This week in safety: the Log4j which will not disappear, WebOS, etc.


Over the past two weeks, Log4j has continued to generate security insights, with the discovery of more vulnerable platforms and the release of additional CVEs. The first is the work done by TrendMicro, looking at EVs and chargers. They discovered a log4j attack in one of the published charger frameworks and also managed to observe evidence of vulnerability in the Tesla in-car infotainment system. It is no exaggeration to imagine malware that could work on both a charger and an EV. And since these systems communicate with each other, they could spread the virus in cars going from charger to charger.

Log4j is now at 2.17.1, as there is yet another RCE to fix, CVE-2021-44832. This one only gets a score of 6.6 on the CVSS scale, unlike the original, which weighed in at 10. 44832 forces the attacker to exercise control over the Log4j setup first, making much more difficult operation. This chain of tracking vulnerabilities demonstrates a well-known pattern, where a high-level vulnerability attracts the attention of researchers, who find other problems in the same code.

There are now reports that Log4j is being used in Conti ransomware campaigns. In addition, a company based in Marai a worm has been observed. This self-propagating attack appears to target Tomcat servers, among others.

WebOS drops in an instant

[David Buchanan] acknowledges that while this is an interesting feat, it doesn’t have much use at this point. That could change, but let’s look at the flaw for now. Snapshots are a great feature of the V8 JavaScript engine. When you access a web page, the JavaScript context for that page must be generated in memory, including loading any libraries called by the page. It doesn’t take too long on a desktop computer, but on an on-board device or mobile phone loading a local interface, this initialization step can be a large percentage of the time it takes to draw the requested page. Snapshots are a great hack, where the context is initialized and then saved. When the interface is opened later, the V8 engine can be called with this file and the context is pre-initialized, which makes launching the application or interface noticeably faster. The only problem is that V8 expects snapshots to load only from a trusted source.

Let’s move on to the WebOS platform itself. Individual apps are sandboxed, but web apps run their code in the context of WebAppMgr (WAM), their Chromium / V8-based browser. While individual applications are sandboxed, WAM is not. The kicker is that a web application can specify its own snapshot to load in V8. Loading a corrupted snapshot gave [David] JS-like confusion, and an arbitrary read / write primitive as a result. From there, exiting JS execution and switching to the actual shellcode was pretty easy. This RCE runs as a “wam” user, but it is a slightly privileged account. In particular, wam has access to /dev/mem – direct access to system memory. Climbing to the root is almost trivial.

[David] released the full PoC, noting that LG is noticeably underpaying bug bounties. I don’t agree with his claim that this attack relies entirely on the side-loading of a malicious app, for the simple reason that LG is running its content store for that platform. A malicious developer may be able to bypass all of the malware detection routines LG uses to control apps. Malicious apps on the App Store are certainly nothing new, after all. The worst part of this feat is that it is difficult to pinpoint the vulnerability.

Team four bugs into teams

[FABIAN BRÄUNLEIN] found interesting unexpected behavior in Microsoft Teams‘ link preview feature. The first problem is a spoofed server side request. The link preview is generated on the Teams server side and by definition requires the page to be opened to generate the preview. The problem is the lack of filtering – binding to generates a preview of what is on the local host of the Teams server.

The next step is a simple link spoofing technique. This uses a tool like Burp to modify the data sent by the Teams client. Part of the message that is sent when embedding a link is the URL to call for preview generation. No further validation is done, so it is possible to generate a preview from a benign URL, while the actual link points to an arbitrary page. The third issue is related, as the link to the thumbnail itself is also in this post and may be forged. The interesting use case here is that an attacker could set this to a URL they control and extract information from a target, namely the public IP address. Now this is blocked by the target client on most platforms but on Android the checks were missing.

And finally, also an Android only issue, an attacker can send a “Death Message”, basically a malformed message that crashes the application just by trying to render the preview. This crashes the app every time the user tries to access the chat, thus completely locking the user out of the app. Now, those aren’t heartbreaking issues, but Microsoft’s collective shrug in response is… disappointing. They stealthily fixed the IP address leak, but it’s apparently still possible to spoof link previews, as well as crash the Android app.

PBX back doors

Researchers at RedTeam Pentesting examined a PBX designed by Auerswald, a German manufacturer of telecommunications equipment. What caught their attention was an advertised service, where Auerswald could perform an administrator password reset for a customer locked out of their equipment. It’s a manual backdoor, and an investigation that is certainly warranted.

If only it was that kind of backdoor:

Their approach, rather than directly attacking the hardware, was to grab the latest software package from the Auerswald website and analyze it. Using the file, gunzip, and dumpimage utilities gave them the root filesystem they needed. While working on the web of configuration files, they settled on the web server binary which probably contained the password reset backdoor. Just a note, it’s very common for on-board devices to include all of their user interface and configuration logic in a single httpd binary.

Given a binary, they turned to what quickly became the preferred tool of security researchers around the world, Ghidra. They had another clue, the user “sub administrator”, so they searched for this channel using Ghidra. Pay the dirt. While exploring the functions, the hard-coded username “Schandelah” was there. A little more sleuth came up with the password feature. For each of these PBXs, the backdoor password consists of the first 7 characters of the MD5 hash of the unit’s serial number + “r2d2” + today’s date.

Just for fun, the researchers used Ghidra to research other uses for the backdoor password feature. It turns out that if the admin user is specified and the password does not match the password configured by the user, it is compared to this algorithm. If it matches? You are logged in as an administrator on the hardware. This is obviously more useful than resetting the administrator password, as it allows access without any obvious system changes. The whole article is a great tutorial on using Ghidra for this type of research.

Auerswald very quickly pushed the firmware changes to correct the identified issues. A backdoor like this, which is publicly disclosed, is not at all a legal and ethical landmine like some of the others we have discussed here. There is still an issue with the implementation – a password reset should also reset the device to factory settings and delete user data. Anything less invites major data disclosure.

SAM spoofing

This Windows Active Directory elevation of privilege vulnerability is fascinating in its simplicity. It is a combination of CVE-2021-42287 and CVE-2021-42278. Windows Active Directory has two separate types of accounts, user and machine accounts. Machine accounts are used to bring specific hardware into the domain and usually end with a dollar sign (MyMachine1 $). By default, a user can create machine accounts, as well as rename these accounts. The first problem is that a user can create and then rename a computer account just like a domain controller, without the last dollar sign. For example, I could create MyMachine1$, then rename it to DomainController1. DomainController1$ would still exist and the domain would treat them as separate machine accounts.

Modern Windows domains use Kerberos under the hood, and Kerberos uses the ticket paradigm. An account can request a Ticket Granting Ticket (TGT) which acts as a temporary authentication token. Think of it as a password replacement, which can be automatically sent with requests. The attack is to request a TGT for the renamed machine account and then rename that account once more, back to MyMachine1. The key is that the attacker always has a valid ticket for the DomainController1 account, even if an account no longer exists with that exact name. Then, the attacker requests a session key from the Key Distribution Center (KDC) using this TGT. The KDC notes that the requesting account does not exist and helpfully adds the dollar sign and re-checks. He sees the valid TGT for DomainController1, and returns a session key authorizing the attacker as DomainController1$, which happens to be a domain administrator account.

The pains of aging from Chromium

They say we didn’t get Windows 9 because too many old apps were written with regular expressions that would prevent execution, complaining that the app wouldn’t work on Windows 95 or 98. Chrome is trying to ‘Avoid a similar problem, because Google developers see version 100 on the horizon. This sort of thing has bit the web browser before, especially when Opera released version 10, further breaking the user-agent chain in the process. Firefox is having fun too, and the developers of both browsers have one request from you: browse the web with a spoofed user agent string and let them know what happens after version 100. That would be a good possibility to test your own sites, too. Let us know if you see any particularly weird results.


Comments are closed.