stats count
Wednesday, August 10, 2022
Home Technology This Week In Security: Chrome 0-day, Cassandra, And A Cisco PoC

This Week In Security: Chrome 0-day, Cassandra, And A Cisco PoC


Running Chrome or a Bhromium-based browser? Check for version 98.0.4758.102, and update if you’re not running that release or better. Quick tip, use chrome://restart to trigger an immediate restart of Chrome, just like the one that comes after an update. This is super useful especially after installing an update on Linux, using apt, dnfor the like.

CVE-2022-0609 is the big vulnerability just patched, and Google has acknowledged that it’s being exploited in the wild. It’s a use-after-free bug, meaning that the application marks a section of memory as returned to the OS, but then accesses that now-invalid memory address. The time gap between freeing and erroneously re-using the memory allows malicious code to claim that memory as its own, and write something unexpected.

Google has learned their lesson about making too many details public too early, and this CVE and associated bug aren’t easily found in the Chromium project’s source, and there does not seem to be an exploit published in the Chromium code testing suite.

Apache Cassandra

Cassandra LogoCassandra is a popular distributed database built on the NoSQL paradigm. It’s vulnerable to CVE-2021-44521, a potentially nasty RCE ranking in 8.4 CVSS. The saving grace here is it’s a non-default configuration that’s vulnerable, requiring three specific configuration flags to be changed from defaults to be vulnerable. On the other hand, those flags all relate to Cassandra’s User Defined Functions (UDFs), something of a killer feature for the project. Those three flags are: enable_user_defined_functions and enable_scripted_user_defined_functions set to true, and enable_user_defined_functions_threads set to false.

Let’s break that down a bit, and understand what’s going on here. First, enable_user_defined_functions is self-explanatory, in that it enables UDFs. This allows a user to provide a Java function that runs on the server, doing data manipulation. The second flag enables scripted functions, meaning JavaScript in this context. Note that it is known to be unsafe to allow these user defined JavaScript functions, but this is mitigated by running them in a sandbox, which happens automatically. The last flag, enable_user_defined_functions_threads, is set to true by default, and forces those UDFs to run on separate threads. Most importantly, these threads run with a security manager set with no special permissions.

Setting that boolean to false means that each function runs in the main program thread. What is not apparent is that this means that the security manager settings are inherited from the main program, too. One of those settings simply allows the security manager to be disabled. From there, the simplest escape is to call this.enginewhich has functions to execute non-sandboxed code, including a Java .exec() call.

NAS Breaking

A very clever attack went awry at Pwn2Own, and we’re lucky enough to get a write-up about it. It’s the Western Digital My Cloud Pro, and the vulnerability is a command injection resulting from an HTTP response being included in a shell command. The device does an HTTP call every five minutes, checking for internet connectivity. The response is eventually logged used the analyticlog binary, and of course simply includes part of the response in the system call. If you’re not familiar with this class of vulnerability, on Unix systems, the backtick ` character can be used to include an command as part of an argument. It’s extremely useful to include the output of date in a filename, for instance, but a security nightmare in instances like this.

The twist to this story is that the attack failed at Pwn2Own. It was a simple exploit, just a Man-in-the-Middle attack against the HTTP Domain, sending a malicious command back in response. The problem was that the attack did this by returning an attacker-controlled IP address, and they forgot to change this address for the Pwn2Own network layout. The timing just did not quite work out to allow for fixing the IP address and catching a connectivity check in the allotted time.

Proper PoC for Cisco

Last week we talked about the vulnerability in several of Cisco’s small business VPN gateways, and now a PoC has been published. It’s a simple pair of buffer overflows on incoming HTTP packets. The first happens when combining the HTTP headers and body into a 16k buffer. Because both the headers and body can be up to a max of 16k, and no further size checks are done, this can neatly overflow the packet buffer, but does not cause a crash or exploit, as a second 16k buffer comes directly after it in memory. What does happen, is this is later copied into yet another 16k buffer, but this one does not have accidental overflow protection. It’s a naive memcpy() of null-terminated data, so the whole double-buffer worth of data is copied, smashing the stack and leading to exploitable corruption.

Bits and Bytes

Sanity wins in the Missouri “hacking” incident. We brought you the story of the researcher / journalist that found Social Security numbers embedded in a state website. After responsibly disclosing the find, the governor went off-script, and threatened the researcher with legal action. This week the state prosecutor assigned to the case released a statement, a portion of which is embedded here.

Upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means. As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case.

(Ed Note: That’s almost an apology, right?)

Google has turned up the incentives for certain exploitable 0-day bugs turned in to their Vulnerability Reward Program, particularly those involving the Linux Kernel, Kubernetes, and a couple of other projects. The maximum payout for an exploit is now a whopping $ 91,337, and the rules for what is eligible for reward have been relaxed. If this is at all in your wheelhouse, now is the time to go bug hunting.

And finally, the researcher behind kazet.cc has published a slew of WordPress plugin problems, found through his custom fuzzing framework. It does not look like the code has been published, but it’s a detailed write-up of how he found well over 100 CVEs this way. It’s great inspiration for finding new ways to look for bugs.



Source link

RELATED ARTICLES

Game #109: San Diego Padres at Los Angeles Dodgers

San Diego Padres vs. Los Angeles Dodgers, August 5, 2022, 7:10 pm PT Location: Dodger Stadium, Los Angeles, CA TV: Bally Sports...

Observations from day 8 of 49ers training camp; Trey Lance gets it going

Here is what stood out from the 49ers eighth practice during training camp in Santa Clara. Trey Lance Lance had one of his better days...

Can the OnePlus 10T 5G be the flagship Android phone of 2022?

Within less than a few hours, the OnePlus 10T 5G will be officially released on the global market. The launch event...

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Game #109: San Diego Padres at Los Angeles Dodgers

San Diego Padres vs. Los Angeles Dodgers, August 5, 2022, 7:10 pm PT Location: Dodger Stadium, Los Angeles, CA TV: Bally Sports...

Observations from day 8 of 49ers training camp; Trey Lance gets it going

Here is what stood out from the 49ers eighth practice during training camp in Santa Clara. Trey Lance Lance had one of his better days...

Can the OnePlus 10T 5G be the flagship Android phone of 2022?

Within less than a few hours, the OnePlus 10T 5G will be officially released on the global market. The launch event...

Trent Alexander-Arnold: ‘We have to deliver trophies every season – minimum one!’ – Liverpool FC

Trent Alexander-Arnold admits it will be a "massive failure" if Liverpool do not win at least one trophy this season. Jurgen Klopp's side narrowly...

Recent Comments