Have you considered all the complexity that goes into a single sign-on (SSO) implementation? A lot of engineering work has gone into hardening browsers against cross-site attacks: you don’t want every site you visit to be able to hijack your Google or Facebook account. At the same time, SSO is a useful feature that lets you use your authentication with one service to log in to unrelated sites. Does SSO undermine that hardening? If you get it wrong, absolutely, as [Zemnmez] found out when examining the Apple ID SSO system.
It all starts with the observation that icloud.com has a login page that talks to apple.com, two independent domains. The sneaky trick used to make this work is an iframe that embeds the Apple login page inside the icloud.com page. There are several security measures designed to keep an embedded site from being abused. The first that must be overcome is the OAuth2 redirect_uri, which is checked against a whitelist of domains, together with the content-security-policy header that sets which domains are allowed to embed the page. In short, the attack has to produce a URL that looks like icloud.com to the OAuth2 backend but looks like OurEvilSite.com to the browser checking the security policy header. How is this seemingly impossible feat accomplished? By abusing the extreme flexibility inherent in URI encoding. The two security mechanisms understand https://OurEvilSite.com;@icloud.com differently, and embedding is allowed.
The next problem to solve is the handshake between the embedded iframe and the icloud.com page: if it isn’t completed, nothing happens. Except for one small detail, this handshake would be hard to fool: it checks the domain again, based on the same redirect_uri. The trick here is to notice that this URI is run through decodeURIComponent twice, at different points in the page-loading process. A double-encoded question-mark character provides the extra leverage needed to control what this security check sees.
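The two URL-handling pitfalls described above, the parser disagreement over the quoted URI and the double decode, as an added example that is not code from the original article or from Apple. The allowlist, the check functions and the double-encoded sample value are assumptions made for illustration; only the URI itself comes from the article.

```javascript
// Added example, not code from the article or from Apple. Two pitfalls:
// (1) two parsers disagreeing about the host of the URI quoted in the article,
// (2) a check that runs after one decodeURIComponent() while the value is
//     decoded a second time later in page load.
// ALLOWED_HOSTS, the check functions and DOUBLE_ENCODED are assumptions.
const ALLOWED_HOSTS = ["icloud.com"];
const TRICKY = "https://OurEvilSite.com;@icloud.com"; // the URI from the article

// A hand-rolled "scheme://host" matcher that stops at ';' sees OurEvilSite.com.
function naiveHost(uri) {
  const m = /^https?:\/\/([^/;:?#@]+)/.exec(uri);
  return m ? m[1] : null;
}

// WHATWG parsing (Node's and the browser's URL object) treats everything
// before '@' as userinfo, so it sees icloud.com.
function parsedHost(uri) {
  try { return new URL(uri).hostname; } catch { return null; }
}

// Hardened redirect_uri check: one parser, no userinfo, exact host match,
// and the re-serialised URL is what gets used downstream, so no later
// stage re-parses the raw string with different rules.
function canonicalRedirect(uri, allowed = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(uri); } catch { return null; }
  if (u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null; // userinfo smuggles a second "host"
  if (!allowed.includes(u.hostname)) return null;
  return u.href;
}

// --- double decoding ---
// Constructed sample: %25 decodes to '%', so %253F becomes %3F after one
// round of decoding and '?' after two.
const DOUBLE_ENCODED = "https://icloud.com/callback%253Fstate=x";

function hasQuery(uri) { return uri.includes("?"); }

// A check that runs after the first decode sees no '?' and waves the value on.
function passesAfterOneDecode(uri) { return !hasQuery(decodeURIComponent(uri)); }

// What the same value looks like once a second decode has run.
function afterTwoDecodes(uri) { return decodeURIComponent(decodeURIComponent(uri)); }

// Fix: validate the exact string that will be used. Decode once and refuse
// any value in which a '%' survives, since a later decode could still change it.
function passesStrict(uri) {
  let once;
  try { once = decodeURIComponent(uri); } catch { return false; }
  if (once.includes("%")) return false;
  return !hasQuery(once);
}
```

The defensive takeaway is that every check must run on the same, final representation of the value: one parser, one decode, and an exact comparison, rather than a string match on whatever form happens to be in hand at that moment.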
The last obstacle to overcome is the origin check, a similar security feature. This one isn’t beaten with a clever parser attack but with another vulnerability: if the message origin is NULL, the check is never performed at all. How do you get a NULL origin? Leave off the allow-same-origin flag. That creates an iframe that is sandboxed from the rest of the page. Sounds useless? The solution is to embed two iframes in the attacker’s page and pass the message through the frame that is permitted to send it. With this crazy combination, the attacker can successfully embed the apple.com login widget on their own page.
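The NULL-origin flaw described above, as an added example that is not code from the original article or from Apple. The receiver is modelled as a plain function so it runs outside a browser; a sandboxed iframe without allow-same-origin has an opaque origin, which the browser delivers to a postMessage listener as the string "null". The handler names, the expected parent origin and the sample messages are assumptions.

```javascript
// Added example, not code from the article or from Apple: a postMessage
// receiver written as a plain function so it runs outside a browser.
// A sandboxed frame without allow-same-origin has an opaque origin, which
// arrives at the listener as the string "null".
// EXPECTED_ORIGIN and the handler names are hypothetical.
const EXPECTED_ORIGIN = "https://icloud.com"; // assumed: the page allowed to embed the widget

// Vulnerable pattern as the article describes it: the comparison only runs
// when there is an origin to compare, so "null" walks straight through.
function acceptHandshakeVulnerable(event) {
  if (event.origin && event.origin !== "null") {
    if (event.origin !== EXPECTED_ORIGIN) return false;
  }
  return Boolean(event.data && event.data.type === "handshake");
}

// Hardened: an absent or "null" origin is a reason to reject, never to skip
// the check. Only an exact match against the expected origin is accepted.
function acceptHandshakeFixed(event) {
  if (typeof event.origin !== "string" || event.origin === "null") return false;
  if (event.origin !== EXPECTED_ORIGIN) return false;
  return Boolean(event.data && event.data.type === "handshake");
}

// Constructed messages, shaped like MessageEvent objects.
const fromSandboxedFrame = { origin: "null", data: { type: "handshake" } };
const fromParent = { origin: "https://icloud.com", data: { type: "handshake" } };
const fromElsewhere = { origin: "https://ourevilsite.com", data: { type: "handshake" } }; // article's example name
```

In a real listener the same rule applies to event.source: compare it against the window you expect, and treat anything you cannot positively identify as untrusted.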
I know what you’re thinking: so what? Just scrape the HTML, CSS, and images out of the iframe and you could copy it yourself without any of this fuss. It’s another vulnerability that makes this attack impressive. To understand it, you first need to know about Handlebars, a JavaScript library for HTML templates. The library lets you write page templates that include {{someObject}} expressions. You then run the template and supply the data those expressions refer to. The apple.com SSO page uses this library to display custom information from the calling page, such as private details.
Handlebars has a special form of expression, {{{the triple handlebar}}}, which allows unescaped HTML insertion. Put it all together and you can build a working “Sign in with Apple” button that sends the user to Apple’s idmsa.apple.com page, but injects arbitrary code into that page. Check out the demo below to see it in action.
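The difference between the double and triple handlebar forms, as an added example that is not code from the original article and is not the Handlebars library itself. It is a toy renderer supporting only the two expression forms discussed; the escape table copies the characters that Handlebars’ escapeExpression replaces, and the template and the “calling page” data are constructed.

```javascript
// Added example, not from the article and not the Handlebars library: a toy
// renderer with only the two expression forms discussed, so the effect of
// {{x}} versus {{{x}}} on untrusted input is visible. The escape table
// mirrors the characters Handlebars' escapeExpression replaces. The
// template text and CALLER data are constructed.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (c) => HTML_ESCAPES[c]);
}

// Resolve a dotted path such as "caller.name" against the data object.
function lookup(data, dotted) {
  const v = dotted.split(".").reduce((o, k) => (o == null ? undefined : o[k]), data);
  return v == null ? "" : v;
}

function render(template, data) {
  // Replace triple-stash first so {{{x}}} is not partly consumed as {{ {x} }}.
  return template
    .replace(/\{\{\{\s*([\w.]+)\s*\}\}\}/g, (_, key) => String(lookup(data, key)))   // raw HTML
    .replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, key) => escapeHtml(lookup(data, key)));  // escaped
}

// Constructed input: the calling page's display name is attacker-controlled.
// Any tag, script included, survives the raw form unchanged.
const CALLER = { name: "<b>Evil Site</b>" };
const SAFE_TEMPLATE = "Sign in to {{name}} with your Apple ID";
const RAW_TEMPLATE = "Sign in to {{{name}}} with your Apple ID";

function renderSafe() { return render(SAFE_TEMPLATE, CALLER); }
function renderRaw() { return render(RAW_TEMPLATE, CALLER); }
```

The rule this illustrates: data supplied by another party goes through the escaping form, and the raw form is reserved for markup the page itself generated or has already sanitised.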
Hacktivism and Iran
Checkpoint Research brings us a report on recent cyberattacks against Iran’s transportation infrastructure. The attack used Active Directory to push the payload out to connected computers, which were wiped and then modified to hang at startup, displaying a message from the attackers. The goal seems to have been to disrupt the transit system, and one clever exception is coded into the wiper: the handful of machines whose hostnames contain “PIS” are automatically skipped. That acronym stands for Passenger Information System, the big digital boards that display status and delays. The attackers wanted waiting passengers to see exactly how badly the system had been hit.
Checkpoint believes this is the same actor behind a previous attack on Iran and two incidents against Syrian targets. The group calls itself Indra, after the Hindu god of war. For those of us who don’t know Hindu theology, think of Indra as a figure roughly like Thor. The group presents itself as hacktivists whose targets are essentially Iran and its funding of terrorist organizations. Although Indra has not claimed responsibility for the most recent attack, Checkpoint makes a very good case that the same attack is in use.
CVE hunting, and the quirks of Perl
[Justin Kennedy] of Atredis was on a red team engagement when he came across a Sophos UTM9 threat management appliance. This particular installation had not been updated to mitigate CVE-2020-25223, a pre-authentication RCE. That is a great opening for demonstrating an attack to the client, but there was one small problem: this CVE has never been fully disclosed, and nobody seems to have published exploit details. He got hold of a pair of install ISOs and ran virtualized instances of the vulnerable and patched appliances. On some systems it is easy to diff two versions, but this one uses a few tricks to obfuscate its code. First, the Perl is compiled into plx binaries. That was overcome with a debugger and a de-obfuscation script that copies the code back out of memory. The second problem was that the Perl module doing the heavy lifting wasn’t part of the recovered code. A fellow Atredis engineer discovered that the needed modules were actually hidden in a BFS filesystem appended to the end of the web server plx. With the original Perl source in hand, he was in business.
The code changes were all in asg_connector.pm, where a Perl regular expression was added that checks the incoming SID (session ID) and may decide it is invalid and discard it. Now, Perl regular expressions have a reputation for being clunky and hard for humans to parse. This one is a case in point: if ($sid =~ m/[^a-zA-Z0-9]/) { #SID is invalid .... }
[Justin] looked at this and thought, ‘Oh, this is a match string looking for alphanumerics. It starts with a caret, which means it only checks the first character of the string.’ I know this was probably his thought process, because he wrote, “The updated code shows that a check was added to the switch_session subroutine ensuring that the SID (session ID) does not start with any alphanumeric characters.” In his defense, he took the hint and went looking at how the SID value on an incoming connection could be abused as a possible vulnerability, but that isn’t what the regex does.
It’s worth a quick detour to explain Perl regular expressions. The =~ m/MyRegex/ construct is the match operator, and it returns true if the string it is applied to contains the text described by the pattern. Bracketed character classes are one way to describe those patterns, so [a-z] matches a single lowercase letter. You can combine them, as the Sophos code does: [a-zA-Z0-9] matches any single uppercase or lowercase alphanumeric character. Now add the “^” symbol. What does it do? Here is where it gets complicated. Normally the caret in a Perl regular expression means the beginning of the line, and that version would match SIDs that start with an alphanumeric character. But when the caret is inside the brackets, it has a completely different effect: it negates the class. So the regex above is actually checking for any character other than a plain alphanumeric, and if one is found, the SID is flagged as invalid. Regular expressions are hard sometimes.
Completeness aside, what harm could passing a SID containing special characters actually do? To answer that we have to dig into the code and see where it is used. The Sophos system creates a file on the appliance’s filesystem named after each valid SID, and on a new connection it tries to read that file with Perl’s open() call. I hear you groaning: another Perlism. Yes. Perl has a very convenient mechanism: you can open() a pipe to another command on the system. It looks like open(Handle, "netstat -i -n |"). Perl makes the system call and collects the output for you, as if you were reading it from a file. Very handy, but if the end user controls the file name, you have a terrible security problem. Just like the SID in this case.
Our protagonist discovered this and was ecstatic. He’d found the bug! He tried it… and it didn’t work. The pipe symbol was stripped and his SID was strangely altered. But wait: alongside the changes to the code itself, a configuration file had also changed, the Apache vhost configuration. The patched version removed some settings, most notably an input filter that stripped the pipe symbol. He worked at it for a while, trying to find a hole in the sed string, to no avail. Then the answer became obvious: there is a rewrite rule that lets requests sent to /var be rerouted to the webadmin endpoint, skipping the filter. That is the pre-auth RCE. Just send a request to /var on the appliance with the SID set to | touch /tmp/pwned.
T-Mobile breach
T-Mobile has been hit with another huge data breach: the names, dates of birth, Social Security numbers and driver’s license information of 40 million customers, anyone who applied for credit at T-Mobile. On top of that, the data of approximately 8.6 million current customers was compromised in some way. If you are a T-Mobile customer, be alert for scams and fraud aimed at you and your account. So far, beyond the standard official statement that this was a “highly sophisticated cyberattack,” little is known about how the breach happened.
QNX BadAlloc
A series of vulnerabilities has just surfaced in the QNX embedded operating system. This Unix-like system, developed by BlackBerry, may not be one you are familiar with, but it shows up in many devices around us. For example, the Driverack PA2 speaker management system runs an old version of QNX. (That old version happened to have its own pre-auth RCE via a debug port, but that’s another story.) The most worrying place QNX appears is in transportation and medical workloads. As a true real-time operating system it is well suited to time-critical work, which is why CISA has amplified its warnings.
AirTag justice
Finally, a fun story: a stolen electric scooter recovered through technology. When [Dan Guido]’s ride was swiped, he wasn’t your typical victim. He had hidden a pair of Apple AirTags inside it in advance. Sure enough, he got a ping through Apple’s system and knew where the stolen scooter was. He contacted the police and tried to persuade them to help him retrieve it, but met with understandable resistance.
AirTags are new, and police get targeted by scams just like the rest of us. After a break for Black Hat, he went back to the police station and tried again to enlist official help. He gave a crash course on AirTags and did some skilled persuading, and he did manage to get an escort to look around the location the AirTag indicated. A second-hand electric bike shop seemed like an obvious place to start, and as he walked in the door his phone connected directly to his AirTag. He was able to prove ownership and take his scooter home.
My scooter was stolen last week. The thief didn’t know I had hidden two AirTags inside. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s what happened:
— Dan Guido (@dguido) August 10, 2021
At the end of the thread, [Dan] offers advice for replicating his success. First, hide the tags well, because thieves are already looking for them. Second, don’t use Lost Mode: the audible tone gives the game away. Third, timing matters. If an AirTag seems to be following someone too closely, Apple has rightly implemented a system to alert potential stalking victims. Finally, don’t try to be a hero. Let the police step in and do the recovery the right way.