This Week in Security: Geopolitical Hacktivism, Antivirus Mining, and Linux Malware
The hacktivists have launched a sort of ransomware campaign against the Belarusian railway system, but instead of cryptocurrency, they want the release of political prisoners and the removal of Russian soldiers. This could be called an example of cyber-terrorism, although there is a reasonable theory that it is a state-sponsored hack disguised as hacktivism. What seems certain is that something has interrupted rail transport, and a group on Twitter has produced convincing evidence of a breach.
Your antivirus now includes a CryptoMiner
Don’t look now, but your latest Norton 360 or Avira update may have installed a cryptocurrency mining module. The silver lining is that some sanity has been retained: you need to opt in to the mining scheme before your machine starts devoting its spare cycles to mining. Users who do are put into a mining pool, which generates small payouts for most hardware. Norton, naturally, takes a 15% fee on top for their trouble.
The State of Linux Malware
There was a saying that Linux machines don’t get malware. That was never quite true, but the continued conquest of the server landscape has had the side effect of making Linux malware an even greater danger. Crowdstrike saw a 35% increase in Linux malware in 2021, with three distinct families topping the list: XorDDoS, Mozi, and Mirai.
And speaking of Linux, a pretty serious Linux vulnerability has just been announced, and a working exploit has already been released. The problem is in pkexec, the Polkit binary, which for this purpose can be thought of as a sudo alternative. The important part is that it is a setuid binary, which elevates its own privileges to root when run by an unprivileged user. “Now wait,” I hear you say, “that sounds like a terrible security issue!” It can be, when things go wrong. But the simple truth is that there are times when a user needs to perform an action that would otherwise require root privileges. A simple example: ping must open a raw network socket to work. These binaries are carefully designed to only allow limited actions, but sometimes a bug breaks out of this “sandbox”.
So what’s the story here? OK, time for Linux programming 101. When a program is launched under Linux, it is passed two parameters, normally named argc and argv. These are, respectively, an integer and an array of character pointers. If you’re not a programmer, think of them as the number of arguments and the list of arguments. This information is used to parse and manage command line options inside the program.
argc is always at least equal to one, and argv will always contain the name of the executed binary. Except that’s not always the case. There is another way to run binaries, using the execve() function. This function allows the programmer to directly specify the list of arguments, including the zeroth argument.
So what if this list is just NULL? If a program has been written to account for this possibility, such as sudo, then everything is fine.
pkexec, however, does not include a check for an empty argv or an argc of 0. It acts as if there is an argument to read, and because of the way program initialization lays out memory, it actually accesses the first environment variable instead and treats it as an argument. It checks the system PATH for a matching binary and rewrites what it thinks is its argument list, but is actually the environment variable. This means that uncontrolled text can be injected as an environment variable into pkexec, the setuid program.
It’s interesting, but not immediately useful, because pkexec clears its environment variables shortly after the injection. So what trick could we use to exploit this? Throw an error message. pkexec will use the gconv shared library to print an error message, and it starts by looking for the gconv-modules config file. This file defines the specific library files to open. The GCONV_PATH environment variable can be used to specify another configuration file, but this environment variable is blocked when running a setuid binary. Ah, but we have a way to inject an environment variable after this happens. This is the exploit. Prepare a payload.so which contains our arbitrary code and a fake gconv-modules file that points to the payload, then use the NULL argv trick to inject the GCONV_PATH environment variable. Who am I? Root.
There are some fascinating twists in this story. First of all, [Ryan Mallon] came painfully close to discovering this vulnerability in 2013. And secondly, in 2007, [Michael Kerrisk] reported the NULL argv quirk as a Linux kernel bug.
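The defensive side of the argc/argv story, as an added example that is not pkexec’s or Polkit’s code: a privileged helper that validates its argument vector before touching argv[0] or argv[1]. The helper name and the constructed sample vectors are assumptions made for the demonstration. The point it shows is that argc, not a scan for a NULL terminator, must bound every access, because on Linux the environment block sits directly after argv[argc] in memory, so an argc of 0 turns argv[1] into envp[0].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hardened argument handling for a setuid-style helper (added example).
 * The C runtime guarantees argv[argc] == NULL. A program that assumes
 * argc >= 1 and reads argv[1] when argc == 0 reads past that terminator,
 * and on Linux the next pointer in memory is the first environment
 * variable. Rejecting an empty argument vector up front closes that path.
 */

/* Constructed sample argument vectors used by main() and the tests. */
static char *sample_normal[] = { "helper", "status", NULL };   /* argc == 2 */
static char *sample_noargs[] = { "helper", NULL };             /* argc == 1 */
static char *sample_empty[]  = { NULL };                       /* argc == 0 */

/* Returns 1 if the argument vector may be used, 0 if it must be rejected.
 * argc < 1 is exactly what execve(path, {NULL} or NULL, envp) produces. */
static int argv_is_sane(int argc, char **argv)
{
    if (argc < 1)
        return 0;
    if (argv == NULL || argv[0] == NULL)
        return 0;
    return 1;
}

/* Returns the first operand after the program name, or NULL when there is
 * none. Every index is checked against argc before argv is dereferenced. */
static const char *first_operand(int argc, char **argv)
{
    if (!argv_is_sane(argc, argv))
        return NULL;
    if (argc < 2)
        return NULL;
    return argv[1];
}

/* Returns the program name, or a fixed fallback when argv[0] is unusable,
 * so error messages never read from beyond the argument vector. */
static const char *program_name(int argc, char **argv)
{
    return argv_is_sane(argc, argv) ? argv[0] : "(unknown)";
}

int main(int argc, char **argv)
{
    if (!argv_is_sane(argc, argv)) {
        fprintf(stderr, "%s: refusing to run with an empty argument vector\n",
                program_name(argc, argv));
        return EXIT_FAILURE;
    }
    const char *op = first_operand(argc, argv);
    printf("%s: operand = %s\n", program_name(argc, argv), op ? op : "(none)");

    /* Walk the constructed samples to show how each case is classified. */
    printf("sample_normal: sane=%d operand=%s\n",
           argv_is_sane(2, sample_normal), first_operand(2, sample_normal));
    printf("sample_noargs: sane=%d operand=%s\n",
           argv_is_sane(1, sample_noargs),
           first_operand(1, sample_noargs) ? "set" : "(none)");
    printf("sample_empty:  sane=%d\n", argv_is_sane(0, sample_empty));
    return EXIT_SUCCESS;
}
```

Note that the check has to run before anything else uses argv: a diagnostic that prints argv[0] on the failure path would reintroduce the very read the check exists to prevent.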
Attack random passwords
The safest password is one that is randomly generated, right? Yeah, but what if that random generator isn’t as random as it looks? Now, we’re not talking about intentional backdoors this time, but seemingly insignificant patterns that sometimes make a big difference. The Enigma machine, after all, was cracked partly because it would never encode a letter as itself. [Hans Lakhan] from TrustedSec looked at a million passwords generated by LastPass and tried to generalize something useful from the data. Most of these passwords have 1 or 2 digits. Note that this is not a weakness of the algorithm, just the expected result of the available characters. Would there be any benefit to brute-forcing passwords with the rule that each guess must contain one or two digits? This would certainly reduce the attack space, but it would also miss passwords that don’t match the pattern. Would the trade be worth it?
The answer is unclear. In some circumstances, there is a slight advantage to be gained from using the suggested rule. But this advantage disappears as the brute-force process continues. Either way, it’s a fascinating attempt to apply statistics to password cracking.
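As an added illustration that is not part of the original column, here is why the rule cannot pay off against a perfectly uniform generator, and why any gain has to come from the generator deviating from uniform. Assume a password of length $n$ drawn uniformly from an alphabet of $A$ characters, $D$ of which are digits (the symbols and the numbers below are assumptions for the illustration, not LastPass’s settings). The probability that a password contains exactly $k$ digits is binomial:

$$p = \frac{D}{A}, \qquad P(k) = \binom{n}{k}\, p^{k} (1-p)^{n-k}.$$

The share of the full keyspace $A^n$ occupied by passwords with exactly $k$ digits is

$$\frac{\binom{n}{k}\, D^{k} (A-D)^{n-k}}{A^{n}} = \binom{n}{k}\, p^{k} (1-p)^{n-k} = P(k),$$

so restricting guesses to $k \in \{1, 2\}$ shrinks the search space by exactly the factor $P(1) + P(2)$ and shrinks the set of recoverable passwords by that same factor. The expected number of guesses per cracked password is therefore unchanged; the rule only trades completeness for nothing. For $n = 12$, $A = 72$ and $D = 10$, $P(1) + P(2) \approx 0.32 + 0.29 \approx 0.61$, which is why “most passwords have one or two digits” is the expected outcome and not a flaw. A real advantage shows up only if the measured frequencies differ from these $P(k)$, which is what the million-password sample is being tested for.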
WordPress and backdoor themes
One of the largest WordPress theme and plugin producers, AccessPress, suffered a breach on their website that took an ugly turn. The issue was discovered by researchers at Jetpack, who were performing post-mortem analysis of various compromised sites, and found malware embedded in an AccessPress theme. The original breach occurred in September 2021, so beware of any content from AccessPress if downloaded between September and mid-October 2021. Note that if installed from the WordPress.org directory, these themes were safe. A list of known infected plugins and themes is available at the link above, along with other indicators of compromise.
Bits and Bytes
Yet another secret token is being accidentally leaked in source code: the Twitter access token. GitHub already performs automated scanning for credentials accidentally included in repositories, but this does not include Twitter tokens. [IncognitaTech] wrote a quick scanner and found about 9500 valid tokens. (Insert over 9,000 memes here.) How do you tell so many people about the problem? Create a bot, tweet, then use the tokens to retweet. It’s sure to capture attention.
If you don’t remember retweeting this, that means you leaked your Twitter access token to a public GitHub repository. That’s not best practice, is it?
For more details, read our latest article: https://t.co/6WBC6DRNDS #InfoSec #CyberSecurity #GitHub
— PinataHub_Bot (@PinataHub_Bot) January 24, 2022
The SonicWall SMA 100 series hardware has a set of vulnerabilities which have now been patched and disclosed. The worst is an unauthenticated buffer overflow, rated CVSS 9.8. These devices are relatively popular with small businesses, so keep an eye out for potentially vulnerable hardware and get it patched if you can.
Crypto.com suffered a breach on January 17. They initially downplayed the incident, but have since released a statement with more details. The attack was a two-factor authentication bypass, allowing an attacker to initiate transactions without passing the normally required 2FA process. They claim to have caught the problem early enough to avoid any real currency loss, which is actually quite impressive.
Google Chrome has released an update, and it includes fixes for some costly bugs. Six separate reports have earned researchers more than $10,000 each, with the first two earning $20,000. These six bugs, plus a seventh reported internally, all seem to have the potential to be pretty serious, so go update!
And finally, in the category of things that won’t end well, the UK is flirting with the idea of regulating security researchers, making security research a registered business. The most disturbing part of this system is the idea that any unregistered researcher could face criminal charges under certain circumstances. This seems like a terrible idea for obvious reasons.