This Week In Security: Discord, Chromium, And WordPress Forced Updates

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this setting allow an attacker to do? Because the front-end and back-end JavaScript runs in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted Sketchfab file can run some JS whenever a user interacts with the embedded player, and that embed can be shoehorned into Discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary thread, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.

It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.
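The two settings the article names, and the missing top-level navigation check, are easy to see in code. The block below is an added example, not Discord’s or Electron’s own code: it audits a BrowserWindow webPreferences object against the weak defaults the article describes (assuming, as the article states, that sandbox and contextIsolation default to false), shows the weak configuration beside the corrected one, and gives an allowlist-based policy for top-level navigation of the kind that would have refused the iframe-to-top redirect. The origin app.example.invalid and the Electron wiring in the comment are assumptions for illustration; the functions themselves run under plain Node.js.

```javascript
'use strict';
// Added example (not Discord's or Electron's code). Assumption: sandbox and
// contextIsolation default to false, as the article states for the Electron
// build Discord shipped at the time.
const ASSUMED_DEFAULTS = { sandbox: false, contextIsolation: false };

// Returns a list of findings for a webPreferences object. Anything the app
// leaves unset is filled in with the (weak) default before checking, which is
// exactly the situation the article describes.
function auditWebPreferences(webPreferences) {
  const effective = { ...ASSUMED_DEFAULTS, ...(webPreferences || {}) };
  const findings = [];
  if (!effective.contextIsolation) {
    findings.push('contextIsolation=false: page JS and privileged (preload/back-end) JS share one context, so an XSS can overwrite functions the privileged side later calls');
  }
  if (!effective.sandbox) {
    findings.push('sandbox=false: the renderer is not OS-sandboxed, so an escape from the page is an escape to the desktop');
  }
  return findings;
}

// The configuration the article describes: nothing set, so both default off.
const weakWindowOptions = { webPreferences: {} };
// The corrected configuration: both enabled explicitly.
const hardenedWindowOptions = { webPreferences: { sandbox: true, contextIsolation: true } };

// Top-level navigation policy: only https origins on the allowlist may become
// the top page. Unparsable URLs and non-https schemes (javascript:, file:) are
// refused rather than passed through.
function navigationAllowed(targetUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return allowedOrigins.includes(parsed.origin);
}

// Wiring into Electron, left as a comment so this file runs under plain Node
// (assumed app origin; 'will-navigate' is Electron's main-frame navigation event):
//   const { BrowserWindow } = require('electron');
//   const win = new BrowserWindow(hardenedWindowOptions);
//   win.webContents.on('will-navigate', (event, url) => {
//     if (!navigationAllowed(url, ['https://app.example.invalid'])) event.preventDefault();
//   });
```

Run auditWebPreferences on weakWindowOptions.webPreferences and you get two findings; on hardenedWindowOptions.webPreferences you get none. The navigation policy deliberately refuses anything it cannot parse, since a check that errors out on odd input is a check that can be bypassed.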


This Week In Security: XCode Infections, Freepik, And Crypto Fails

There is a scenario that keeps security gurus up at night: malware that can detect software compilation and insert itself into the resulting binary. A new Mac malware, XCSSET (PDF), does just that, running whenever Xcode is used to build an application. Not only is there the danger of compiled apps being malicious, the malware also collects data from the developer’s machine. It seems that the malware spreads through infected Xcode projects.

WordPress Plugins

WordPress has a complicated security track record. The core project has had very few serious vulnerabilities over the years. On the other hand, WordPress sites are routinely compromised. How? Generally through vulnerable plugins. Case in point? Advanced Access Manager. It’s a third party WordPress plugin with an estimated 100,000 installations. The problem is that this plugin relies on user levels, a deprecated and removed WordPress feature. The missing feature had some unexpected results, like allowing any user to request administrator privileges.

The issue has been fixed in version 6.6.2 of the plugin, so if you happen to run the Advanced Access Manager plugin, make sure to get it updated. Beyond that, maybe it’s time to do an audit on your WordPress site. Uninstall unused plugins, and make sure the rest are up to date, along with the WordPress installation itself.

Hackaday Printing Press Upgrade

There comes a time when your movable type becomes so over-used that you no longer get a legible print off of the printing press. For months now we’ve been at work on a new site design that maintains the essence of Hackaday while ejecting the 10-year-old dregs of the site. With each small success we’ve actually ruined ourselves on viewing the old design. It is with great relief that we unveil a site design built specifically for Hackaday’s needs.

The most notable change is in the content of our landing page. For ten years, loading Hackaday.com resulted in the most recent blog posts. The blog concept is proven, but provides little opportunity to highlight quality original content and information about upcoming events. We have tried the use of “sticky” posts but honestly I find them somewhat annoying. The solution to this is not immediately apparent, but I feel we have found the most efficient solution to our complex set of needs.

We have a lot of community members who participate in Hackaday in numerous ways. Changes found in this design are driven by that fact. The landing page will, from this point forward, be a somewhat more persistent collection of notable content from the blog, our community site (hackaday.io), as well as news regarding live events, store features, contest highlights, and more. Those hard-core fans — a label I also assign to myself — will find the same reading experience as always on the new blog URL: hackaday.com/blog.

Aesthetically, we hope that all will agree the new design far supersedes the old. There was a lot to fix, and the work of the Hackaday crew who designed and implemented this new interface is truly amazing. I hope you will take the time to leave a positive comment about their work. As with any major transition, there will be some bumps in the road. Right now most of our sidebar widgets have not been migrated but that and any other problems will be fixed soon.

In this design we strove to highlight the title and image of each post to immediately convey the core concepts of the projects shown here. The author by-line and comment count remain core to the presentation of the articles, and our link style continues to be immediately apparent in the body of each article. I think we have far surpassed the readability of the comments section, in addition to the content itself. We knew we could rebuild it… we have the technology… long live articles worth reading.

UPDATE: We are working very hard to fix all the parts that don’t look quite right. Thanks for your patience!

UPDATE 2: Infinite scrolling isn’t a feature, it’s a regression. On our test server all the blog listings were paginated just like always. When our host, WordPress VIP, pushed live the infinite scrolling manifested itself. We’ve filed a ticket with them and are hoping for a solution shortly.

UPDATE 3: Infinite scrolling has now been fixed and the blog layout now paginates. The mouse-over zoom effect has been removed. Slideshow speed has been adjusted, and if you hover your mouse over a feature it will pause the scrolling.

Scraping Blogs For Fun And Profit

Sometimes when you’re working on a problem, a solution is thrown right at your face. We found ourselves in this exact situation a few days ago while putting together Hackaday’s new retro edition; a way to select a random Hackaday article was needed and [Alexander van Teijlingen] of codepanel.net just handed us the solution.

To grab every Hackaday URL ever, [Alex] wrote a small Python script using the Beautiful Soup screen scraping library. The program starts on Hackaday’s main page and grabs every link to a Hackaday post before going to the next page. It’s not a terribly complex build, but we’re gobsmacked a solution to a problem we’re working on would magically show up in our inbox.

Thanks to [Alex], writing a cron job to automatically update our new retro edition just got a whole lot easier. If you’d like to check out a list of every Hackaday post ever (or at least through two days ago), you can grab the 10,693-line text file here.
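The crawl [Alex] describes is simple enough to show end to end. The block below is an added example and not his script (which used Python and Beautiful Soup): it implements the same walk, collect every post link on a listing page and then follow the link to the next page, in plain Node.js against a constructed in-memory “site” so it runs offline. It assumes, for illustration, that post URLs carry a date path (/YYYY/MM/DD/slug/) and that listing pages mark the next page with rel="next"; the sample HTML, the page URLs and the localFetch helper are constructed for the example. It also handles the case the original write-up does not mention: a listing page that links back to a page already crawled, which a visited set turns into a clean stop instead of an infinite loop.

```javascript
'use strict';
// Added example, not [Alex]'s Python script. Constructed sample pages standing
// in for the front page and the "older posts" pages that follow it.
const SITE = {
  'https://hackaday.com/': `
    <a href="https://hackaday.com/2012/09/01/post-a/">A</a>
    <a href="https://hackaday.com/2012/09/01/post-b/">B</a>
    <a href="https://hackaday.com/about/">About</a>
    <a rel="next" href="https://hackaday.com/page/2/">Older</a>`,
  'https://hackaday.com/page/2/': `
    <a href="https://hackaday.com/2012/08/31/post-c/">C</a>
    <a href="/2012/09/01/post-a/">A again (a sticky post, relative link)</a>
    <a rel="next" href="https://hackaday.com/page/3/">Older</a>`,
  'https://hackaday.com/page/3/': `
    <a href="https://hackaday.com/2012/08/30/post-d/">D</a>
    <a rel="next" href="https://hackaday.com/page/2/">Broken link back to page 2</a>`,
};

// Assumed post URL shape: /YYYY/MM/DD/slug/
const POST_PATH = /^\/\d{4}\/\d{2}\/\d{2}\/[^/]+\/?$/;
const ANCHOR = /<a\b([^>]*)>/gi;
const ATTR = /(\w+)\s*=\s*"([^"]*)"/g;

// Pull the attributes of every <a ...> tag out of an HTML string.
function anchors(html) {
  const out = [];
  for (const m of html.matchAll(ANCHOR)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR)) attrs[a[1].toLowerCase()] = a[2];
    out.push(attrs);
  }
  return out;
}

// Return the post URLs on one listing page and the URL of the next page, if any.
// Relative hrefs are resolved against the page URL.
function parseListing(html, pageUrl) {
  const posts = [];
  let next = null;
  for (const a of anchors(html)) {
    if (!a.href) continue;
    const url = new URL(a.href, pageUrl);
    if (a.rel === 'next') next = url.href;
    else if (url.hostname === 'hackaday.com' && POST_PATH.test(url.pathname)) posts.push(url.href);
  }
  return { posts, next };
}

// Walk listing pages from startUrl. fetchPage(url) returns the page's HTML.
// A visited set stops loops (page 3 above links back to page 2), a seen set
// de-duplicates posts that appear on more than one page, and maxPages caps the
// run so a mistake in the next-page rule cannot hammer a live site.
function crawl(startUrl, fetchPage, maxPages = 1000) {
  const seen = new Set();
  const visited = new Set();
  const found = [];
  let url = startUrl;
  while (url && !visited.has(url) && visited.size < maxPages) {
    visited.add(url);
    const { posts, next } = parseListing(fetchPage(url), url);
    for (const p of posts) {
      if (!seen.has(p)) { seen.add(p); found.push(p); }
    }
    url = next;
  }
  return found;
}

// Offline fetch over the constructed site; swap in a real HTTP fetch to go live.
const localFetch = (url) => SITE[url] || '';
```

crawl('https://hackaday.com/', localFetch) returns the four distinct post URLs in page order, A, B, C, D, and stops when page 3 points back at page 2. To run it against a real site, replace localFetch with an HTTP fetch that waits between requests and respects the site’s robots policy; the regex anchor scanner is enough for the simple listing markup assumed here, but a real HTML parser is the safer choice on arbitrary pages.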

Are You Human? Resistor Edition

[PT] tipped us off about a new way to screen bots from automatically leaving comments. Resisty is like CAPTCHA but it requires you to decipher color bands on a resistor instead of mangled text. This won’t do much for the cause of digitizing books, but if you can never remember your color codes this is a good way to practice. Resisty comes as a plug-in for WordPress; add it to your blog for +1 geek cred.

WordPress 2.7 Upgrade In One Line


WordPress 2.7 has just been released and features a complete interface overhaul. Hack a Day runs on WordPress MU hosted by WordPress.com, so we got this update last week. We run standard WordPress.org on all of our personal blogs though. We recommend it because it’s free, has a massive userbase, and if you host it yourself, you can do whatever you want with it.

To make the upgrade process as simple as possible (and for the sheer rush of ‘rm -rf’), we use a one line command.

$ curl http://wordpress.org/latest.zip -o "wp.zip" && unzip wp.zip && rm -rf ./wordpress/wp-content/ && cp -r ./wordpress/* ~/www/

curl downloads the latest version from WordPress.org. unzip unpacks all of the files into a directory called ‘wordpress’. rm -rf removes everything in the ‘wp-content’ directory of the freshly unpacked copy; otherwise, you would overwrite your images, themes, and plugins. cp -r copies everything to your HTTP document root, overwriting the previous install.

Naturally, you should back up your current install and database beforehand. We tend to use the one-liner with reckless abandon. If you’re wondering about the terseness, it was designed to fit inside the 140 character limit of Twitter.

[Thanks, Chris Finke]

Hack A Day 2: Electric Boogaloo

Well, that was fun… no, not really, but we’re back from the dead like Steve Jobs. We’ve been getting DDoS’d since essentially the first day we originally came back. After killing a 1G connection, we decided to find a different solution. Since the world didn’t end this week, we brought the site back using WordPress.com as the new host. We now return to our regular blog shenanigans. Here’s to another four years of beta!