This Week in Security – Hackaday
https://hackaday.com
Fresh hacks every day

This Week in Security: Playing Tag, Hacking Cameras, and More
https://hackaday.com/2024/11/01/this-week-in-security-playing-tag-hacking-cameras-and-more/
Fri, 01 Nov 2024 14:00:29 +0000

Wired has a fascinating story this week, about the lengths Sophos has gone to over the last 5 years to track down a group of malicious but clever security researchers who were continually discovering vulnerabilities and then using those findings to attack real-world targets. Sophos believes this adversary to be overlapping Chinese groups known as APT31, APT41, and Volt Typhoon.

The story is actually refreshing in its honesty, with Sophos freely admitting that their products, and security products from multiple other vendors, have been caught in the crosshairs of these attacks. And indeed, we’ve covered stories about these vulnerabilities over the past weeks and months right here in this column. The sneaky truth is that many of these security products actually have pretty severe security problems.

The issues at Sophos started with an infection of an informational computer at a subsidiary office. They believe this was an information-gathering exercise that was a precursor to the widespread campaign. That campaign used multiple 0-days to crack “tens of thousands of firewalls around the world”. Sophos rolled out fixes for those 0-days, and included just a bit of extra logging as an undocumented feature. That logging paid off, as Sophos’ team of researchers soon identified an early signal in the telemetry. This wasn’t merely the first device to be attacked, but was actually a test device used to develop the attack. The game was on.

Sophos managed to deploy its own spyware to these test devices, to stealthily keep an eye on this clever opponent. This even thwarted a later attack before it could really start. Among the interesting observations was a bootkit infection on one of these firewalls. This wasn’t ever found in the wild, but the very nature of such an attack makes it hard to discover.

There’s one more interesting wrinkle to this story. In at least one case, Sophos received the 0-day vulnerability used in an attack through their bug bounty program, right after the wave of attacks was launched. The timing, combined with the Chinese IP address, makes it pretty clear this was more than a coincidence. This might be a Chinese hacker making a bit of extra cash on the side. It’s also reminiscent of the Chinese law requiring companies to disclose vulnerabilities to the Chinese government.

PTA 0-Day

GreyNoise runs a honeypot and an AI threat detection system, and found something interesting with that combination. The PTZOptics network security camera was the intended target, and there were a pair of vulnerabilities that this attack was intended to exploit. The first is a simple authorization bypass, where sending HTTP requests without an authorization header to the param.cgi endpoint returns data without any authorization needed. Use the get_system_conf parameter, and the system helpfully prints out valid usernames and password hashes. How convenient.

Gaining arbitrary command execution is trivial, as the NTP configuration isn’t properly sanitized, and the ntp binary is called insecurely. A simple $(cmd) can be injected for easy execution. Those two were being chained together for a dead-simple attack chain, presumably to add the IoT devices to a botnet. The flaws have been fixed, and law enforcement has been on the case, at least seizing the IP address observed in the attacks.

Speaking of camera hacks, we do have an impressive tale from Pwn2Own 2024, where researchers at Synacktiv used a format string vulnerability to pwn the Synology TC500 camera. The firmware in question had a whole alphabet of security features, like ASLR, PIE, NX, and Full RelRO. That’s Address Space Layout Randomization, Position Independent Executables, Non-Executable memory, and Full Relocation Read-Only protections. Oh, and the payload was limited to 128 characters, with the first 32 ASCII characters unavailable for use.

How exactly does one write an exploit in this case? A bit of a lucky break with the existing memory layout gave access to what the write-up calls a “looping pointer”. That seems to be a pointer that points to itself, which is quite useful to work from offsets instead of precise memory locations. The vulnerability allowed for writing a shell command into unused memory. Then finally a bit of Return Oriented Programming, a ROP gadget, manages to launch a system call on the saved command line. Impressive.

Maybe It Wasn’t a Great Idea

…to give LLMs code execution capabilities. That’s the conclusion we came to after reading CyberArk’s post on how to achieve Remote Code Execution on a Large Language Model. The trick here is that this particular example, LoLLMs, can run Python code on the backend to perform certain tasks, like math calculations. This implementation uses Python sandboxing, and naturally there’s a known way to defeat it. The trick can be pulled off just by getting the model to evaluate the right JSON snippet, but it’s smart enough to realize that something is off and refuses to evaluate the JSON.

The interesting detail here is that it is the LLM itself that is refusing, so it’s the LLM that needs to be bypassed. There has been very interesting work done on LLM jailbreaks, like DAN, the Do Anything Now prompt. That would probably have worked, but this exploit can be even sneakier than that. Simply ask the LLM to help you write some JSON. Specify the payload, and ask it to add something to it. It gladly complies, and code is executed. Who knew that LLMs were so gullible?

More Quantum Errata

This story just keeps on giving. This time it’s [Dan Goodin] at Ars Technica that has the lowdown, filling in the last few missing details about the much over-hyped quantum computing breakthrough. One of the first of those details is that the story of the compromise of AES was published in the South China Morning Post, which has over-hyped Chinese quantum progress before. What [Goodin]’s article really adds to the discussion is opinions from experts. The important takeaway is that the performance of the D-Wave quantum computer is comparable to classical approaches.

Bits and Bytes

Remember the traffic light hacking? And part two? We now have the third installment, which is really all about how you, too, can purchase and hack on one of these traffic controllers. It may or may not surprise you that the answer is to buy them on eBay and cobble together a makeshift power supply.

It’s amazing how often printers, point-of-sale terminals, and other IoT gadgets are just running stripped-down, ancient versions of Android. This point-of-sale system is no exception, running an old, custom Android 6 system that seems to actually be rather well locked down. Except that it has an NFC reader, and you can program NFC tags to launch Android apps. Use this creative workaround to get into Android settings, and you’re in business.

I have long maintained that printers are terrible. That sentiment apparently is extending into security research on printers, with Lexmark moving to a new encrypted filesystem for printer firmware. Thankfully, like most of these schemes, it’s not foolproof, and [Peter] has the scoop on getting in. May you never need it. Because seriously, printers are the worst.


This Week in Security: The Geopolitical Kernel, Roundcube, and The Archive
https://hackaday.com/2024/10/25/this-week-in-security-the-geopolitical-kernel-roundcube-and-the-archive/
Fri, 25 Oct 2024 14:00:00 +0000

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

I can only conclude from this that the US Treasury has in fact made this threat, that code would need to be removed. Now this is genuinely surprising, given the legal precedent that code is 1st Amendment protected speech. That precedent was established when dealing with encryption code that was being export restricted in the 90s. It seems particularly problematic that the US government believes it can specify what code does and does not belong in the Linux kernel.

SELinux

Since we’re in kernel land, let’s talk SELinux. Many modern Linux systems, and Android in particular, use SELinux to provide an extra security layer. It’s not an uncommon troubleshooting step to turn off SELinux to see if that helps with mysterious issues. What we have here in the klecko Blog is an intro to bypassing SELinux. The setup is that an exploit has achieved root, but is in an unprivileged context. What options does an attacker have to try to bypass SELinux?

The first, most obvious solution is to just disable SELinux altogether. If you can write to memory, the SELinux enabled bit can just be set to false. But that might not work, if you can’t write to memory, or have a hypervisor to wrestle with, like some Android systems. Another option is the set of permissive flags that can be overwritten, or the AVC cache that can be poisoned, both approaches resulting in every SELinux request being approved. It’s an interesting overview.

Printer Root

Xerox printers with the “Network Troubleshooting” feature have some unintended hidden functionality. The troubleshooting is done by calling tcpdump as root, and the configuration allows setting the IP address to use for the troubleshooting process. And as you might expect, that IP address was used to create a command line string, and it isn’t properly escaped. You can sneak a $(bash ...) in as part of the address, allowing code execution. The good news is that access to this troubleshooting function is locked behind the web admin account. Xerox has made fixed firmware available for this issue.

Fix Your Roundcube

The Roundcube email web client has a Cross-Site Scripting (XSS) vulnerability that is actively being exploited. The flaw is in the processing of SVGs, where an extra space added to an href attribute is ignored by the browser. Sneaking this inside an SVG allows arbitrary JavaScript to run when the malicious email is opened.

Roundcube has released 1.5.7 and 1.6.7 to address the issue. This is under active exploitation, currently being used against Russian-aligned CIS countries. It’s a simple exploit, so expect to see it more widely used soon.

The Archive

The Internet Archive continues to be under siege. The Distributed Denial of Service (DDoS) attacks were apparently done by SN-Blackmeta, but the hacker behind the data breach is still a mystery. The news this week is that there is still someone with access to Internet Archive API keys, specifically Zendesk keys, as illustrated by the fact that when Mashable reached out via email, the hacker answered, “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.”

It’s obviously been a terrible, horrible, no good, and very bad month for the Internet Archive. As it’s such an important resource, we’re hoping for some additional support, and getting the service back to 100%.

Quantum Errata

You may remember last week, that we talked about a Quantum Annealing machine making progress on solving RSA cryptography. In the comments, it was pointed out that some coverage on this talks about RSA, and some talks about AES, a cryptography thought to be quantum-resistant. At least one source is claiming that this confusion is because there were actually two papers from the same team, one discussing RSA, and the other techniques that could be used against AES. This isn’t confirmed yet, and there are outstanding questions about both papers.

Bits and Bytes

SQL injection attacks are old hat by this point. [NastyStereo] has an interesting idea: polyglot SQL injection attacks. The idea is simple. A SQL query might be escapable with a single quote or a double quote. To test for it, just include both: OR 1#"OR"'OR''='"="'OR''='. There are more examples and some analysis at the link.

Kaspersky researchers found a Chrome exploit that was being delivered in the form of an online tank battle game. In reality, the game was stolen from its original developers, and the website was a crypto-stealing scam making use of the browser 0-day. This campaign has been pinned on Lazarus, the APT from North Korea.

In yet another example of fake software, researchers at Kandji discovered a fake Cloudflare Authenticator campaign. This one is a macOS malware dropper that does a reasonably good job of looking like an official Cloudflare app. It’s malware, and places itself in the system crontab to get launched on every boot. Follow the link for Indicators of Compromise if you need them.


This Week in Security: Quantum RSA Break, Out of Scope, and Spoofing Packets
https://hackaday.com/2024/10/18/this-week-in-security-quantum-rsa-break-out-of-scope-and-spoofing-packets/
Fri, 18 Oct 2024 14:00:38 +0000

Depending on who you ask, the big news this week is that quantum computing researchers out of China have broken RSA. (Here’s the PDF of their paper.) And that’s true… sort of. There are multiple caveats, like the fact that this proof of concept is only factoring a 22-bit key. The minimum RSA size in use these days is 1024 bits. The other important note is that this wasn’t done on a general purpose quantum computer, but on a D-Wave quantum annealing machine.

First off, what is the difference between a general purpose and annealing quantum computer? Practically speaking, a quantum annealer can’t run Shor’s algorithm, the quantum algorithm that can factor large numbers into primes in a much shorter time than classical computers. While it’s pretty certain that this algorithm works from a mathematical perspective, it’s not at all clear that it will ever be possible to build effective quantum computers that can actually run it for the large numbers that are used in cryptography.

We’re going to vastly oversimplify the problem, and say that the challenge with general purpose quantum computing is that each qubit is error prone, and the more qubits a system has, the more errors it has. This error rate has proved to be a hard problem. The D-Wave quantum annealing machine side-steps the issue by building a different sort of qubit, one that interacts differently than in a general purpose quantum computer. The errors become much less of a problem, but you get a much less powerful primitive. And this is why annealing machines can’t run Shor’s algorithm.

The news this week is that researchers actually demonstrated a different technique on a D-Wave machine that did actually factor an RSA key. From a research and engineering perspective, it is excellent work. But it doesn’t necessarily demonstrate the exponential speedup that would be required to break real-world RSA keys. To put it into perspective, you can literally crack a 22-bit RSA key by hand.
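To show just how small a 22-bit modulus is, here is an added C example (not from the paper or the article) that factors a constructed 22-bit RSA modulus by plain trial division and recovers the private exponent from the public key alone. The key values p = 1999, q = 2039 and e = 65537 are assumed for the demonstration, not taken from the paper.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (assumed values, not from the paper): p = 1999 and
 * q = 2039 are 11-bit primes, so n = p*q = 4075961 sits between 2^21 and
 * 2^22, i.e. a 22-bit modulus.  e = 65537 as usual. */
#define TOY_N 4075961ULL
#define TOY_E 65537ULL

/* Trial division, the method you could carry out with pencil and paper.
 * Writes the factors (smaller first) and returns how many candidate
 * divisors were tested; returns 0 if no factor below sqrt(n) exists. */
static uint64_t factor_trial(uint64_t n, uint64_t *p, uint64_t *q) {
    uint64_t tries = 1;                       /* candidate 2 */
    if (n % 2 == 0) { *p = 2; *q = n / 2; return tries; }
    for (uint64_t d = 3; d * d <= n; d += 2) {
        tries++;
        if (n % d == 0) { *p = d; *q = n / d; return tries; }
    }
    return 0;
}

/* Square-and-multiply; every intermediate is < 2^44 for a 22-bit modulus. */
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
        e >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t qt = r / newr, tmp;
        tmp = t - qt * newt; t = newt; newt = tmp;
        tmp = r - qt * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    if (t < 0) t += (int64_t)m;
    return (uint64_t)t;
}

/* Recover the private exponent from the public key alone: factor n,
 * compute phi = (p-1)(q-1), then d = e^-1 mod phi.  Returns 0 on failure. */
static uint64_t recover_d(uint64_t n, uint64_t e) {
    uint64_t p, q;
    if (factor_trial(n, &p, &q) == 0) return 0;
    return modinv(e, (p - 1) * (q - 1));
}

int main(void) {
    uint64_t p = 0, q = 0;
    uint64_t tries = factor_trial(TOY_N, &p, &q);
    uint64_t d = recover_d(TOY_N, TOY_E);
    uint64_t m = 123456, c = powmod(m, TOY_E, TOY_N);
    printf("n=%" PRIu64 " = %" PRIu64 " * %" PRIu64 " after %" PRIu64 " trial divisions\n",
           TOY_N, p, q, tries);
    printf("d=%" PRIu64 ", decrypt(encrypt(%" PRIu64 ")) = %" PRIu64 "\n",
           d, m, powmod(c, d, TOY_N));
    return 0;
}
```

A thousand trial divisions is an afternoon with paper; the same loop against a 1024-bit modulus would need on the order of 2^511 of them.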

Zendesk Out of Scope

Here’s an example of two things. First off, a bug being out of scope for a bounty shouldn’t stop a researcher from working on a bug. Second, it’s worth being extra careful in how a bug bounty’s scope is set up, as sometimes bugs have unforeseen consequences. We’re talking here about Zendesk, a customer support tool and ticket manager. [Daniel] found an issue where an attacker could send an email to the support email address from a spoofed sender, and add an arbitrary email address to the ticket, gaining access to the entire ticket history.

Because the problem was related to email spoofing, and the Zendesk bounty program on HackerOne considers “SPF, DKIM, and DMARC” to be out of scope, the ticket was closed as “informative” and no bounty awarded. But [Daniel] wasn’t done. What interesting side effects could he find? How about triggering single sign-on verification to go to the support email address? Since an Apple account can be used to sign on to Slack, an attacker can create an Apple account using the support email address, use the email spoof to get access to the created ticket, and therefore the one-time code. Verify the account, and suddenly you have an Apple account at the target’s domain. [Daniel] used this to gain access to company Slack channels, but I’d guess this could be used for even more mayhem at some businesses.

Given that the original bug report was closed as “informational”, [Daniel] started reporting the bug to other companies that use Zendesk. And it paid off, netting more than $50,000 for the trouble. Zendesk never did pay a bounty on the find, but did ask [Daniel] to stop telling people about it.

Fortinet Fixed It

The good folks at Watchtowr Labs have the inside scoop on a recently fixed vulnerability in Fortinet’s FortiGate VPN appliance. It’s a good fix found internally by Fortinet, and gives us a good opportunity to talk about a class of vulnerability we haven’t ever covered. Namely, a format string vulnerability.

The printf() function and its siblings are wonderful things. You give it a string, and it prints it to standard output. You give it a string that contains a format specifier, like %s, and it will replace the specifier with the contents of a variable passed in as an additional argument. I write a lot of “printf debugging” code when trying to figure out a problem, which looks like printf("Processing %d bytes!\n", length);

What happens if the specifier doesn’t match the data type? Or if there is a specifier and no argument? You probably know the answer: Undefined behavior. Not great for device security. And in this case, it does lead to Remote Code Execution (RCE). The good news is that Fortinet found this internally, and the fix was quietly made available in February. The bad news is that attackers found it, and have since been actively using it in attacks.
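As an added illustration of the bug class (this is not Fortinet’s code), the C below shows the vulnerable call beside the hardened one, plus a small directive counter of the kind a defender can use to screen untrusted text before it gets anywhere near a printf-style API. The function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives ('%' not followed by another '%') in text
 * that might end up as a printf-style format argument.  Anything above
 * zero in data that came from the network is worth logging: a benign
 * input has no business carrying "%x" or "%n". */
static int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* The vulnerable shape, kept as a comment so it cannot be compiled in:
 *
 *     snprintf(dst, dstlen, untrusted);      // untrusted is the FORMAT
 *
 * With untrusted = "%x %x %x" the call reads stack slots that were never
 * passed as arguments; with "%n" it writes to memory.  That is the
 * undefined behaviour the paragraph above describes.  Building with
 * -Wformat -Wformat-security (-Werror=format-security in CI) flags it.
 *
 * Hardened shape: untrusted data is always an argument, never the format,
 * so the directives inside it are copied out as plain text.  Returns the
 * length snprintf reports. */
static int log_untrusted(char *dst, size_t dstlen, const char *untrusted) {
    return snprintf(dst, dstlen, "Processing request: %s", untrusted);
}

int main(void) {
    char line[128];
    const char *evil = "%x %x %n";            /* constructed sample input */
    log_untrusted(line, sizeof line, evil);
    printf("%d directive(s) in input, logged as: %s\n",
           count_format_directives(evil), line);
    return 0;
}
```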

Escape!

[ading2210] has the story of finding a pair of attack chains in Google Chrome/Chromium, where a malicious extension can access the chrome://policy page, and define a custom “browser” command to use when accessing specific pages. There are two separate vulnerabilities that can be used to pull off this trick. One is a race condition where disallowed JS code can run before it’s disabled after a page reload, and the other is a crash in the page inspector view. That’s not a page non-developers have a habit of visiting, so the browser extension just pulls a fast one on install, launching a simple page that claims that something went wrong and asking the user to press F12 to troubleshoot.

Multihomed Spoofing

At this point, most of us rely on Linux for our routers and firewalls. Whether you realize it or not, it’s extremely likely that that little magical box that delivers Internet goodness to your devices is a Linux machine, running iptables as the firewall. And while iptables is excellent at its job, it does have its share of quirks. Researchers at Anvil have the lowdown on ESTABLISHED connection spoofing.

Iptables, when run on the border between networks, is often set to block incoming packets by default, and allow outgoing. The catch is that you probably want responses to your requests. To allow TCP connections to work both ways, it’s common to set iptables to allow ESTABLISHED connections as well. If the IP addresses and ports all match, the packet is treated as ESTABLISHED and allowed through. So what’s missing? Unless you explicitly request it, this firewall isn’t checking that the source port is the one you expected. Packets on one interface just might get matched to a connection on a different interface and passed through. That has some particularly interesting repercussions for guest networks and the like.
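An added C model of the matching described above (not Anvil’s or netfilter’s code): a tiny connection table is looked up first on the reversed 5-tuple alone, and then with the ingress interface checked as well, which is the extra constraint this example assumes a hardened rule set would add (in iptables terms, tying the ESTABLISHED accept rule to the interface replies are expected on). Interface names and addresses are constructed.

```c
#include <stdint.h>
#include <string.h>

/* A tracked flow in its original direction (LAN client -> remote server),
 * plus the interface on which replies are expected.  That last field is the
 * extra check this example assumes; matching on the 5-tuple alone is the
 * behaviour the article describes. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    char     reply_iface[8];
} flow_t;

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    char     in_iface[8];          /* interface the packet arrived on */
} packet_t;

#define MAX_FLOWS 8
typedef struct { flow_t flows[MAX_FLOWS]; int count; } conntrack_t;

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int track_flow(conntrack_t *ct, const flow_t *f) {
    if (ct->count >= MAX_FLOWS) return 0;
    ct->flows[ct->count++] = *f;
    return 1;
}

/* Does pkt look like a reply belonging to a tracked flow?  With
 * check_iface == 0 only the reversed 5-tuple is compared, so a packet with
 * the right addresses and ports passes no matter which interface it came
 * in on.  With check_iface == 1 it must also arrive on the interface the
 * reply is expected from. */
static int is_established(const conntrack_t *ct, const packet_t *pkt, int check_iface) {
    for (int i = 0; i < ct->count; i++) {
        const flow_t *f = &ct->flows[i];
        int tuple_match = f->proto == pkt->proto &&
                          f->dst_ip == pkt->src_ip && f->dst_port == pkt->src_port &&
                          f->src_ip == pkt->dst_ip && f->src_port == pkt->dst_port;
        if (!tuple_match) continue;
        if (!check_iface || strcmp(f->reply_iface, pkt->in_iface) == 0) return 1;
    }
    return 0;
}

/* Constructed scenario: a LAN client has an HTTPS session to 203.0.113.5
 * via wan0; a host on guest0 then sends a packet forged to look like the
 * server's reply. */
static conntrack_t constructed_table(void) {
    conntrack_t ct;
    ct.count = 0;
    flow_t f = { ip4(192,168,1,10), ip4(203,0,113,5), 40000, 443, 6, "wan0" };
    track_flow(&ct, &f);
    return ct;
}

static packet_t constructed_reply(const char *iface) {
    packet_t p = { ip4(203,0,113,5), ip4(192,168,1,10), 443, 40000, 6, "" };
    strncpy(p.in_iface, iface, sizeof p.in_iface - 1);
    return p;
}
```

Real netfilter conntrack is not keyed on interface; the point of the model is only that the 5-tuple alone cannot tell a forged reply from a genuine one.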

Bits and Bytes

On the topic of more secure Linux installs, [Shawn Chang] has thoughts on how to run a container more securely. The easy hint is to use Podman and run rootless containers. If you want even tighter protection, there are restrictions on system calls, SELinux, and a few other tricks to think about.

Check the logs! That’s the first step to looking for a breach or infection, right? But what exactly are you looking for? The folks at Trunc have thoughts on this. The basic idea is to look for logins that don’t belong, IPs that shouldn’t be there, and other specific oddities. It’s a good checklist for trouble hunting.

And finally, the playlist from DEF CON 32 is available! Among the highlights are [Cory Doctorow] talking about the future of the Internet, [HD Moore] and [Rob King] talking about SSH, and lots lots more!


This Week in Security: The Internet Archive, Glitching With a Lighter, and Firefox In-the-wild
https://hackaday.com/2024/10/11/this-week-in-security-the-internet-archive-glitching-with-a-lighter-and-firefox-in-the-wild/
Fri, 11 Oct 2024 14:00:17 +0000

The Internet Archive has been hacked. This is an ongoing story, but it looks like this started at least as early as September 28, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwned.

There are questions still. The site defacement seems to have included either a subdomain takeover, or a long tail attack resulting from the polyfill takeover. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.

Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt hashed passwords.

In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It’s an open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.

Palo Alto Expedition

Researchers at HORIZON3 started with a known vulnerability in Palo Alto’s Expedition application. This follows a pattern we’ve seen many times before. A vulnerability is found, usually in a codebase or niche that hadn’t been considered interesting to researchers. A new vulnerability is announced, and suddenly the boring code seems interesting.

The new vulnerability was pretty straightforward — an HTTP call to a specific endpoint resets the admin password to default. The obvious next step was to look for something to do with this new admin power. Expedition uses cron to schedule tasks, and while there didn’t seem to be a way to directly set the command, the start time wasn’t sanitized, and ended up part of a string executed in bash. Yes, it’s a simple command line injection. Sometimes the simple approach just works.

The flaws were fixed with 1.2.96. As Expedition is intended for network migration, it’s not expected to be run indefinitely. Shodan lists a whopping 23 Expedition servers on the Internet. Don’t be like those guys.

Arbitrary Write, But Read Only Filesystem

[Stefan Schiller] from Sonar had an interesting challenge. He had found an arbitrary file upload widget in a Node.js application. This sort of write-anything-anywhere flaw is usually an instant exploit, with many options to choose from. This particular application was hardened: the filesystem was read only. This is a great strategy for making exploitation harder. But as we see here, it’s not foolproof. In Unix, everything is a file. And that means that file write vulnerabilities are useful even with a read-only FS.

In this case, the weak point was an anonymous pipe, an inter-process communication (IPC) construct. The Linux procfs puts those pipes on the filesystem. Listening on the other end of one of those pipes was libuv, a signal handling library. One of the things this library does with these messages is to jump execution to a pointer in the message, as a callback function implementation. Build this data structure properly, and you have shell code execution. Nifty!

Glitching With a Lighter

Memory glitching attacks are really cool. And most of the time, they’re pretty difficult to pull off. Getting access often means physically attacking a chip, or using some expensive EM generator. [David Buchanan] wanted to know if that style of attack is possible with makeshift tools. So, he channeled his inner MacGyver, and looked at the junk in his pockets. A scrap of wire and a pocket lighter? Perfect!

That lighter didn’t use flint and steel, but instead a piezo-electric trigger. Solder the wire onto the memory chip of a laptop, and flick the lighter right next to it. That scrap of wire is suddenly an antenna, and the EM burst from the lighter is enough to flip a bit. It’s rowhammer, with an antenna.

And yes, using similar techniques to rowhammer, it’s quite possible to use this to compromise a machine, assuming you can get some arbitrary data somewhere in memory. It’s a clever bit of magic, and while not particularly useful as an attack, it’s really great to see someone working with these attacks on a shoestring budget and making it work.

Firefox 0-day

It’s time to update Firefox. Mozilla has released an emergency update, version 131.0.2, to fix a critical use-after-free vulnerability in Animation timelines, part of the Web Animations API. Not much is known about this vulnerability, but it’s being used in real-world attacks already. We know that ESET discovered the flaw, but not yet whether that discovery was from observing it in use. Regardless, the fix is now available.

Bits and Bytes

We normally think of data breaches as leaking personal information, and then brace for the inevitable targeted spam. Here’s your reminder that it can be worse than that. AT&T seems to have an ongoing data breach where someone with access to shipping information for new iPhones is sending it to organized porch pirate rings.

And finally, Google Project Zero has a new post out, from [Nick Galloway], chatting about OSS-Fuzz and the dav1d AV1 decoder. [Nick] expanded the fuzzing setup for dav1d, and managed to find an integer overflow while at it. And while you’re here, maybe check out the OSS-Fuzz Bounty program, where Google offers to pay programmers for adding Open Source software to the OSS-Fuzz project.


This Week in Security: Zimbra, DNS Poisoning, and Perfctl
https://hackaday.com/2024/10/04/this-week-in-security-zimbra-dns-poisoning-and-perfctl/
Fri, 04 Oct 2024 14:00:13 +0000

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a pretty nasty one, though thankfully it requires a specific change from default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it logs incoming emails. One of the fields on an incoming SMTP mail object is the RCPT TO: field, with the recipients made up of the to, cc, and bcc fields. When postjournal logs this field, it does so by passing it as an argument on a bash command line. That argument wasn’t properly sanitized, and the call wasn’t made with a safe function like execvp(). So, it was possible to inject commands using the $() construction.
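Added C example (not Zimbra’s code) showing the two shapes the paragraph contrasts: a recipient string spliced into a shell command line, and the same string handed to execv as one argv element, where $() is just bytes. /bin/echo stands in for the logger so the child’s output can be captured and compared with what was sent; the function names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Cheap telemetry rule, not the fix: does this recipient contain anything
 * a shell would expand or treat as a command separator? */
static int shell_would_expand(const char *s) {
    return strstr(s, "$(") != NULL || strpbrk(s, "`;|&\n") != NULL;
}

/* Vulnerable shape (the pattern the paragraph describes, not Zimbra's code),
 * kept as a comment so it cannot run:
 *
 *     snprintf(cmd, sizeof cmd, "/usr/bin/logger -t postjournal %s", rcpt);
 *     system(cmd);      // /bin/sh parses cmd, so $(...) inside rcpt executes
 */

/* Hardened shape: fork, then execv with an argv array.  No shell parses
 * anything, so "$(id)" reaches the child as literal bytes.  /bin/echo stands
 * in for the logger and its stdout is captured into out so the caller can
 * verify exactly what arrived.  Returns the child's exit status or -1. */
static int log_rcpt_safely(const char *rcpt, char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        char *argv[] = { "/bin/echo", (char *)rcpt, NULL };
        execv(argv[0], argv);
        _exit(127);                      /* only reached if execv failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t r;
    while (used + 1 < outlen &&
           (r = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)r;
    close(fds[0]);
    out[used] = '\0';
    if (used > 0 && out[used - 1] == '\n') out[used - 1] = '\0';  /* echo's newline */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char got[256];
    const char *rcpt = "victim@example.com$(id)";   /* constructed sample */
    int rc = log_rcpt_safely(rcpt, got, sizeof got);
    printf("flagged=%d exit=%d child saw: %s\n", shell_would_expand(rcpt), rc, got);
    return 0;
}
```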

The details of the attack are known, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so at least some of those attempts have teeth. The attack seems to be less reliable when coming from outside of the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. A potential answer is WhoYouCalling. The wrinkle here is that WYC uses the Windows Event Tracing mechanism to collect the network traffic strictly from the application in question. So it’s a Windows-only application for now. What you get is a packet capture from a specific executable and all of its child processes, with automated DNS capture to go along.

DNS Poisoning

Here’s a mystery. The folks at Assetnote discovered rogue subdomains from several of their customers, showing up with seemingly random IP addresses attached. A subdomain like webproxy.id.customer.vn might resolve with 10 different addresses, when querying on alibabadns.com.

That turned out to be a particularly important clue. These phantom subdomains were all linked to the Chinese Internet in some way, and it turns out that each subdomain had some interesting keyword in it, like webproxy or VPN. This seems to be a really unique way to censor the Internet, as part of the Chinese Great Firewall. The problem here is that the censorship can escape, and actually poison DNS for those subdomains for the rest of the Internet. And because the semi-random IPs sometimes point at things like the Fastly CDN or old cPanel installs, a bit of legwork gets you the equivalent of a subdomain takeover. Along with the story, Assetnote have shared a tool to check domains for this issue.
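The check itself is simple to express: for each name, compare what a given resolver returns against the authoritative answer and flag any addresses the authority never handed out, paying extra attention to names containing the censorship keywords. The following is an added example of that comparison, not Assetnote’s tool; the domain names, resolver labels and addresses are constructed.

```python
"""Flag subdomains whose answers from a resolver disagree with the
authoritative answers. Added example, not Assetnote's tool; every name,
resolver label and address below is constructed."""
from ipaddress import ip_address

# Keywords the column says the phantom names carried.
SUSPECT_KEYWORDS = ("webproxy", "vpn", "proxy")

# Constructed sample: {name: {resolver: set of A records}}.
OBSERVATIONS = {
    "webproxy.id.customer.test": {
        "authoritative": set(),  # the name does not exist at the authority
        "alibabadns": {"203.0.113.10", "203.0.113.11", "198.51.100.7"},
    },
    "www.customer.test": {
        "authoritative": {"192.0.2.10"},
        "alibabadns": {"192.0.2.10"},
    },
    "vpn.customer.test": {
        "authoritative": {"192.0.2.20"},
        "alibabadns": {"192.0.2.20", "203.0.113.50"},
    },
}


def phantom_answers(observations, authority="authoritative"):
    """Return one finding per (name, resolver) whose answers contain
    addresses the authoritative server never returned."""
    findings = []
    for name, by_resolver in observations.items():
        auth = by_resolver.get(authority, set())
        for resolver, answers in by_resolver.items():
            if resolver == authority:
                continue
            extra = answers - auth
            if not extra:
                continue
            leftmost = name.split(".")[0].lower()
            findings.append({
                "name": name,
                "resolver": resolver,
                "phantom_ips": sorted(extra, key=ip_address),
                "keyword_hit": any(k in leftmost for k in SUSPECT_KEYWORDS),
                "nonexistent_at_authority": not auth,
            })
    return findings


if __name__ == "__main__":
    for f in phantom_answers(OBSERVATIONS):
        print(f)
```

A name that does not exist at the authority but resolves to a handful of unrelated addresses elsewhere is the strongest signal; a name that exists but picks up extra addresses is worth a look too, since the owner of whatever those addresses host is now answering for part of your namespace.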

Virtual Name Tags Bring the Creep Factor

What do you get when you combine Internet-connected smart glasses with an LLM doing facial recognition? The optimistic opinion is that you get virtual nametags for everybody you meet. I’ve played a video game or two that emulates that sort of ability. Taking a bit more cynical and realistic view, this auto-doxxing of everyone in public strays towards dystopian.

perfctl

There’s a newly discovered Linux malware, perfctl, that specializes in stealth, combined with Monero mining. The malware is also used to relay traffic, as well as install other malware on compromised machines. The malware communicates over Tor, and uses some clever tricks to avoid detection. Log in to a compromised machine, and the Monero mining stops until you log back out.

The malware is particularly difficult to get rid of, and as always, the best solution is to carefully back up and then wipe the affected machine. One of the tells to look for is a machine pegged at 100% CPU when it has no business being that busy, which then drops back to normal as soon as you log in to look for the culprit.

Bits and Bytes

[nv1t] found a kid’s toy, the Kekz Headphones, and they just begged to be taken apart. This toy has a bunch of audio on an SD card, and individual NFC-enabled tokens that trigger playback of the right file. This one is interesting from an infosec perspective, because the token actually supplies the encryption key for the file playback, making it a nominally secure system. After pulling everything apart, it became apparent that the encryption wasn’t up to the task, with only about 56 possible keys for each file.

Something we’ve continually talked about is how the subtle mismatches in data parsing often lead to vulnerabilities. [Mahmoud Awali] has noticed this, too, and decided to put together a comparison of how different languages handle HTTP parameters. Did you know that Ruby uses the semicolon as a parameter delimiter? There are a bunch of quirks like this, and this is the sort of material that you’ll need to find that next big vulnerability.
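A quick way to see why those parsing differences matter is to run one query string through several parsing profiles and watch which value each one settles on. The block below is an added example: a small parameterized parser (delimiter set plus duplicate-key policy) with three constructed profiles, not any specific framework’s parser. The semicolon profile models the Ruby behaviour the column mentions; the others model stacks that split only on `&` and keep either the first or the last duplicate.

```python
"""Parse one query string under different delimiter and duplicate-key rules,
to show how a parameter can mean one thing to a front-end filter and another
to the application behind it. Added example; the profiles are constructed
models, not any real framework's parser."""
from urllib.parse import unquote_plus


def parse_params(qs: str, delimiters: str = "&", duplicates: str = "all"):
    """Split `qs` on any character in `delimiters`. For repeated keys keep
    every value ("all", as a list), the first, or the last."""
    pairs, token = [], ""
    for ch in qs:
        if ch in delimiters:
            pairs.append(token)
            token = ""
        else:
            token += ch
    pairs.append(token)

    params = {}
    for pair in pairs:
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        if duplicates == "all":
            params.setdefault(key, []).append(value)
        elif duplicates == "first":
            params.setdefault(key, value)
        elif duplicates == "last":
            params[key] = value
        else:
            raise ValueError(f"unknown duplicate policy {duplicates!r}")
    return params


# Constructed profiles: (delimiter characters, duplicate policy).
PROFILES = {
    "amp_only_all": ("&", "all"),      # e.g. a filter that splits on & only
    "amp_semi_last": ("&;", "last"),   # Ruby-style: ; is also a delimiter
    "amp_only_first": ("&", "first"),  # a backend that keeps the first value
}


def effective_value(qs: str, key: str, profile: str):
    """What a given profile ends up using for `key` (last list entry for
    'all', since that is what many handlers read)."""
    delimiters, policy = PROFILES[profile]
    value = parse_params(qs, delimiters, policy).get(key)
    if isinstance(value, list):
        return value[-1] if value else None
    return value


def disagreements(qs: str, key: str):
    """Profiles that disagree about `key` are where a smuggled parameter
    slips past one layer and lands in another."""
    seen = {name: effective_value(qs, key, name) for name in PROFILES}
    return seen if len(set(seen.values())) > 1 else {}


if __name__ == "__main__":
    print(disagreements("user=alice&role=user;role=admin", "role"))
```

For `user=alice&role=user;role=admin` the `&`-only profiles see a single `role` whose value is the literal string `user;role=admin`, while the semicolon profile sees two `role` parameters and keeps `admin`. If the first parser is your WAF and the second is your application, the filter has inspected a value the application never uses.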

And finally, speaking of Ruby, are you familiar with Ruby’s class pollution category of vulnerabilities? It’s akin to Python and JavaScript’s prototype pollution, and not entirely unlike Java’s deserialization issues. If Ruby is your thing, go brush up on how to avoid this particular pitfall.

https://hackaday.com/2024/10/04/this-week-in-security-zimbra-dns-poisoning-and-perfctl/feed/ (comments: 6; post id 726085; DarkArts)
This Week in Security: Password Sanity, Tank Hacking, And The Mystery 9.9
https://hackaday.com/2024/09/27/this-week-in-security-password-sanity-tank-hacking-and-the-mystery-9-9/
Fri, 27 Sep 2024 14:00:40 +0000

It looks like there’s finally hope for sane password policies. The US National Institute of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST-approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like the name of your first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable for passwords.
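What that guidance looks like as a verifier’s acceptance check, as an added example rather than NIST’s own text or any vendor’s implementation: length is the only hard rule, measured in characters rather than bytes so Unicode passphrases are not penalized, with the old composition rule kept alongside purely for contrast. The 64-character upper bound and the verdict structure are assumptions of this example, not something the draft is quoted on here.

```python
"""Password acceptance following the draft SP 800-63-4 points the column
lists: 8 characters minimum (SHALL), 15 recommended (SHOULD), no composition
rules, all ASCII and Unicode accepted, no periodic rotation. Added example;
the maximum length and the Verdict structure are this example's assumptions."""
from dataclasses import dataclass, field

MIN_LEN = 8           # SHALL, per the draft as quoted
RECOMMENDED_LEN = 15  # SHOULD, per the draft as quoted
MAX_LEN = 64          # assumption: generous ceiling so passphrases fit


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)     # why it was rejected
    advisories: list = field(default_factory=list)  # accepted, but could be better


def check_password(candidate: str) -> Verdict:
    """Length is the only hard requirement. Spaces, emoji and accented
    letters are all fine; no character class is required or forbidden."""
    verdict = Verdict(accepted=True)
    # len() counts Unicode code points, not bytes: "pässwörd" is 8 characters
    # even though it encodes to 10 bytes in UTF-8.
    length = len(candidate)
    if length < MIN_LEN:
        verdict.accepted = False
        verdict.reasons.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        verdict.accepted = False
        verdict.reasons.append(f"longer than {MAX_LEN} characters")
    if verdict.accepted and length < RECOMMENDED_LEN:
        verdict.advisories.append(f"consider {RECOMMENDED_LEN} or more characters")
    # Deliberately absent: digit/upper/symbol requirements, rejection of
    # spaces or non-ASCII, and any expiry date.
    return verdict


def legacy_composition_check(candidate: str) -> bool:
    """The kind of rule the draft tells verifiers NOT to impose. Kept only to
    show how it rejects strong passphrases and waves through weak ones."""
    return (any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))


def needs_rotation(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """Change on evidence of compromise, never on the calendar."""
    return evidence_of_compromise


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "pässwörd", "P@ss1", "Abc123!"):
        print(repr(pw), check_password(pw), "legacy:", legacy_composition_check(pw))
```

Note the contrast in the last two samples: the composition rule happily accepts `Abc123!`, which the length rule rejects, while rejecting a 28-character lowercase passphrase that the length rule accepts without even an advisory.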

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gases in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alphanumeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws and a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS 9+ flaw is a SQL injection, plus a trio of slightly less serious flaws.

The really interesting question is what could theoretically be done with admin access and escape to shellcode in one of these systems? There’s the obvious path of Denial of Service. Once you have root, just delete files, flash random noise over the firmware, and walk away. The more interesting approach is to make changes that have physical consequences. If a fuel tank is reprogrammed to indicate that it holds twice the volume, will it overflow? Researchers realized that relays have a maximum operation rate, and driving them on and off at faster rates has interesting effects — glowing and letting the magic smoke out.

More Tank Hacking?

Also this week is the story of a Kansas water treatment plant that has gone to manual mode after a cyberattack. It’s not clear whether this was actually an aimed attack at infrastructure, or just a ransomware attack that is impacting the water treatment facility as a side-effect.

The Linux Mystery 9.9 CVE

This week we’ve been watching a story develop after [Simone Margaritelli] sounded the warning about a very serious GNU/Linux vulnerability on Twitter/X. The claim was a CVSS 9.9 in all Linux systems. Well apparently it’s time, because the details have dropped, and it’s a wild ride.

So first, the actual vulnerabilities: Part of the Common Unix Printing System (now just CUPS) is cups-browsed, a helper daemon that automatically installs printers discovered on the local network. This binds to all IP addresses on UDP port 631, and an incoming UDP packet will trigger a printer install. The quirk here is that this incoming request can include an arbitrary URL as the source of the IPP printer driver information. That IPP data isn’t sanitized, allowing for arbitrary information upload and subsequent file creation with that arbitrary data. The cherry on top is the foomatic-rip driver that includes the helpful feature of running a shell command as part of the printing process. Oh, and to be clear, the CVSS 9.9 isn’t strictly accurate, because it does require a user interaction to print to the malicious printer, to trigger the code execution.

Now here’s the tricky question: How many of those quirks are vulnerabilities? Cups-browsed seems obviously architected without an authentication layer, and therefore not at all intended to be exposed to the Internet. Downloading an arbitrary IPP file seems to be working as intended, and the FoomaticRIPCommandLine is a documented feature, not a vulnerability.

And yet, pretty obviously, a printer on the local network shouldn’t be able to trigger arbitrary code execution when printing to it, especially when it’s so easy for any computer to fake being a printer. It’s very surprising that there are over 100,000 systems that expose UDP port 631 and the cups-browsed service to the Internet. I look forward to other researchers double-checking that claim. If it wasn’t obvious, don’t expose CUPS to the Internet. It shouldn’t have taken a CVE to make that abundantly clear. That is probably why it was so hard for [Simone] to get the CUPS developers to take this seriously.

As per the Red Hat notice, you can check your Linux systems for this issue by running sudo systemctl status cups-browsed, and check a remote machine using sudo nmap -sU -p 631 -v ip.address.of.machine, watching for “631/udp open|filtered ipp” in the output. There is already a Proof of Concept that has leaked, so do check and pull the plug on any systems that expose this service.
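Those two commands are easy enough to run by hand, but on a fleet you want the interpretation automated. The block below is an added example (not Red Hat’s or the CUPS project’s code) that reads the text of systemctl status cups-browsed and of the nmap UDP scan and turns the pair into a triage verdict. The sample outputs are constructed to resemble those tools’ formats and were not captured from real systems.

```python
"""Triage cups-browsed exposure from the output of
`systemctl status cups-browsed` and `nmap -sU -p 631 -v <host>`.
Added example; the sample outputs below are constructed, not captured."""
import re

# Constructed sample outputs, shaped like the real tools' text.
SYSTEMCTL_ACTIVE = """\
● cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-09-27 09:12:03 UTC; 2h 3min ago
"""
SYSTEMCTL_INACTIVE = """\
○ cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; disabled; preset: enabled)
     Active: inactive (dead)
"""
NMAP_EXPOSED = """\
PORT    STATE         SERVICE
631/udp open|filtered ipp
"""
NMAP_CLOSED = """\
PORT    STATE  SERVICE
631/udp closed ipp
"""

ACTIVE_RE = re.compile(r"^\s*Active:\s+(\S+)", re.MULTILINE)
PORT_RE = re.compile(r"^631/udp\s+(\S+)\s+ipp", re.MULTILINE)


def cups_browsed_running(systemctl_output: str) -> bool:
    """True when the Active: line reports 'active'."""
    m = ACTIVE_RE.search(systemctl_output)
    return bool(m) and m.group(1) == "active"


def udp_631_reachable(nmap_output: str) -> bool:
    """nmap reports a UDP port as open|filtered when nothing answers the probe,
    which is the string the notice says to watch for; a plain 'open' (an ICMP
    or IPP reply came back) counts as well."""
    m = PORT_RE.search(nmap_output)
    return bool(m) and m.group(1) in ("open", "open|filtered")


def triage(systemctl_output: str, nmap_output: str) -> str:
    """Combine the local service state with the remote scan result."""
    running = cups_browsed_running(systemctl_output)
    reachable = udp_631_reachable(nmap_output)
    if running and reachable:
        return "exposed: stop cups-browsed or block UDP 631 at the edge"
    if running:
        return "running but not reachable from the scanner: confirm the firewall rule"
    if reachable:
        return "udp/631 answers but cups-browsed is down: identify what is listening"
    return "ok"


if __name__ == "__main__":
    print(triage(SYSTEMCTL_ACTIVE, NMAP_EXPOSED))
    print(triage(SYSTEMCTL_INACTIVE, NMAP_CLOSED))
```

The `open|filtered` state deserves a word: UDP scans cannot distinguish a listening socket that stays silent from a firewall that drops the probe, so that verdict means “could be listening”, and the local systemctl check is what turns it into a yes or no.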

The Other One

The “9.9” CVE was just a bit of a letdown, but we do have CVE-2024-20017, a confirmed high severity vulnerability in MediaTek’s wappd daemon that seems to weigh in at 9.8.

The vulnerability is specifically in the handling of the Security Block message that’s part of WiFi roaming handoffs. wappd allocates a fixed-size buffer, and doesn’t validate the actual message size before copying that data. This can overflow by up to 1433 bytes, and that’s certainly enough to trigger full RCE. There’s Proof of Concept code available, so watch for updates for wireless gear.

Bits and Bytes

Kaspersky has done something unexpected, pulling a switcheroo. Users who still had Kaspersky installed have found UltraAV now automatically installed on their machines. It’s reported that Kaspersky was sending email notices out earlier this month that the update was coming.

There’s a really impressive chain of tricks that redirects from a YouTube URL to an arbitrary Google Docs URL. That may not sound particularly interesting, but the whole chain of redirects means that a page that looks like a Google Form with a simple poll could actually grant permissions to arbitrary Google Drive files on submit. Google paid a juicy $4133.70 for the find, and rolled the fix out on the same day.

ChatGPT has a new feature, long-term memory. The idea is that your conversations with the LLM can become part of the training data, making the model even more useful as you use it. There is a really powerful feature available in ChatGPT now, that the LLM can pull data from the Internet in real time. Turns out if you can get one of these instances to pull some manipulated data, the model can keep it in long term storage. The real trick is that this injection can convince the model to keep revisiting an arbitrary URL, leaking data. Impressive.

And finally, the Kia dealer and owners websites leak a bit too much data. With nothing more than the car’s VIN, an attacker can generate a fake dealer token, and demote and replace the previous owner. From there, it’s trivial to remote start, honk, or otherwise mess with the vehicle. It wasn’t great, but Kia got it fixed over a month ago.

https://hackaday.com/2024/09/27/this-week-in-security-password-sanity-tank-hacking-and-the-mystery-9-9/feed/ (comments: 15; post id 724559; DarkArts)
This Week in Security: Open Source C2, Raptor Trains, and End to End Encryption
https://hackaday.com/2024/09/20/this-week-in-security-open-source-c2-raptor-trains-and-end-to-end-encryption/
Fri, 20 Sep 2024 14:00:46 +0000

Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.

Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.

A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.

Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.

Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops.

Trains!

[Bertin Jose] has a bit of a side hobby, of scanning the Internet for interesting endpoints, with an emphasis on industrial control systems. In an automated scan, a CZAT7 device popped up — a traction power substation controller. This is a miniature power station that supplies power to electric railways. And this one was not only connected to the Internet, it exposed a web interface that probably wasn’t intended to be public. And it included coordinates. It’s delightful that we can point to a picture on Google Maps, to the little building in Poland where this controller lives.

[Bertin] has enough experience with control devices like these to know that 1111 is a common password. It’s wild that for these devices, both 1111 and 2222 worked for read/write access to the devices. This is where there was clearly a line, where fiddling around further inside these real devices would be ill-advised. What turned out to be more of a problem is finding the right people to disclose the device to. There was never a response, but the device seems to be finally off the Internet.

Raptor Train

We have news this week of a joint effort between Lumen Technologies and the US DoJ to take down the Raptor Train, a botnet that lives on a variety of routers, IoT devices, and cameras and NVRs. This botnet is interesting in that each device was only compromised for an average of 17 days at a time, with the infection only persisting until the next reboot.

What’s always fun about watching malware activity like this is to line up activity with timezones around the world. This one roughly corresponds to a 10:00 AM to 7:00 PM working day in China Standard Time, which checks out with the likely attribution to the Chinese group, Flax Typhoon. The count of total devices was somewhere around 260,000, with exploitation due to a combination of 0-day and n-day vulnerabilities. Turns out maybe it’s not a great idea to put those cameras on the Internet.
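Lining activity up with a time zone is a quick exercise once you have timestamps. The following is an added example of that analysis, not Lumen’s or the DoJ’s data or code: it buckets UTC check-in times by local hour in UTC+8, measures how much activity falls inside a 10:00 to 19:00 working day, and then tries every whole-hour offset to see which one fits best. The timestamps are constructed to illustrate the pattern, and the offset sweep goes beyond the single time zone the column discusses.

```python
"""Bucket observed check-in timestamps by local hour and score how well a
working-day window fits each candidate UTC offset. Added example; the
timestamps are constructed, not Raptor Train telemetry."""
from collections import Counter
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # China Standard Time, UTC+8

# Constructed sample: UTC check-ins clustered between 02:00 and 11:00 UTC
# (10:00 to 19:00 in UTC+8) plus a few stragglers outside that window.
SAMPLE_UTC = [
    datetime(2024, 9, 16, h, m, tzinfo=timezone.utc)
    for h, m in [(2, 5), (3, 10), (4, 40), (6, 0), (7, 15), (8, 30),
                 (9, 45), (10, 20), (10, 55), (14, 0), (20, 30), (23, 10)]
]


def hourly_histogram(timestamps, tz):
    """Count events per local hour (0-23) in the given time zone."""
    return Counter(ts.astimezone(tz).hour for ts in timestamps)


def working_day_fraction(timestamps, tz, start_hour=10, end_hour=19):
    """Share of events whose local hour lies in [start_hour, end_hour)."""
    if not timestamps:
        return 0.0
    inside = sum(1 for ts in timestamps
                 if start_hour <= ts.astimezone(tz).hour < end_hour)
    return inside / len(timestamps)


def best_fitting_offset(timestamps, start_hour=10, end_hour=19):
    """Sweep whole-hour UTC offsets and return the one that puts the most
    activity inside the working-day window, with its score. A clear peak is
    suggestive rather than proof; it is one input to attribution, weighed
    with the other evidence a takedown cites."""
    scores = {}
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        scores[off] = working_day_fraction(timestamps, tz, start_hour, end_hour)
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores[best]


if __name__ == "__main__":
    hist = hourly_histogram(SAMPLE_UTC, CST)
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * hist[hour]}")
    print("working-day fraction in UTC+8:", working_day_fraction(SAMPLE_UTC, CST))
    print("best fitting offset:", best_fitting_offset(SAMPLE_UTC))
```

On real telemetry you would also split by weekday, since a five-day rhythm with quiet weekends is as telling as the daily window, and you would want far more than a dozen samples before reading anything into the peak.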

Discord and DAVE

Discord has rolled out DAVE, Discord Audio and Video end-to-end Encryption. This new solution will provide encryption for voice and video for DMs, Group DMs, and other live calls on Discord. The solution is Open Source, and was designed in collaboration with Trail of Bits.

Lots of established cryptography was used, and at a brief look the scheme seems to check out. Notably missing is any mention of quantum-resistant cryptography. That’s not entirely unexpected, as we’re still several years away from practical quantum computers, and the cryptographic schemes designed to resist quantum computers are still quite new and immature.

The Other Side of the Coin

In an interesting counterpoint to Discord’s new scheme, Interpol has taken down Ghost, an end-to-end-encrypted communications platform widely used for organized crime. It seems that Ghost was designed and marketed specifically for criminal use, but one has to ask the question about whether Discord will also face repercussions for the move to strong encryption.

Bits and Bytes

The folks at Cyber Security Associates have the scoop on doing a Patch Diff on a vulnerability fixed in a recent Windows Patch Tuesday. The short explanation is that incoming calls to the driver weren’t checked for whether they originated in the kernel or in userspace.

And finally, there’s a real mystery on the Internet. GreyNoise describes Noise Storms of spoofed packets flooding the Internet. These seem to be malicious, coming in waves since January 2020. The inclusion of the string LOVE in recent packets suggests the name LOVE Storm. GreyNoise has made packet captures available, if any of our readers feel like joining in on the sleuthing to figure out what these packets are up to.

https://hackaday.com/2024/09/20/this-week-in-security-open-source-c2-raptor-trains-and-end-to-end-encryption/feed/ (comments: 14; post id 707882; DarkArts)