When there’s a vulnerability in a system library, we install updates, and go on with our lives. When there’s a vulnerability in a Java library, jars get rebuilt, and fixed builds slowly roll out. But what happens when there’s a vulnerability in a library used in firmware builds? And to make it even more fun, it’s not just a single vulnerability. All three major firmware vendors have problems when processing malicious images. And LogoFail isn’t limited to x86, either. UEFI Arm devices are vulnerable, too.
You may ask why computer firmware needs an image parser. Obviously, every machine needs to show a full-screen logo on boot. And because reasons, that logo is often configurable by the end user. In other cases, firmware updates contain logos in unsigned sections of the firmware. The kicker is that this runs as part of the firmware, before any OS-level protections are loaded. It’s outside the secure boot stack, and has complete access to the system memory.
A follow-up post shares more details, and the PDF of the slides from the BlackHat Europe presentation is available.
National DNS Poison
We’ve discussed DNS poisoning here before. The quick explanation is that DNS queries are sent over UDP, so it’s possible to send spoofed DNS responses to a DNS resolver. To prevent the resolver from treating those spoofed responses as legitimate, both the 16-bit DNS ID and the 16-bit UDP source port must match the real request. Make those random, and you have 32 bits of entropy protecting your UDP requests. But what if one of those values isn’t random? Then you have a problem.
Researchers at SEC Consult found an odd data set, showing one of those DNS resolvers doing a stepwise walk up the source ports. Definitely a predictable pattern. It’s not quite as simple to exploit as you might think, as this source port pattern has a different offset for each remote host. Is this an odd DNS daemon? Probably not. The theory is that this DNS resolver is actually sitting behind a Carrier-Grade Network Address (and Port) Translation device, a CGNA(P)T.
And that is interesting. There is an attack where one attacker can “use up” all of the open DNS ports, forcing real traffic to flow through a known port. A similar technique turned out to be valid. Here an attacker sends traffic over all but a very few of the available outgoing UDP ports on the CGNAPT device. Then a valid DNS query is sent, forced to go through one of the available ports. And then the attack is “reset”, allowing all the ports to fall back to unused. That’s enough, as the CGNAPT gateway will fall right back to its known pattern, starting at the port where it was forced to send traffic.
The kicker is that this flaw was present in the Internet connectivity of a developed nation. That nation is staying anonymous, and the flaw was fixed quickly after disclosure.
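The check a defender can run on this, as an added example that is not part of the original column or of SEC Consult’s work: given passively logged (remote host, UDP source port) pairs from a resolver, group them per remote host (since the write-up notes the walk has a different offset per host) and flag any host whose consecutive port deltas are dominated by one small step. The sample observations and host names are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of (remote_host, udp_source_port) pairs, in arrival
# order, as an authoritative name server you operate might log a resolver's
# outgoing queries. ns1/ns2 walk upward from a different offset per host,
# the pattern the write-up describes; ns3 looks random.
SAMPLE_OBSERVATIONS = [
    ("ns1.example", 40010), ("ns1.example", 40011), ("ns1.example", 40012),
    ("ns1.example", 40013), ("ns1.example", 40014),
    ("ns2.example", 51200), ("ns2.example", 51201), ("ns2.example", 51202),
    ("ns2.example", 51203), ("ns2.example", 51204),
    ("ns3.example", 12345), ("ns3.example", 60001), ("ns3.example", 3333),
    ("ns3.example", 48210), ("ns3.example", 27000),
]


def analyze_source_ports(observations, min_samples=4, threshold=0.8, max_step=16):
    """Group (host, port) pairs by remote host and flag a host when a single
    small step dominates the deltas between consecutive source ports.
    Returns {host: (dominant_delta, share_of_deltas, predictable)}; hosts with
    fewer than min_samples observations are left out rather than guessed at."""
    by_host = defaultdict(list)
    for host, port in observations:
        by_host[host].append(port)
    report = {}
    for host, ports in by_host.items():
        if len(ports) < min_samples:
            continue
        deltas = [b - a for a, b in zip(ports, ports[1:])]
        delta, count = Counter(deltas).most_common(1)[0]
        share = count / len(deltas)
        # Random ports spread their deltas across the whole 16-bit range;
        # a stepwise walk collapses them onto one small value.
        predictable = share >= threshold and abs(delta) <= max_step
        report[host] = (delta, share, predictable)
    return report


if __name__ == "__main__":
    for host, (delta, share, flag) in analyze_source_ports(SAMPLE_OBSERVATIONS).items():
        print(f"{host}: step {delta} in {share:.0%} of deltas -> {'PREDICTABLE' if flag else 'ok'}")
```

A flagged host means the spoofer only has the 16-bit transaction ID left to guess, not the 32 bits the section above counts on.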
It’s always DNS! Maybe not always, but once again DNS is at the heart of a vulnerability. It started with a screenshot worker — a server that loads websites to capture a screenshot. That server could be fooled with a simple HTTP redirect, potentially capturing the web console from an Amazon EC2 instance, or other interesting tidbits of data. That particular problem was quickly fixed, but it raised a question about what other interesting techniques could be used, like DNS rebinding.
DNS Rebinding is the simple technique of changing the IP address that a DNS name points to, in the middle of a session. If a browser connects to a web page on an attacker’s domain, the DNS changes, and then the browser triggers a new DNS lookup, that lookup could get redirected to a different host. In this case, once again the Amazon dashboard at 169.254.169.254.
There’s even a service from column favorite Tavis Ormandy, just to help test for rebind flaws. This led to a round of tightening of the servers at Intruder, and a fun write-up of what this sort of vulnerability might look like.
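The mitigation a screenshot worker needs against both the redirect and the rebinding trick above, as an added example that is not code from the column or from Intruder: resolve the target host once, refuse it if any answer lands in an internal or link-local range (which is where 169.254.169.254 lives), and pin that address for the actual connection so a record switched mid-session is never consulted; every redirect target goes through the same check. The `make_rebinding_resolver` test double and the 203.0.113.10 address are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a fetcher of untrusted URLs must never reach: loopback, RFC 1918,
# link-local (home of 169.254.169.254), CGNAT, "this network", v6 ULA/link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d smuggles a v4 address
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def default_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def pin_target(url, resolver=default_resolver):
    """Resolve the host once, refuse it if any answer is internal, and return
    (scheme, host, pinned_ip, port). The caller connects to pinned_ip (sending
    Host: host) instead of resolving again, and calls pin_target() afresh for
    every redirect target, so neither trick in the write-up reaches metadata."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    try:  # literal IP in the URL: nothing to resolve, check it directly
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addresses = resolver(parts.hostname)
    if not addresses or any(is_blocked(a) for a in addresses):
        raise ValueError(f"refusing internal target for {parts.hostname}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, addresses[0], port

def is_safe_url(url, resolver=default_resolver):
    try:
        pin_target(url, resolver)
        return True
    except ValueError:
        return False

def make_rebinding_resolver(answers):
    """Constructed test double: hands out each answer list in turn, then the
    last one forever, mimicking a short-TTL record switched mid-session."""
    state = {"i": 0}
    def resolve(host):
        answer = answers[min(state["i"], len(answers) - 1)]
        state["i"] += 1
        return answer
    return resolve
```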
Lateral movement through DNA
We now know a bit more about the 23andMe breach from the fall. About a tenth of a percent of the company’s users were exposed directly. What’s really interesting here is the lateral movement. 23andMe users can opt in to expose their information to other users via the DNA Relatives and Family Tree features. It seems that about 14,000 accounts were accessed directly, but information from nearly seven million accounts was accessed through this information sharing feature. The breach is still thought to have been due to credential stuffing, taking known usernames and passwords and attempting to log in to many accounts with the information.
Hardening is Hard
The Sonos Era 100 was one of the target devices at Toronto Pwn2Own 2023, and this device has obviously had some real work done to make it a hard target to break into. Nonetheless, the NCC Group brought the goods, explaining exactly how to get in. As with most embedded devices, it starts with a TTL-level serial port on the board. Next was identifying and tapping pins to dump the eMMC data.
The first discovery was that U-Boot on this device is slightly misconfigured, attempting to load environment data from the flash memory. That data isn’t signed, so it’s possible to slip any environment variable in there. That’s not as useful as it seems, as this U-Boot image is fairly locked-down otherwise. There is one other oversight: the boot process calls the setenv() command to set up the boot instructions, but never checks whether that call succeeded. A flag can be set as part of the environment to make those variables read-only, so the firmware’s own setenv() calls fail silently and the attacker-supplied values stay in place. Suddenly the Linux kernel boot arguments are attacker-controlled.
The last bit was that the Linux kernel can be loaded to any memory offset, leaving plenty of room for a custom initramfs, giving full system control. And to top this one off, there’s a published exploit that could be adapted to read back the One-Time Programmable (OTP) memory, containing system keys and the firmware encryption key. Pwned.
Bits and Bytes
There are still between 20,000 and 30,000 End-of-Life’d Exchange servers on the Internet. These are Exchange 2007 and 2013 servers that just refuse to die. And while these old releases do get the occasional update for particularly nasty vulnerabilities, there are still multiple known exploit chains that target these old boxes. Ouch.
There’s a large network vendor we don’t hear about often here: Extreme Networks. Rhino Security Labs took a crack at the EXtreme Operating System (EXOS), and found some fun bugs, like the path traversal bug that let authenticated users read arbitrary files. This one chained nicely with a Server-Side Request Forgery attack, causing the EXOS machine to make a request of itself. That request succeeds automatically, and produces a valid JSON Web Token (JWT)… that can be read via the arbitrary file access. Extreme Networks has patched the problems in just over 3 months from report.
And finally, we have to let you know about a Hacking book bundle from Humble Bundle. The books are all from No Starch Press, and the charity supported by this bundle is the EFF. There look to be some good finds among the list, both Red and Blue team titles. Enjoy!