We have introduced the maintenance rights legend, and one of the notorious companies is John Deere. The other side of poorly managed interconnect chaos is security. The beginning of the story is a bit ironic: Someone noticed that John Deere’s device did not have any CVE at all. Ordinary people may think that this must mean that their products are very safe, but security researchers know that more interesting things are happening.Our old friend [Sick Codes], [John Jackson], Many others see this as a clear sign that a large number of vulnerabilities exist, and It seems they are correct.
Vulnerabilities include a small number of cross-site scripting attacks, request smuggling to bypass authentication, misconfiguration of security, SQL injection, RCE, etc. In short, these vulnerabilities allow complete control of the John Deere system, including the ability to manipulate all devices connected to the system.
In the Defcon presentation, the link is as follows, [Sick Codes] Thinking back to the moment they realized they were solving an important problem. One writer did not complain that he was not paid for the loopholes discovered, but simply pointed out that he valued having food to eat. A coordinated attack on JD’s equipment may cause major problems for a bunch of farms across the country.
They finally got in touch CIA, Due to lack of serious response from suppliers. CISA took the threat seriously, and the problem began to be resolved. This is not a problem limited to one company. Case has similar issues that have also been fixed, and suggests that other vendors have similar issues that are still being resolved.
Octal IP strikes again
When we are talking [Sick Codes] With his group of happy researchers, some examples of incorrect IP address resolution in octal format have been published.That is Rust std::net and Golang net Libraries, both of these libraries just remove the leading zeros from the IP address. In both cases, the solution is to treat it as an invalid address. Why is there a problem?Because you can use sneaky IP addresses, for example 0127.0.0.1. The octal library treats this as 87.0.0.1, And the library with this vulnerability treats it as a local host. The real problem arises when the various parts of the Web service use these two methods at the same time. If you can control or spoof one of these magic addresses, you can connect to the service and have privileges, just as you would use an internal IP.For more information, see DEF CON talk about this issue.
Exchange RCE
Remember ProxyLogon? This is the Microsoft Exchange attack that we have been fighting together since the beginning of this year.finally reached The rest of the story. Continuing our report on the conference, [Orange Tsai] This vulnerability was introduced in detail, and a pair of new Exchange vulnerabilities were announced on Black Hat, Including another link to RCE via port 443. If this is not enough, There are already active attacks that exploit this new flaw.
This new research stems from architectural changes in Exchange 2013, where web services have been split into front-end and back-end. This has various weird consequences, such as the fact that the backend listens to all interfaces by default. other? The front-end does not verify the host of the incoming request, so the attacker can fill in arbitrary text. This includes completely different host names and ports, as well as unexpected characters. Combining them correctly will produce arbitrary SSRF-the attacker can specify any endpoint, whether it is on the public Internet or the backend itself. Once the normal front-to-back flow is compromised, it is easy to abuse internal endpoints to obtain arbitrary write permissions and RCE. In short, this is the ProxyLogon attack.
The new RCE is called Proxy shell. It abuses pre-auth auto-discovery of endpoints and aims to enable auto-configuration for clients. Attach the required endpoints to a valid auto-discovery request as an SSRF tool. The attack is to use this SSRF to make a request to the /powershell endpoint. Combined with the webshell load uploaded as a draft, this leads to another pre-certified RCE. Fortunately, these attacks have been patched, but there are still too many systems that have not been updated.
Pulse safety is defeated by tar
This story starts with CVE-2020-8260, which is an arbitrary file writing vulnerability in the Pulse Connect Secure device, where the path of the uploaded configuration is not checked during extraction.A malicious tar file can put the file anywhere in the following ways ./../ path. This was fixed in 2020, but after a few versions, CVE-2021-22900 was disclosed and fixed.This is a strange similar problem, and [Rich Warren] NCC Group’s Decide to investigate. The original fix added a validateTarFile Function, this seems to be a very good job.It checks ../ Mode, symbolic link or hard link. Most importantly, it has a whitelist of allowed files. If you use it every time you upload a file, it will be the perfect solution. Unfortunately, this powerful solution is only used when uploading configuration files.The second fix is to add the call to validateTarFile To all other upload functions.
With this understanding, the natural question to ask is whether each file upload situation has been properly cleaned up. Now that we are discussing it, you may have guessed that something was missed. When uploading a configuration file, the parameters of the POST message define the upload type. The profiler database is handled differently, and the code path does not include the verification function, resulting in CVE-2021-22937. It seems that this code path is inaccessible for normal use, but it is trivial to modify the request parameters. This series of vulnerabilities is limited to attackers who have administrator access to the device, greatly reducing its severity. In other words, access to the underlying file system opens up a whole new world full of constant threats. According to its implementation, such rootkits can continue to exist after restoring factory settings.
API test 101
Good people Detectify released an interesting starter to test Web API. The first half of the post is dedicated to use postman For that research. It looks like a useful tool, but unfortunately it seems to be closed source. The second half of the article introduces some common problems and mitigation measures in Web API. Discussed some obvious flaws, such as accidentally exposed private APIs. On the other hand, there are some good techniques to find more hidden flaws, such as XXE injection (XML external entities). All in all, it is worth a quick read, especially if you are not opposed to running closed source tools as part of the toolkit.
Pneumatic tube series
You may be most familiar with pneumatic pipe systems (PTS) from banks or pharmacy cars (or watch Futurama), but they are also widely used in hospitals and other places.Researchers in Armis just announced PwnedPiper, Swisslog Healthcare’s PTS implementation has a series of problems. One of the most serious problems? Their control panel is a Linux system, running the 2.6.35 kernel. That is a 10-year kernel.please remember The Stern Google Security Blog of Last Week? This is the kind of nonsense in their heads.
The rest of the system is equally bad, with an open telnet service listening for connections, and a hard-coded password common to all devices. Multiple memory corruption errors allow RCE, and the main communication protocol is unencrypted and unauthenticated, let alone based on UDP. Finally, the firmware upgrade process is based on the same protocol, and there is no firmware signature function at all. In short, if you have access to the Ethernet network running this PTS, you can easily own the entire system.
If it were really used, how bad would it be? Imagine that not only biological samples are sent through the system, but also medicines. It is conceivable that disrupting the destination will bring much trouble. More malicious attackers may use this attack to steal or substitute drugs.It sounds like a plot from the “Mission Impossible” episode, but The truth is sometimes a lot of More bizarre than novels.
Last minute headlines
Foxit PDF Readers recently released 11.0.1, Fixed a series of issues, including 8 independent CVEs that may cause RCE. If you are one of the users of this popular Adobee alternative, please make sure you have updated!
It seems that we need something else to interrupt the electronic supply chain, Gigabyte suffers from ransomware attack, There is an additional threat of 112GB data leakage. To make matters worse, according to reports, most of the data is under non-disclosure agreements. If disclosed, it may bring further consequences to Gigabyte. So far, there is no news about the amount of the ransom.
Another story that we thought was dead reappeared.have Another print spooler 0 daysThis is another vulnerability related to point-and-print, but this time it is for a machine trying to use a malicious remote printer. As long as pointing and printing is disabled (this is the default setting), you cannot access previous such vulnerabilities.This The Microsoft announcement does not list it as a workaround For this. This seems to apply to the standard configuration. Worse, Report researchers disclosed this flaw as early as December 2020.