This Week In Security: Loop DoS, Flipper Responds, And More!


Here's a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and aim the response at another server. What happens if that response triggers another response? What if you could craft a packet that keeps that cycle going indefinitely? That's essentially the idea behind Loop DoS (Denial of Service).

This particular avalanche of packets has been achieved using specific implementations of several different network services, like TFTP, DNS, and NTP. There are several CVEs being used to track the issue, but CVE-2024-2169 is particularly odd, with the description that "Implementations of UDP application protocol are vulnerable to network loops." This seems to be a blanket CVE for UDP, which is particularly inappropriate given that the first DoS of this type was reported in 2009 at the latest.

More details are available in a Google Doc. There are some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember here is that you have to have an accessible UDP port for this kind of attack to happen, so if you're not using it, firewall it.
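To make the loop mechanic concrete, here is an added in-process simulation (not code from the column or from the Loop DoS researchers). Two toy UDP services are modelled as Python objects rather than real sockets; each answers anything it does not understand with an error reply to the sender address, which is exactly the behaviour that lets a single spoofed-source datagram bounce between two servers forever. The hardened variant applies one of the standard fixes: never answer an error message with another error. The addresses, ports and payloads are constructed for the demo.

```python
"""Simulated application-layer UDP loop and a mitigation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: tuple       # (ip, port) the packet claims to come from (spoofable)
    dst: tuple       # (ip, port) it is delivered to
    payload: bytes


class ErrorEchoService:
    """Toy service: 'PING' -> 'PONG', anything else -> an error reply.

    reply_to_errors=False is the mitigation: incoming error messages are
    dropped silently instead of being answered with yet another error.
    """

    def __init__(self, addr, reply_to_errors=True):
        self.addr = addr
        self.reply_to_errors = reply_to_errors
        self.sent = 0

    def handle(self, dgram):
        if dgram.payload == b"PING":
            reply = b"PONG"
        else:
            if not self.reply_to_errors and dgram.payload.startswith(b"ERROR"):
                return None  # mitigation: an error never triggers a reply
            reply = b"ERROR: unknown request " + dgram.payload[:16]
        self.sent += 1
        # Reply goes to whatever source address the packet carried.
        return Datagram(src=self.addr, dst=dgram.src, payload=reply)


def deliver_until_quiet(services, first, max_packets=1000):
    """Deliver datagrams between services until nobody replies.

    Returns the number of packets delivered, capped at max_packets so the
    unmitigated case terminates.
    """
    by_addr = {s.addr: s for s in services}
    queue = [first]
    delivered = 0
    while queue and delivered < max_packets:
        dgram = queue.pop(0)
        delivered += 1
        svc = by_addr.get(dgram.dst)
        if svc is None:
            continue
        reply = svc.handle(dgram)
        if reply is not None:
            queue.append(reply)
    return delivered


def simulate(mitigated, max_packets=1000):
    """One spoofed datagram: src forged as server B, sent to server A."""
    a = ErrorEchoService(("10.0.0.1", 69), reply_to_errors=not mitigated)
    b = ErrorEchoService(("10.0.0.2", 69), reply_to_errors=not mitigated)
    spoofed = Datagram(src=b.addr, dst=a.addr, payload=b"junk")
    return deliver_until_quiet([a, b], spoofed, max_packets)


if __name__ == "__main__":
    print("unmitigated packets:", simulate(mitigated=False))  # hits the cap
    print("mitigated packets:  ", simulate(mitigated=True))   # spoof + 1 reply
```

Without the mitigation the exchange only stops when the simulation budget runs out, which is the whole problem: on a real network the budget is the link bandwidth. With it, the attacker's one packet buys exactly one reply. Rate-limiting replies, refusing to answer datagrams whose source port is itself a service port, and, as the column says, firewalling ports you are not using, are the other layers of defence.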

Flipper Flips Back

We've covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and discovered the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is "stop the madness". There has never been a confirmed case of using a Flipper to steal a car, and it's very unlikely it's ever happened. On a modern car with proper rolling-code security, it's not meaningfully possible to use the Flipper Zero for the theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hacks.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament.

Data-only EoP

In a post on the state of modern exploitation, [Connor McGarr] explores the world of post-shellcode Elevation of Privilege (EoP) exploits. Why are we talking about exploitation without shellcode? Specifically because of the latest and greatest in Windows kernel hardening: kCET, kCFG, and HVCI. That's kernel Control-flow Enforcement Technology, kernel Control Flow Guard, and Hypervisor-Protected Code Integrity. Together these technologies essentially guarantee that any area of kernel memory can be either writable or executable, but not both. That's a pretty hard limit.

So what's left? Apparently a lot. Starting with the simplest, a data-only exploit, an attacker can steal the token of a system process and use it to elevate their own. The rest of the post is an in-depth treatment of how an attacker process can read and manipulate its way to a nearly kernel-level position. Impressive stuff.

Fortinet Old and New

We have a deep dive into a Forticlient vulnerability, CVE-2023-48788, a SQL injection in the FcmDaemon process. The vulnerable field here was "FCTUID", and a WAITFOR DELAY message was enough to prove it was the vulnerability. Turning this into an RCE is trivial thanks to the extremely helpful xp_cmdshell function of Microsoft SQL Server. That's off by default, but can be turned back on… via SQL statements. *sigh* It's a bit jarring to cover Microsoft's stellar work on hardening the Windows kernel, only to find old cruft in their SQL Server still causing problems like this.
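The shape of that bug, as an added example that is not Forticlient's code or the researchers' write-up: a lookup that splices a client-supplied identifier into the SQL text, next to the parameterized version that binds it as data, plus a small log check that flags the kind of probe values the column mentions. It uses sqlite3 rather than Microsoft SQL Server, so WAITFOR DELAY and xp_cmdshell are only matched as strings here, not executed; the table, column and sample identifiers are invented for the demo.

```python
"""Vulnerable vs. parameterized lookup, plus a probe detector (added example)."""
import re
import sqlite3


def make_db():
    """In-memory table standing in for a client registry keyed by FCTUID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (fctuid TEXT PRIMARY KEY, hostname TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [("A1B2", "laptop-01"), ("C3D4", "desktop-02")])
    return conn


def lookup_vulnerable(conn, fctuid):
    """The untrusted identifier becomes part of the statement text."""
    sql = "SELECT hostname FROM clients WHERE fctuid = '" + fctuid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, fctuid):
    """The identifier is bound as a value; it can never change the statement."""
    sql = "SELECT hostname FROM clients WHERE fctuid = ?"
    return [row[0] for row in conn.execute(sql, (fctuid,))]


# Patterns a defender would grep request logs for. WAITFOR DELAY is the
# time-based blind-injection check named in the column; xp_cmdshell and
# sp_configure are the MSSQL pieces that turn injection into command execution.
PROBE_PATTERNS = [
    re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE),
    re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
    re.compile(r"\bsp_configure\b", re.IGNORECASE),
    re.compile(r"'\s*(OR|AND)\s*'", re.IGNORECASE),  # quote-breaking tautology
]


def flag_probes(fctuid_values):
    """Return the logged FCTUID values that look like injection probes."""
    return [v for v in fctuid_values
            if any(p.search(v) for p in PROBE_PATTERNS)]


# Constructed sample of logged FCTUID values: two legitimate, two probes.
SAMPLE_LOG = [
    "A1B2",
    "C3D4",
    "A1B2'; WAITFOR DELAY '0:0:5'--",
    "x' OR '1'='1",
]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, hostile))     # every row
    print("parameterized: ", lookup_parameterized(db, hostile))  # nothing
    print("flagged probes:", flag_probes(SAMPLE_LOG))
```

The vulnerable lookup returns every client for a tautology input because the quote in the value closes the string literal and the rest is parsed as SQL; the parameterized one returns nothing, because the whole value is compared as a string. The detector is deliberately simple, a pattern list over one field, which is enough to catch the probe shapes described above in request logs but is no substitute for fixing the query.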

And then there's the newer Fortinet issue, in the Fortigate SSL VPN. Researchers at Assetnote give us all the details on how they tracked this one down, starting with patch diffing and fuzzing the likely vulnerable endpoint. That led to a crash, which was a great start, but even a Ghidra decompile wasn't quite enough to work out how to turn the crash into an exploit. What was really needed was to hook a debugger to the crashing function.

And that gets into the hack before the hack. As often happens, the Assetnote folks had to take a system image and backdoor it to get true root access and a usable system terminal. That was an adventure in itself. With that done, GDB did its magic, revealing that the crash they found was nearly useless for exploitation. But a bit of manipulation with leading 0s in the packet that caused the crash, and they had a primitive: the bytes 0x0a0d could be written to the stack, at a mostly controlled location. Is that enough for an exploit? Just two bytes?

When you can send packets that get stored on the heap, and you have a debugger to watch what happens, it turns out that is enough. A return pointer was chosen that could be corrupted with this two-byte write, to jump program execution through a gadget right into a carefully controlled heap location. Write the payload that pops /bin/sh, and victory! Except, remember all that hacking they did on their test copy of Fortigate? One of those steps was replacing the /bin/sh binary with something useful. After a bit more wrangling, and borrowing a function or two from the system SSL library, the exploit was finally finished, using a nodejs reverse shell. Whew! At least fixes are available.

How To ROP

Have you always wondered how Return Oriented Programming (ROP) actually works in the context of writing an exploit? [Vandan Pathak] has the step-by-step guide for the rest of us. The very basic explanation is that you manipulate the return address of a function, to jump to an unintended function. One of the most common tricks is to jump into libc, the standard C library.

Bits and Bytes

Today I learned about a nifty security feature for Linux, as well as an exploit to bypass it. USBGuard is a ruleset to allow and deny USB devices. The trick is that not every USB device is what it claims to be, like a Raspberry Pi or Arduino in gadget mode.

In the same vein as the detailed exploit write-ups above, Github has published an impressive hack of the Pixel 8, that uses GPU memory to bypass the ARM Memory Tagging Extension. We're out of room to cover this one in depth, but it's worth a read.

And finally, Linux hit a new milestone: We've got malware. The Canonical Snap Store has a problem with hosting fake Bitcoin wallet apps. Such a malicious app was removed back in February, but it looks like the bad penny has turned up again. But this time it was a whole dime. Ten malicious wallets on the Snap Store. For a very long time the Linux ecosystem has been trustworthy as a place to not get malware, especially when installing software from system repositories. Unfortunately, the Snap Store doesn't seem to be such a trustworthy software source. Caveat Emptor and Downloader Beware.
