First up this week is the story of EvilVideo, a clever telegram exploit that disguises an APK as a video file. The earliest record we have of this exploit is on June 6th when it was advertised on a hacking forum.

Researchers at ESET discovered a demo of the exploit, and were able to disclose it to Telegram on June 26th. It was finally patched on July 11. While it was advertised as a “one-click” exploit, that’s being a bit generous, as the ESET demo video shows. But it was a clever exploit. The central trick is that an APK file can be sent in a Telegram chat, and it displays what looks like a video preview. Tap the “video” file to watch it, and Telegram prompts you to play it with an external player. But it turns out the external player in this case is Android itself, which prompts the target to install the APK. Sneaky.

Traffic Control

We briefly covered this story a couple months ago, focusing on how bad of an idea it is to threaten a good faith researcher with legal action. Well the details of this traffic controller hack are available, and it’s about what you’d expect. Part one is all about getting the hardware and finding a trivial security bypass. The “web security” tab in the user interface seems to be an iframe, and navigating directly to that iframe address simply doesn’t trigger a login prompt. That’s the issue that [Andrew Lemon] first disclosed to Q-Free, leading to the legal nastygram.

Well now we have part two of that research, and spoilers: it doesn’t get any better. A couple false starts led [Andrew] to a desperation move. He had a new box to test and no login for it, so he started at the basics with the Burp proxy. And lo and behold, in the request was an odd string. 1.3.6.1.4.1.1206.3.36.1.6.10.1*IDO_0=2&

That is an Object IDentifier (OID) for the Simple Network Management Protocol (SNMP). These things use a version of SNMP known as National Transportation Communications for Intelligent Transportation System Protocol, or NTCIP. And this device not only uses that protocol, it seems to do so without authentication. Among the fields that are readable and writable without auth are the system username and system password. No hashing in sight. Now we can only hope that this is ancient hardware that isn’t in use any longer, or at least no longer connected to the Internet. And we’ll also hope that vendors like Q-Free have learned their lessons since this software was written. Though given their response to the vulnerability disclosure, we’re not holding our breaths.

The Rest of the Crowdstrike Story

You may have noticed a bit of weirdness around the world last Friday. Early in the morning of the 18th, Croudstrike pushed a rapid response content update to their Falcon antivirus platform. Rapid Response data does get tested, but does not get a staged roll out. And in this case, a bug in the testing platform led to the invalid file being pushed out, and because the rollout was not staged, it went everywhere all at once.

This bogus configuration data triggered an out-of-bounds memory read in the Falcon kernel driver, leading to system crashes. The particularly bitter context is that Crowdstrike had done the same thing to Linux machines a few months earlier. It’s beginning to seem that antivirus kernel drivers are a bad idea.

Microsoft has made it clear that this wasn’t a Microsoft incident. And the little known fact is that Microsoft tried to put an end to antivirus kernel drivers years ago, and was blocked by government regulators. And why didn’t Windows offer to boot without the crashing driver? The Crowdstrike kernel driver marks itself as a boot-start driver. The one ray of hope is that it’s possible for the system to stay up just long enough for Crowdstrike to pull an update before the system crash. It only takes something like 15 reboots.

This time it was Microsoft

There was, apparently, another Blue Screen crash this month. The July Patch Tuesday update dropped some computers into the BitLocker recovery screen, which just happens to be that same shade of blue. It’s not yet clear what about this set of fixes triggered the problem, but it seems that getting the recovery key does get these machines running again.

LetsKill OCSP

Let’s Encrypt surprised a few of us by announcing the end of OCSP this week. The Online Certificate Status Protocol is used to query whether a given certificate is still valid. One of the problems with that protocol is that it requests status updates per DNS address, effectively sending a running browsing history over the Internet. There’s a technical issue, in that the attacks that OCSP is designed to defend against also place the attacker in a position to block OCSP requests, and clients will silently ignore OCSP requests that time out.

The replacement is the Certificate Revocation List (CRL), which is a simple list of revoked certificates. The problem is that those lists can be huge. Mozilla and Google have rolled out a clever solution, that uses data compression and aggressive optimization to handle those CRLs like any other browser update. And hence, OCSP is destined to go away.

InSecure Boot

Binarly is sounding the alarm on Secure Boot. The biggest problem is that at least five device manufacturer used demo keys in production. The master key predictably leaked, and as a result about 200 devices have broken secure boot protections. That key is labeled DO NOT TRUST - AMI Test PK? Perfect, ship it!

Bits and Bytes

Docker Engine had a nasty regression, where a flaw fixed in 2019 wasn’t properly forward-ported to later versions. CVE-2024-41110 is a CVSS 10.0 issue, where an API call with Content-Length of 0 is forwarded without any authentication.

An interesting bug was just fixed in curl, where a TLS certificate could trigger the curl ASN.1 parser to fail and return an error. When it did this, the function in question can call free() on a stack buffer, which is particularly bad idea. This is notable as the curl developers refer to it as a “C mistake (likely to have been avoided had we not been using C)”. Time to add some Rust code to curl?

And finally, there’s something you should know about Github. Code is forever. This is all working as intended, but can catch you if you’re not aware. Namely, private or deleted commits that are attached to a public repo are still accessible, if you know or guess the short commit hash. This has some important ramifications for cleaning up data leaks, and developing private forks. Knowing is half the battle!