wordpress – Hackaday (https://hackaday.com): Fresh hacks every day

This Week in Security: The Rest of the IPv6 Story, CVE Hunting, and Hacking the TSA
https://hackaday.com/2024/08/30/this-week-in-security-the-rest-of-the-ipv6-story-cve-hunting-and-hacking-the-tsa/
Fri, 30 Aug 2024 14:00:53 +0000

We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), now calling IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so helpful here. And it’s not an easy task, since decompiling a binary like this doesn’t give us variable names.

The first question that needs answering is: what is the list in question? This code handles the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs, and that linked list is almost always a single-member list. When calling IppSendErrorList() on a list with a single member, it’s functionally equivalent to the IppSendError() in the fixed code. The flaw must be in the handling of this list with multiple members. The only way to meet that criterion is to send a lot of traffic at the machine in question, so it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows will assemble incoming packets into a linked list and process them as a batch.

So what’s next? IppSendErrorList() takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a codepath where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now much different from what is expected.

This unexpected bit of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.

CVE Hunting Made Easy

[Eddie Zhang] wanted to take the easy road to finding CVEs. To his immense credit, he did not ask ChatGPT to hallucinate vulnerabilities for him, but instead built an automation chain to find possible vulns. The idea is simple: Download as many WordPress plugins as he could, run Semgrep over the corpus, throw the results in a SQL database, and take a closer look at the most promising findings.

That starts by writing a SQL query, naturally. The interesting flaws were SELECTed, and then the different plugins were run in a test bench setup to try to trigger the actual vulnerable code. And it’s not a bad approach, judging by the 14 CVEs found in 3 afternoons of work.

Moodle

RedTeam Pentesting got to have a field day with the Moodle platform. Moodle is a web-based distance learning solution written in PHP. And to get the flavor of how this went, the test grading logic is written in PHP — and eval()‘d on the server during grading. Now it’s not quite as bad as it sounds. There is sanitization done, and the set of symbols, characters, and functions is rather limited.

PHP has a pretty interesting type system. Something like acos(2), the inverse cosine of 2, returns Not a Number, or NAN. The dot . symbol does string concatenation in PHP, and putting those together, acos(2) . acos(2) results in a string, NANNAN. It gets better, as it’s then possible to do bitwise manipulation of those strings, eventually unlocking the entire alphabet. A few more tricks follow, like PHP’s variable functions, variable variables, and other fun language contortions. Eventually we get to system() and escape into the system.

Hacking the TSA

[Ian Carroll] and [Sam Curry] bring an unfortunate tale of clever hacking, cover ups, and incompetence. The actual hack is pretty straightforward, a SQL injection in a login system. The real problem is that this login is in the official airline security system that controls the Known CrewMember and Cockpit Access Security System. That’s the list of people that get to skip TSA checkpoints altogether, and that get access to airplane cockpits in flight. Not good.

The good news is that after disclosure, the Department of Homeland Security quickly secured the vulnerable site. The story takes a turn for the worse when it came time for public disclosure. The TSA issued a factually incorrect statement about what is required to use the KCM system. [Ian] and [Sam] reached out again to try to set the record straight about the severity of the finding. In response, the TSA quietly deleted the FAQ that spelled out how bad the vulnerability could be. Not a great look.

Bits and Bytes

For your data and packet capture needs, Wireshark 4.4 is out. Among the normal improvements, there’s better VoIP support, a handful of new protocols, and some IPv6 tweaks to make life easier.

Ever wondered how to do effective sandboxing in Linux? Hardened Linux has you covered. There are some obvious things like limited filesystem access, but it might be more useful to read about seccomp to limit the available system calls to your sandboxed program. The article is an overview of the individual techniques, and then some of the more popular all-in-one solutions like firejail, bubblewrap, and landlock.

Volt Typhoon, a collection of hackers believed to be working on behalf of the Chinese government, has begun using a vulnerability in Versa Director to attack businesses. Version 22.1.4 of the network management platform fixes the vulnerability, which allowed executable Java files to be disguised as PNGs and uploaded to the platform.

And finally, one of the sneakier ways to stay on a Linux system is to use udev. For attackers, it’s always a challenge to make sure the malware starts up on each boot, and yet doesn’t attract any attention. There are plenty of places to hide a startup hook, but this one creates a udev rule to automatically run early in boot when the /dev/random device is created. How often do you audit your udev files? Sneaky!
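
An audit pass for exactly that kind of rule, added here as an example (not code from the article or from any udev project): it scans udev rule text for RUN/PROGRAM directives that fire when the random device node is created, run an inline shell command, or point at an executable outside package-managed directories. The sample rules and the list of trusted directories are constructed assumptions for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one RUN/PROGRAM directive that deserves a closer look.
type Finding struct {
	File    string
	Line    int
	Rule    string
	Reasons []string
}

var (
	runRe    = regexp.MustCompile(`\b(?:RUN|PROGRAM)(?:\{[a-z]+\})?\s*(?:\+=|:=|=)\s*"([^"]*)"`)
	kernelRe = regexp.MustCompile(`\bKERNEL\s*==\s*"([^"]*)"`)
	shells   = map[string]bool{"/bin/sh": true, "/bin/bash": true, "/usr/bin/sh": true, "/usr/bin/bash": true}
	// Directories where package-managed udev helpers normally live (assumption for this example).
	trusted = []string{"/usr/lib/udev/", "/lib/udev/", "/usr/lib/systemd/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/dev/"}
)

func trustedPath(p string) bool {
	for _, t := range trusted {
		if strings.HasPrefix(p, t) {
			return true
		}
	}
	return false
}

// AuditRules scans the text of one udev rules file and reports RUN/PROGRAM
// directives that (a) match the random device node, so they run very early in
// boot, (b) run an inline shell command, or (c) reference an absolute path
// outside the trusted directories. Comments and blank lines are skipped.
func AuditRules(file, content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kernel := ""
		if m := kernelRe.FindStringSubmatch(line); m != nil {
			kernel = m[1]
		}
		for _, m := range runRe.FindAllStringSubmatch(line, -1) {
			var reasons []string
			if kernel == "random" || kernel == "urandom" {
				reasons = append(reasons, "fires when the random device node is created (very early in boot)")
			}
			tokens := strings.Fields(m[1])
			if len(tokens) > 1 && shells[tokens[0]] && tokens[1] == "-c" {
				reasons = append(reasons, "inline shell command")
			}
			for _, tok := range tokens {
				tok = strings.Trim(tok, `'"`)
				if strings.HasPrefix(tok, "/") && !trustedPath(tok) {
					reasons = append(reasons, "references non-package path "+tok)
				}
			}
			if len(reasons) > 0 {
				findings = append(findings, Finding{File: file, Line: n, Rule: line, Reasons: reasons})
			}
		}
	}
	return findings
}

// sampleRules is a constructed rules file: one ordinary helper invocation and
// two rules shaped like the persistence trick described above.
const sampleRules = `# constructed sample, not taken from any real system
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb_modeswitch --switch-mode"
ACTION=="add", KERNEL=="random", RUN+="/bin/sh -c '/var/tmp/.cache/update >/dev/null 2>&1'"
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/root/.local/netfix"
`

func main() {
	for _, f := range AuditRules("sample.rules", sampleRules) {
		fmt.Printf("%s:%d %s\n", f.File, f.Line, strings.Join(f.Reasons, "; "))
		fmt.Printf("    %s\n", f.Rule)
	}
}
```

To use it on a real host, feed it the contents of each file under /etc/udev/rules.d and /usr/lib/udev/rules.d and review the findings by hand.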

This Week in Security: Crash your iPhone, Hack Your Site, and Bluetooth Woes
https://hackaday.com/2024/08/23/this-week-in-security-crash-your-iphone-hack-your-site-and-bluetooth-woes/
Fri, 23 Aug 2024 14:00:17 +0000

There have been some hilarious issues on mobile devices over the years. The HTC Dream had a hidden shell that was discovered when a phone rebooted after sending a text containing just the word “reboot”. iOS has gotten in on the fun from time to time, and this time it’s ""::. Type the double quotes, a colon, and any other character, and Apple’s Springboard service crashes.

Another hacker dug in a bit, and realized that Springboard is trying to jump execution to a null pointer, leading to a crash. It’s very odd that user input breaks the query parser badly enough to jump to null like that. There are a couple of interesting questions that we have to ask. Given that the crash trigger is quite flexible, "anything goes":x, is it possible to manipulate that function pointer to be something other than null? And perhaps more importantly, why is the code crashing, instead of an invalid address error as one would expect from a Pointer Authentication Code (PAC) violation? Regardless, the bug seems to be fixed in the latest iOS 18 builds.

OpenBMC

OpenBMC is something of a reference Baseboard Management Controller, and as such it’s the upstream for other implementations. And it has a fairly serious issue, in the slpd-lite service, which just happens to be installed and enabled by default. SLP is the Service Location Protocol, a service discovery protocol, which is something of a predecessor to Zeroconf. Slpd-lite has a pair of issues that result in trivial heap reads and writes, beyond the intended buffer.

The slpd-lite project patched the issues about a week after disclosure, back in May. In June, the patch and an advisory were applied to OpenBMC itself. Nice and speedy action. Now to get all the downstream vendors to apply it, too.

WordPress LiteSpeed Falls to Weak Hash

The LiteSpeed Cache plugin for WordPress does something really clever, but in a way that managed to allow admin authentication bypasses. To cache pages that a logged-in user would see, the plugin’s crawler simulates each user loading the site, and caches that. To protect that cache, a random string is generated. The problem is that this random generation is seeded using the current time, and only the microsecond portion of it, so there are only a million possible values. And while a million is a lot when talking about physical objects, it’s not nearly enough when talking about cryptography.

To log in as a user using this weak hash, an attacker only has to guess the proper user ID (usually 1 is an admin) and then hit the right hash value. LiteSpeed has released a fix, but this is a severe issue, and we should expect to see exploitation attempts — And that didn’t take long. This one could be nasty, as something like 3.5 million sites are still running the vulnerable version of the plugin. Wordfence has already blocked 48,500 attacks in the first 24 hours of this attack being publicly known.

Insulin, Privacy, and Firewalls

[Remy] from Greynoise Labs is on a bit of a crusade against insecure Bluetooth. And make no mistake, Bluetooth can be a problem. Case in point, the FDA has issued a recall on a particular insulin pump, because the iOS app could enter a crash loop, and the continual Bluetooth re-connections drained the device’s batteries. Battery drain may seem like a mild inconvenience, but apparently over 200 people have reported injuries as a result.

So in this push for more secure use of Bluetooth, [Remy] mined a collection of Android applications for Bluetooth UUIDs. Those are unique identifiers of what kind of device is advertising Bluetooth. With this new treasure trove of identifiers, it was only natural to write a Bluetooth UUID scanner. And this is where a bit of a bizarre coincidence took place. At the same moment [Remy] fired up this scanner, his local Internet access dropped. As a result, his Firewalla firewall started advertising a Bluetooth Low Energy interface. The database returned a hit, and [Remy] had the Android APK to look at.

The Firewalla scheme for authenticating that BLE interface was lacking, with a handful of possible issues, like only checking the first 8 characters of a UUID key. And once past that initial hurdle, further administration tasks are secured using a JSON Web Token. That token’s signing key was global for all Firewalla devices, and trivially derived from either firmware or the Android APK. And that’s not even all, since there were also command injection issues over the same Bluetooth link. Firewalla has released version 1.979 to address these issues.

Moar Bluetooth

If that wasn’t enough Bluetooth, the Zero Day Initiative has us covered, with coverage of a pair of flaws in the Autel Maxicharger vehicle charging station. The first was a simple buffer overflow in the Bluetooth data handling, leading to possible Remote Code Execution (RCE). The second issue was the presence of “Backup credentials” in the firmware’s WiFi handling.

Bits and Bytes

“Insufficient sanitization” is not a feature you want in your microservices. Spring’s Cloud Dataflow is a tool to plug data flows into various other applications. Before a recent patch fixed it, Dataflow was doing some basic checks on file uploads, like looking for nulls or empty files. The problem was some very simple path traversal attacks. Give a package a name containing ../../../poc, and while the service may throw an error, it still creates the files as requested. 2.11.3 has shipped with the fix, so time to update!

And speaking of bypasses, ingress-nginx has a validation bypass, allowing unauthorized access to Kubernetes clusters using that controller. Kubernetes supports annotations as a sort of metadata system, and ingress-nginx was failing to properly validate those annotations, which could then be used for command injection.

And finally, I think I’ve played this video game. Except this time, someone actually tried to hack himself out of existence. The FBI discovered that a criminal had not only used stolen social security numbers to commit fraud, he had gone so far as to register his own death in a Government system, using stolen credentials. It didn’t turn out so well, as he was discovered alive, and sentenced to jail time for the effort.

This Week in Security: Forksquatting, RustDesk, and M&Ms
https://hackaday.com/2024/03/01/this-week-in-security-forksquatting-rustdesk-and-mms/
Fri, 01 Mar 2024 15:00:06 +0000

Github is struggling to keep up with a malware campaign that’s a new twist on typosquatting. The play is straightforward: Clone popular repositories, add malware, and advertise the forks as the original. Some developers mistake the forks for the real projects, and unintentionally run the malware. The obvious naming choice is forksquatting, but the researchers at apiiro went with the safer name of “Repo Confusion”.

The campaign is automated, and GitHub is aware of it, with the vast majority of these malicious repositories getting removed right away. For whatever reason, the GitHub algorithm isn’t catching all of the new repos. The current campaign appears to be publishing millions of forks, using code from over 100,000 legitimate projects. It’s beginning to seem that the squatting family of attacks is here to stay.

RustDesk and Odd Certificates

The RustDesk remote access software is interesting, as it’s open source, allows self-hosting, and is written in Rust. I’ve had exploring RustDesk as a todo item for a long time, but a bit of concerning drama has just finished playing out. A user pointed out back in November that a test root certificate was installed as part of the RustDesk installation. That root cert is self-signed with SHA1. There is also concern that the RustDesk binaries are signed with a different certificate.

There have been new events since then. First, there was a Hacker News thread about the issue earlier this month. The next day, CVE-2024-25140 was registered with NIST, carrying an insane CVSS score of 9.8. Let’s cut through some FUD and talk about what’s really going on.

First, root certificates ought to be signed with a more secure hashing function than SHA1. But not for the reason you think, and in this case it doesn’t matter. Root certificates are self-signed by definition, and the only reason they’re signed at all is because these certificates must be signed to be valid. Child certs are not protected by the root’s signature. The important function that depends on that root signature is the ability to issue a revocation request. That would be really bad for one of the widely trusted root certificates, and not an issue at all for an untrusted cert like this one.

Next, RustDesk has a valid, signed certificate for the executables. The self-signed root certificate is strictly for signing a kernel driver, which requires an Extended Validation (EV) certificate. It’s a bit disconcerting that this requirement can be so easily sidestepped by installing a root cert during application install, but that’s on Microsoft, not RustDesk.

The final concern here is that this certificate is being installed as a system-wide Certificate Authority (CA). That is the most worrying element of this saga, but certificates have a field specifying their Key Usage (KU) and Extended Key Usage (EKU). The RustDesk CA is strictly for Code Signing. This does not allow RustDesk or anyone in possession of this key to break TLS or spoof web sites. It does allow code signing, which could be a valid concern, but is not the hair-on-fire situation it first appears.

RustDesk has pulled this key from their installation, which happens to disable the virtual display driver. That was the functionality that required a signed kernel driver. The latest news is that the RustDesk devs are getting some assistance, and are pursuing an EV code-signing certificate, and expect to have that process wrapped up in about a month. And that CVE, scoring a severity 9.8? Seems completely bogus.

Ultimate Member SQL Injection

The Ultimate Member WordPress plugin has been updated to release 2.8.3, fixing a SQL injection flaw that was accessible as an unauthenticated user. Based on the update diff, the key issue is probably a missed prepare() on line 704. Oh, and it’s apparently being probed and potentially exploited in the wild, so go patch.

This is probably a good time to have a chat about why there are so many SQL injection attacks in WordPress. First, SQL injection is when user supplied data is interpreted as part of the SQL command to execute. That’s done by including an unexpected character. For instance, a semicolon indicates the end of a statement, and can be used to start the next. So where a naive program expects a number, an input of 15; DROP TABLE Students will satisfy one SQL statement and inject a second statement to be executed on the database.

Broadly speaking, there are two approaches to prevent SQL injection: input sanitization and prepared statements. And using both is better still! First, sanitize user input. Make sure that integer is actually an integer and only an integer. Strip out quotation marks, semicolons, and other potentially hazardous characters.

The second approach is to use prepared statements. This separates the SQL command from the data in a fundamental way. It’s something like $database->prepare("INSERT INTO Students (name, age) VALUES (?, ?)"); to send the SQL commands. Then it’s followed by $database->bind_param("si", $name, $age); to set the values to be used. And finally a $database->execute(); actually runs the query. There is no injection possible because of the strict separation between the code and values.

Now we come to WordPress, which has its own wpdb class for database calls. That includes a helpful function, wpdb::prepare() that looks almost like a prepared statement as shown above.

$wpdb->prepare( "u.user_registered BETWEEN %s AND %s", $from_date, $to_date );

Except it’s not at all. The prepare() function strictly does a sanitization pass, and an sprintf() value substitution. The prepare() function does not actually produce a prepared database statement. WordPress does not provide a way to actually use prepared statements. One of the basic paradigms to keep developers out of trouble with SQL injections is missing.

The M&Ms Are Watching

I have something of a hobby. I find it fun to spot misbehaving machines, and try to figure out what OS is running underneath the shiny GUI. The weirdest embedded device I’ve found is a page scanner that ran a full-fat copy of Windows. The price scanners in your local big-box store might just run Windows CE. The airplane seat-back infotainment centers run a really old Linux. And apparently the M&M vending machines at the University of Waterloo run Windows with the Invenda.Vending.FacialRecognition.App.exe application.

We know that because [SquidKid47] caught an unknown software exception on the vending machine’s display screen, and shared it on reddit. A school newspaper picked up the story (pdf) and determined that the vending machine uses a camera and facial detection as a combination of smart motion sensor and demographics detector for targeted advertising. Yes, these vending machines serve targeted ads. At least they did. These vending machines have met their Waterloo at the University of Waterloo, with the school now formally requesting their removal.

Bits and Bytes

Ring Doorbell to Pwn: It turns out that some smart doorbells aren’t all that smart. It’s not surprising that there’s a process to reset a smart doorbell, to associate it with another account. It is rather surprising that this process is as easy as holding the big doorbell button itself for 8 seconds. At the very least, the legitimate owner will receive an email about the change.

Printer insecurity is nothing new, but 3D printer security is still a bit of a niche idea. That may be changing, now that the equivalent of a “greetings.txt” file has been dropped on a bunch of Anycubic printers. Apparently Anycubic uses an MQTT server that really doesn’t have sufficient access controls.

It’s that time again, when a vulnerability fix has been released for GitLab, and it’s time to go update. The stand-out this time is a Cross Site Scripting (XSS) flaw upon visiting a user’s profile page. I leave it as an exercise for the reader, to produce sample code that copies “samy is my hero” to the profile page of each visitor.

And finally, in the irony department, Avast has been fined for using a browser privacy plugin as a platform to collect and sell user data. This happened from 2014 to 2020, using the Jumpshot platform for the actual selling of data. The data was nominally anonymized, but the amount and detail of information available is a bit staggering. It is worth pointing out that Jumpshot is no more, and Avast is now owned by another company. Hopefully without harvesting user information.

FLOSS Weekly Episode 768: Open Source Radio
https://hackaday.com/2024/01/31/floss-weekly-episode-768-open-source-radio/
Thu, 01 Feb 2024 00:00:49 +0000

This week Jonathan Bennett and Doc Searls talk with Tony Zeoli about Netmix and the Radio Station WordPress plugin. The story starts with the Netmix startup, one of the first places doing Internet music in the 1990s. That business did well enough to get bought out just before the Dot Com bubble burst in 2000. Today, Tony runs the Radio Station plugin, which is all about putting a station’s show schedule on a WordPress site.

In the process, the trio covers Internet radio history, the licensing complications around radio and streaming, the state of local radio, and more. Is there a long term future for radio? Does Creative Commons solve the licensing mess? Is AI going to start eating radio, too? All this and more!

wordpress.org/plugins/radio-station
radiostation.pro
netmix.com
tonyzeoli.com
avlhms.com
linkedin.com/in/tonyzeoli

Did you know you can watch the live recording of the show right in the Hackaday Discord? Next week we’re interviewing Matt Ray of the Opencost project.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

This Week in Security: Bogus CVEs, Bogus PoCs, And Maybe a Bogus Breach
https://hackaday.com/2023/07/07/this-week-in-security-bogus-cves-bogus-pocs-and-maybe-a-bogus-breach/
Fri, 07 Jul 2023 14:00:14 +0000

It appears we have something of a problem. It’s not really a new problem, and shouldn’t be too surprising, but it did pop up again this week: bogus CVEs. Starting out in the security field? What’s the best way to jump-start a career? Getting a CVE find to your name certainly can’t hurt. And as a result, you get very junior security researchers looking for and reporting novel security vulnerabilities of sometimes dubious quality. Sometimes that process looks a lot like slinging reports against the wall to see what sticks. This brings us to an odd bug report in the OBS Studio project.

A researcher put together a script to look for possible password exposure on Github projects, and it caught a configuration value named “password” in a .ini file, being distributed in the project source. Obvious credential leak in Git source, right? Except for the little detail that it was in the “locale” folder, and the files were named ca-es.ini, ja-jp.ini, and similar. You may be in on the joke by now, but if not, those are translation strings. It wasn’t leaked credentials, it was various translations of the word “password”. This sort of thing happens quite often, and from the viewpoint of a researcher looking at results from an automated tool, it can be challenging to spend enough time with each result to fully understand the code in question. It looks like this case includes a language barrier, making it even harder to clear up the confusion.

Things took a turn for the worse when a CVE was requested. The CVE Numbering Authority (CNA) that processed the request was MITRE, which issued CVE-2023-34585. It was a completely bogus CVE, and thankfully a more complete explanation from OBS was enough to convince the researcher of his error. That, however, brings us back to CVE-2023-36262, which was published this week. It’s yet another CVE, for the same non-issue, and even pointing at the same GitHub issue where the alleged bug is debunked. There are multiple fails here, but the biggest disappointment is MITRE, for handing out CVEs twice for the same issue. Shout-out to [Netspooky] on Twitter for spotting this one.

Bogus PoC

Don’t run untrusted code. Don’t run untrusted code, even if it’s claimed to be a Proof of Concept (PoC) from a security researcher. The background is CVE-2023-35829, a use-after-free in the Rockchip video driver in Linux kernel versions prior to 6.3.2. There’s not a lot of detail about this flaw, except that in certain instances it could be used to achieve escalation of privilege. What’s newsworthy is that there was a PoC published on GitHub, and shared fairly widely on Twitter, but it turns out that PoC also included a nasty little surprise.

The tweets and GitHub repositories have been yanked, but a bit of Google-fu can find the cached repos. (Warning, running that PoC is not a good idea.)

Bogus Breach Claim — Maybe

There’s a relatively new hacktivist group making itself a pain to the Western world recently, working under the name Anonymous Sudan. This group has made its name by doing Distributed Denial of Service attacks against Western targets like Microsoft. This week, the group made claims that they had hit Microsoft with a breach, and exfiltrated 30 million customers’ data. The only problem is that Microsoft can’t find any sign of a problem. The 100 samples of stolen data that were released with the announcement seem to be from an old incident, so we’re rating this one “probably bogus”.

WordPress Plugin: Ultimate Member

On the other hand, the attack against WordPress installs using the Ultimate Member plugin seems to be very real. The vulnerability involves setting a user’s wp_capabilities value to jump to administrator privileges. That was accomplished by side-stepping security code through the use of wp_capabiliti\\es, wp_caPabilitiEs, and a few other creative bypasses. With version 2.6.7 of the plugin, a whitelist of those allowed keys has been added, finally putting the issue to rest.

ServiceNow

Researcher [R3zk0n] has found a series of issues in the ServiceNow platform that could lead to Admin access. This cloud system provides IT software as a service, and is used widely worldwide. The issue allows any standard user account to become an administrator. The PoC is published, and a ServiceNow update is available. While it is a welcome relief that this attack requires a valid user account, it still ranks a CVSS of 9.9, and may prove to be quite a problem.

Bits and Bytes

We do have an interesting problem in the Linux Kernel, nicknamed StackRot. It’s a very broad privilege escalation, introduced in kernel 6.1 with the addition of the Maple Tree memory structure. This vulnerability actually ended up provoking Linus Torvalds to sling some C code himself to fix it. The fix is in versions 6.1.37, 6.3.11, 6.4.1, and the in-process 6.5 code.

PortSwigger is back with a guide to GraphQL. Turns out that there are some common ways to find GraphQL endpoints, and potentially quite a bit of information that can be gathered from looking at what’s available at that endpoint.

Similarly, HAKAI Offensive Security has a primer on finding Nginx traversal flaws. The most common one seems to be a location configuration that lacks the final slash on a path, opening up the server to path traversal and other fun tricks. Go forth and learn! And hack responsibly.

This Week in Security: Gitlab, KeyPassMini, and Horse
https://hackaday.com/2023/05/26/this-week-in-security-gitlab-keypassmini-and-horse/
Fri, 26 May 2023 14:00:50 +0000

There’s a really nasty CVSS 10.0 severity vulnerability in Gitlab 16.0.0. The good news is that this is the only vulnerable version, and the fix came a mere two days after the vulnerable release. If you happened to be very quick to go to 16.0.0, then be very quick to get the fix, because CVE-2023-2825 looks like a bad one.

An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

That’s a very specific set of requirements for the vulnerability, so it seems like hardly any installs would be vulnerable. The rest of the story is that regular users can create groups, and many installs allow for open user registration. So if you’re running Gitlab 16.0.0, update now!

KeyPassMini

A Redditor got a surprising notice that someone attempted to access a bank account, but failed two-factor authentication. That seemed odd, and led the Redditor down the rabbit hole of auditing applications. And one iOS app in particular stood out as maybe problematic — KeyPassMini.

The app was a mobile client for KeyPass, the password manager. The problem was some analytics. It looks like KeyPassMini was bundling up some system information and uploading it to a server controlled by the creator. Analytics are often unpopular, but this app was including the system clipboard contents in the uploaded data. Yikes! And it gets worse: The app does password fills by using that same clipboard, so some of the protected passwords may have been scooped up into that analytics data. And sent unencrypted. Oof.

Now, the app author has pulled the plug on the app altogether, and responded on the old Github project page. It’s a bit odd, but it’s perfectly believable that there were no ill intentions here. Regardless, code to send the clipboard is a big problem, and definitely undoes a lot of trust in a project.

And KeyPass itself has a problem, though much less worrying. KeyPass attempts to keep sensitive data out of its own memory when possible. This approach aims to protect even in the event of a compromised machine. [vdohney] on Sourceforge discovered that there is a channel to recover the master password, by being just a bit clever. When a user types in the master password, by default, KeyPass will show the last letter typed, and replace the previous letters with bullets. But each iteration of that string ends up in program memory, so a privileged attacker can get a memory dump, look for the bullet characters, and find a set of leftover strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It’s an easy password grab. Now remember, this essentially implies an attacker has memory access on your system, so it’s not a gaping weakness in KeyPass.

As you can see from the POC on GitHub, the problem is that a .NET text box keeps the strings in memory, so it probably hits both Windows and Linux users under Mono. The proposed solution that the KeyPass team is taking is to poison the well with enough random characters that retrieving the correct password is a lot harder. It’s still getting fixed in the next release.
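To make the leftover-string problem and the proposed fix concrete, here is a small Python simulation we added; it is not the GitHub POC and not KeyPass’s .NET code. It models a text box that keeps every intermediate masked string (•a, ••s, …), shows that those fragments pin down the password exactly, and then models the “poison the well” idea as decoy fragments of the same length with a random final character. One assumption in the simulation: decoy characters are drawn from the alphabet excluding the real keystroke, so each position is guaranteed to gain wrong candidates.

```python
import itertools
import random
import string

BULLET = "\u2022"  # the masking character the text box displays


def masked_history(password: str):
    """The strings a 'show last typed character' text box holds, one per keystroke."""
    return [BULLET * i + password[i] for i in range(len(password))]


def masked_history_with_decoys(password: str, decoys_per_keystroke: int, rng: random.Random):
    """Same as above, but every real fragment is accompanied by decoy fragments
    of the same length whose final character is random.

    Simulation assumption: decoys are drawn from the lowercase alphabet minus the
    real keystroke, so each position gains exactly decoys_per_keystroke wrong
    candidates. A real implementation would simply use random characters.
    """
    out = []
    for i, ch in enumerate(password):
        pool = [c for c in string.ascii_lowercase if c != ch]
        fragments = [BULLET * i + ch]
        fragments += [BULLET * i + d for d in rng.sample(pool, decoys_per_keystroke)]
        rng.shuffle(fragments)  # order in memory is not meaningful
        out.extend(fragments)
    return out


def candidates_from_residue(fragments):
    """Reconstruct every password consistent with the leftover masked fragments.

    A fragment of n bullets followed by one character says 'position n is that
    character'. With no decoys each position has exactly one option.
    """
    by_position = {}
    for frag in fragments:
        last = frag.lstrip(BULLET)
        if len(last) != 1:
            continue  # not 'bullets + one character': ignore
        by_position.setdefault(len(frag) - 1, set()).add(last)
    if not by_position:
        return []
    length = max(by_position) + 1
    if any(i not in by_position for i in range(length)):
        return []  # a gap in the positions: nothing reliable to rebuild
    choices = [sorted(by_position[i]) for i in range(length)]
    return ["".join(p) for p in itertools.product(*choices)]


if __name__ == "__main__":
    secret = "password"  # constructed sample, obviously
    print("plain residue ->", candidates_from_residue(masked_history(secret)))
    noisy = masked_history_with_decoys(secret, 3, random.Random(1))
    print("with decoys   ->", len(candidates_from_residue(noisy)), "candidates")
```

With three decoys per keystroke an eight-character password turns into 4^8 = 65536 candidates, which is why the KeyPass team considers the mitigation good enough for an attacker who already has a memory dump.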

Horse Shell for MIPS Routers

Checkpoint Research brings us news of the Horse Shell, a bit of malware specifically for MIPS architecture routers running Linux. It’s been found in TP-Link firmware images so far, but as so many of those routers are essentially based on the same Linux SDK, the malware appears to be applicable to many models. The exact firmware images being examined were found in a collection of tools used by Camaro Dragon, a rather catchy name for a Chinese APT group.

The firmware images have some of the normal bits you would expect, like data collection, remote shell, and remote proxy support. They have some really sneaky tricks, too, like storing part of the data on the partition reserved for WiFi calibration data. One has to wonder if hijacking that partition negatively affects the router’s wireless performance. In the firmware images examined, the quickest tell is to go to the firmware upgrade page. If it’s blank, without a form to upload new firmware, you may have the malicious image.

WordPress

WordPress 6.2.1 has a security fix, then improved upon in 6.2.2, for block themes parsing user-generated shortcodes. A shortcode is a tag inside [brackets] that gets replaced by more complicated content. We use a code shortcode all the time here on Hackaday, to try to get source code to render nicely, angle brackets and all.

It turns out, the fix in 6.2.1 went a little overboard, breaking quite a few sites by disabling shortcodes in block themes altogether. The situation in 6.2.2 is a bit better, with most of the problems being dealt with. Sometimes it’s hard to tell the bugs and the features apart.

And a WordPress plugin, Beautiful Cookie Consent Banner, is under active attack for a Cross-Site Scripting vulnerability. The attack is odd, as WordPress.org shows just 40,000 active installs, and almost 1.5 million sites have been sent the malicious payload to try to exploit the plugin. And the kicker? It looks like the payload on this attack is a dud, and fails to actually infect a vulnerable site. It can still goober a vulnerable site, so make sure to check your plugins.

Bits and Bytes

Speaking of plugins, be careful what VScode plugins you use. They’re not all friendly. Microsoft has been working to keep malicious plugins off the official marketplace, but that arms race never seems to have an end. And as such, there were a couple known malicious plugins with nearly 50,000 installs.

For some in-depth fun, check out this PDF paper on Android Fingerprint Reader attacks. It seems simple, right? Take a screenshot of a finger, compare it to a known data set, and lock the phone if the test fails too many times. It is, of course, not quite that simple. Researchers formulated two loopholes, Cancel-After-Match-Fail and Match-After-Lock, both of which abuse user-friendly features to manage way more attempts at a fingerprint read. Read the paper for the juicy details.
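To show the kind of logic bug those two loopholes rely on, here is an added example of our own in Python, not code from the paper or from any Android vendor. It models a fingerprint gate two ways. The naive one counts a failure only after a match completes and fails, so a sample the matcher rejects before comparing costs nothing, and it keeps matching while locked even though it hides the verdict. The hardened one charges the attempt before any matching work, treats a cancelled sample as a consumed attempt, and does no matching at all while locked. The hash-based matcher and the `malformed` flag are stand-ins for a real sensor pipeline.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 5
LOCKOUT_SECONDS = 30


def _fingerprint_of(sample: bytes) -> bytes:
    # Stand-in for a real matcher: a digest compared in constant time.
    return hashlib.sha256(sample).digest()


class NaiveLockout:
    """Failure counted only when a match completes and fails; matching still
    runs while locked, and the verdict is merely not reported."""

    def __init__(self, enrolled: bytes, clock=time.monotonic):
        self.template = _fingerprint_of(enrolled)
        self.failures = 0
        self.locked_until = 0.0
        self.clock = clock

    def attempt(self, sample: bytes, malformed: bool = False):
        matched = hmac.compare_digest(_fingerprint_of(sample), self.template)  # always runs
        if self.clock() < self.locked_until:
            # Match-After-Lock: the comparison happened anyway, so anything
            # observable about it (timing, a debug log) still leaks the verdict.
            return "locked", matched
        if malformed:
            # Cancel-After-Match-Fail: the attempt is abandoned and not charged.
            return "cancelled", None
        if matched:
            self.failures = 0
            return "ok", True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
        return "fail", False


class HardenedLockout:
    """Charges every attempt up front (refunded on success), counts cancelled
    samples, and refuses to run the matcher at all while locked."""

    def __init__(self, enrolled: bytes, clock=time.monotonic):
        self.template = _fingerprint_of(enrolled)
        self.failures = 0
        self.locked_until = 0.0
        self.clock = clock

    def attempt(self, sample: bytes, malformed: bool = False):
        if self.clock() < self.locked_until:
            return "locked", None  # no matching work happens here
        self.failures += 1  # charged before any matching
        if self.failures >= MAX_FAILURES:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
        if malformed:
            return "cancelled", None  # still consumed an attempt
        if hmac.compare_digest(_fingerprint_of(sample), self.template):
            self.failures = 0
            self.locked_until = 0.0
            return "ok", True
        return "fail", False


def unlocked_after_cancels(gate_cls, cancels: int) -> bool:
    """Can a wrong finger still be tried after `cancels` malformed samples?"""
    gate = gate_cls(b"enrolled-finger", clock=lambda: 1000.0)  # constructed clock
    for _ in range(cancels):
        gate.attempt(b"garbage", malformed=True)
    status, _ = gate.attempt(b"wrong-finger")
    return status != "locked"


if __name__ == "__main__":
    print("naive still accepts attempts after 20 cancels:", unlocked_after_cancels(NaiveLockout, 20))
    print("hardened still accepts attempts after 20 cancels:", unlocked_after_cancels(HardenedLockout, 20))
```

The general rule the hardened version follows is to spend the attempt budget before doing the expensive, observable work, so that neither a cancel path nor a lockout state can be used to get extra comparisons for free.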

And finally, Troy Hunt had some fun at the expense of a scammer. Troy’s wife was selling a fridge on Gumtree, and they decided to play along with a suspicious “buyer”. Turns out, it’s the old agent fee scam. I’ll give you the money you asked for, plus $800 to cover the fee. Can you forward that extra money on? But of course, the Paypal confirmation message was faked, and there was no money paid. Troy managed to get an impressive bit of information, including that the scam is actually being run out of, you guessed it, Nigeria. Shipping would be a pain. ><

Author: DarkArts
This Week in Security: Rackspace Falls Over, Poison Ping, and the WordPress Race
https://hackaday.com/2022/12/09/this-week-in-security-rackspace-falls-over-poison-ping-and-the-wordpress-race/
Fri, 09 Dec 2022 15:00:03 +0000

In what’s being described as a Humpty-Dumpty incident, Rackspace customers have lost access to their hosted Exchange service, and by extension, lots of archived emails. The first official word of trouble came on December 2nd, and it quickly became clear that this was more than the typical intern-tripped-over-the-cable incident. Nearly a week later, Rackspace confirmed what observers were beginning to suspect: it was a ransomware attack. There are not a lot of other answers yet, and the incident FAQ answers are all variations on a theme.

Our investigation into the incident is ongoing and will take time to complete. To ensure the integrity of the ongoing investigation, we do not have additional details to share at this time.

Knowing the security issues that have plagued Microsoft Exchange over the last couple of months, one has to wonder if Rackspace was breached as a result of the PowerShell problems. What’s staggering is that a week after the incident, Rackspace still has no timeline for service restoration.

Rackspace isn’t the only major ransomware attack this week, as a hospital in Versailles has partially shut down due to another ransomware attack. Operations were canceled, and work has to be done the old-fashioned way, without the network to support it.

Hikvision Rebadge Gotcha

There’s a joke that’s halfway serious, that claims that there’s actually only one manufacturer of security cameras. While not entirely implausible, it’s common knowledge that many cameras on the market are rebadged Hikvision or Dahua hardware. That rebadge means that a security issue in one brand may affect far more devices than initially suspected. In this case, a vulnerability in Hikvision Ezviz cameras appeared to be limited to that brand, but research by IPVM confirmed that other Hikvision-manufactured cameras share the same issue. That is, bad crypto makes the admin password recoverable. Even worse, Ezviz cameras are a cloud solution, but many other Hikvision models are exposed to the Internet. A Shodan scan suggests over 400,000 devices are unpatched and accessible. As they’re not current models, there’s not a security update planned.

And speaking of cameras, Anker’s Eufy system seems to have some severe security issues that fly in the face of all the privacy assurances made about the system. Anker claims the cameras only store data locally, streaming is end-to-end encrypted all the way to the user’s devices, etc. The truth seems to be that anyone with a camera’s serial number could trivially brute-force the 16-bit key to produce an unencrypted stream. So far, this looks ugly. Some fixes have been rolled out, but the entire system appears to be much less secure and private than Anker advertised it to be.

Ping

FreeBSD’s ping utility has a bit of an issue, made more serious by the requirement for it to run setuid root. When sending a ping, the response from the remote server gets copied into local memory, and that response can include a quoted packet. That quoted packet can include extra, unexpected options, which can lead to a buffer overflow during processing. This may be possible to chain into Remote Code Execution (RCE), giving a whole new meaning to “ping of death”. Patches were made available November 29th.
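The defensive side of that story is a parser that checks every length field in the quoted IPv4 header before anything gets copied. Here is an added Python example of our own (not FreeBSD’s C code, and not the fix that shipped) that walks the quoted header and its options, rejects any IHL or option length that overruns the bytes actually received or the destination buffer the caller has, and builds a couple of constructed headers to exercise it. The `max_header_len` parameter stands in for the size of whatever buffer the header would be copied into.

```python
import struct

IHL_MIN_WORDS = 5    # 20-byte header, no options
IHL_MAX_WORDS = 15   # 60 bytes is the most IHL can express


def parse_quoted_ip_header(icmp_payload: bytes, max_header_len: int = 60):
    """Parse the IPv4 header quoted inside an ICMP message and validate every
    length field before trusting it.

    Returns {"header_len": int, "options": [(type, data), ...]} or raises
    ValueError. Nothing here copies bytes into a fixed buffer; max_header_len
    models the size of the buffer a caller would copy the header into.
    """
    if len(icmp_payload) < 20:
        raise ValueError("quoted header truncated")
    version = icmp_payload[0] >> 4
    ihl_words = icmp_payload[0] & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    if not IHL_MIN_WORDS <= ihl_words <= IHL_MAX_WORDS:
        raise ValueError(f"bad IHL {ihl_words}")
    hlen = ihl_words * 4
    if hlen > len(icmp_payload):
        raise ValueError("IHL exceeds the quoted bytes actually present")
    if hlen > max_header_len:
        raise ValueError("header would not fit the destination buffer")
    (total_len,) = struct.unpack_from("!H", icmp_payload, 2)
    if total_len < hlen:
        raise ValueError("total length smaller than header length")

    options = []
    pos = 20
    while pos < hlen:
        kind = icmp_payload[pos]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation: a single byte
            pos += 1
            continue
        if pos + 1 >= hlen:
            raise ValueError(f"option {kind} has no length byte")
        olen = icmp_payload[pos + 1]
        if olen < 2 or pos + olen > hlen:
            raise ValueError(f"option {kind} length {olen} overruns the header")
        options.append((kind, bytes(icmp_payload[pos + 2:pos + olen])))
        pos += olen
    return {"header_len": hlen, "options": options}


def make_quoted_header(options: bytes) -> bytes:
    """Constructed IPv4 header (192.0.2.1 -> 192.0.2.2) carrying raw option
    bytes, padded to a 4-byte boundary as IHL requires."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    total_len = ihl * 4 + 8  # pretend an 8-byte ICMP echo follows
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0, 0, 64, 1, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + padded


def is_rejected(icmp_payload: bytes, **kwargs) -> bool:
    """True when the parser refuses the quoted header."""
    try:
        parse_quoted_ip_header(icmp_payload, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    router_alert = make_quoted_header(b"\x94\x04\x00\x00")   # type 148, len 4
    print(parse_quoted_ip_header(router_alert))
    # Same header, but the option claims 64 bytes it does not have.
    print("overrun rejected:", is_rejected(make_quoted_header(b"\x94\x40\x00\x00")))
    # IHL patched to 15 (60 bytes) on a 24-byte header.
    print("IHL lie rejected:", is_rejected(bytes([0x4F]) + router_alert[1:]))
```

The three separate checks (IHL against bytes received, IHL against the destination buffer, and each option length against the header end) are the ones that matter; any one of them missing is enough to let a quoted packet from the network drive a memory copy past its buffer.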

Android Keys Leaked

There are problems over in Android-land, too. It seems that multiple vendors have lost control of their secret keys, and malware is currently being distributed using those signing keys. The list includes Samsung, LG, and Mediatek. It’s bad in multiple ways. One in particular is that these keys are “platform certificate keys”, which allow a signed app to run as a system user — nearly worst-case for malware. Questions abound, like how multiple vendors are affected. Even more puzzling is the fact that VirusTotal has a malicious sample using Samsung’s signing key from 2016. How or why the key has been compromised for six years, and is still in use, is unknown. If more information becomes available, we’ll revisit this very odd story in the future.

The WordPress Race

How many of us have done WordPress installs? Remember how quick and easy it is? Just get the installer extracted to the right place, open it in a web browser, and punch a few details in. Give it your database information, and your site is quickly online. There’s a gotcha that may surprise you. The “5-minute install” is actually a window for exploitation. The usual process puts the installer on the public internet, but since there aren’t any links pointing to the installer, it’s vanishingly unlikely to be found by an attacker before the install finishes. However, many services automate acquiring a valid SSL certificate, and every new certificate generates an entry on the Certificate Transparency Log. (Side note, every Let’s Encrypt certificate does the same, meaning your private project may not be as private as you thought.)

The actual attack, which is happening in the wild, is fiendishly clever. A single POST sets the WordPress database to the attacker’s server. When the legitimate user runs the installer, it looks just as expected, except that it never prompts for database settings. The result is that the attacker, who is hosting the database, is the ultimate authority over the WordPress install. When researching sites that had been compromised in this way, the researcher that caught this campaign, [Vladimir Smitka], found various compromises like web shells, malicious plugins, and more! In response, he set up an automatic service that watches the malicious database and emails the legitimate site owner for every new compromised domain.
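If the installer was hijacked this way, the evidence is sitting in `wp-config.php`: the `DB_HOST` constant points somewhere you did not choose. Here is a small check we added for that (our code, not part of WordPress or of [Vladimir Smitka]’s service). It pulls the `define()` constants out of a config, strips the `:port` or `:/socket` suffix WordPress allows in `DB_HOST`, and reports a hostname outside an allow list. The two config fragments are constructed; `203.0.113.10` is a documentation-range placeholder standing in for an attacker-controlled host.

```python
import re

# Constructed wp-config.php fragments, not taken from any real site.
CLEAN_WP_CONFIG = """
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );
"""

HIJACKED_WP_CONFIG = """
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_site');
define('DB_PASSWORD', 'example-only');
define('DB_HOST', '203.0.113.10:3306');   /* placeholder for an attacker-run database */
"""

# Matches define( 'NAME', 'value' ) with either quote style and loose spacing.
_DEFINE_RE = re.compile(r"""define\s*\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")


def wp_defines(text: str) -> dict:
    """Return the string constants a wp-config.php defines, by name."""
    return {m.group(2): m.group(4) for m in _DEFINE_RE.finditer(text)}


def db_hostname(db_host: str) -> str:
    """Strip the :port or :/path/to/socket suffix WordPress accepts in DB_HOST."""
    return db_host.split(":", 1)[0]


def audit_db_host(text: str, allowed_hosts=("localhost", "127.0.0.1")) -> list:
    """Findings about DB_HOST; an empty list means it points where expected."""
    host = wp_defines(text).get("DB_HOST")
    if host is None:
        return ["DB_HOST is not defined"]
    if db_hostname(host) not in allowed_hosts:
        return [f"DB_HOST points at {host!r}, which is not one of {list(allowed_hosts)}"]
    return []


if __name__ == "__main__":
    print("clean:   ", audit_db_host(CLEAN_WP_CONFIG))
    print("hijacked:", audit_db_host(HIJACKED_WP_CONFIG))
```

Pass your own database host in `allowed_hosts` if it lives on a separate server; the point is that the value in the file should match a decision you made, not whatever the installer was handed first.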

KmsdBot Does Us a Favor: The Fatal Typo

It’s hard to imagine a better poetic ending for KmsdBot. This botnet was written using Go, and the payload runs in memory without writing any permanent changes to disk. The author seems to have skimped on the error handling part of the code. And to our great delight, the good folks at Akamai were watching when the botnet operator sent a typo’ed command. !bigdata http://www.bitcoin.com443 / 30 3 3 100 should have included a space between the URL and port number. It didn’t, and it looks like the entire botnet crashed as a result. One less to worry about.

Bits and Bytes

Not to be left out, Kaspersky researchers have found a wiper masquerading as a fake ransomware campaign, this time targeting machines solely in Russia. CryWiper checks in with a C&C server before actually scrambling files, and once it gets clearance it runs every 5 minutes. The malware goes out of its way to stop SQL services, Exchange servers, and other such services. This likely ensures that the database on disk is corrupted, rather than access being denied because the service has a lock on the file. Also of interest, it disables Remote Desktop Protocol on the affected system.

There’s a Google Chrome release that dropped on the 2nd, and it includes a fix for CVE-2022-4262, a type confusion problem in the V8 Javascript engine. It’s notable, because there’s an in-the-wild exploit for it. This sort of bug is usually the foot in the door — visit a malicious website, it runs some weird looking Javascript, and triggers the exploit. Once enough time has gone by, the bug details should become available on Google’s bug tracker.

And finally, something novel in the world of physical security. Picking some locks is laughably easy, if you have the proper tools. A skilled thief might carry a tension wrench and lock rake tool, and give a lock a few seconds of effort before giving up — or turning to an angle grinder. The traditional way to defeat a trivial picking attempt is to make a better lock. Tighter tolerances and security pins make raking very difficult. The Curt Coupler Lock has taken a different approach. The lock core is trivially raked, but the core locks in four different orientations, and the unlock procedure works by unscrewing the lock through nearly three turns. Yes, this lock has to be picked eleven times to get it open without the key. Now it’s not a perfect solution — the whole video is only three minutes long after all. But it’s clever, and that’s something.

Author: DarkArts