This Week in Security: Adblock for Security, ProxyNotShell Lives, and CVSS 10 to Not Worry About

-

The ubiquity of ransomware continues, this time with The Guardian announcing they were partially shut down from an attack. Staff are working from home as the incident is being investigated and data is recovered. Publishing seems to be continuing, and the print paper ran as expected.

There have been a couple reports published recently on how ransomware and other malware is distributed, the first being a public service announcement from the FBI, detailing what might be a blindly obvious attack vector — search engine advertising. A bad actor picks a company or common search term, pays for placement on a search engine, and then builds a fake web site that looks legitimate. For bonus points, this uses a typosquatted domain, like adobe[dot]cm or a punycode domain that looks even closer to the real thing.

The FBI has a trio of recommendations, one of which I whole-heartedly agree with. Their first suggestion is to inspect links before clicking them, which is great, except for the punycode attack. In fact, there are enough lookalike glyphs to make this essentially useless. Second is to type in URLs directly rather than using a search engine to find a company’s site. This is great so long as you know the URL and don’t make a typo. But honestly, haven’t we all accidentally ended up at website[dot]co by doing this? Their last recommendation is the good one, and that is to run a high-quality ad-blocker for security. Just remember to selectively disable blocking for websites you want to support. (Like Hackaday!)

Exchange Still Targeted

And the other report, a PDF from Prodraft, details the activities of FIN7, who have added ransomware to their criminal portfolio. These attacks are launched through multiple means, including malicious USB drives and using known Exchange vulnerabilities, such as CVE-2020-0688 and the ProxyShell family of problems.

And speaking of which, ProxyShell/ProxyNotShell isn’t dead, as there’s been another bypass found in-the-wild. This isn’t an effective bypass against the November 8th patch, but does bypass the rewrite rules that were touted as an effective mitigation. The reason is that this attack doesn’t use the autodiscover endpoint, but applies the same technique to the OWA (Outlook Web App) endpoint instead.

Password Manager Fail

LastPass isn’t the only password manager in the news, and the problems found in Passwordstate makes the recent LastPass issues seem like the most minor of inconveniences. Passwordstate is an enterprise solution for password management. Researchers at modzero started with the browser extension, that allows a user to access saved passwords. To authenticate, a token is generated and sent to the server. Turns out, that token is just the username and other user information, XOR’d with a static, universal key. And on the server side, the only check that happens is on the username. So on any Passwordstate install anywhere, if you can talk to the API, and know a valid username, you can pull every password accessible to that account.

That same API has another problem, any user can write to any other user’s stored passwords, including the login URL for a given password. And since the whole interface is web-based, Cross-Site Scripting attacks are the way to go. There is, of course, insufficient sanitisation. An administrator can use the API to run Powershell scripts. So spray the malicious link into other user’s URLs, and wait for an admin to use the interface to login somewhere. The powershell script runs, starting a reverse shell. And because the stored passwords aren’t usefully encrypted (AES encrypted, but the key is stored, obfuscated, on the same machine as the database), this allows an attacker to abscond with the entire database of passwords. The vulnerabilities have been fixed in release 9.6 Build 9653, though seeing the severity of issues and other problems, one has to wonder how effectively these problems were dealt with.

Linux Does the Samba (Badly)

There’s a perfect 10 vulnerability in the Linux kernel. CVE-2022-47939 is a problem in the ksmbd driver, that was added last year for the purpose of faster SMB performance. SMB here meaning the Server Message Block, the primary file-sharing protocol for Windows machines. The problem is a dangling pointer, allowing for a use-after-free. The solution is a one-line patch that sets the pointer to null upon close.

Now as scary as a CVE scoring a severity score of 10 seems, I’m pretty sure you have nothing to worry about, even if you are a Linux user or manage a Linux server. Why? Because while ksmbd is officially in the kernel, hardly any distros are compiling it into their official kernels, the Samba project isn’t using any of the vulnerable code, and it’s already a horrible idea to expose any SMB service to untrusted connections. Or put another way, if you’re making use of the ksmbd driver, you did it on purpose.

The Kernel config option is CONFIG_SMB_SERVER, and you can check your current config in either /proc/config.gz or /boot/config-$(uname -r). Alternatively, use lsmod to search for the ksmbd module. The real place where this could be a real issue is in a NAS appliance that runs Linux under the hood, though my guess is that the kernel module is new enough that none of the popular appliances on the market are making use of it. Be sure to let us know if you’re aware of a major distro that compiles the module in by default, or a NAS that uses it.

Google Home Takeover

Google’s smart home devices are based on the same firmware as the Chromecast, and use a similar under-the-hood approach to authentication. [Matt] noticed this, and started wondering, could that be a security problem? See, playing a video on a TV isn’t terribly dangerous, but a smart speaker has access to a few more important abilities. Chromecasts serve a key on a local API, and sending a request with that key off to Google links the device to your account. The intent is that anyone on the local network should be able to cast to the TV. It seems like it was unintentional that the process worked on other smart devices.

But wait, there’s more. These devices have a setup mode, where they broadcast an open WiFi network. All it takes to trigger this mode is to knock the device offline — and that’s as easy as sending spoofed deauth wireless packets. Connect to that network, make the API request, and you have the secret key. Let it reconnect to the real network, and you can authenticate as a new verified user. Smart home actions let you do some interesting things with other devices, but just the ability to make a quiet phone call from the device is creepy enough. Google agreed, and removed both the unintended auth flow and ability to call a phone number via a routine.

Bits and Bytes

The TYPO3 content management system fixed and announced an RCE earlier this month. This one was only accessible by authenticated users with access to the Form Designer module, but allowed injection of TypoScript that could be executed as PHP code.

Do not trust save games from the internet. This is good general advice, but specifically applies to games built on Ren’Py, a visual novel engine built on Python. For loading save games, the pickles library is used — it’s already notorious for being unsafe when unpickling untrusted data. It’s just not obvious that save games can deserialize themselves right over Python functions and take over program execution.

The Netgear RAX30, and possibly other models, run the pucfu application on on boot, checking for firmware updates from a Netgear domain. Researchers at NCC Group have discovered that if they control the JSON response to that request, the binary can be manipulated into command injection, leading to a reverse shell.



from Blog – Hackaday https://ift.tt/zyvHK4F

Comments

Post a Comment

Popular posts from this blog

Modern Radio Receiver Architecture: From Regenerative to Direct Conversion

-
Image
Modern radio receivers have a distinct advantage over the common early designs which I covered in my previous article . Most of the receivers you will have worked with over the past couple decades are designs by Edwin Armstrong ; regenerative, superregenerative, or most commonly superheterodyne. These are distinguished by a few fascinating key traits that bring both benefits and drawbacks. Today let’s dive into Mr. Armstrong’s receivers. I’ll also talk about DC receivers which, despite the name, are not made to listen to batteries. These are receivers you are much more likely to encounter in modern equipment. Regenerative and Superregenerative The regenerative receiver is all about doing more with less. You still see some of these in simple applications like RF remote controls. The idea derives from how an oscillator works. In a simple way of thinking, an oscillator is an amplifier with enough positive feedback that any tiny signal at the right frequency will amplify and then, throu
Get this one»

Hackaday Links: May 31, 2020

-
We begin with sad news indeed as we mark the passing of Marcel van Kervinck on Monday. The name might not ring a bell, but his project, the Gigatron TTL computer , certainly will. We did a deep dive on the microprocessor-less computer a while back, and Marcel was a regular at conferences and on the Gigatron forums, supporting users and extending what the computer can do. He was pretty candid about his health issues, and I’ll add that when I approached him a few weeks ago out of the blue about perhaps doing a Hack Chat about Gigatron, he was brutally honest about how little time he had left and that he wouldn’t make it that long. I was blown away by the grace and courage he displayed. His co-conspirator Walter Belger will carry on the Gigatron mission, including joining us for a Hack Chat on June 24. In the meantime, this might be a great time to pick up a Gigatron kit before they’re all sold out and get busy soldering all those delicious through-hole TTL chips. May of 2020 is the mo
Get this one»

Homebrew 68K Micro-ATX Computer Runs Its Own OS

-
Image
We’re no stranger to home built Motorola 68000 computers here at Hackaday, but more often than not, they tend to be an experiment in retro minimalism. The venerable processor is usually joined by only a handful of components, and there’s an excellent chance they’ll have taken up residence on a piece of perfboard. Then [NotArtyom] sent in his Blitz , and launched the bar into the stratosphere. Make no mistake, the Blitz isn’t just some simple demo of classic chips. The open hardware motherboard has onboard floppy, IDE, and PS/2 interfaces, with a trio of 8-bit ISA expansion slots for good measure. The  Motorola 68030 CPU is humming along at 50 MHz, with 4 MB of RAM and 512 KB of ROM along for the ride. Designed to fit the Micro-ATX motherboard standard, you can even mount the Blitz in a contemporary PC case and run it on a standard ATX power supply. An earlier prototype of the Blitz motherboard. As if the hardware wasn’t impressive enough, [NotArtyom] went ahead and created his ow
Get this one»