This Week In Security: Palo Alto Scores A 10, Cursed Images, VM Escapes, And Malicious Music

July 3, 2020 by Jonathan Bennett 12 Comments

We’ve looked at many vulnerabilities over the years here on Hackaday, but it’s rather rare for a CVE to score a perfect 10 severity. This is reserved for the most severe and exploitable of problems. Palo Alto announced such a vulnerability, CVE-2020-2021, on the 29th. This vulnerability affects Palo Alto devices running PAN-OS that have SAML authentication enabled and a certain validation option disabled. The vulnerability is pre-authentication, but does require access to a service protected by SAML authentication. For example, a Palo Alto device providing a web-based VPN could be vulnerable. The good news is that the vulnerable settings aren’t default, but the bad news is that the official configuration guide recommends the vulnerable settings for certain scenarios, like using a third party authentication service.

The issue is in the Security Assertion Markup Language (SAML) implementation, which is an XML based open standard for authentication. One of the primary use cases for SAML is to provide a Single Sign On (SSO) scheme. The normal deployment of SAML SSO is that a central provider handles the authentication of users, and then asserts to individual services that the connecting user is actually who they claim to be.

The setting needed for this vulnerability to be exploitable is ‘Validate Identity Provider Certificate’ to be disabled. If this option is enabled, the SSO provider must use a CA signed SAML certificates. This doesn’t appear to mean that unsigned SSL certificates would be accepted, and only applies to certificates inside the SAML messages. It seems to be widely accepted that these certificates don’t need to be CA signed. In the official announcement, the vulnerability type is said to be “CWE-347 Improper Verification of Cryptographic Signature”. Continue reading “This Week In Security: Palo Alto Scores A 10, Cursed Images, VM Escapes, And Malicious Music” →

This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords

June 26, 2020 by Jonathan Bennett 13 Comments

[Wladimir Palant] seems to be on a one man crusade against security problems in security software. The name may not be immediately recognizable, but among his other infamies is originating Adblock Plus, which we have a love-hate relationship with. (Look, surf the net with an adblocker, but disable it for sites you trust and want to support, like HaD).

This week, he announced a rather serious flaw in the Bitdefender. The disclosure starts off with high praise for the Bitdefender: “security-wise Bitdefender Antivirus is one of the best antivirus products I’ve seen so far….” Even with that said, the vulnerability he found is a serious one. A malicious website can trigger the execution of arbitrary applications. The problem was fixed in an update released on the 22nd.

The vulnerability is interesting. First, Bitdefender uses an API that was added to web browsers specifically to enable security software to work without performing man-in-the-middle decryption of HTTPS connections. When a problem is detected, Bitdefender replaces the potentially malicious page with it’s own error message.

Because of the way this is implemented, the browser sees this error message as being the legitimate contents of the requested site. Were this a static page, it wouldn’t be a problem. However, Bitdefender provides an option to load the requested page anyway, and does this by embedding tokens in that error page. When a user pushes the button to load the page, Bitdefender sees the matching tokens in the outgoing request, and allows the page. Continue reading “This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords” →

This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers

June 19, 2020 by Jonathan Bennett 27 Comments

We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--

Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson. Continue reading “This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers” →

This Week In Security: Crosstalk, TLS Resumption, And Brave Shenanigans

June 12, 2020 by Jonathan Bennett 2 Comments

Intel announced CrossTalk, a new side-channel attack that can leak data from CPU buffers. It’s the same story we’ve heard before. Bits of internal CPU state can be inferred by other processes. This attack is a bit different, in that it can leak data across CPU cores. Only a few CPU instructions are vulnerable, like RDRAND, RDSEEED, and EGETKEY. Those particular instructions matter, because they’re used in Intel’s Secure Enclave and OpenSSL, to name a couple of important examples.
Continue reading “This Week In Security: Crosstalk, TLS Resumption, And Brave Shenanigans” →

This Week In Security: Exim, Apple Sign-in, Cursed Wallpaper, And Nuclear Secrets

June 5, 2020 by Jonathan Bennett 9 Comments

So first off, remember the Unc0ver vulnerability/jailbreak from last week? In the 13.5.1 iOS release, the underlying flaw was fixed, closing the jailbreak. If you intend to jailbreak your iOS device, make sure not to install this update. That said, the normal warning applies: Be very careful about running out-of-date software.

Apple Sign In

An exploit in Apple’s web authentication protocol was fixed in the past week . Sign In With Apple is similar to OAuth, and allows using an Apple account to sign in to other sites and services. Under the hood, a JSON Web Token (JWT) gets generated and passed around, in order to confirm the user’s identity. In theory, this scheme even allows authentication without disclosing the user’s email address.

So what could go wrong? Apparently a simple request for a JWT that’s signed with Apple’s public key will automatically be approved. Yeah, it was that bad. Any account linked to an Apple ID could be trivially compromised. It was fixed this past week, after being found and reported by [Bhavuk Jain]. Continue reading “This Week In Security: Exim, Apple Sign-in, Cursed Wallpaper, And Nuclear Secrets” →

This Week In Security: Leaking Partial Bits, Apple News, And Overzealous Contact Tracing

May 29, 2020 by Jonathan Bennett 11 Comments

Researchers at the NCCGroup have been working on a 5-part explanation of a Windows kernel vulnerability, targeting the Kernel Transaction Manager (KTM). The vulnerability, CVE-2018-8611, is a local privilege escalation bug. There doesn’t seem to be a way to exploit this remotely, but it is an interesting bug, and NCCGroup’s work on it is outstanding.

They start with a bit of background on what the KTM is, and why one might want to use it. Next is a handy guide to reverse engineering Microsoft patches. From there, they describe the race condition and how to actually exploit it. They cover a wide swath in the series, so go check it out.

Left4Dead 2

Just a reminder that bugs show up where you least expect them, [Hunter Stanton] shares his story of finding a code execution bug in the popular Valve game, Left4Dead 2. Since the game’s code isn’t available to look at, he decided to go the route of fuzzing. The specific approach he took was to fuzz the navigation mesh data, part of the data contained in each game map. Letting the Basic Fuzzing Framework (BFF) run for three days turned up a few possible crashes, and the most promising turned out to have code execution potential. [Hunter] submitted the find through Valve’s HackerOne bug bounty program, and landed a cool $10k bounty for his trouble.

While it isn’t directly an RCE, [Hunter] does point out that malicious mesh data could be distributed with downloadable maps on the Steam workshop. Alternatively, it should be possible to set up a fake game server that distributes the trapped map. Continue reading “This Week In Security: Leaking Partial Bits, Apple News, And Overzealous Contact Tracing” →

This Week In Security: DNS DDOS, Revenge Of The 15 Year Old Bug, And More

May 22, 2020 by Jonathan Bennett 9 Comments

Another DDOS amplification technique has just recently been disclosed, NXNSAttack (technical paper here) that could be used against DNS servers.

We’ve covered amplification attacks before. The short explanation is that some UDP services, like DNS, can be abused to get more mileage out of a DDoS attack. The attacking machined send messages like this: “Hello Google DNS, This is the Hackaday server. Can you send me a really big DNS response packet?” If the DNS response is bigger than the request, then the overall attack is bigger as a result. The measure of effectiveness is the amplification factor. For every byte of DDoS sent by attacking machines, how much many bytes are actually sent to the victim machine? Mirai, for example, had an amplification factor of something around 2.6.

NXNSAttack has a theoretical per-byte amplification factor of 163. That’s not a missed decimal point, this has the potential to be quite the nasty problem. Continue reading “This Week In Security: DNS DDOS, Revenge Of The 15 Year Old Bug, And More” →