This Week in Security: Fail2RCE, TPM Sniffing, Fishy Leaks, and Decompiling
Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker to take over a machine by being blocked by Fail2ban. The problem is in the mail-whois
action, where an email is sent to the administrator containing the whois information. Whois information is potentially attacker controlled data, and Fail2ban doesn’t properly sterilize the input before piping it into the mail
binary. Mailutils has a feature that uses the tilde key as an escape sequence, allowing commands to be run while composing a message. Fail2ban doesn’t sanitize those tilde commands, so malicious whois
data can trivially run commands on the system. Whois
is one of the old-school unix protocols that runs in the clear, so a MItM attack makes this particularly easy. If you use Fail2ban, make sure to update to 0.10.7 or 0.11.3, or purge any use of mail-whois
from your active configs.
Breaking Encryption by Sniffing the TPM
“All bets are off once you have physical access.” This seems to be a mantra proven true once again, even when modern techniques are at play to try to defeat it. This story starts when the red team at Dolos Group were sent a “stolen” laptop from their client. The challenge was to see whether an attacker with access to a company laptop could use it to break in to the protected corporate network. The laptop was locked down well, with full disk encryption via a Trusted Platform Module (TPM) and Bitlocker being the cherry on top.
That makes it impossible to make any progress, right? Not quite. The laptop wasn’t configured to require a password or PIN to boot. In this configuration, the TPM automatically sends the encryption key to the boot loader during boot. This key is sent over an SPI interface in plaintext. All that is needed is to probe the SPI bus during boot. While the TPM is physically small enough to make this quite difficult, the SPI interface is a bus, meaning that it connects to multiple chips on the board. One of which is a CMOS chip, with much larger pins. The capture was successful, and they soon had access to the filesystem on the encrypted drive. There wasn’t much of interest on this particular machine, aside from a VPN client.
To gain access to this client, the attackers opted to use a very old trick to bypass the Windows login — the sticky keys backdoor. If you’re not familiar with this clever hack, take notes. When you have access to a machine’s drive, but not a user account on the machine, you can copy cmd.exe
over one of a handful of system binaries in order to bypass login. The virtual keyboard binary is a popular choice, but in this case Utilman.exe
(sticky keys) was chosen. They booted the modified image as a virtual machine, and at the login screen, used the Windows + U key combo to launch their command shell. Since the machine itself was already connected via VPN, and logged in to the domain via a machine account, they had a toehold to play in the internal network. Uploading a file to the scanner directory on one of the servers was enough to score a win for the penetration test.
Fishy Clubhouse Dataset
Clubhouse, the trendy audio social network is the center of a new data scraping story. On one of the darknet forums, a user is offering to sell a database of 3.8 billion phone numbers, allegedly taken from Clubhouse servers. It’s odd, because all that the database consists of is the phone numbers. Clubhouse has announced that it is not a valid leak, and that they believe the numbers to have been randomly generated. The sheer amount of numbers, with basically no additional information, is enough to make the database useless even if it is real. There seems to be very little to worry about here.
Guessing Names at Linkedin
A scraping technique that isn’t all hype is the revealin
tool, from [mxrch]. The tool takes the profile of a user with a hidden last name, and reveals the complete name one letter at a time. It’s a nifty tool, but you can do this yourself, by hand, on the Linkedin homepage. The problem is the Linkedin search function, which sends each keystroke to the server, to update the list of possible matches. The matching algorithm has access to the full last names, so you can figure out the name one character at a time. Take [Thomas H.] for instance. Type that much in, and the link to his profile shows up in the list. Add an “a” to it, and it disappears. Keep trying till you guess an “e”, and the profile is still there. Now you know the second letter is an “e”. Revealin
does the exact same process, just much faster. I did test it out, and found that it worked until I started hitting Linkedin’s rate-limiting. Rinse and repeat on a thousand cloud instances? All told, it’s a clever little tool.
16 year old Bug
You probably have a vulnerable driver installed on your Windows machine. HP, Xerox, and Samsung printer drivers all install the SSPORT driver, and that contains CVE-2021-3438, a 16 year old vulnerability. Look for C:\windows\system32\drivers\ssport.sys
. It contains a trivial buffer overflow that can be used for local privilege execution. The updated driver is available, or you can uninstall the driver if you no longer use a printer that relies on it.
Dependency Security
Supply chain attacks have been a big issue for a long time. The danger of an upstream package or library being compromised has played out a few times in recent history, like event-stream
and the Dependency Confusion attacks. Gitlab and Github have both announced projects to try to improve the situation. Gitlab’s Package Hunter is a behavior profiling tool that assembles your code and dependencies in a sandbox, and puts it though its paces looking for odd behavior. The downside is that it’s currently limited to NodeJS and Ruby projects. Even at that, it should be a useful addition to a CI pipeline to find problems right away.
Github already has a handful supply chain security features, like the security advisory database entry we linked to in the Fail2ban story at the beginning of the article. The news is that they are bringing those features to Go. That includes the advisories, the dependency graph, automated alerts on announced vulnerabilities, and even automated pull requests to update the vulnerable dependency. It’s a useful set of tools, and great to see them available to yet another language.
Reverse Engineering for Dummies Beginners
You have a binary, and you need to know what it’s doing under the hood. Easy, just decompile it! Now that we have tools like Ghidra, it’s fairly easy to make that jmp into assembly. But if you’ve never done any assembly programming, the list of push
, mov
, and pop
commands aren’t much more helpful than the raw machine code. Well, add this quick guide from [Sami ALAOUI KENDIL] to your reading list. He covers the basic assembly commands and patterns you should know to follow the flow of execution. Just like it says on the tin, it’s an excellent guide to reading decompiled code.
Post a Comment