This Week in Security: Drama at the C-Level, Escape Injection, and Audits

There was something of a mystery this week, with the root DNS server falling out of sync with it’s 12 siblings. That’s odd in itself, as these are the 13 servers that keep DNS working for the whole Internet. And yes, that’s a bit of a simplification, it’s not a single server for any of the 13 entities — the C “server” is actually 12 different machines. The intent is for all those hundreds of servers around the world to serve the same DNS information, but over several days this week, the “C” servers just stopped pulling updates.

The most amusing/worrying part of this story is how long it took for the problem to be discovered and addressed. One researcher cracked a ha-ha-only-serious sort of joke, that he had reported the problem to Cogent, the owners of the “C” servers, but they didn’t “seem to understand that they manage a root server”. The problem first started on Saturday, and wasn’t noticed til Tuesday, when the servers were behind by three days. Updates started trickling late Tuesday or early Wednesday, and by the end of Wednesday, the servers were back in sync.

Cogent gave a statement that an “unrelated routing policy change” both affected the zone updates, and the system that should have alerted them to the problem. It seems there might room for an independent organization, monitoring some of this critical Internet Infrastructure.

ANSI Injection One

On to vulnerabilities, there were a pair of interesting ANSI escape sequence injection flaws discovered this week. ANSI escape codes are strings sent to the terminal that don’t get directly written to the screen, but instead instruct the terminal how to write to the screen.

Just for example, to get green text on the terminal, you can run:

printf 'Hello 33[32mTHIS IS GREEN33[0m07'

The first vulnerability was in WinRAR, in the handling of the comments field of a RAR file. You may already see where this is going, but the problem is that ANSI escape sequences were blindly passed through as part of a comment, when doing something like listing the contents of a directory. This would be particularly useful to overwrite the file name to be extracted, to hide an executable or even path traversal attack. It’s worth noting that the rar and unrar had and have patched similar problems.

ANSI Injection Two

The second ANSI injection is a bit trickier. On the Mac, terminals like iterm2 can register as the default handler for URIs, like x-man-page://. The issue here is that some of those URIs aren’t necessarily safe, like the man link above, which supports the -P pager option. That flag specifies which paging utility to use to show multiple pages of text, like less, more, etc. Opening that from a browser will at least show a warning before launch. ANSI codes lets an attack be quite sneaky, hiding the full text inside an in-terminal clickable link. The terminal won’t warn the user about what they’re about to do, so instant execution on click. Clever.

QNAPping At The Wheel

QNAP has had its share of problems over the years. The fine folks at Watchtowr decided to pitch in and try to find a few more, and then do a responsible disclosure to try to fix them the right way. And they didn’t disappoint. The unofficial audit found fifteen issues, but this write-up focuses on CVE-2024-27130, an unauthenticated overflow leading to Remote Code Execution (RCE).

Given the history of vulnerabilities, this shouldn’t be a big surprise, but the source of QNAP OS is a mess. The underpinnings are a Linux system, but the web interface on top of that is a tangle of a custom web server written in C, CGI scripts also written in C, strange leftover code bits in languages like PHP, and at least one code snippet that looks suspiciously like a backdoor.

And that’s all before we get to the real vulnerability. The cgi-bin/filemanager/share.cgi endpoint segfaults when providing a valid “ssid” and then an overlong file name. Inside the vulnerable code, it’s a simple strcpy() call, that copies an arbitrary, user-provided string into a fixed-length buffer. Write past the end of it, and you overwrite local variables, and then the return address, too. And because of how returns work, you also get to set some registers, like r0, the traditional first argument register. So… what if you just set the return address to the system() function, and put a pointer to shellcode in r0? It’s pretty much that easy, except a real exploit would also need to overcome Address Space Layout Randomization (ASLR). Watchtowr researchers opted to leave that step out, to hopefully give QNAP users a few extra days before attacks happen in the wild.

Boost Got Audited, Too

And in a win for the Open Source way, the Boost C++ library came through an audit with mostly flying colors. The most severe finding was a CRLF injection in HTTP Headers, that’s only ranked medium severity. There are four low severity flaws, and two that only rank as informational. For the breadth of code that Boost covers, that seems pretty impressive. The entire report is available.

Where’d that come from?

The Justice AV Solution Viewer is an interesting new target for malware. It was discovered that the official website was hosting a backdoored installer for this software. The installer was signed by another valid signing key, and included an fffmpeg.exe binary that gets up to no good on install.

The malware then proceeds to steal authentication cookies and passwords. As this software is primarily used in courtrooms, it’s unclear what the exact motivation is. One possibility is that the viewer software is used by lawyers outside the courtroom, and a law office could be a very interesting target. For any computers infected, the recommendation is to re-image, and then also do a mass password rotation, to invalidate any stolen credentials.

Phishing Fire Drills

[Matt Linton], a “chaos Specialist” at Google has some thoughts about Phishing, specifically the style of phishing tests that get routinely aimed at users at larger companies. The TL;DR here is that phishing tests are a bad idea, and we should collectively stop it. A powerful argument he makes is that the Federally mandated phishing tests require existing anti-phishing protections to be disabled. A real attack is guaranteed not to look like the tests. And the data bears this out. Phishing tests are measurably counterproductive.

His suggestion is to stop doing phishing tests, and start doing phishing drills. Just an email to remind users that phishing is a thing, with links to more information, and instructions on what to do when the real thing comes along. And just for fun, take a look at Google’s slick phishing quiz, and see how you score. Let us know in the comments!

Bits and Bytes

It’s time again to update your GitLab installs. There’s a handful of medium severity bugs, as well as one high severity fixed with this round of updates. That last one is a weakness in the GitLab VS code editor, that can enable Cross-Site Scripting attacks. It’s unclear if that results in information exfiltration, or full account compromise, or perhaps the information loss can lead to compromise. Regardless, it’s worth pulling out your console and running the update.

Lastpass has finally fixed one of its longstanding weak-points, now encrypting URLs in your secure vault. When the service first launched, URLs were deemed to computationally expensive to encrypt. In the handful of security breaches at LastPass since then, it’s become very clear that unencrypted URLs was a terrible choice, as it gave that much more information away about users. Good for LastPass for continuing to work to right the ship.

And finally, you should go check out the FLOSS Weekly interview from earlier this week! We interviewed François Proulx, and talked about Poutine, a project from Boost Security, that scans code bases for vulnerable CI pipelines. If you work with GitHub actions or GitLab pipelines, it’s worth checking out!

This post was originally published on this site