It looks like there’s finally hope for sane password policies. The US National Institue of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like name of first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable for passwords.

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gasses in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alpha-numeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS9+ flaw is a SQL injection, with a trio of slightly less serious flaws.

The really interesting question is what could theoretically be done with admin access and escape to shellcode in one of these systems? There’s the obvious path of Denial of Service. Once you have root, just delete files, flash random noise over the firmware, and walk away. The more interesting approach is to make changes that have physical consequences. If a fuel tank is reprogrammed to indicate that holds twice the volume, will it overflow? Researchers realized that relays have a maximum operation rate, and driving them on and off at faster rates has interesting effects — glowing and letting the magic smoke out.

More Tank Hacking?

Also this week is the story of a Kansas water treatment plant that has gone to manual mode after a cyberattack. It’s not clear whether this was actually an aimed attack at infrastructure, or just a ransomware attack that is impacting the water treatment facility as a side-effect.

The Linux Mystery 9.9 CVE

This week we’ve been watching a story develop after [Simone Margaritelli] sounded the warning about a very serious GNU/Linux vulnerabiltiy on Twitter/X. The claim was a CVSS 9.9 in all Linux systems. Well apparently it’s time, because the details have dropped, and it’s a wild ride.

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR

— Simone Margaritelli (@evilsocket) September 23, 2024

So first, the actual vulnerabilities: Part of the Common Unix Printing System (now just CUPS) is cups-browsed, a helper daemon that automatically installs printers discovered on the local network. This binds to all IP addresses on UDP port 631, and an incoming UDP packet will trigger a printer install. The quirk here is that this incoming request can include an arbitrary URL as the source of the IPP printer driver information. That IPP data isn’t sanitized, allowing for arbitrary information upload and subsequent file creation with that arbitrary data. The cherry on top is the foomatic-rip driver that includes the helpful feature of running a shell command as part of the printing process. Oh, and to be clear, the CVSS 9.9 isn’t strictly accurate, because it does require a user interaction to print to the malicious printer, to trigger the code execution.

Now here’s the tricky question: How many of those quirks are vulnerabilities? Cups-browsed seems obviously architected without an authentication layer, and therefore not at all intended to be exposed to the Internet. Downloading an arbitrary IPP file seems to be working as intended, and the FoomaticRIPCommandLine is a documented feature, not a vulnerability.

And yet, pretty obviously, a printer on the local network shouldn’t be able to trigger arbitrary code execution when printing to it, especially when it’s so easy for any computer to fake being a printer. It’s very surprising that there are over 100,000 systems that expose UDP port 631 and the cups-browsed service to the Internet. I look forward to other researchers double-checking that claim. If it wasn’t obvious, don’t expose CUPS to the Internet. It shouldn’t have taken a CVE to make that abundantly clear. That is probably why it was so hard for [Simone] to get the CUPS developers to take this seriously.

As per the Red Hat notice, you can check your Linux systems for this issue by running sudo systemctl status cups-browsed and check a remote machine using sudo nmap -sU -p 631 -v ip.address.of.machine watching for “631/udp open|filtered ipp” in the output. There is already a Proof of Concept that has leaked, so do check and pull the plug on any systems that expose this service.

The Other One

The “9.9” CVE was just a bit of a letdown, but we do have CVE-2024-20017, a confirmed high severity vulnerability in MediaTek’s wappd daemon that seems to weigh in at 9.8.

The vulnerability is specifically in the handling of the Security Block message that’s part of WiFi roaming handoffs. wappd allocates a fixed-size buffer, and doesn’t validate the actual message size before copying that data. This can overflow by up to 1433 bytes, and that’s certainly enough to trigger full RCE. There’s Proof of Concept code available, so watch for updates for Wireless gear.

Bits and Bytes

Kaspersky has done something unexpected, pulling a switcheroo. Users who still had Kaspersky installed have found UltraAV now automatically installed on their machines. It’s reported that Kaspersky was sending email notices out earlier this month that the update was coming.

There’s a really impressive chain of tricks that redirects from a Youtube URL to an arbitrary Google Docs URL. That may not sound particularly interesting, but the whole chain of redirects means that a page that looks like a Google Form with a simple poll could actually grant permissions to arbitrary Google Drive files on submit. Google paid a juicy $4133.70 for the find, and rolled the fix out on the same day.

ChatGPT has a new feature, long-term memory. The idea is that your conversations with the LLM can become part of the training data, making the model even more useful as you use it. There is a really powerful feature available in ChatGPT now, that the LLM can pull data from the Internet in real time. Turns out if you can get one of these instances to pull some manipulated data, the model can keep it in long term storage. The real trick is that this injection can convince the model to keep revisiting an arbitrary URL, leaking data. Impressive.

And finally, the Kia dealer and owners websites leak a bit too much data. With nothing more than the car’s VIN, an attacker can generate a fake dealer token, and demote and replace the previous owner. From there, it’s trivial to remote start, honk, or otherwise mess with the vehicle. It wasn’t great, but Kia got it fixed over a month ago.

Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.

Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.

A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.

Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.

Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops.

Trains!

[Bertin Jose] has a bit of a side hobby, of scanning the Internet for interesting endpoints, with an emphasis on industrial control systems. In an automated scan, a CZAT7 device popped up — a traction power substation controller. This is a miniature power station that supplies power to electric railways. And this one was not only connected to the Internet, it exposed a web interface that probably wasn’t intended to be public. And it included coordinates. It’s delightful that we can point to a picture on Google Maps, to the little building in Poland where this controller lives.

[Bertin] has enough experience with control devices like these, to know that 1111 is a common password. It’s wild that for these devices, both 1111 and 2222 worked for read/write access to the devices. This is where there was clearly a line, where fiddling around further inside these real devices would be ill-advised. What turned out to be more of a problem is finding the right people to disclose the device to. There was never a response, but the device seems to be finally off the Internet.

Raptor Train

We have news this week of a joint effort between Lumen Technologies and the US DoJ to take down the Raptor Train, a botnet that lives on a variety of routers, IoT devices, and cameras and NVRs. This botnet is interesting, that each device was only compromised for an average of 17 days at a time, with the infection only persisting until the next reboot.

What’s always fun about watching malware activity like this is to line up activity with timezones around the world. This one roughly corresponds to a 10:00 AM to 7:00 PM working day in China Standard Time, which checks out with the likely attribution to the Chinese group, Flax Typhoon. The count of total devices was somewhere around 260,000, with exploitation due to a combination of 0-day and n-day vulnerabilities. Turns out maybe it’s not a great idea to put those cameras on the Internet.

Discord and DAVE

Discord has rolled out DAVE, Discord Audio and Video end-to-end Encryption. This new solution will provide encryption for voice and video for DMs, Group DMs, and other live calls on Discord. The solution is Open Source, and was designed in collaboration with trailofbits.

Lots of established cryptography was used, and at a brief look the scheme seems to check out. Notably missing is any mention of quantum-resistant cryptography. That’s not entirely unexpected, as we’re still several years away from practical quantum computers, and the cryptography schemes designed to be immune to quantum cryptography are still quite new and immature.

The Other Side of the Coin

In an interesting counterpoint to Discord’s new scheme, Interpol has taken down Ghost, an end-to-end-encrypted communications platform widely used for organized crime. It seems that Ghost was designed and marketed specifically for criminal use, but one has to ask the question about whether Discord will also face repercussions for the move to strong encryption.

Bits and Bytes

The folks at Cyber Security Associates have the scoop on doing a Patch Diff on a vulnerability fixed in a recent Windows Patch Tuesday. The short explanation is that incoming calls to the driver weren’t checked for whether they originated in the kernel or in userspace.

And finally, there’s a real mystery on the Internet. GreyNoise describes Noise Storms of spoofed packets flooding the Internet. These seem to be malicious, coming in waves since January 2020. The inclusion of the string LOVE in recent packets suggests the name LOVE Storm. GreyNoise has made packet captures available, if any of our readers feel like joining in on the sleuthing to figure out what these packets are up to.

It’s time to talk about Microsoft’s patch Tuesday, and the odd vulnerability rollback that happened. CVE-2024-43491 has caught some attention, as it’s a 9.8 on the CVSS scale, is under active exploitation, and results in Remote Code Execution (RCE). Yikes, it sounds terrible!

First off, what actually happened? The official statement is that “build version numbers crossed into a range that triggered a code defect”. We don’t know the exact details, but it’s something like an unsigned integer that was interpreted as a signed integer. A build number could have rolled over 32767, and what was intended to be 32768 or higher suddenly became −32767. Lots of “if greater than or equal” logic breaks down in that situation. Because of a logic flaw like this, certain versions of Windows 10 were unintentionally opting out of some historical security fixes.

And that’s where the high CVSS score and active exploitation descriptor comes from. This is simply the highest score of the resurgent flaws, and an acknowledgement that they have been exploited in the past. The good news is that this only applies to Windows 10 build 1507, so either the original install without any of the major updates installed, or one of the Windows 10 Enterprise Long-Term Servicing Branch (LTSB) versions. It seems that the March 2024 monthly security update introduced the problem, and it wasn’t fixed until this month’s updates.

Tracking Bikes, Busting Thieves

This is a bit different from our normal fare. [Bryan Hance] started the Bike Index, an online registry for high value bikes, with the goal of tracking and recovering bikes after they are stolen. After years of success tracking down bikes, there was something new brewing. Stolen bikes from California were showing up on Facebook Marketplace, for sale down in Mexico. It was a literal international theft ring, racking up a score of over $2 million worth of bicycles.

You know that feeling that you’re probably giving away too much personal information by having a Facebook account? It turns out that’s a good way to get busted for international crime, too. In this case, an account selling the bikes south of the border had a Facebook friend close to where the crimes were being committed. And some of the bike pictures included orange shelves. That was enough to identify an auto shop that was being used to stage the stolen bikes. One criminal arrested, but the rest of the operation is still running. Similar to the challenges of going after cybercriminals that operate from overseas, it’s a challenge for law enforcement to go after bike thieves across the southern border.

Don’t Let Those Domains Expire

Researchers at Watchtowr just wanted to find a few vulnerabilities in WHOIS handling. WHOIS is part of the domain name system, and returns contact information for domains. How exactly does that lookup happen? Broadly speaking, each top level domain has a WHOIS server, and the Internet Assigned Numbers Authority (IANA) just publishes a list of server domain names for each TLD. What happens when a TLD changes their server name?

The .mobi TLD did just this, retiring whois.dotmobiregistry.net to move to a new domain. And by retire, we definitely mean abandon and completely forget about. Because the domain name registration was allowed to expire. And because they couldn’t help themselves, researchers at Watchtwr ran out and registered the domain. Surely there wouldn’t be any hosts in the wild still looking to this retired domain name for WHOIS data, right? Right? Based on the 76,085 unique IP address that hit the domain doing WHOIS lookup within the first three hours, we’re guessing that stale data is quite widespread.

The original attack was to prove that an exploit in WHOIS handling could actually be useful in the real world. But WHOIS data is actually used for some interesting cases. Like verifying SSL certificate requests. While they didn’t actually generate a forged certificate, it certainly looks like multiple certificate authorities would have gladly issued a microsoft.mobi certificate.

Sextortion Comes to your House

[Krebs] has the low-down on a new low in sextortion scams. If you haven’t seen this exact breed of scammy spam messages, it’s usually an email that claims that compromising pictures were taken using your webcam. You’re supposed to then pay Bitcoin to get the scammer to delete the non-existent images. Once you understand that it’s just spam it’s easier to ignore. Until now. These spam messages are generally generated using information from data breaches, and sometimes those include street addresses.

The new trick is to grab an image from the Internet of that address, and include it in the spam message. It’s just a bit harder to ignore a spam email when it includes a picture of your house and front yard. But ignore them you should, as well as being careful with webcams and cell phones, because while this is just a spam message, illicit image capture does happen, and that’s worse than a simple spam email. That said, you’ll probably know when it happens to you — we presume they’ll show you a copy of the goods as motivation.

Bits and Bytes

Adobe Acrobat Reader has released an update that fixes CVE-2024-41869, a use-after-free vulnerability that could lead to RCE. To make it worse, there is an proof-of-concept exploit publicly available.

Elastic Kibana has a deserialization flaw related to its integration assistant in version 8.15.0. This YAML parsing issue was fixed with version 8.15.1, and requires both Elastisearch and Kibana privileges to exploit, but it’s a CVSS 9.9, so considered very severe and likely to be exploited.

The Apache Customer Relationship Management software, OFBiz, has had a series of unauthenticated RCEs on both Linux and Windows. It’s a series because of several incomplete patches of the root issue, followed by finally fixing it. The core flaw is that the server logic and the web client can desync, leading to incomplete security checking. 18.12.16 finally lands the fix.

[Thomas Roche] of NinjaLab is out with EUCLEAK, (pdf) a physical attack against Infineon security microcontrollers, and the security tokens that contain them. The name is a portmanteau of Euclidean and leak. And no surprise, it’s a data leak in some implementations of the Extended Euclidean Algorithm (EEA), a component of an Elliptical Curve Digital Signature Algorithm (ECDSA).

OK, time to step back. Infineon microcontrollers are the digital smart parts inside popular security tokens like the Yubikey 5, some Java smart cards, and even the Infineon TPMs. These devices all serve a similar purpose. They store one or more secret keys, and are guaranteed to never disclose those keys. Instead, they use their secret keys to do cryptographic functions, like ECDSA signatures, and output the result. There’s even a special set of tests, the Common Criteria, that are intended to backstop these guarantees. What’s interesting is that an otherwise excellent product like the Yubikey 5, that passes all these auditing and certification processes, is still vulnerable.

The actual attack is to perform ECDSA signatures while monitoring the physical chip with an electromagnetic probe. This tiny directional antenna can pick up on EM noise generated by the microprocessor. That EM noise leaks timing information about the internal state of the cryptography, and the secret key can be derived as a result.

This process does require physical access to the token for several minutes. To get useful readings, the plastic case around the security token does need to be disassembled to get the probe close enough to pick up signals. From there it’s at least an hour of post-processing to actually get the key. And most of these security tokens intentionally make the disassembly process rather difficult. The point isn’t that it’s impossible to open up, but that it’s impossible not to notice that your token has been tampered with.

Infineon has updated their libraries, doing more active countermeasures to make cryptography state indistinguishable from other CPU activity noise. If you have one of the affected devices, if a firmware update is not an option, setting a PIN or other biometric is quite effective at preventing the attack.

What might be most notable about this attack isn’t the attack itself, but that none of the test and audit framework around these devices protected against it. Our take here isn’t that those things are without merit, but instead that no certification can anticipate every way such a system could go wrong.

Revival Hijack on PyPI

We’ve repeatedly covered Typosquatting in various repositories, and even the more subtle dependency confusion over the years. Revival Hijack probably isn’t completely new, but researchers at JFrog have announced it and taken a major step towards preventing it in the PyPI repository, partially in response to finding it in use in the wild.

The idea here is pretty simple. For various reasons, packages on PyPI get deleted. PyPI makes it abundantly clear to the dev deleting the package, that among other things, the package name will become available for others to register. If someone else registers that name, and releases a new build with a higher version number, pip will gladly perform the update where the old package is installed.

The danger, of course, is that this quirk will be used to ship malicious packages. That’s not a theoretical issue, either. The pingdomv3 package was first published in 2019, retired and deleted in March 2024, and republished shortly after. Within a few days, the package was updated to include a malicious payload. Interestingly, the payload checked for a Jenkins environment, and downloaded and ran a script. JFrog’s automated monitoring caught the suspicious behavior, and PyPI removed the malicious package soon after. That one in particular got added to PyPI’s list of permanently retired package names.

Going forwards, JFrog is grabbing deleted package names with significant download counts, and holding them safely in a dedicated user account. It will be interesting to see if this attack or mitigations against it start showing up in other repositories.

SIM Card WiFi

WiFi security is a bizarre mish-mash of modern and legacy tech. Case in point, you can use a RADIUS server and a 2G SIM card to handle WiFi authentication. The authentication server generates a random challenge, and the SIM generates a signed response and temporary encryption key. It’s a cool, quirky idea, with a significant drawback. For effective authentication, the central server has to know the secret key of the authenticating SIM. Since that’s the primary thing SIMs are designed to prevent, the whole idea is of limited use, without a source for custom SIM cards.

Bits and Bytes

To really understand what a program is doing, running a system trace is hard to beat. That is a capture of every system call, which effectively captures every interaction with the rest of the system. The only real problem is that that much information is often like drinking from the firehose. To try to help with that problem, we now have Traceeshark, which loads system trace captures into Wireshark, which already has great tools for dealing with an overabundance of information.

And finally for this week, researchers at Praetorian took a look at the Rspack GitHub repository, and found several GitHub Actions vulnerabilities. GitHub Actions are automated actions in response to things like changes and pull requests. Projects often set up continuous integration pipelines in Actions, and run a test suite and build for each change. That does get a bit dicey, when running on pull requests from untrusted contributors. And that’s what was found at Rspack. New contributors could make pull requests that would automatically launch an Action run. From within the action, it was possible to leak both an NPM deployment token, as well as a GitHub Person Access Token. Whoops!

We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), now calling IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so helpful here. And it’s not an easy task, since decompiling source code like this doesn’t give us variable names.

The first question that needs answered is what is the list in question? This code is handling the option field in incoming IPv6 packets. The object being manipulated is a linked list of packet structs. And that linked list is almost always a single member list. When calling IppSendErrorList() on a list with a single member, it’s functionally equivalent to the IppSendError() in the fixed code. The flaw must be in the handling of this list with multiple members. The only way to achieve that criteria is to send a lot of traffic at the machine in question, so it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows will assemble incoming packets into a linked list and process them in batch.

So what’s next? IppSendErrorList(), takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a codepath where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now much different from what is expected.

This unexpected but of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally jumping code execution into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.

CVE Hunting Made Easy

[Eddie Zhang] wanted to take the easy road to finding CVEs. To his immense credit, he did not ask ChatGPT to hallucinate vulnerabilities for him, but instead built an automation chain to find possible vulns. The idea is simple: Download as many WordPress plugins as he could, run Semgrep over the corpus, throw the results in a SQL database, and take a closer look at the most promising findings.

That starts by writing a SQL query, naturally. The interesting flaws were SELECTed, and then the different plugins run in a test bench setup to try to trigger actual vulnerable code. And it’s not a bad approach, judging by the 14 CVEs found in 3 afternoons of work.

Moodle

RedTeam Pentesting got to have a field day with the Moodle platform. Moodle is a web-based distance learning solution written in PHP. And to get the flavor of how this went, the test grading logic is written in PHP — and eval()‘d on the server during grading. Now it’s not quite as bad as it sounds. There is sanitization done, and the set of symbols, characters, and functions are rather limited.

PHP has a pretty interesting type system. Something like acos(2), inverse of the cosine of 2, returns a result of Not a Number, or NAN. The dot . symbol does string concatenation in PHP, and putting those together, acos(2) . acos(2) results in a string, NANNAN. It gets better, as it’s then possible to do bitwise manipulation of those strings, eventually unlocking the entire alphabet. A few more tricks like PHP’s variable functions, variable variables, and other fun language contortions. Eventually we get to system() and escape into the system.

Hacking the TSA

[Ian Carroll] and [Sam Curry] bring an unfortunate tale of clever hacking, cover ups, and incompetence. The actual hack is pretty straightforward, a SQL injection in a login system. The real problem is that this login is in the official airline security systems that controls the Known CrewMember and Cockpit Access Security System. That’s the list of people that get to skip TSA checkpoints altogether, and that get access to airplane cockpits in flight. Not good.

The good news is that after disclosure, the Department of Homeland Security quickly secured the vulnerable site. The takes a turn for the worse, when it came time for disclosure. TSA issues a factually incorrect statement about what is required to use the KCM system. [Ian] and [Sam] reached out again to try to set the record straight about the severity of the finding. In response, the TSA quietly deleted the FAQ that spells out how bad the vulnerability could be. Not a great look.

Bits and Bytes

For your data and packet capture needs, Wireshark 4.4 is out. Among the normal improvements, there’s better VoIP support, a handful of new protocols, and some IPv6 tweaks to make life easier.

Ever wondered how to do effective sandboxing in Linux? Hardened Linux has you covered. There are some obvious things like limited filesystem access, but it might be more useful to read about seccomp to limit the available system calls to your sandboxed program. The article is an overview of the individual techniques, and then some of the more popular all-in-one solutions like firejail, bubblewrap, and landlock.

Volt Typhoon, a collection of hackers believed to be working on behalf of the Chinese government has begun using a vulnerability in Versa Director to attack businesses. Version 22.1.4 of the network management platform fixes the vulnerability, which allowed for executable java filew to be disguised as PNGs and uploaded to the platform.

And finally, one of the sneakier ways to stay on a Linux system is to use udev. For attackers, it’s always a challenge to make sure the malware starts up on each boot, and yet doesn’t attract any attention. There are plenty of places to hide a startup hook, but this one creates a udev rule to automatically run early in boot when the /dev/random device is created. How often do you audit your udev files? Sneaky!

There have been some hilarious issues on mobile devices over the years. The HTC Dream had a hidden shell that was discovered when a phone rebooted after sending a text containing just the word “reboot”. iOS has gotten in on the fun from time to time, and this time it’s ""::. Type the double quotes, a colon, and any other character, and Apple’s Springboard service crashes.

Another hacker dug in a bit, and realized that Springboard is trying to jump execution to a null pointer, leading to a crash. It’s very odd that user input breaks the query parser badly enough to jump to null like that. There are a couple interesting questions that we have to ask. Given that the crash trigger is quite flexible, "anything goes":x, is it possible to manipulate that function pointer to be something other than null? And perhaps more importantly, why is the code crashing, instead of an invalid address error as one would expect from a Pointer Authentication Code (PAC) violation? Regardless, the bug seems to be fixed in the latest iOS 18 builds.

Typing “”:: in various search bars (e.g. in Settings .app) on iOS, will cause a crash! https://t.co/P4Ax0z9W9F (by: @lorenzofb)

….let's dig into why

— Patrick Wardle (@patrickwardle) August 21, 2024

OpenBMC

OpenBMC is something of a reference Baseboard Management Controller, and as such it’s the upstream for other implementations. And it has a fairly serious issue, in the slpd-lite service, which just happens to be installed and enabled by default. SLP is the Service Location Protocol, a service discovery protocol, which is something of a predecessor to Zeroconf. Slpd-lite has a pair of issues that result in trivial heap reads and writes, beyond the intended buffer.

The slpd-lite project patched the issues about a week after disclosure, back in May. In June, the patch and an advisory was applied to OpenBMC itself. Nice and speedy action. Now to get all the downstream vendors to apply it, too.

WordPress LightSpeed Falls to Weak Hash

The LightSpeed Cache plugin for WordPress does something really clever, but in a way that managed to allow admin authentication bypasses. To cache pages that a logged-in user would see, the plugin’s crawler simulates each user loading the site, and caches that. To protect that cache, a random string is generated. The problem is that this random generation is seeded using the current time, only the microsecond portion of the time. So one of only a million possible values. And while a million is a lot when talking about physical objects, it’s not nearly enough when talking about cryptography.

To log in as a user using this weak hash, an attacker only has to guess te proper user ID (usually 1 is an admin) and then hit the right hash value. Lightspeed hash released a fix, but this is a severe issue, and we should expect to see exploitation attempts — And that didn’t take long. This one could be nasty, as something like 3.5 million sites are still running the vulnerable version of the plugin. Wordfence has already blocked 48,500 in the first 24 hours of this attack being publicly known.

Insulin, Privacy, and Firewalls

[Remy] fron Greynoise Labs is on a bit of a crusade against insecure Bluetooth. And make no mistake, Bluetooth can be a problem. Case in point, the FDA has issued a recall on a particular insulin pump, because the iOS app could enter a crash loop, and the continual Bluetooth re-connections drained the device’s batteries. Battery drain may seem like a mild inconvenience, but apparently over 200 people have reported injuries as a result.

So in this push for more secure use of Bluetooth, [Remy] mined a collection of Android applications for Bluetooth UUIDs. Those are unique identifiers of what kind of device is advertising Bluetooth. With this new treasure trove of identifiers, it was only natural to write a Bluetooth UUID scanner. And this is where a bit of a bizarre coincidence took place. At the some moment [Remy] fired up this scanner, his local Internet access dropped. As a result, his Firewalla firewall started advertising a Bluetooth Low Energy interface. The database returned a hit, and [Remy] had the Android APK to look at.

The Firewalla scheme for authenticating that BLE interface was lacking, with a handful of possible issues, like only checking the first 8 characters of a UUID key. And once past that initial hurdle, further administration tasks are secured using a JSON Web Token. That token’s signing key was global for all Firewally devices, and trivially derived from either firmware or the Android APK. And that’s not even all, since there were also command injection issues over the same Bluetooth link. Firewalla has released version 1.979 to address these issues.

Moar Bluetooth

If that wasn’t enough Bluetooth, the Zero Day Initiative has us covered, with coverage of a pair of flaws in the Autel Maxicharger vehicle charging station. The first was a simple buffer overflow in the Bluetooth data handling, leading to possible Remote Code Execution (RCE). The second issue was the presence of “Backup credentials” in the firmware’s WiFi handling.

Bits and Bytes

“Insufficient sanitization” is not a feature you want in your microservices. Spring’s Cloud Dataflow is a tool to plug data flows in to various other applications. Before a recent patch fixed it, Dataflow was doing some basic checks on file uploads, like looking for nulls or empty files. The problem was some very simple path traversal attacks. Name a package name with ../../../poc, and while the service may throw an error, it still creates the files as requested. 2.11.3 has shipped with the fix, so time to update!

And speaking of bypasses, ingress-nginx has a validation bypass, allowing unauthorized access to Kubernetes clusters using that controller. Kubernetes supports annotations as a sort of metadata system, and ingress-nginx was failing to properly validate those annotations, which could then be used for command injection.

And finally, I think I’ve played this video game. Except this time, someone actually tried to hack himself out of existence. The FBI discovered that a criminal had not only used stolen social security numbers to commit fraud, he had gone so far as to register his own death in a Government system, using stolen credentials. It didn’t turn out so well, as he was discovered alive, and sentenced to jail time for the effort.