I came across a particularly nasty 0-day in the wild, CVE-2021-40444: the way that Microsoft's MSHTML engine processes Office documents is flawed. Not all of the details are clear, but the result is that opening an Office document can trigger remote code execution. The situation gets worse, because the vulnerability can work when simply previewing the file in Explorer, making it a potential 0-click vulnerability. So far the attack has been used against specific targets, but a PoC has been released.
It seems that there are multiple techniques behind the exploit, each of which arguably deserves its own CVE. First, a simple mshtml:http call triggers the download and processing of a URL through the Trident engine (also known as our old friend IE) from inside the Office document. The really interesting part is that in Trident, an iframe can use a .cpl URI pointing to an .inf or .dll file, and that file gets executed without any prompts. Will Dormann demonstrated this. This month's Patch Tuesday rollup includes a fix, so be sure to update.
FORCEDENTRY
Another 0-click 0-day, this time in Apple products: CVE-2021-30860 was found as part of the NSO Group exploit kit. Citizen Lab refers to the vulnerability as FORCEDENTRY. It is an issue in Apple's image rendering code that allows a malicious PDF to trigger RCE. Since Apple shares this library across devices, the vulnerability works on iOS, macOS, and even watchOS prior to the patch. Basically all the technical details come from Apple's patch notes, which describe it as an integer overflow.
ProtonMail logging IP
ProtonMail has been in a bit of a mess since it handed over the IP address of one of its users to the Swiss authorities. One understandable response has been disappointment that they were even capable of doing so, since their stated position was that IPs are not logged.
The reality is that ProtonMail is a Swiss company and is subject to Swiss law. It seems that when a binding request for information is received, ProtonMail administrators turn on logging for the specific account named in the request. They point out that if the targeted user had used their VPN product or Tor, the IP could have stayed confidential. ProtonMail also points out that their encryption has not been broken, so law enforcement still cannot access attachments or e-mails on the service.
Spell check plus symbolic link
GitHub Actions are very useful, and can automate all sorts of things as workflow steps. One such workflow is spell checking, which does what it says on the tin. There is a strange interaction, though, when a pull request contains spelling errors and also turns .github/actions/advice.md into a symlink to /proc/self/environ. advice.md is intended to contain instructions on how to proceed when a spelling error is found, and it gets published as part of the automated comment on the pull request. The symlink in the pull request means that the actual comment is the environment of the runner process, including a secret GitHub authentication token.
The token expires soon after the workflow completes, so the trick is to win the race and use the token in time. The proof-of-concept demonstrates polling for the comment, finding the token, and making an "emergency release", which is actually an attacker-supplied binary. The implemented fix: simply disallow such symlinks when running workflows.
However, this is actually part of a bigger problem, because the workflow configuration lives in the same repository as the pull request. In short, any GitHub Action triggered on a pull request may be insecure, and you need to be very careful to harden against similar issues.
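One way a workflow could defend itself against the advice.md trick, as an added example that is not GitHub's fix or the spell-check action's own code: walk the checkout and refuse any symlink whose target resolves outside the repository root. The repository layout in demo() is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(repo_root):
    """Return repo-relative paths of symlinks whose target resolves outside repo_root."""
    root = Path(repo_root).resolve()
    found = []
    # followlinks=False (the default) means symlinked directories are listed but not descended.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            # Resolve the whole link chain; the target need not exist (strict=False).
            target = p.resolve(strict=False)
            try:
                target.relative_to(root)          # inside the checkout: fine
            except ValueError:
                found.append(str(p.relative_to(root)))
    return sorted(found)


def demo():
    """Constructed repository reproducing the trick: advice.md -> /proc/self/environ."""
    with tempfile.TemporaryDirectory() as tmp:
        actions = Path(tmp) / ".github" / "actions"
        actions.mkdir(parents=True)
        # The malicious link: would leak the runner's environment (and its token).
        (actions / "advice.md").symlink_to("/proc/self/environ")
        (Path(tmp) / "README.md").write_text("hello\n")
        # A benign relative link that stays inside the repo is allowed.
        (Path(tmp) / "docs.md").symlink_to("README.md")
        return escaping_symlinks(tmp)


if __name__ == "__main__":
    print(demo())
```

A workflow would run the check right after checkout and fail the job if the list is non-empty, before any step reads files from the pull request.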
Router leaks IP
Researchers at Fidus have a very clever attack to expose the real IP of some VPN users. The attack relies on the Simple Network Management Protocol (SNMP) web wrapper that exists on some consumer routers. SNMP is a useful protocol for programmatically pulling statistics and other status information from networked devices. The research was done on a Virgin Media router, which happened to allow unauthenticated requests to the SNMP wrapper. One of the accessible data points is the public IP address assigned to the router.
So all the attacker has to do is get the victim to load their webpage and use some JS to perform a GET request to the router's IP, right? Except that browsers have added security features to prevent exactly this kind of abuse. The trick here is DNS rebinding: the DNS record of the malicious site is set with a very low time-to-live (TTL), and the record is changed once the page has loaded. This lets the page's JS make another request to the same domain name, with that request actually going to an arbitrary IP, here the router's. The router's web interface has no protection against this technique, so it happily gives up the IP address.
This does not apply to every VPN. Some clients block access to local IP addresses, possibly precisely to prevent this kind of attack. It is worth noting that Tor works this way. For VPNs that do not, however, this can leak the public IP. Another interesting wrinkle in this story is that it was first discovered in October 2019. Liberty Global, the owner of Virgin Media, asked for a full year to resolve the vulnerability. Since then, Liberty has not coordinated disclosure, but has "ghosted" the researchers. It seems that no fix has been rolled out, so this should be considered a 0-day until proven otherwise. The solution is to only use VPN clients that block access to local IPs, if you want to avoid disclosing identifying information to the sites you visit.
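The protection the router's web interface lacks is a Host header check: a rebound request still carries the attacker's domain in Host, so a device that only answers to its own names and addresses refuses it. The gate below is an added example written for this article, not router firmware; the trusted names and addresses are constructed.

```python
from ipaddress import ip_address


def host_is_trusted(host_header, trusted_names, device_ips):
    """True only if the Host header (minus any port) names this device."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip the port: "[::1]:8080", "192.168.0.1:80", "router.local:80"
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    if host in {n.lower().rstrip(".") for n in trusted_names}:
        return True
    try:
        # Compare as addresses so "192.168.000.001"-style spellings do not slip past.
        return ip_address(host) in {ip_address(ip) for ip in device_ips}
    except ValueError:
        return False


def handle(request_headers):
    """Minimal request gate: 403 on an unrecognised Host, 200 otherwise."""
    trusted_names = ("router.local",)          # constructed device hostname
    device_ips = ("192.168.0.1", "fe80::1")    # constructed device addresses
    if not host_is_trusted(request_headers.get("Host"), trusted_names, device_ips):
        return 403, "Host header not recognised (possible DNS rebinding)"
    return 200, "ok"
```

The rebound request from the attacker's page arrives with Host set to the attacker's domain, which is exactly the case the gate rejects.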
Microsoft Azure Linux — OMIGOD
Are you running a Linux VM on Microsoft's Azure? You may well be running a vulnerable service on that VM. The service in question is the Open Management Infrastructure (OMI), which is automatically installed as part of multiple Azure services. The most serious vulnerability is CVE-2021-38647, a pre-authentication RCE as root that only requires access to the exposed HTTPS port. It is a simple authentication logic flaw, in which a request without an Authorization header runs as root by default. Updates are available, but it is not clear whether the patch will be rolled out automatically. Check for the omi package; if it is present, version 1.6.8.1 is the version that contains the fix.
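To turn that last sentence into a fleet check, here is an added helper (not Microsoft's or OMI's own tooling) that classifies the output of a package query as absent, vulnerable or patched against the 1.6.8.1 threshold stated above. The sample output lines are constructed, and the assumption is that they match the shape of `dpkg-query -W -f='${Package} ${Version}\n' omi` and `rpm -q omi`.

```python
import re

FIXED_OMI_VERSION = (1, 6, 8, 1)   # version containing the CVE-2021-38647 fix

# Constructed sample query output, not captured from a real host.
SAMPLE_DPKG = "omi 1.6.4.1\n"
SAMPLE_RPM = "omi-1.6.8.1-0.ulinux.x64\n"
SAMPLE_MISSING = "package omi is not installed\n"


def parse_omi_version(text):
    """Return the omi version as a tuple of ints, or None if no omi version is present."""
    m = re.search(r"\bomi[ -](\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def omi_status(text):
    """Classify package query output as 'absent', 'vulnerable' or 'patched'."""
    version = parse_omi_version(text)
    if version is None:
        return "absent"
    # Pad both tuples so a short version such as 1.6.8 compares correctly against 1.6.8.1.
    width = max(len(version), len(FIXED_OMI_VERSION))
    have = version + (0,) * (width - len(version))
    need = FIXED_OMI_VERSION + (0,) * (width - len(FIXED_OMI_VERSION))
    return "patched" if have >= need else "vulnerable"


if __name__ == "__main__":
    for sample in (SAMPLE_DPKG, SAMPLE_RPM, SAMPLE_MISSING):
        print(repr(sample.strip()), "->", omi_status(sample))
```

Feed it the stdout of whichever package manager the VM uses; a non-zero exit from the query itself should also be treated as "absent" rather than silently ignored.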
Bits and bytes
I recently came across Gluu Server, a self-hosted one-stop solution for OpenID authentication services. If you ever need to stand up a single sign-on solution, Gluu looks like a strong contender. We even did a FLOSS Weekly interview with the founder of Gluu, if you want to learn more.
Firefox is fed up with Microsoft's pranks. You may have noticed how difficult it is to change program defaults in Windows 10. There is a list of file types, and you must set every one of them to your preferred application — unless, of course, you want to use Microsoft products by default. Then it is a single click. Some very smart engineers at Mozilla reverse-engineered the way Edge sets itself as the default, and Firefox can now use the same technique.