Super(conductive) Graphene, Yandex Leak, No Fly Lists, & Thinkpad Servers – PSW #771
In the Security News for this week: defending against cleaning services, catastrophic mutating events and the future, myths and misconceptions, finding vulnerabilities in logs (And not log4j), SSRF leads to RCE with a PoC, SQLi with XSS bypasses WAF FTW, thinkpad as a server, RPC directory traversal for the win, just directory traversal for the win, Paul gets a Flipper Zero and how he thinkgs he's some sort of hero, sh1mmer your chromebook, and superconductive magic angle graphene!
You can now find us on Instagram! Follow us for highlight reels, giveaway announcements, and more at SecWeekly.
- 1. Flipper-IRDB
This is a massive collection of IR files for the flipper. I've tested a few on Unleashed firmware, and they are working great! I mean, who doesn't want to carry around a pre-programmed universal remote with them at all times?
- 2. Security Advisory: Remote Command Execution in binwalk
- Ah, right, so this: print(os.path.abspath('/home/username/../../etc/passwd')) results in this: '/etc/passwd'
- But this: print(os.path.join('/home/username/../../etc/', 'passwd')) results in this: /home/username/../../etc/passwd
- And now you understand the vulnerability :)
- 3. Hacker finds bug that allowed anyone to bypass Facebook 2FA
"With a victim’s phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make." - I think this means the victim still gets an SMS message with a code they did not request...
- 4. VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
This is great, chaining some exploits, unauthenticated RPC with directory traversal for the win! Summary: "We create a Thrift client and are allowed unauthenticated access to the Log Insight Thrift server. We create a malicious tar file containing a directory traversal using a valid Pak file. Using remotePakDownloadCommand, we upload the malicious Pak file to /tmp/
.pak. We cause the Pak file to be extracted using pakUpgradeCommand. This writes our file to where we want on the filesystem."
- 5. Linux Developers Evaluating New “DOITM” Security Mitigation For Latest Intel CPUs
Interesting: "Last summer Intel published guidance around the Data Operand Independent Timing (DOIT) instruction mode that can be enabled with recent generations of Intel processors to ensure constant time execution for a subset of the Intel instruction set, which can be particularly important for cryptographic algorithms. Linux kernel developer discussions fizzled out last year over handling this DOIT functionality for what is described as a CPU vulnerability with recent Intel CPUs. However, now a Linux kernel patch from a Google developer would enable this change unconditionally for newer Intel CPUs but raises performance concerns." - This is in response to the Hertzbleed attack from last year that we covered.
- 6. Serious Security: The Samba logon bug caused by outdated crypto
Hrm, and it looks like older Debian versions are vulnerable: https://security-tracker.debian.org/tracker/source-package/samba
- 7. Bypassing Cloudflare WAF: XSS via SQL Injection
Wow, parameter SQL injection along with XSS in an error message that gets displayed. This opens up too many possibilities, so bypassing the WAF was the next logical step. This just should not exist today, but it does, because bugs never die...
- 8. Lexmark warns of RCE bug affecting 100 printer models, PoC released
SSRF leads to RCE, PoC exists, haven't found it yet. Also, Shodan did not have much to say about port 65002 (where the service runs that is vulnerable).
- 9. offsec.tools
- 10. ThinkPad as a server: the follow-up
This is a really neat use-case for a laptop, rip out as much as you can, get some airflow to it, and use it as a server!
- 11. Lambda risks – Rami’s Wiki
- 12. Threat and Vulnerability Hunting with Application Server Error Logs
This is really awesome; we should all pay attention to it: "The basic assumption of our monitoring idea is that certain exceptions should never appear in production applications that were written securely. For example - SQL ‘syntax errors’ should not occur when a query is written ‘properly’ (i.e. using a valid parameterized query library). Such exceptions may indicate that the actual syntax of the SQL query changed due to a runtime aspect (for example user input) that was not properly handled or was unexpected...If you ‘reverse’ this logic, the process becomes clear - instead of searching for injections using penetration tests (and then finding evidence in the log), find errors in the logs and then reverse-engineer them to build the injection payload and find the vulnerability."
- 13. CVE-2023-20025 – RCE in End-of-Life Cisco Routers
- "Cisco noted that an exploit is floating around the internet, although it has not been made publicly available. But the good news is that Cisco is unaware of these exploits being used maliciously." - I don't seem to remember a requirement that malicious actors report exploitation of vulnerabilities in the wild to the vendor, unless I missed the memo.
- This is also really bad on all fronts: *"Cisco stated in their advisory that they have “not released software updates to address the vulnerabilities described in [the] advisory.” and that “there are no workarounds that address these vulnerabilities.”. Given that these devices are End of Life (meaning they are entirely unsupported by Cisco), there will not be an official fix for the vulnerabilities.""
- You should just disable the web interface on these devices. This also begs the question of support for firmware-based systems, when does it end and how long are you keeping the device? It's frustrating that we could use devices for longer periods of time, but OEMs do not want to support them that long, or allow you to run your own firmware in most cases.
- 14. Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI
- 15. U.S. ‘No Fly List’ Leaks After Being Left in an Unsecured Airline Server
What happened to innocent until proven guilty?
- 16. CoolElectronics/sh1mmer: source tree, website, and writeup for the sh1mmer chromebook jailbreak
"The tool works because, as one of the hackers involved (CoolElectronics#4683) explains, only kernel partitions are checked for signatures by ChromeOS firmware. Other partitions can be edited after the forced readonly bit is removed." - Not entirely sure how this works (and shim is an overloaded term), but it sounds like you can obtain a package that includes a signed bootloader and kernel, which then allows you to install any other software you want because the rest is not checked for a signature.
- 1. A Catastrophic Mutating Event Will Strike the World in 2 Years, Report Says
I don't generally look to Popular Mechanics for articles on Cybersecurity, but who am I to judge? The article cites a presentation at the recent World Economic Forum (WEF) highlighting the WEF Global Security Outlook Report 2023, which asserts that “93 percent of cyber leaders, and 86 percent of cyber business leaders, believe that the geopolitical instability makes a catastrophic cyber event likely in the next two years." Given the state of our industry, I'm not sure we prevent this from occurring, so what should be our strategy?
- 2. Cybersecurity Myths and Misconceptions
Spaf is very excited about his latest book release - so go grab a copy today!
In Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us, three cybersecurity pioneers don't just deliver the first comprehensive collection of falsehoods that derail security from the frontlines to the boardroom; they offer expert practical advice for avoiding or overcoming each myth.
- 1. Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover
- 2. Outrageous Stories From Three Cyber Incident Responders
- 3. Google Fi says hackers accessed customers’ information
- 4. DocuSign Brand Impersonation Attack Bypasses Security Measures, Targets Over 10,000
- 5. US Marines Defeat DARPA Robot by Hiding Under a Cardboard Box
- 1. The generative AI revolution has begun—how did we get here?
AI has made progress at an incredible pace. Why? Because of a new class of AI models that are more flexible and powerful than anything that has come before: foundation models. The main drivers of this success are programmable GPUs, large training data sets, and a model from Google called "the transformer." Inputs are reduced to a matrix of numbers so large data inputs can be efficiently processed.
- 2. New US ransomware strategy prioritizes victims but could make it harder to catch cybercriminals
The FBI's new strategy prioritizes helping victims of cybercrime over gathering evidence for prosecution. The FBI had extraordinary access for six months to the computer infrastructure of a Russian-speaking ransomware group known as Hive, and passed keys to victims so they could decrypt their systems and thwart $130 million in ransom payments.
- 3. Study: Superconductivity switches on and off in ‘magic-angle’ graphene
Graphene is an atom-thin material made from carbon atoms that are linked in a hexagonal pattern resembling chicken wire. Two sheets of graphene stacked together and rotated by the magic angle of 1.1 degrees create a new material with an amazing property: superconductivity that can be turned on and off with an electric pulse, much like a light switch.
The discovery could lead to ultrafast, energy-efficient superconducting transistors for neuromorphic devices—electronics designed to operate in a way similar to the rapid on/off firing of neurons in the human brain.
- 4. Massive Yandex code leak reveals Russian search engine’s ranking factors
Nearly 45GB of source code files, allegedly stolen by a former employee, have revealed the underpinnings of Russian tech giant Yandex's many apps and services. This exposes the internal workings of Yandex and also Google, since Yandex purportedly employs several ex-Google employees.
- 1. Ukraine Humanitarian Aid Village | Ukraine Humanitarian Aid Village
The Ukraine humanitarian aid village was established with the purpose of providing a safe, nurturing shelter, and refuge for individuals fleeing violence and hardship from the war in Ukraine. Here, those who come to our humanitarian village can find a stable new home that provides 3 nutritious hot meals a day, medical care, education, and safety from harm. Many of the women and children in our facility have grown together and formed strong bonds of friendships, turning this village into a safe haven in an otherwise tumultuous environment.
Your donations will ensure that these residents receive the love, support, vital care, and safe environment they require to survive and thrive. It will help to provide nutrition assistance; trauma-informed care; warm clothing; educational resources; quality winter-proof housing; mental health services; security; and play therapy tools for young children. By supporting us through your donations, you’ll be giving us the means to continue to make a positive impact and save lives in Ukraine.