We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), now calling IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so helpful here. And it’s not an easy task, since decompiling source code like this doesn’t give us variable names.

The first question that needs answered is what is the list in question? This code is handling the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs. And that linked list is almost always a single member list. When calling IppSendErrorList() on a list with a single member, it’s functionally equivalent to the IppSendError() in the fixed code. The flaw must be in the handling of this list with multiple members. The only way to achieve that criteria is to send a lot of traffic at the machine in question, so it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows will assemble incoming packets into a linked list and process them in batch.

So what’s next? IppSendErrorList(), takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a codepath where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now much different from what is expected.

This unexpected but of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.

CVE Hunting Made Easy

[Eddie Zhang] wanted to take the easy road to finding CVEs. To his immense credit, he did not ask ChatGPT to hallucinate vulnerabilities for him, but instead built an automation chain to find possible vulns. The idea is simple: Download as many WordPress plugins as he could, run Semgrep over the corpus, throw the results in a SQL database, and take a closer look at the most promising findings.

That starts by writing a SQL query, naturally. The interesting flaws were SELECTed, and then the different plugins run in a test bench setup to try to trigger actual vulnerable code. And it’s not a bad approach, judging by the 14 CVEs found in 3 afternoons of work.

Moodle

RedTeam Pentesting got to have a field day with the Moodle platform. Moodle is a web-based distance learning solution written in PHP. And to get the flavor of how this went, the test grading logic is written in PHP — and eval()‘d on the server during grading. Now it’s not quite as bad as it sounds. There is sanitization done, and the set of symbols, characters, and functions are rather limited.

PHP has a pretty interesting type system. Something like acos(2), inverse of the cosine of 2, returns a result of Not a Number, or NAN. The dot . symbol does string concatenation in PHP, and putting those together, acos(2) . acos(2) results in a string, NANNAN. It gets better, as it’s then possible to do bitwise manipulation of those strings, eventually unlocking the entire alphabet. A few more tricks like PHP’s variable functions, variable variables, and other fun language contortions. Eventually we get to system() and escape into the system.

Hacking the TSA

[Ian Carroll] and [Sam Curry] bring an unfortunate tale of clever hacking, cover ups, and incompetence. The actual hack is pretty straightforward, a SQL injection in a login system. The real problem is that this login is in the official airline security systems that controls the Known CrewMember and Cockpit Access Security System. That’s the list of people that get to skip TSA checkpoints altogether, and that get access to airplane cockpits in flight. Not good.

The good news is that after disclosure, the Department of Homeland Security quickly secured the vulnerable site. The takes a turn for the worse, when it came time for disclosure. TSA issues a factually incorrect statement about what is required to use the KCM system. [Ian] and [Sam] reached out again to try to set the record straight about the severity of the finding. In response, the TSA quietly deleted the FAQ that spells out how bad the vulnerability could be. Not a great look.

Bits and Bytes

For your data and packet capture needs, Wireshark 4.4 is out. Among the normal improvements, there’s better VoIP support, a handful of new protocols, and some IPv6 tweaks to make life easier.

Ever wondered how to do effective sandboxing in Linux? Hardened Linux has you covered. There are some obvious things like limited filesystem access, but it might be more useful to read about seccomp to limit the available system calls to your sandboxed program. The article is an overview of the individual techniques, and then some of the more popular all-in-one solutions like firejail, bubblewrap, and landlock.

Volt Typhoon, a collection of hackers believed to be working on behalf of the Chinese government has begun using a vulnerability in Versa Director to attack businesses. Version 22.1.4 of the network management platform fixes the vulnerability, which allowed for executable java filew to be disguised as PNGs and uploaded to the platform.

And finally, one of the sneakier ways to stay on a Linux system is to use udev. For attackers, it’s always a challenge to make sure the malware starts up on each boot, and yet doesn’t attract any attention. There are plenty of places to hide a startup hook, but this one creates a udev rule to automatically run early in boot when the /dev/random device is created. How often do you audit your udev files? Sneaky!

There have been some hilarious issues on mobile devices over the years. The HTC Dream had a hidden shell that was discovered when a phone rebooted after sending a text containing just the word “reboot”. iOS has gotten in on the fun from time to time, and this time it’s ""::. Type the double quotes, a colon, and any other character, and Apple’s Springboard service crashes.

Another hacker dug in a bit, and realized that Springboard is trying to jump execution to a null pointer, leading to a crash. It’s very odd that user input breaks the query parser badly enough to jump to null like that. There are a couple interesting questions that we have to ask. Given that the crash trigger is quite flexible, "anything goes":x, is it possible to manipulate that function pointer to be something other than null? And perhaps more importantly, why is the code crashing, instead of an invalid address error as one would expect from a Pointer Authentication Code (PAC) violation? Regardless, the bug seems to be fixed in the latest iOS 18 builds.

Typing “”:: in various search bars (e.g. in Settings .app) on iOS, will cause a crash! https://t.co/P4Ax0z9W9F (by: @lorenzofb)

….let's dig into why

— Patrick Wardle (@patrickwardle) August 21, 2024

OpenBMC

OpenBMC is something of a reference Baseboard Management Controller, and as such it’s the upstream for other implementations. And it has a fairly serious issue, in the slpd-lite service, which just happens to be installed and enabled by default. SLP is the Service Location Protocol, a service discovery protocol, which is something of a predecessor to Zeroconf. Slpd-lite has a pair of issues that result in trivial heap reads and writes, beyond the intended buffer.

The slpd-lite project patched the issues about a week after disclosure, back in May. In June, the patch and an advisory was applied to OpenBMC itself. Nice and speedy action. Now to get all the downstream vendors to apply it, too.

WordPress LightSpeed Falls to Weak Hash

The LightSpeed Cache plugin for WordPress does something really clever, but in a way that managed to allow admin authentication bypasses. To cache pages that a logged-in user would see, the plugin’s crawler simulates each user loading the site, and caches that. To protect that cache, a random string is generated. The problem is that this random generation is seeded using the current time, only the microsecond portion of the time. So one of only a million possible values. And while a million is a lot when talking about physical objects, it’s not nearly enough when talking about cryptography.

To log in as a user using this weak hash, an attacker only has to guess te proper user ID (usually 1 is an admin) and then hit the right hash value. Lightspeed hash released a fix, but this is a severe issue, and we should expect to see exploitation attempts — And that didn’t take long. This one could be nasty, as something like 3.5 million sites are still running the vulnerable version of the plugin. Wordfence has already blocked 48,500 in the first 24 hours of this attack being publicly known.

Insulin, Privacy, and Firewalls

[Remy] fron Greynoise Labs is on a bit of a crusade against insecure Bluetooth. And make no mistake, Bluetooth can be a problem. Case in point, the FDA has issued a recall on a particular insulin pump, because the iOS app could enter a crash loop, and the continual Bluetooth re-connections drained the device’s batteries. Battery drain may seem like a mild inconvenience, but apparently over 200 people have reported injuries as a result.

So in this push for more secure use of Bluetooth, [Remy] mined a collection of Android applications for Bluetooth UUIDs. Those are unique identifiers of what kind of device is advertising Bluetooth. With this new treasure trove of identifiers, it was only natural to write a Bluetooth UUID scanner. And this is where a bit of a bizarre coincidence took place. At the some moment [Remy] fired up this scanner, his local Internet access dropped. As a result, his Firewalla firewall started advertising a Bluetooth Low Energy interface. The database returned a hit, and [Remy] had the Android APK to look at.

The Firewalla scheme for authenticating that BLE interface was lacking, with a handful of possible issues, like only checking the first 8 characters of a UUID key. And once past that initial hurdle, further administration tasks are secured using a JSON Web Token. That token’s signing key was global for all Firewally devices, and trivially derived from either firmware or the Android APK. And that’s not even all, since there were also command injection issues over the same Bluetooth link. Firewalla has released version 1.979 to address these issues.

Moar Bluetooth

If that wasn’t enough Bluetooth, the Zero Day Initiative has us covered, with coverage of a pair of flaws in the Autel Maxicharger vehicle charging station. The first was a simple buffer overflow in the Bluetooth data handling, leading to possible Remote Code Execution (RCE). The second issue was the presence of “Backup credentials” in the firmware’s WiFi handling.

Bits and Bytes

“Insufficient sanitization” is not a feature you want in your microservices. Spring’s Cloud Dataflow is a tool to plug data flows in to various other applications. Before a recent patch fixed it, Dataflow was doing some basic checks on file uploads, like looking for nulls or empty files. The problem was some very simple path traversal attacks. Name a package name with ../../../poc, and while the service may throw an error, it still creates the files as requested. 2.11.3 has shipped with the fix, so time to update!

And speaking of bypasses, ingress-nginx has a validation bypass, allowing unauthorized access to Kubernetes clusters using that controller. Kubernetes supports annotations as a sort of metadata system, and ingress-nginx was failing to properly validate those annotations, which could then be used for command injection.

And finally, I think I’ve played this video game. Except this time, someone actually tried to hack himself out of existence. The FBI discovered that a criminal had not only used stolen social security numbers to commit fraud, he had gone so far as to register his own death in a Government system, using stolen credentials. It didn’t turn out so well, as he was discovered alive, and sentenced to jail time for the effort.