Header Ads

This Week in Security: Text Rendering on Windows, GNU Poke, and Bitsquatting

Project Zero just unrestricted the details on CVE-2021-24093, a potentially nasty vulnerability in Windows 10’s DirectWrite, a text rendering library. The flaw got fixed in this month’s patch Tuesday roundup. The flaw is accessible in all the major browsers on Windows 10, as they use DirectWrite for font rendering. The trick here is to use a malicious font that uses some nonsense values. Those values result in a buffer allocation that is too small for complex characters such as Æ.

Because the vulnerability is a Windows library, it’s possible that an exploit would automatically work as a sandbox escape, but I haven’t seen confirmation either way. Let us know if you have some insight there.

Via Bleeping Computer

GNU Poke

The good folks at GNU have minted the 1.0 release of poke, a new binary editing tool. The real killer feature of poke is that it can interpret binary data, decoding it back into readable data structures. If you’re familiar with the way Wireshark can decode packets and give useful, organized output, it seems that poke will provide a similar function, but not limited to network traffic.

It looks like it could become a useful tool for getting a look inside otherwise opaque binaries. What poke brings is a system where you can write pretty-printing templates on the fly, which should be very useful when mapping out an unfamiliar binary. Distros will likely pick up and start packaging poke in the coming weeks, making it even easier to get and play with.

Legitimate Malware Makers?

The chickens may be coming home to roost for The NSO Group. So quick review, NSO makes complex spyware. NSO produced malware targeting Whatsapp users around the world. NSO makes the case that they simply make the tools and sell them legally to governments, and can’t be held liable for what those governments do with those tools. Well, the US Department of Justice isn’t convinced, and has slowly been working on a case against NSO.

The case has the potential to be an important one, as it will set precedent for whether a malware maker is liable for how that malware is used. Some very big names, like Google and Microsoft, have thrown their weight behind the potential prosecution. Their stance is that immunity granted to a spyware maker will result in poorer security for everyone. I do wonder what such a ruling would mean for a security researcher releasing a proof-of-concept for a vulnerability. If a malware campaign went on to adapt and use research code, is that a liability?

Cisco Vulnerabilities

Cisco just recently released a set of patches and vulnerabilities, and a handful of them are really serious. First up is CVE-2021-1393, a bug in the Cisco Application Services Engine. The vulnerability is described as “insufficient access control” on a specific service. An unauthenticated attacker can connect to the service over TCP and make system changes. The description is quite vague, but this could be something like a debug port that was accidentally enabled in production. A very jaded and cynical guess would be that they simply left a telnet port wide open.

Next up is CVE-2021-1388, a similar bug in Cisco’s ACI Multi-Site Orchestrator. In this case, it’s an API that can be fooled into providing a administrator token. Once in possession of this token, one can access the entire API as an administrator, all without having a login at all.

And finally, CVE-2021-1361 is a file system management service that was unintentionally exposed to the outside network on port 9075. A vulnerability in that service means that an attacker can make arbitrary file creation, deletion, or modification.

Exchange 0-days

Microsoft Exchange just got patched for a set of vulnerabilities that were discovered because of active exploitation. Microsoft has attributed attacks to Hafnium, a group believed to be in the employ of the Chinese government.

Volexity seems to have been the firm that first discovered the attack. They have network monitoring services in place for various customers, and that service detected mass data exfiltration on two seperate customer networks. After tracking down the odd traffic, they discovered compromised Exchange servers, and were able to identify the 0-day that was used to compromise the machines.

Xerox

If you happen to discover a vulnerability in something made by Xerox, the appropriate response is apparently to release it anonymously online, as Xerox will send you a cease-and-desist order for anything else. [Raphaël Rigo] was scheduled to give a talk February 18th on a set of Xerox printer vulnerabilities, as part of the Infiltrate security conference. The day the talk was scheduled, Infiltrate announced that it had been canceled due to a legal threat from Xerox. The vulnerabilities were disclosed to Xerox back in 2020, so it’s not as if they didn’t have sufficient time to fix the problems.

Bitsquatting

Cosmic rays get blamed for the occasional computer problem. The theory is that a cosmic ray can hit a memory location and actually cause individual bits to flip. I don’t know whether cosmic rays are always to blame, but I do know that RAM problems are fairly common, and can cause hard-to-troubleshoot problems. We’ve talked about Rowhammer and associated attacks, where manipulating certain ram bits can cause changes in physically nearby bits. One of the security talks about unintentional bit flips suggested that the world’s computers see something like 600,000 mis-flips every day.

Now, bitsquatting is essentially a form of typosquatting. Typosquatting is picking a name a human is likely to accidentally mis-type, like “goggle.com”. Bitsquatting is selecting names likely to be reached through a bit flip. I was introduced to this idea through the work of [remy], who decided to finally test the theory of bitsquatting using the windows.com domain. I’ll use his research to demonstrate how this works. The string “windows” translates into binary as 01110111 01101001 01101110 01100100 01101111 01110111 01110011. A single bit flip can change that second character from 01101001, an “i”, to 01101000, an “h”. Suddenly your computer is looking for “whndows.com” for updates, or to get the current time, etc.

How often do connections intended for the windows domain end up at a bitsquatted domain instead? [remy] calculated that there are 32 such valid domains, and was able to purchase 14 of them — just under half. He set up wildcard DNS so that “*.whndows.com” would also resolve to the IP address where he was listening for traffic. On his 14 domains, in a two week period, he received 199,180 NTP requests. Those came from 626 discrete addresses.

There was one event that was of particular interest. A computer on a Chinese IP address made an HTTP request to time.wiodows.com, which may have been a typo made by a human, as this wasn’t actually an NTP request. The odd thing is that soon after this request came in, a second request arrived from the Baidu search spider, to the same bogus domain. [remy] found it odd, but I believe I know exactly what this is. The “Great Firewall of China” is known to detect HTTP connections to unknown domains, and follow with a connection of its own, scraping the new site’s content. This unexpected connection was almost certainly the GFW’s probing.

An earlier experiment ran for much longer, on a different set of bitsquatting domains. In this case, [Artem Dinaburg] observed the domains for just over seven months, and averaged 59 different IP addresses per day, trying to connect to the bogus domains. He points out that some of these connections are likely typos rather than bit flips. One other observation is that he found mobile devices to be overrepresented in connections to his bitsquatted domains. I can think of two possible explanations for this. First, it’s possible that mobile devices are more susceptible to bit flips, possibly because they are used outside so often. Alternatively, I suspect that mobile on-screen keyboards are just easier to typo on. In any case, bitsquatting is a very clever technique that really does have real-world impact.


No comments