HNNEpisode195

From Paul's Security Weekly

Hack Naked News #195

Recorded October 30, 2018 at G-Unit Studios in Rhode Island!

A one-liner exploit for X, the danger of searching for Chrome in Bing, exposing your Docker API, you can find sensitive data in the cloud, exploit users by embedded videos in Word documents, dead web apps, hacking BGP routes, a new DHCP vulnerability and hacking your brain!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Join us for our webcast with Signal Sciences, "Which way should you shift testing in the SDLC?", November 8th @ 3-4pm EST. Go to securityweekly.com/signalsciences to register now!

    Security News

    1. Easy-to-exploit privilege escalation bug bites OpenBSD and other big name OSes - Several big-name Linux and BSD operating systems are vulnerable to an exploit that gives untrusted users powerful root privileges. The critical flaw in the X.org server (the open-source implementation of the X11 system that helps manage graphics displays) affects OpenBSD, widely considered to be among the most secure OSes. It also impacts some versions of the Red Hat, Ubuntu, Debian, and CentOS distributions of Linux. It is important to note there are limitations: with the exception of OpenBSD, most other OSes running a vulnerable version of X.org require attackers to have an active console session. That means attackers must be using the physically attached keyboard and mouse, not a remote session. The requirement "is a huge limitation,
    2. Search for Chrome on Bing, and you might get a nasty surprise - Twitter user Gabriel Landau, immediately upon firing up his brand new Windows 10 laptop and trying to download Google Chrome, was directed instead by Bing (the default search engine used by Windows 10's default Microsoft Edge browser) to a bogus website. Landau discovered that Bing was displaying a promoted search result to users who searched for the phrase "download Chrome" that linked to a non-official site (googleonline2018[dot]com). This instance was removed: Microsoft responded to Landau, saying that it has removed the offending Bing ads and banned the associated account. It has also pointed to a webpage where "low quality" ads (such as malvertising) can be reported by users.
    3. Exposed Docker APIs Used By Attackers In Creation Of New Containers That Perform Cryptojacking - This happens, and it's easy to not be "vulnerable": Trend Micro recently detected an attacker scanning specifically for insecure, exposed Docker Engine APIs and using them to deploy containers that download and execute a coin miner. Docker containers are deployed on a platform called the Docker Engine, where they run in the background alongside the other containers deployed to the system. If the Docker Engine is not properly secured, attackers can remotely use the Docker Engine API to deploy containers of their own creation and start them on the exposed system. While this is not a vulnerability related to a bug, misconfiguration often leads to compromise.
    4. 21% of all files in the cloud contain sensitive data - Speaking of misconfiguration: McAfee released its Cloud Adoption and Risk Report, which analyzed billions of events in anonymized customers' production cloud use to assess the current state of cloud deployments and to uncover risks. The report revealed that nearly a quarter of the data in the cloud can be categorized as sensitive, putting an organization at risk if stolen or leaked. The study found that while organizations aggressively use the public cloud to create new digital experiences for their customers, the average enterprise experiences more than 2,200 misconfiguration incidents per month in their infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances.
    5. Researchers exploit Microsoft Word through embedded video - Researchers at online breach and attack platform vendor Cymulate found the vulnerability inside Word’s online video feature, which allows users to embed a reference to a remote video (such as a YouTube video) directly into a document, so that it can be played when opened. Attackers can pull off the exploit by manually altering the reference to a remote video inside a DOCX file so that it points to some malicious code instead of a video.
    6. ThreatList: Dead Web Apps Haunt 70 Percent of Financial Times 500 Firms - Researchers at High-Tech Bridge used the Financial Times 500 list of leading companies and unearthed a number of concerns when it comes to forgotten web applications. "Abandoned, shadow and legacy applications undermine cybersecurity and compliance of the largest global companies, despite growing security spending," according to the aptly named research report. According to the report, 70 percent of FT Global 500 firms have a portion of their websites being sold on the internet black market. An additional 92 percent of external web applications have exploitable security flaws or weaknesses.
    7. No Surprise, China Has Been Hijacking BGP Routes - A Chinese state-owned telecommunications company has been "hijacking the vital internet backbone of western countries," according to an academic paper published this week by researchers from the US Naval War College and Tel Aviv University.
    8. A Nasty DHCPv6 Packet Can Pwn A Vulnerable Linux Box - Interesting: The flaw puts Systemd-powered Linux clients, specifically those using systemd-networkd, at risk of remote exploitation, as maliciously crafted DHCPv6 packets could exploit the vulnerability and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. The vulnerability, which was made public this week, sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built into various flavors of Linux. The DHCP client is activated automatically if IPv6 support is enabled and relevant packets arrive for processing. A rogue DHCPv6 server on a network, or in an ISP, could transmit specially crafted router advertisement messages that wake up these clients and exploit the bug.
    9. Kaspersky Warns Of Hackable Brain Implants - Yes, brain implants are a thing, and not just in Black Mirror. The hardware and software to underpin this exists too: deep brain stimulation (DBS) is a neurosurgical procedure that involves implanting a medical device called a neurostimulator or implantable pulse generator (IPG) in the human body to send electrical impulses, through implanted electrodes, to specific targets in the brain for the treatment of movement and neuropsychiatric disorders. And like so many IoT devices, they are vulnerable: Kaspersky Lab and the University of Oxford Functional Neurosurgery Group warn in a joint report that the brain stimulation devices used to treat disorders like Parkinson's and OCD carry with them security vulnerabilities that would potentially allow an attacker to manipulate the medical implants. Those flaws include things like vulnerabilities in the web apps used to administer the devices and bugs in the tablet and smartphone applications doctors use to set up and record data from the implants, as well as poor practices like using default passwords or unencrypted data transmissions.
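    Item 3 above makes the point that an exposed Docker Engine API is a configuration problem rather than a bug. The following is an added example (not from the show or from Trend Micro) of a small audit over a dockerd `daemon.json`: it flags any TCP listener that lacks TLS client verification or is bound to every interface. The `hosts` and `tls*` keys are the documented dockerd options; the two sample configurations are constructed for this example.

```python
import json

# Constructed sample: a daemon.json that exposes the API on all interfaces
# with no TLS, the condition the cryptojacking attacker was scanning for.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: a remote listener on one address with mutual TLS.
# The certificate paths are placeholders for this example.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

def audit_daemon_config(text):
    """Return a list of findings for the TCP listeners in a daemon.json.

    A tcp:// host without tlsverify (plus the CA, cert and key it needs)
    is an unauthenticated remote API; binding it to all interfaces makes
    it reachable by anyone who can route to the host.  Unix sockets are
    protected by filesystem permissions and are skipped here.
    """
    cfg = json.loads(text)
    mutual_tls = bool(cfg.get("tlsverify")) and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):]
        if not mutual_tls:
            findings.append(f"{host}: TCP API without TLS client verification")
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no findings"])
```

Point the function at the real `/etc/docker/daemon.json` to check a host; listeners configured only on the dockerd command line or in a systemd unit are not covered by this check.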

    Expert Commentary: Jason Wood, Paladin Security

    Twelve malicious Python libraries found and removed from PyPI

    Here is yet another warning to watch out for typos when pulling down remote resources. In this case, I’m referring to Python libraries. Zdnet reports that a software engineer who goes by the nick of Bertus found and reported 12 different packages on the Python Package Index (PyPI) that were malicious. The packages have already been removed from PyPI, so they cannot be downloaded and used accidentally at this time. Props to Bertus for finding and reporting them.

    The malicious packages all seemed to follow the pattern of picking a popular Python package and creating a new package that is named very similarly. For example, Zdnet states that four packages were slight misspellings of the Django project. The creator of the packages would download the original package and then modify it to perform whatever actions they decided on. They then uploaded them into PyPI as a new package and then waited for victims to accidentally load their malicious packages. The packages actually retained the functionality of the original one, so the victim would be unaware that something had gone wrong. The actions performed by the packages varied from each other, but they generally would leak data, gain persistence on the system, or even create a reverse shell back to the attacker.

    This is an interesting play by an attacker and is one that certainly isn’t new. Similar issues have happened before on PyPI and on npm. However, I wonder at how effective it really is. The attacker has to spend a fair bit of time creating the new package and making sure their modifications don’t break the original functionality. Then they upload them to the repository and wait. And wait… Eventually someone typos the library they want to install and the actions get carried out. But who is the victim? What industry do they work in? What might they have that is of interest to the attacker? It’s hard to say what the attacker will really get out of it. They have no control over who gets targeted other than a user of Python. They might get lucky and get rolled out into a large number of servers in a valuable target. Or they could get someone’s dev box. Or are their goals so generic that it doesn’t matter where they get access to? A spammer, for example, might not care who gets infected as long as they do.

    It does serve as a bit of a warning to anyone (almost all of us) who uses coding libraries. Make sure you are evaluating the libraries you use for trustworthiness. Make sure that you are spelling the library name correctly. Do updates to your libraries. We are downloading someone else’s code and running it on our systems in order to save time and increase our ability to solve problems. We are trusting in the ecosystem to protect us as we hope to be protected. If we skip on any of these due diligence steps, we could get bitten.
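    The commentary above recommends checking that library names are spelled correctly before installing. As an added example (not Jason's code and not a PyPI tool), here is a pre-install check that reads a requirements file, applies PyPI's name normalization, and reports any requested package that is not on a reviewed allow-list, noting when the name is a near miss of a known one, which is the typosquatting pattern described above. The allow-list and the sample requirements file are constructed for this example.

```python
import difflib
import re

# Constructed allow-list: the packages this project has reviewed and
# actually depends on (a real list would come from a vetted lockfile).
KNOWN_PACKAGES = {"django", "requests", "numpy", "flask", "cryptography"}

def normalize(name):
    """PyPI name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Bare package name from one requirements.txt line, dropping extras,
    version specifiers and comments. None for blank, comment or -r/-e lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def check_requirements(lines, known=KNOWN_PACKAGES, cutoff=0.8):
    """Return (name, closest_known_or_None) for each package not on the
    allow-list. A close match to a known name is a likely typo of it; an
    unrelated name is simply an unreviewed dependency."""
    findings = []
    for line in lines:
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in known:
            continue
        close = difflib.get_close_matches(norm, known, n=1, cutoff=cutoff)
        findings.append((name, close[0] if close else None))
    return findings

# Constructed sample requirements file: one genuine dependency, two
# near-miss names and one unrelated package that was never reviewed.
SAMPLE_REQUIREMENTS = """
Django==2.1.2          # genuine
diango>=2.0            # one-letter typo of django
requsts                # dropped letter in requests
leftpad-utils          # not on the allow-list, not a near miss
"""

if __name__ == "__main__":
    for name, guess in check_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{name}: {'looks like ' + guess if guess else 'not on allow-list'}")
```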

