This Week In Security: Chrome 0-day,Cassandra, And A Cisco PoC

February 18, 2022 by Jonathan Bennett 7 Comments

Running Chrome or a Chromium-based browser? Check for version 98.0.4758.102, and update if you’re not running that release or better. Quick tip, use chrome://restart to trigger an immediate restart of Chrome, just like the one that comes after an update. This is super useful especially after installing an update on Linux, using apt, dnf, or the like.

CVE-2022-0609 is the big vulnerability just patched, and Google has acknowledged that it’s being exploited in the wild. It’s a use-after-free bug, meaning that the application marks a section of memory as returned to the OS, but then accesses that now-invalid memory address. The time gap between freeing and erroneously re-using the memory allows malicious code to claim that memory as its own, and write something unexpected.

Google has learned their lesson about making too many details public too early, and this CVE and associated bug aren’t easily found in in the Chromium project’s source, and there doesn’t seem to be an exploit published in the Chromium code testing suite. Continue reading “This Week In Security: Chrome 0-day,Cassandra, And A Cisco PoC” →

This Week In Security: Y2K22, Accidentally Blocking 911, And Bug Alert

January 7, 2022 by Jonathan Bennett 45 Comments

If you had the misfortune of running a Microsoft Exchange server this past week, then you don’t need me to tell you about the Y2K22 problem. To catch rest of us up, when Exchange tried to download the first malware definitions update of 2022, the version number of the new definitions triggered a crash in the malware detection engine. The date is represented as the string 2201010001, where the first two digits represent the year. This string gets converted to a signed long integer, which maxes out at 2,147,483,647. The integer overflows, and the result is undefined behavior, crashing the engine. The server fails safe, not processing any messages without a working malware engine, which means that no e-mail gets through. Happy new year!
Continue reading “This Week In Security: Y2K22, Accidentally Blocking 911, And Bug Alert” →

This Week In Security: Discord, Chromium, And WordPress Forced Updates

October 30, 2020 by Jonathan Bennett 42 Comments

[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.

The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.

And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this setting allow an attacker to do? Because the front-end and back-end JavaScript runs in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.

Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.

This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted sketchfab file can run some JS whenever a user interacts with the embedded player, which can be shoehorned into discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary thread, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?

Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.

It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.

Continue reading “This Week In Security: Discord, Chromium, And WordPress Forced Updates” →

This Week In Security: XCode Infections, Freepik, And Crypto Fails

August 28, 2020 by Jonathan Bennett 8 Comments

There is a scenario that keep security gurus up at night: Malware that can detect software compilation and insert itself into the resulting binary. A new Mac malware, XCSSET (PDF), does just that, running whenever Xcode is used to build an application. Not only is there the danger of compiled apps being malicious, the malware also collects data from the developer’s machine. It seems that the malware spreads through infected Xcode projects.

WordPress Plugins

WordPress has a complicated security track record. The core project has had very few serious vulnerabilities over the years. On the other hand, WordPress sites are routinely compromised. How? Generally through vulnerable plugins. Case in point? Advanced Access Manager. It’s a third party WordPress plugin with an estimate 100,000 installations. The problem is that this plugin requires user levels, a deprecated and removed WordPress feature. The missing feature had some unexpected results, like allowing any user to request administrator privileges.

The issue has been fixed in 6.6.2 of the plugin, so if you happen to run the Advanced Access Manager plugin, make sure to get it updated. Beyond that, maybe it’s time to do an audit on your WordPress site. Uninstall unused plugins, and make sure the rest are up to date, along with the WordPress installation itself. Continue reading “This Week In Security: XCode Infections, Freepik, And Crypto Fails” →

Hackaday Printing Press Upgrade

November 11, 2014 by Mike Szczys 655 Comments

There comes a time when your movable type becomes so over-used that you no longer get a legible print off of the printing press. For months now we’ve been at work on a new site design that maintains the essence of Hackaday while ejecting the 10-year-old dregs of the site. With each small success we’ve actually ruined ourselves on viewing the old design. It is with great relief that we unveil a site design built specifically for Hackaday’s needs.

The most notable change is in the content of our landing page. For ten years, loading Hackaday.com resulted in the most recent blog posts. The blog concept is proven, but provides little opportunity to highlight quality original content and information about upcoming events. We have tried the use of “sticky” posts but honestly I find them somewhat annoying. The solution to this is not immediately apparent, but I feel we have found the most efficient solution to our complex set of needs..

We have a lot of community members who participate in Hackaday in numerous ways. Changes found in this design are driven by that fact. The landing page will, from this point forward, be a somewhat more persistent collection of notable content from the blog, our community site (hackaday.io), as well as news regarding live events, store features, contest highlights, and more. Those hard-core fans — a label I also assign to myself — will find the same reading experience as always on the new blog URL: hackaday.com/blog.

Aesthetically, we hope that all will agree the new design far supersedes the old. There was a lot to fix, and the work of the Hackaday crew who designed and implemented this new interface is truly amazing. I hope you will take the time to leave a positive comment about their work. As with any major transition, there will be some bumps in the road. Right now most of our sidebar widgets have not been migrated but that and any other problems will be fixed soon.

In this design we strived to highlight the title and image of each post to immediately convey the core concepts of the projects shown here. The author by-line and comment count remain core to the presentation of the articles, and our link style continues to be immediately apparent in the body of each article. I think we have far surpassed the readability of the comments section, in addition to the content itself. We knew we could rebuilt it… we have the technology… long live articles worth reading.

UPDATE: We are working very hard to fix all the parts that don’t look quite right. Thanks for your patience!

UPDATE 2: Infinite scrolling isn’t a feature, it’s a regression. On our test server all the blog listings were paginated just like always. When our host, WordPress VIP, pushed live the infinite scrolling manifested itself. We’ve filed a ticket with them and are hoping for a solution shortly.

UPDATE 3: Infinite scrolling has now been fixed and the blog layout now paginates. The mouse-over zoom effect has been removed. Slideshow speed has been adjusted and if you hover you mouse over a feature it will pause the scrolling.

Scraping Blogs For Fun And Profit

June 13, 2012 by Brian Benchoff 23 Comments

Sometimes when you’re working on a problem, a solution is thrown right at your face. We found ourselves in this exact situation a few days ago while putting together Hackaday’s new retro edition; a way to select a random Hackaday article was needed and [Alexander van Teijlingen] of codepanel.net just handed us the solution.

To grab every Hackaday URL ever, [Alex] wrote a small Python script using the Beautiful Soup screen scraping library. The program starts on Hackaday’s main page and grabs every link to a Hackaday post before going to the next page. It’s not a terribly complex build, but we’re gobsmacked a solution to a problem we’re working on would magically show up in our inbox.

Thanks to [Alex], writing a cron job to automatically update our new retro edition just got a whole lot easier. If you’d like to check out a list of every Hackaday post ever (or at least through two days ago), you can grab 10,693 line text file here.

Are You Human? Resistor Edition

April 21, 2010 by Mike Szczys 72 Comments

[PT] tipped us off about a new way to screen bots from automatically leaving comments. Resisty is like CAPTCHA but it requires you to decipher color bands on a resistor instead of mangled text. This won’t do much for the cause of digitizing books, but if you can never remember your color codes this is a good way to practice. Resisty comes as a plug-in for WordPress, add it to your blog and for a geek cred +1.