This week in security: Android and Linux, VirusTotal, more Psychic Signatures

To start our week of vulnerabilities in everything, there’s a potentially huge vulnerability in Android phones, but it’s Apple’s fault. Well, maybe this one is a little tricky: Apple released the code to the Apple Lossless Audio Codec (ALAC) in 2011 under the Apache License. This code was picked up and shipped as part of the driver package for multiple devices by various vendors, including Qualcomm and MediaTek. The problem is that Apple’s code was awful, and one researcher described it as a “mobile filter” of security issues.

Apple has fixed its code internally over the years, but it hasn’t pushed those updates into the public code base. It was a fire-and-forget release, and that can cause problems like this one. The fact that ALAC was released under a permissive license may have contributed to the problem. It’s possible that someone other than Apple found and fixed the security issues, but a permissive license doesn’t require that those fixes be shared with the wider community. It’s worth asking whether a copyleft license like the GPL would have gotten this fix distributed years ago.

Regardless, CVE-2021-0674 and CVE-2021-0675 are fixed in Qualcomm and MediaTek’s December 2021 security updates. These vulnerabilities are triggered by malicious audio files and can lead to RCE. Any application could use this flaw to escape its sandbox and escalate privileges. This kind of flaw has been used by groups like NSO Group to compromise devices via messaging apps.

Nimbuspwn

Microsoft researchers have been looking at D-Bus and the various daemons that listen on it. It’s interesting, because many of these programs run as root, but an unprivileged program can still make calls over D-Bus. It seems likely that some unintended interactions could lead to security issues. Specifically, there is a pair of problems in networkd-dispatcher that can be chained to elevate privileges from an ordinary user to root. The problems have been fixed in networkd-dispatcher version 2.2, so look for at least this version in your Linux distro.

CVE-2022-29799 and CVE-2022-29800 are the two flaws, the first being a directory traversal defect. A message can be sent specifying a state field containing a directory name such as ../../maliciousScripts/. The second is a time-of-check to time-of-use (TOCTOU) race, in which the scripts are checked for root ownership, but execution does not start immediately. Since symlinks can be used in these directories, the trick is to set up symlinks pointing at what appear to be legitimate scripts, and after the check is done, switch the link to attacker-controlled scripts.
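The two defects above are both validation mistakes a privileged dispatcher can avoid. Below is an added example (not networkd-dispatcher’s own code, and not the fix it shipped) showing the defensive pattern: an allowlist for the state name so traversal strings never reach a path join, and ownership checks done on the opened file descriptor rather than on the path, so a symlink cannot be swapped between check and use. The hook directory layout, the state-name pattern and the `trusted_uid` parameter are this example’s assumptions.

```python
import os
import re
import stat
import subprocess

# Assumed layout modelled on the article's description: one hook directory per
# network state. The path and the allowlist pattern are this example's choices.
HOOK_ROOT = "/etc/networkd-dispatcher"
STATE_RE = re.compile(r"^[a-z][a-z0-9-]*$")  # e.g. "routable", "dormant", "off"

def hook_dir_for_state(state: str) -> str:
    """Reject anything that is not a plain state name before it touches a path.
    A value such as '../../maliciousScripts/' fails the allowlist, so the
    directory traversal described in the article never reaches os.path.join."""
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"invalid state name: {state!r}")
    return os.path.join(HOOK_ROOT, f"{state}.d")

def open_trusted_script(path: str, trusted_uid: int = 0) -> int:
    """Open the script with O_NOFOLLOW and validate the *descriptor*, not the
    path. stat()-ing a path and later executing that path is the TOCTOU window
    the article describes; fstat() on the very fd we will run closes it.
    trusted_uid defaults to root (0) and is a parameter only so the check can
    be exercised without root."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)  # ELOOP on symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != trusted_uid:
            raise PermissionError(f"{path}: not owned by uid {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: group- or world-writable")
        return fd
    except Exception:
        os.close(fd)
        raise

def run_hook(fd: int) -> int:
    """Execute the already-validated descriptor via /proc/self/fd in the child
    (which inherits fd), so the original path is never resolved a second time."""
    try:
        return subprocess.run([f"/proc/self/fd/{fd}"], pass_fds=(fd,),
                              check=False).returncode
    finally:
        os.close(fd)
```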

Via Ars Technica

VirusTotal got totaled

Dealing with live malware is tricky, and running a public site dedicated to security research tends to attract good and bad attention. In this case, fellow security researchers discovered that VirusTotal was itself vulnerable to attack. The flaw was CVE-2021-22204, a vulnerability in exiftool. VirusTotal uses this tool as part of its file analysis feature, and had not yet integrated the patches. It was easy to embed a malicious command in a file and submit it for inspection. When the individual analysis hosts went to work on the malware sample, they triggered the vulnerability and fired back shells to the researchers. Total win. After confirming that they had indeed found a real issue, researchers from Cysource forwarded their results to Google, which runs VirusTotal, and the vulnerable binary has since been updated.

Yes, I agree. What could go wrong?

Do you read the end user license agreements on the apps you install? Have you ever found an end user license agreement so onerous that you refused to agree to it? We may all want to kick the habit of mindlessly agreeing to the Terms of Service. Many of these apps use GPS location data, and many of these end user license agreements specify that your location data can be sold to advertisers. The data is “anonymised,” meaning that instead of names or email addresses, location data is tied to pseudo-random numerical identifiers. Surely no one would take the trouble of getting your data and exposing your identity, right? Right?

According to The Intercept, two intelligence companies collectively ingested the location data and reversed the anonymization. How many people have their data captured in this real-world version of The Machine? Nearly three billion devices. Yikes.

So about this Pentest…

Red Team exercises are the source of some of the most impressive security stories. How a pessimistic team overcame adversity to emerge with the ultimate hack is a matter of legend. (Seriously, go watch Sneakers again.) But what happens when you go through all that work, try multiple approaches, and still don’t make a successful breach?

That is the question [DiabloHorn] mulls over, with some good tips to help any of us in this embarrassing situation. The first task is asking what led to the null result. Was the scope of the test defined too narrowly? Too many limitations on technologies? Not enough time? This is all good information to report, so the next test can be more productive. Additionally, what worked? If the code under test is bulletproof because there is a really good test suite with thorough obfuscation, that’s good info too. The full write-up is a thought-provoking exercise, even for the rest of us who are just trying to stay safe.

Psychic Signatures continued

Last week we covered the Java Psychic Signatures story, and less than a week later, there’s a particularly fun proof of concept to look at: breaking TLS. Since the faulty signature verification is used to secure HTTPS traffic over TLS, a malicious server can authenticate as any requested host. This would seem to defeat HSTS and certificate pinning as well. The attack extends to Man-in-the-Middle attacks, too. Remember that this vulnerability only applies to Java clients that have not been updated. See last week’s coverage for more information.
