Security of the week: Ghostscript, SolarWinds and DHCP pranks in ImageMagick

Posted on September 10, 2021 by William

A proof of concept was just published for a potentially serious flaw in the Ghostscript interpreter. Ghostscript can load PostScript, PDF and SVG, and it carries a PostScript feature that has always been an ongoing security issue: the %pipe% command. This command requires the interpreter to spawn a new process; it is part of the specification. For untrusted images and documents, this is obviously a problem. Over the years, Ghostscript has fixed security vulnerabilities surrounding this misfeature many times.

This particular vulnerability was found by [Emil Lerner] and described at ZeroNights X. That talk is available, but in Russian. The problem seems to be a bypass of sorts: the pipe command appears to be in the /tmp/ directory, but a simple semicolon allows arbitrary commands to be executed. Why is this a big problem now? Because ImageMagick uses Ghostscript to open SVG images by default on some distributions, and ImageMagick is often used to automatically resize and convert images for websites. In [Emil]'s presentation, he used this vulnerability as part of an attack chain against three different companies.

I was unable to reproduce the defect on my Fedora installation, but I also did not find any notice of a fix in the Ghostscript or ImageMagick update logs. It is unclear whether this problem has been fixed, or whether this is a true 0-day on some platforms. Either way, expect attackers to begin trying to exploit it.

SIP client is cut

CVE-2021-33056 is a strange bug in the way the Linphone SIP client parses SIP headers. Multiple header fields in SIP packets need to be valid URIs, and should be SIP URIs, for example sip:[email protected]. The problem is that there is a lot of flexibility in what is considered a valid URI. In this case, a single slash "/" is a valid URI. The code attempts to extract the scheme and returns a NULL pointer if none is found. That pointer is then passed to the next function without verification, which causes a crash. Null pointer dereferences are particularly difficult to turn into anything more than a simple DoS attack, and this seems to be no exception. The biggest challenge here is that the Linphone stack has made its way into various mobile and IoT clients.
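The bug class described above, as an added example that is not Linphone's code: a scheme extractor that returns NULL for a scheme-less URI such as "/", next to a caller that uses the result unchecked and one that validates it. The function names and sample URIs are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the scheme of a generic URI into buf and return it, or return NULL
 * when the input has no scheme (for example "/" or "//host/path"). */
static const char *uri_scheme(const char *uri, char *buf, size_t bufsz) {
    size_t i = 0;
    if (!isalpha((unsigned char)uri[0]))
        return NULL;                    /* a scheme must start with a letter */
    while (isalnum((unsigned char)uri[i]) || (uri[i] && strchr("+-.", uri[i])))
        i++;
    if (uri[i] != ':' || i >= bufsz)
        return NULL;                    /* no ':' terminator, or too long */
    memcpy(buf, uri, i);
    buf[i] = '\0';
    return buf;
}

/* Flawed caller, as in the text: the result is used without a check, so
 * "/" ends in strcasecmp(NULL, ...) and the process crashes. */
static int is_sip_uri_unchecked(const char *uri) {
    char buf[16];
    const char *scheme = uri_scheme(uri, buf, sizeof buf);
    return strcasecmp(scheme, "sip") == 0 || strcasecmp(scheme, "sips") == 0;
}

/* Hardened caller: a missing scheme is a parse failure, not a crash. */
static int is_sip_uri_checked(const char *uri) {
    char buf[16];
    const char *scheme = uri_scheme(uri, buf, sizeof buf);
    if (scheme == NULL)
        return 0;
    return strcasecmp(scheme, "sip") == 0 || strcasecmp(scheme, "sips") == 0;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = { "sip:alice@example.invalid", "/", "http://example.invalid/" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %s\n", samples[i],
               is_sip_uri_checked(samples[i]) ? "SIP URI" : "rejected");
    printf("unchecked, valid input only: %d\n", is_sip_uri_unchecked(samples[0]));
    return 0;
}
```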

SolarWinds again

In the past few weeks, SolarWinds devices suffered another 0-day attack, this time aimed at the SSH service. Microsoft researchers determined that the main attacker was an APT from China, and they were able to reproduce the attack. The main problem? SolarWinds shipped its own SSH server instead of using a mature solution like OpenSSH. Address space layout randomization was turned off on the service, and a strange behavior was discovered. When running a fuzzing tool and watching the process with a debugger, Microsoft researchers observed multiple exceptions that should have caused the process to crash. Instead, the service logged the exception, tried to clean up the damage, and kept running. Although a successful RCE chain was found and fixed, it is not certain whether it is the same one that was used in the wild. Unless major changes are made to the service, you should assume that it is still vulnerable.

DHCP tricks

If an attacker controls the DHCP responses sent to a router, what kind of trouble could they cause? That obviously depends on the services the router provides beyond routing. Researchers at Anvil Secure use the term "smart router" to mean a device that performs functions such as serving files, hosting a VPN, or managing IP cameras. In this case, some strange edge cases turn up when IP ranges conflict.

In short, a more specific DHCP range can be used to route an internal IP to the attacker on the WAN side of the router. This can be used to set up man-in-the-middle attacks and intercept file transfers or VPN traffic. Although very interesting, this kind of attack does not work across the network at large, so the impact is limited. It could be pulled off by an attacker who takes over the modem, or who places additional hardware between the router and the modem.

Overflow makes smuggling possible

Another clever request smuggling technique was published this week, this time a vulnerability in HAProxy. CVE-2021-40346 is an integer overflow, triggered by a malicious header: Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...: The actual attack has more than 240 "a" characters, bringing the total number of characters to 270. The header name is stored in a data structure that uses an 8-bit integer to track the length of the string. Since 270 is greater than the maximum value of 256, the value overflows and is treated as length 14, which happens to be the length of the valid-looking Content-Length. It also happens that the next field in this data structure is the length of the value (the part after the colon), and the overflow sets it to 1. Although this is all stored as a header, the next line is an actual valid Content-Length header and is honored immediately, causing the rest of the message to be read into memory.

POST /index.html HTTP/1.1
Host: abc.com
Content-Length0aaaa...:
Content-Length: 60

GET /admin/add_user.py HTTP/1.1
Host: abc.com
ABC: xyz

Now that the data packet has been loaded into memory, the next processing stage writes it into the packet sent to the backend. Here, the obviously invalid header is processed based on the manipulated length values, and the result is that a Content-Length: 0 header is set on the outgoing packet. The rest of the data is then appended to the same packet, and it is now the smuggled request. Once the backend receives this single packet, the Content-Length header is understood to mean that two separate messages were sent in the same packet. The second request has therefore passed the security controls on the front-end server.
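The length arithmetic described above, as an added example that is not HAProxy's code: a simplified descriptor that packs the name length into 8 bits with the value length directly above it, shown with and without a range check. The field widths, function names and the 270-byte sample name are assumptions built from the numbers in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified descriptor (assumption for this example): low 8 bits hold the
 * name length, the 20 bits above hold the value length. Name bytes and
 * value bytes are stored back to back. */
#define NAME_LEN_MAX  0xFFu
#define VALUE_LEN_MAX 0xFFFFFu

/* Flawed packing: no range check, so a name length above 255 carries into
 * the value-length field. */
static uint32_t pack_unchecked(size_t name_len, size_t value_len) {
    return ((uint32_t)value_len << 8) + (uint32_t)name_len;
}

/* Hardened packing: refuse lengths that do not fit their fields. */
static int pack_checked(size_t name_len, size_t value_len, uint32_t *info) {
    if (name_len > NAME_LEN_MAX || value_len > VALUE_LEN_MAX)
        return -1;
    *info = ((uint32_t)value_len << 8) | (uint32_t)name_len;
    return 0;
}

static unsigned name_len_of(uint32_t info)  { return info & NAME_LEN_MAX; }
static unsigned value_len_of(uint32_t info) { return (info >> 8) & VALUE_LEN_MAX; }

/* Re-emit "name: value" as a later stage would, trusting the stored lengths. */
static void reemit(const char *stored, uint32_t info, char *out, size_t outsz) {
    snprintf(out, outsz, "%.*s: %.*s", (int)name_len_of(info), stored,
             (int)value_len_of(info), stored + name_len_of(info));
}

/* Constructed sample: "Content-Length" + "0" + 255 'a' = 270 bytes. */
static size_t build_name(char *buf) {
    memcpy(buf, "Content-Length0", 15);
    memset(buf + 15, 'a', 255);
    buf[270] = '\0';
    return 270;
}

int main(void) {
    char name[512], line[64];
    uint32_t safe, info = pack_unchecked(build_name(name), 0);
    reemit(name, info, line, sizeof line);
    printf("name_len=%u value_len=%u -> \"%s\"\n",
           name_len_of(info), value_len_of(info), line);
    printf("checked: %s\n", pack_checked(270, 0, &safe) ? "rejected" : "accepted");
    return 0;
}
```

With the range check in place, the oversized name is rejected at parse time and never reaches the stage that rewrites the request for the backend.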

OpenWRT released

OpenWRT has just released 2021.02.0, a new major version based on the 5.4.143 LTS kernel. There are some notable new security features, including default WPA3 and SSL support, and ASLR for binaries. SELinux is now also supported, although it is not enabled by default. One downside of the new features is that, due to higher system requirements, various old devices are no longer officially supported. 8 MB of flash memory and 64 MB of memory are now the minimum required for full support.
