The RIGHT Software, Docker vs. Root, CORS, Vuln Risk Scoring, & Cisco Attacks – PSW #772

"While the double-free vulnerability in OpenSSH version 9.1 may raise concerns, it is essential to note that exploiting this issue is no simple task," Abbasi explained. "This is due to the protective measures put in place by modern memory allocators and the robust privilege separation and sandboxing implemented in the impacted sshd process." - While true, how many embedded systems, IoT devices, appliances, OT systems do not have this protection?

Named pipes are strange. Also, I thought this was going to be a Docker privilege escelation, which, as it turns out, is really easy and works on several implementations (including my own systems). Check out: * https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md * https://hub.docker.com/r/chrisfosterelli/rootplease/

Neat collection of patterns that you could easily integrate with existing tools or scripts to search for API keys and the like, either as a red team or as developers.

Exploiting a game's V8 JavaScript engine: "One such issue affected the massively popular Dota 2 video game. Dota used an outdated build of v8.dll that was compiled in December 2018. It’s no surprise that this build was vulnerable to a range of CVEs, many of them even being known exploited vulnerabilities with public proof-of-concept (PoC) exploits."

A LOT of information about CORS, very interesting: "Cross-Origin Resource Sharing (CORS) is a mechanism that lets servers instruct browsers to relax, for select clients, some restrictions (in terms of both sending and reading) enforced by the Same-Origin Policy (SOP) on cross-origin network access." - Seems developers hate it. This typically is bad news for security.

"In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified" - Not a high risk (DoS and arbitrary file read that is permission dependent), but an interesting read.

Is this a vulnerabilty or not? "The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control."

Run hidden and persistent processes on Cisco devices: "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets. Still, in this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. CVE-2023-20076 gains unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades. Side-stepping this security measure means that if an attacker exploits this vulnerability, the malicious package will keep running until the device is factory reset or until it is manually deleted. At this point, countless damages could have occurred."

"A global memory corruption vulnerability exists in the upnpd server. A specially-crafted SUBSCRIBE request can lead to a stack buffer overflow. An attacker can send a malicious request to trigger this vulnerability and modify the execution flow to an arbitrary address somewhere in the memory of the upnpd process. This vulnerability can be exploited from the WAN or LAN." - Weird though, they have ASLR support, but not for this particular case: "The upnpd binary is not ASLR compiled and the executable addresses are in the range 0x2a000000 and 0x2a055000. All other mapped modules run with ASLR." Also, I mean, why do we not do this: "Also, it is necessary to replace sprintf() with safer functions -- such as snprintf() -- to control the size of the processed data in order to avoid memory safety problems. Use appropriate compiler options (like -Wformat-overflow=2, -Wformat-security, -Wfortify-source, -Wformat=2, ...) to detect these issues preemptively." - Does it break stuff? Laziness? Ignorance? Whyyyyy?

"As it currently is implemented, there is a buffer overflow in the HTTP Client implementation. I was able to take control of the Instruction Pointer ($PC) using a relatively simple proof of concept rogue web server" - So keep in mind this is a feature that allows the bootloader code (U-Boot) to download any file via HTTP, and it has a buffer overflow...

Make sure you read the write-up, its awesome: https://github.com/blasty/lexmark/blob/main/writeup/writeup.md (And shows how multiple vulnerabilities are chained to gain remote code execution as root).

I really like this idea, though I believe refactoring to be a tad more difficult than Rob describes: "As the above function shows, the OpenSSL code is already somewhat memory safe, just based upon the flawed principle of relying upon diligent programmers. We need the compiler to enforce it. With such features, the gap is relative small, mostly just changing function parameter lists and data structures to link a pointer with its memory-bounds. The refactoring effort would be small, rather than a major rewrite. This would be a soft-fork. The memory-bounds would work only when compiled with new compilers. The macro would be ignored on older systems. " - Lets just say there are a lot of variables that determine the difficulty (e.g. complexity of the code, platform, developer skill, etc...)

"Ronin is a free and Open Source Ruby toolkit for security research and development. Ronin contains many different CLI commands and Ruby libraries for a variety of security tasks, such as encoding/decoding data, filter IPs/hosts/URLs, querying ASNs, querying DNS, HTTP, scanning for web vulnerabilities, spidering websites, install 3rd party repositories of exploits and/or payloads, run exploits, write new exploits, managing local databases, fuzzing data, and much more."

"An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust." Turns out vendors either assign a lower score or don't even classify it as a vulnerability: "Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1" and "typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences."

Both France’s and Italy’s Computer Emergency Response Teams (CERTs) have issued alerts warning “of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” The vulnerability (CVE-2021-21974) affects ESXi 7.0, 6.7 and 6.5. Support for ESXi 6.7 and 6.5 ended in October 2022. The flaw was disclosed, and a fix was released in February 2021.

If you're not using it, disable SLP service, also if you're still on 6.x look to ESXi 8.0a.

CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.

In a blog post, researchers from Aqua Nautilus detail their findings about malware called HeadCrab that has infected more than 1,200 Redis database servers in the past year-and-a-half. The threat actor has been using their access to the servers to mine virtual currency.

his malware takes advantage of trust relationships, such as SLAVEOF, between Redis servers to load and transfer modules which add C&C commands to the targeted server. Make sure you've secured your Redis installations; don't expose them directly to the Internet, enable protected mode for cloud installations, bind the instance to a specific address to limit communication to trusted hosts and disable the slaveof feature if not actively used.

OpenSSH maintainers have released an updated version to fix three security issues. OpenSSH 9.2/9.2p1 includes a fix for a pre-authentication double-free memory vulnerability that was introduced in OpenSSH 9.1.

Spamhaus researchers say they have seen a significant surge in malvertising affecting Google Ads. The spike involved ads impersonating well-known brands, including Adobe, Microsoft Teams, Thunderbird, Slack, and Tor.

While Google is raising the bar on advertisers, threat actors are still finding ways to slip through. Detection is tricky, and your best defense is going to be a combination of ad blockers and encouraging users to only download software from known, verified sources.

hile Google is raising the bar on advertisers, threat actors are still finding ways to slip through. Detection is tricky, and your best defense is going to be a combination of ad blockers and encouraging users to only download software from known, verified sources.

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 cyber crimes was arrested this week in France.

This guy has been at it since he was a teenager, and was convicted of over 50,000 cybercrimes, yet as he was a minor, given a 2-year suspended sentence with a fine of 6,558 Euros. As he is now an adult, and the prior conviction didn't seem to quelch his desire to commit malfeasance,

Atlassian has released a security advisory warning of a critical authentication bypass issue in Jira Service Management. The vulnerability affects Jira Management Server and Jira Service Manager Data Center versions 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0. Users are urged to update to versions 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later. The vulnerability does not affect Atlassian Cloud sites.

You can update to the fixed version or manually replace the "servciedesk-variable-substitution-plugin" JAR file as a workaround. Since you have to stop and start Jira to deploy the JAR file, you may as well schedule the update.

The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse the encryption. This is not a direct port of the windows version which means it's likely to evolve and change rapidly.

Cybercrime Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.

Samsung sells space in its devices to the highest bidder via pre-installed crapware from Facebook, Netflix, Microsoft Office, Spotify, Linkedin, and more. The Pixel 7's system partition is 15 GB, but Samsung's is 60 GB. And they even removed the rapid update feature to free up space to sell, so updates can cause 30 minutes of downtime.

A Greek question mark looks like a semicolon. Inserting it in JavaScript code will cause a mysterious error, difficult to debug. However, the Rust compiler efficiently finds the problem and provides a useful error message. This is one of the many reasons developers love Rust.

One in nine online stores accidentally expose private backups. It is a common practice to make ad-hoc backups during store platform maintenance. The problem, however, is that these backups often end up in a public folder. We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks.

The European Space Agency is exploring a unique way to dramatically cut carbon emissions by tapping sunlight closer to the source. Various systems of satellites are proposed, each with systems to beam the concentrated power down to the ground using lasers of microwaves. If this concept comes to fruition, by sometime in the 2030s Solaris could begin providing always-on space-based solar power. Eventually, it could make up 10 to 15 percent of Europe’s energy use, playing a role in the European Union’s goal of achieving net-zero carbon emissions by 2050.

An encrypted messaging service that has been on law enforcement's radar since a 2019 raid on an old NATO bunker has been shut down after a sweeping series of raids across Europe last week. The Dutch police spent five months monitoring its communications, so they could identify and trace the developers, administrators and owners of the service, many of whom were arrested in the raids. Police also seized two drug labs, several kilos of narcotics, more than €4 million in cash, "various luxury goods and several firearms."

Duolingo teaches language skills using a gamelike approach and a cast of bright cartoon characters. But behind the scenes, sophisticated artificial-intelligence (AI) systems are at work. One system in particular, called Birdbrain, is continuously improving the learner’s experience with algorithms based on decades of research in educational psychology, combined with recent advances in machine learning. Birdbrain tracks the learner's skill and the difficulty of the problems to keep the learner engaged and happy, but also challenged and progressing.

A copper deficit is set to inundate global markets throughout 2023, fueled by increasingly challenged South American supply streams and higher demand pressures. The reopening of China and growth in the automotive and energy transition industry have stoked demand for copper. This could fuel global inflation and compel central banks to maintain their hawkish stances for longer.

In the last several fiscal years, some 217 city vehicles have had their catalytic converter stolen. This represents some 7.3 percent of the city’s fleet, and came at a cost of nearly $600,000. 1 in every 14 city vehicles is a Prius. But they made up over a third of catalytic converter thefts Thieves also gravitate toward big Ford trucks, like the F-150s, 250s and 350s cruising around city streets. These are easy to get underneath and, on some models, have two catalytic converters.

Hydrogen fuel is a clean energy source that only produces water when burned. Researchers at the University of Adelaide have split natural seawater into oxygen and hydrogen with nearly 100 per cent efficiency, to produce green hydrogen by electrolysis, using a non-precious and cheap catalyst in a commercial electrolyser. The team says its results, using cobalt oxide with chromium oxide on its surface as the catalyst, had similar performance to a standard process of applying platinum and iridium catalysts to highly purified and deionized water.

"The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST said. "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." The suite comprises authenticated ciphers ASCON-128, ASCON-128a, and a variant called ASCON-80pq that comes with resistance against quantum key-search. It also offers a set of hash functions ASCON-HASH, ASCON-HASHA, ASCON-XOF, and ASCON-XOFA.