This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign compromising FreePBX systems around the world. It appears to be aimed specifically at Elastix installations, and it exploits CVE-2021-45461, a really nasty Remote Code Execution (RCE) flaw from December of last year. That flaw was a 0-day when it was found, since it was discovered by analyzing an already compromised FreePBX system. It’s unclear whether the campaign described in last week’s report was using the 0-day back in December, or whether it was launched as a result of the bug’s public disclosure.

Regardless, the vulnerability itself is in how the Rest Phone Apps module handles a URL parameter: a crafted value injects PHP code that the server then executes. This module is intended to run right on the screen of VoIP phones, and lets end users set features like Do Not Disturb without having to punch in star codes or visit a web page. Because of that use case, any FreePBX deployment that supports VoIP phones connecting from outside the network and uses this feature would need the service’s ports exposed. The best way to secure that is to require the phones to connect over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, each obfuscated slightly differently. It then creates multiple root-level user accounts and adds a cron job to maintain access. There is a surprising amount of obfuscation and stealth built into this malware family, which makes it hard to point to a single indicator of compromise (IOC). If you run a FreePBX system that may have the Phone Apps module enabled, it’s time to go through it with a fine-toothed comb: unexpected PHP files under the web root, extra UID 0 accounts, and cron entries you didn’t create are the places to start.

What’s The Deal with TikTok?

FCC Commissioner Brendan Carr has once again called for TikTok to be removed from the Google Play Store and the Apple App Store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as a member of TikTok’s Trust and Safety department put it. TikTok requests quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just as a US-based app could be, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just open up the Google Play Store and see the exact permissions the TikTok app uses, Google made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems Google agrees. Just before this article went to press, Google announced that it was walking back that decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping any of the checks intended to prevent that, you can trivially insert shell commands that will be run on the underlying server. Getting past those checks is a big part of the work to turn this into a real PoC. Read the post for full details on the debugging journey.
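The bug class described above, an untrusted archive name concatenated into a command string, shown beside the hardened form. This is an added example written for this article, not GitLab’s code: the `tar` command, the `/imports/` path, the function names and the allow-list regex are all this example’s own assumptions, and the shell-splitting helper models only the simple command separators, which is enough to show the injection.

```python
"""The import bug pattern described above, next to a hardened form.
Added example, not GitLab's code: the command, paths, and allow-list
regex are this example's own assumptions."""
import re
import shlex
import subprocess

# Tokens at which a POSIX shell starts a new command.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_command_vulnerable(archive_name: str, dest: str) -> str:
    """The bug: untrusted input concatenated into a string later given to a
    shell, so metacharacters in the name become shell syntax."""
    return f"tar -xzf /imports/{archive_name} -C {dest}"


def commands_shell_would_run(command: str) -> list:
    """Split a command string the way a shell would at ; | & && ||, returning
    each command it would execute.  Models only those separators, not
    subshells or substitutions; enough to show the injection."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


# Allow-list: starts with an alphanumeric (so it can never look like an
# option), then a small safe set, fixed extension, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,120}\.tar\.gz")


def is_valid_archive_name(archive_name: str) -> bool:
    """True only for names that pass the allow-list; '/', spaces, quotes and
    every shell metacharacter fail because none are in the set."""
    return SAFE_NAME.fullmatch(archive_name) is not None


def build_command_safe(archive_name: str, dest: str) -> list:
    """Validated name passed as its own argv element, to be run without a
    shell, so nothing ever parses it as shell syntax."""
    if not is_valid_archive_name(archive_name):
        raise ValueError(f"rejected archive name: {archive_name!r}")
    return ["tar", "-xzf", f"/imports/{archive_name}", "-C", dest]


def run_import(argv: list) -> subprocess.CompletedProcess:
    """Execute an argv list with shell=False; the half of the fix that makes
    the allow-list a second line of defence rather than the only one."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True)


if __name__ == "__main__":
    hostile = "proj.tar.gz; id"
    vuln = build_command_vulnerable(hostile, "/tmp/dest")
    print("string handed to the shell:", vuln)
    print("commands the shell runs:   ", commands_shell_would_run(vuln))
    try:
        build_command_safe(hostile, "/tmp/dest")
    except ValueError as exc:
        print("hardened path:", exc)
    print("hardened argv:", build_command_safe("proj.tar.gz", "/tmp/dest"))
```

Both halves of the fix matter. Passing an argv list without a shell removes the injection entirely, and the allow-list is what stops a name beginning with `-` from being read as an option by the program itself, which an argv list alone does not prevent. The write-up’s point about dodging the existing checks is exactly why a deny-list of bad characters is the wrong tool here.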

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is calendar spam. Google Calendar is convenient because anyone can send you an email with an invite and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be abused for spam. Regardless, after multiple years of the problem, Google is finally rolling out a setting to add invitations to your calendar only from known senders. Now, if you get asked about it or suffer from the spam yourself, you know to look under the event settings and change it. Finally!

It’s TikTok, On Your Wrist!

One of the ultimate objects of desire in the early 1980s was the Seiko TV wristwatch. It didn’t matter that it required a bulky external box in your pocket for its electronics, it was a TV on your wrist, and the future was here! Of course, now we have the technology to make wrist-mounted video a practical reality, but it’s sad to see we’ve opted to use our phones for video and never really followed up on the promise of a wrist-mounted television. There’s always hope though, and here it is in the form of [Dave Bennett]’s ESP32-powered TikTok wristwatch.

On the wrist is the ESP32 itself with an audio DAC and amplifier, LCD screen, and battery, but sadly this combo doesn’t have quite the power to talk to TikTok directly. Instead that’s done using Python on a companion PC with the resulting videos uploaded to the device over WiFi. It’s not the bulky electronics of the Seiko TV, so we’ll take it. All the info can be found on GitHub, and there’s a YouTube video below the break.

So the viral videos of a generation can now be taken on the move without resorting to a slightly less portable mobile phone. It may not be the most unobtrusive of timepieces, but it’ll certainly get you noticed.


Three-Wheeled Turret Car Looks Like It Should Be Orbiting Thunderdome

In a post-apocalyptic world, this is the hacker you want rebuilding society. He’s showing off a three-wheeled go-kart that pivots the cockpit as it steers. A hand crank mounted at the center of the vehicle pivots each of the three wheels in place, but keeps the driver facing forwards with a matching rotation. Hit up the video after the break to see it for yourself.

The real question here is, how did he pull this off? The watermark on the video shows that it was published by [wo583582429], a user on Douyin (the Chinese version of the platform known elsewhere as TikTok). We plied our internet-fu but were unable to track down the user for more of the juicy details we crave. If you have a lead on more info, leave it in the comments below. For now, please join us in speculating on this build.

This is a pretty good closeup of one of the wheel assemblies. First question is how does the turning mechanism work? Since all three wheels and hub are smoothly coordinated it’s likely this is a planetary gearing setup where the inner ring has teeth that turn the rings around the tires themselves. However, we can see a spring suspension system which makes us doubt the lower ring surrounding the tire would stay engaged with a planetary gear. What do you think?

Trying to figure out how control and locomotion happens is even more of a head-scratcher. First guess is that it’s electric from the mere simplicity of the setup and this closeup shows what looks like a circuit breaker and wires connecting to batteries on either side of the suspension system. But where is the electric motor?

It’s a horrible image, but this is the best we can do for a view of the other side of the wheel assembly. There is a box that appears to be made from aluminum mounted to the wheel frame. After a few hundred times through the demo video we don’t think there’s a chain drive going down to the axle. It doesn’t look like there is a hub motor at play here either. We wondered if there was a second smaller wheel under the top of the frame to drive the main tire, but again, the suspension system would make this unfeasible and at points in the video there is clear daylight. Spend some time reviewing the Zapruder demo film below and when you figure all of this out, clue the rest of us in please!

It’s awesome seeing bootstrapped vehicles come to life. One of our favorites remains this all-terrain motorcycle that has no problem taking on stairs.


This Week In Security: Camera Feeds, Python 2, FPGAs

Networked cameras keep making the news, and not in the best of ways. First it was compromised Ring accounts used for creepy pranks, and now it’s Xiaomi’s stale cache sending camera images to strangers! It’s not hard to imagine how such a flaw happens: Xiaomi transcodes some video feeds in order to integrate with Google’s Hub service. When a transcoding slot is re-purposed from one camera to another, the old data stays in the buffer until the new camera’s feed overwrites it, so the first frames a new viewer sees can belong to someone else. The root cause is probably the same as the random images shown when starting some 3D games: a reused buffer that was never cleared.

Python is Dead, Long Live Python

Python 2 has finally reached End of Life. While there are many repercussions to this change, the security considerations matter too. The Python 2 environment will no longer receive updates, even if a severe security vulnerability is found. How often is a security vulnerability found in a language runtime? Perhaps not very often, but the impact can be far-reaching. Take, for instance, this 2016 bug in zipimport. It failed to validate a size field in the ZIP file header it was processing, leading to an integer overflow and a heap overflow, with all the problems one would expect.
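A bounds-checked reader for the ZIP local file header, beside the naive version that trusts the header’s size field. This is an added example written for this article, not CPython’s zipimport code, and it illustrates the general class of bug (a size read from an untrusted header used before it is checked against the real file) rather than reproducing the 2016 defect itself. The `MAX_ENTRY` cap, the function names, and the one-entry sample archive are this example’s own assumptions.

```python
"""A bounds-checked reader for ZIP local file headers, beside a naive one.
Added example (not CPython's zipimport code): it illustrates the general
class of bug, trusting size fields in a header, not the exact 2016 defect.
MAX_ENTRY and the function names are this example's own assumptions."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
# signature, version, flags, method, mtime, mdate, crc32, comp_size,
# uncomp_size, name_len, extra_len  (little-endian, 30 bytes)
LOCAL_FMT = "<IHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
DATA_DESCRIPTOR = 0x0008          # sizes live after the data, not in the header
MAX_ENTRY = 64 * 1024 * 1024      # policy cap on one entry (assumption)


def parse_local_header(data: bytes, offset: int) -> dict:
    """Parse and validate the local header at offset, raising ValueError on
    anything that does not fit inside the real file."""
    if offset < 0 or offset + LOCAL_LEN > len(data):
        raise ValueError("header runs past end of file")
    (sig, _version, flags, method, _mtime, _mdate, crc, comp_size,
     uncomp_size, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("bad local header signature")
    name_start = offset + LOCAL_LEN
    data_start = name_start + name_len + extra_len
    if data_start > len(data):
        raise ValueError("name/extra fields run past end of file")
    if flags & DATA_DESCRIPTOR:
        raise ValueError("sizes deferred to data descriptor; use central directory")
    # Check the attacker-controlled sizes against the bytes actually present
    # before they are used for any slice, allocation, or arithmetic.
    if comp_size > len(data) - data_start:
        raise ValueError("compressed size exceeds remaining file")
    if uncomp_size > MAX_ENTRY:
        raise ValueError("uncompressed size exceeds policy limit")
    return {
        "name": data[name_start:name_start + name_len].decode("utf-8", "replace"),
        "method": method, "crc": crc, "comp_size": comp_size,
        "uncomp_size": uncomp_size, "data_start": data_start,
    }


def read_stored_entry(data: bytes, offset: int) -> bytes:
    """Return the bytes of a STORED (method 0) entry after validation."""
    h = parse_local_header(data, offset)
    if h["method"] != zipfile.ZIP_STORED:
        raise ValueError("only stored entries handled here")
    body = data[h["data_start"]:h["data_start"] + h["comp_size"]]
    if zlib.crc32(body) != h["crc"]:
        raise ValueError("crc mismatch")
    return body


def read_stored_entry_naive(data: bytes, offset: int) -> bytes:
    """What trusting the header looks like: the slice silently returns whatever
    is left of the file.  In C the same arithmetic is where an over-read or
    an overflowed allocation size lives."""
    (_sig, _v, _f, _m, _t, _d, _crc, comp_size, _u,
     name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, offset)
    data_start = offset + LOCAL_LEN + name_len + extra_len
    return data[data_start:data_start + comp_size]


def header_is_sane(data: bytes, offset: int) -> bool:
    """Convenience wrapper: does the checked parser accept this header?"""
    try:
        parse_local_header(data, offset)
        return True
    except ValueError:
        return False


def build_sample_zip() -> bytes:
    """Constructed one-entry, uncompressed archive; its local header is at offset 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("mod.py", "VALUE = 42\n")
    return buf.getvalue()


def tamper_comp_size(data: bytes, offset: int, value: int) -> bytes:
    """Overwrite the compressed-size field (18 bytes into the header)."""
    out = bytearray(data)
    struct.pack_into("<I", out, offset + 18, value)
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_zip()
    print(parse_local_header(good, 0))
    print(read_stored_entry(good, 0))
    bad = tamper_comp_size(good, 0, 0xFFFFFFFF)
    print("naive reader returns", len(read_stored_entry_naive(bad, 0)), "bytes")
    print("checked reader accepts tampered header:", header_is_sane(bad, 0))
```

The contrast is the point: with the compressed size forged to 0xFFFFFFFF, the naive reader quietly returns the rest of the file (the central directory included) as if it were the entry, while the checked reader refuses before the size is used for anything. Python’s unbounded integers hide the arithmetic overflow that a C implementation hits on the same input, which is why the check against the real remaining length has to come first.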

It is quite possible that, because of the continued popularity and usage of Python 2, a third party will step in and take over maintenance of the language, essentially forking Python. Unless such an event happens, it’s definitely time to migrate away from Python 2.