Musings tagged as security

There is a new exploit out in the wild that can pretty much crash most windows computers within seconds.

Actually, this bug has been around at least since July 2017 and consists of a malformed NTFS image which, when placed on a USB thumb drive and inserting it into a Windows computer will crash it within seconds. One of the reasons this automatic BSOD generation works is due to the auto-play functionality. But even if it is disabled, manually opening the file, or having it opened by anti virus software snake oil will achieve the same effect.

Marius Tivadar, a researcher that has discovered this flaw in 2017, told Microsoft about it. Microsoft declined to classify the issue as a security bug and also downgraded the bug’s severity because

exploiting it requires either physical access or social engineering (tricking the user)

Now, when did “tricking the user” ever work? And of course Microsoft apparently has never heard of malware which can just download additional features such as this to your pc for your bluescreening pleasures.

A proof of concept code is available on github so everyone can have fun with this now. Also Marius published two videos of the exploit in action, showing that it can also crash locked pcs.

Authorities in Innsbruck, Austria have shut down the Patscherkofelbahn ski lift after two security researchers managed to gain access to the controls for operating the lift.

Settings for controlling the ski lift’s speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.

Of course the big question is: How did the researchers get access? After all, a transportation “vehicle” carrying thousands of passengers a day is reasonably secured against tampering from the outside, right?

The two were surprised because there wasn’t any login screen to prevent Internet user from accessing and interacting with the HMI [Human Machine Interface] panel.

Oh, ok.

Researchers have used the officially available Alexa SDK from Amazon in order to hack the Amazon Echo and turn it into an eavesdropping device.

They created a calculator app and simply set a parameter called shouldEndSession to false, leading to the app expecting a second question from the user right after the reply to the first. The fun thing is that this does not require another command phrase like “Alexa, open calculator”. Effectively Alexa remained open and listening, converting the speech into words that were stored as text and visible to the app developers via the app’s logs.

Every day I am puzzled by the stupidity of people paying Amazon in order to place a bug in their appartments.

There is a new security vulnerability, affecting pretty much all Windows versions (CVE-2018-09886), which combines all things that make up for a great failure story. Using outdated open source software, not updating it despite the open source community basically handing you updates on a silver platter, fucking up the code yourself, and then mixing this with anti virus. What could possibly go wrong?

Microsoft has forked a very old version of the open source tool unrar, which is - as the name suggests - used to unpack rar files. They then incorporated the unrar code into their own anti virus solution Windows Defender. However, before doing so they changed parts of the code, in particular they modified signed integers into unsigned integers and removed some checks against values having negative values, even if those values were still unsigned integers.

What this means is that you can tell the software to start writing at address + offset, and if you set offset to -2 you end up in the memory space before your allocated buffer memory. With this you can not only make the av engine crash, but you can also execute arbitrary code. This code then gets executed with the rights of the av engine which runs as LocalSystem and can basically do pretty much everything that is of interest.

All you need is a compromised raw file that sets a negative offset and the victim only has to download it. No manual execution is required afterwards as the av engine will automatically scan the rar file, get its memory corrupted, and things proceed from there. If you do not use av, you are safe. Even if you open the rar manually with winrar, or anything that uses the official open source unrar code, you are safe because that bug is not present there and the code stops if offset < 0. This only works with the av engine enabled.

It also looks like this bug might have been around since 2012 and Sophos av was affected back then as well. Fun times with anti virus software, the modern version of snake oil. And some people even pay for this shit.

Privilege Level 15

Fri, Mar 30, 2018

Cisco, the company who always has one more backdoor hidden in their products, just brought you a new one. Oh, but wait, “This is no backdoor” they say. It is an undocumented user account with privilege level 15 that has a default username and password ^^

AMD Confirms CPU Bugs

Sat, Mar 24, 2018

AMD has confirmed the existence of recently disclosed bugs MasterKey, Fallout, RyzenFall, and Chimera. They promise to deliver patches soon, however in order to exploit these bugs you already need administrative access beforehand. Compared to Meltdown and Spectre this is not as bad. They are still security flaws though.

The encrypted messaging service Telegram has been compromised by the Russian legal system. Telegram has lost a court ruling and is now forced to hand over encryption keys. The FSB argued in court that this does not constitute a violation of privacy because they keys themselves are not considered private information and they are only allowed to actually use those keys for snooping purposes if they have a court order.

Yeah… right…

Another reason to use Signal instead. It’s open source and can not be taken to court that way.

Telegram wants to appeal the decision but Russia’s legal system being what it is, I guess that case is already decided.