and a walkthrough of how to complete a capture the flag challenge. The vulnerable binary is running on a Raspberry Pi, which turns out to be very important. It’s a multithreaded application that uses lock-free data sharing, through pair of integers readable by multiple threads. Those ints are declared using the volatile keyword, which is a useful way to tell a compiler not to optimize too heavily, as this value may get changed by another thread.
On an x86 machine, this approach works flawlessly, as all the out-of-order execution features are guaranteed to be globally transparent. Put another way, even if thread one can speed up execution by modifying shared memory ahead of time, the CPU will keep the shared memory changes in the proper order. When that shared memory is controlling concurrent access, it’s really important that ordering happens the way you expect it. What was a surprise to me is that the ARM platform does not provide that global memory ordering. While the out-of-order execution will be transparent to the thread making changes, other threads and processes may observe those actions out of order. An example may help:
volatile int value;
volatile int ready;
// Thread 1
value = 123; // (1)
ready = 1; // (2)
// Thread 2
while (!ready); // (3)
print(value); // (4)
The government of Argentina has a national ID card system, and as a result maintains a database containing data on every citizen in the country. What could possibly go wrong? Predictably, an attacker has managed to gain access to the database, and is offering the entire dataset for sale. The Argentinian government has claimed that this wasn’t a mass breach, and only a handful of credentials were accessed. This seems to be incorrect, as the seller was able to provide the details of an arbitrary citizen to the journalists investigating the story.
Patch Tuesday
Microsoft has released their monthly round of patches for October, and there are a couple doozies. CVE-2021-40486 is an RCE in Microsoft Word, and this flaw can trigger via the preview pane. CVE-2021-38672 and CVE-2021-40461 are both RCE vulnerabilities in Hyper-V. And finally, CVE-2021-40449 is a privilege upgrade actively being used in the wild, more on that in a moment. Oh, and you thought the Print Nightmare was over? CVE-2021-36970 is yet another print spooler vulnerability. The unfortunate thing about the list of Microsoft vulnerabilities is that there is hardly any information available about them.
On the other hand, Apple just patched CVE-2021-30883, a 0-day that’s being actively exploited in iOS. With the release of the fix, [Saar Amar] has put together a very nice explanation of the bug with PoC. It’s a simple integer overflow when allocating a buffer, leading to an arbitrary memory write. This one is particularly nasty, because it’s not gated behind any permissions, and can be triggered from within app sandboxes. It’s being used in the wild already, so go update your iOS devices now.
Kaspersky brings us a report on a CVE-2021-40449 being used in the wild. It’s part of an attack they’re calling MysterySnail, and seems to originate from IronHusky out of China. The vulnerability is a use-after-free, and is triggered by making a the ResetDC API call that calls its own callback. This layer of recursive execution results in an object being freed before the outer execution has finished with it.
Since the object can now be re-allocated and controlled by the attacker code, the malformed object allows the attacker to run their code in kernel space, achieving privilege escalation. This campaign then does some data gathering and installs a Remote Access Trojan. Several Indicators of Compromise are listed as part of the write-up.
Off to the Races
Google’s Project Zero is back with a clever Linux Kernel hack, an escalation of privilege triggered by a race condition in the pseudoterminal device. Usually abbreviated PTY, this kernel device can be connected to userspace applications on both ends, making for some interesting interactions. Each end has a struct that reflects the status of the connection. The problem is that TIOCSPGRP, used to set the process group that should be associated with the terminal, doesn’t properly lock the terminal’s internal state.
As a result, calling this function on both sides at the same time is a race condition, where the reference count can be corrupted. Once the reference count is untrustworthy, the whole object can be freed, with a dangling pointer left in the kernel. From there, it’s a typical use-after-free bug. The post has some useful thoughts about hardening a system against this style of attack, and the bug was fixed December 2020.
AI vs Pseudorandom Numbers
[Mostafa Hassan] of the NCC Group is doing some particularly fascinating research, using machine learning to test pseudorandom number generators. In the first installment, he managed to break the very simple xorshift128 algorithm. Part two tackles the Mersenne Twister, which also falls to the neural network. Do note that neither of these are considered cryptographic number generators, so it isn’t too surprising that a ML model can determine their internal state. What will be most interesting is the post to come, when he tackles other algorithms thought to be secure. Watch for that one in a future article.
L0phtcrack Becomes Open Source
In a surprise to me, the L0phtcrack tool has been released as open source. L0phtcrack is the password cracking/auditing tool created by [Mudge] and company at L0pht Heavy Industries, about a billion years ago. Ownership passed to @stake, which was purchased by Symantec in 2004. Due to export regulations, Symantec stopped selling the program, and it was reacquired by the original L0pht team.
In April 2020, Terahash announced that they had purchased rights to the program, and began selling and supporting it as a part of their offerings. Terahash primarily builds GPU based cracking hardware, and has been hit exceptionally hard by the chip shortage. As a result of Terahash entering bankruptcy protection, the L0phtcrack ownership has reverted back to L0pht, and version 7.2.0 has been released as Open Source.
The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.
If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
The Day The Internet Stood Still
You might have noticed a bit of a kerfluffel on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning nxdomain to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale. Continue reading “This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll”→
We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format, .dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, Libreoffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in dbfview, but that wasn’t enough.
Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.
In case you needed yet another example of why your IoT devices shouldn’t be exposed to the internet, a large swath of Hikvision IP Cameras have a serious RCE vulnerability. CVE-2021-36260 was discovered by the firm Watchful_IP in the UK. In Hikvision’s disclosure, they refer to the problem as a command injection vulnerability in the device’s web interface. The vuln is pre-authentication, and requires no user interaction. This could be something as simple as a language chooser not sanitizing the inputs on the back-end, and being able to use backticks or a semicolon to trigger an arbitrary command.
Now you’re probably thinking, “I don’t use Hikvision cameras.” The sneaky truth is that a bunch of cameras with different brand names are actually Hikvision hardware, with their firmware based on the Hikvision SDK. The outstanding question about this particular vulnerability is whether it’s present in any of the re-labelled cameras. Since the exact vulnerability has yet to be disclosed, it’s hard to know for sure whether the relabeled units are vulnerable. But if we were betting… Continue reading “This Week In Security: Somebody’s Watching, Microsoft + Linux, DDoS”→
A particularly nasty 0-day was discovered in the wild, CVE-2021-40444, a flaw in how Microsoft’s MSHTML engine handled Office documents. Not all of the details are clear yet, but the result is that opening a office document can trigger a remote code execution. It gets worse, though, because the exploit can work when simply previewing a file in Explorer, making this a potential 0-click exploit. So far the attack has been used against specific targets, but a POC has been published.
It appears that there are multiple tricks that should be discrete CVEs behind the exploit. First, a simple invocation of mshtml:http in an Office document triggers the download and processing of that URL via the Trident engine, AKA our old friend IE. The real juicy problem is that in Trident, an iframe can be constructed with a .cpl URI pointing at an inf or dll file, and that gets executed without any prompt. This is demonstrated here by [Will Dormann]. A patch was included with this month’s roundup of fixes for Patch Tuesday, so make sure to update. Continue reading “This Week In Security: Office 0-day, ForcedEntry, ProtonMail, And OMIGOD”→
A PoC was just published for a potentially serious flaw in the Ghostscript interpreter. Ghostscript can load Postscript, PDF, and SVG, and it has a feature from Postscript that has been a continual security issue: the %pipe% command. This command requests the interpreter to spawn a new process — It’s RCE as part of the spec. This is obviously a problem for untrusted images and documents, and Ghostscript has fixed security vulnerabilities around this mis-feature several times over the years.
This particular vulnerability was discovered by [Emil Lerner], and described at ZeroNights X. That talk is available, but in Russian. The issue seems to be a bypass of sorts, where the pipe command appears to be working in the /tmp/ directory, but a simple semicolon allows for an arbitrary command to be executed. Now why is this a big deal? Because ImageMagick uses Ghostscript to open SVG images by default on some distributions, and ImageMagick is often used for automatically resizing and converting images for web sites. In [Emil]’s presentation, he uses this flaw as part of an attack chain against three different companies.
I was unable to reproduce the flaw on my Fedora install, but I haven’t found any notice of it being fixed in the Ghostscript or Imagemagick changelogs either. It’s unclear if this problem has already been fixed, or if this is a true 0-day for some platforms. Either way, expect attackers to start trying to make use of it.
In a surprise to me, 
