The pair of Outlook vulnerabilities we’ve been tracking have finally been patched, along with a handful of other fixes this Patch Tuesday; six of the fixes address 0-days. The third 0-day was discovered by Google’s Threat Analysis Group, and results in arbitrary code execution when a Windows client connects to a malicious server.
A couple of privilege escalations were fixed: one was yet another print queue issue, and the other was part of a key management service. The last zero-day fix was a mark-of-the-web bypass. Mark-of-the-web is the tag added to a file’s metadata to indicate that it was downloaded from the Internet; deliver malware inside an ISO, or marked read-only inside a zip file, and the usual warning isn’t shown when it runs.
Will typo for Bitcoin
One trend that shows no sign of abating is typosquatting, the simple malware distribution strategy of uploading tainted packages under misspelled variations of legitimate package names. The latest such scheme, discovered by researchers at Phylum, delivered a crypto-thief in Python packages. These packages were hosted on PyPI, under names such as
Speaking of clipboards, Google’s Project Zero let us in on a story from 2020 where Samsung devices were compromised by an exploit chain that starts on the clipboard. Samsung built a custom clipboard service that supported image files on the clipboard. An oversight allowed any app on the device to request a handle to any file. This was used to drop a stage 2 binary. Another app, Samsung’s Text to Speech system, is hijacked by overwriting a settings file, causing the malicious binary to launch instead of a valid speech engine. This step escalates privileges because the speech engine is launched in the system_app SELinux context.
The second vulnerability was an information leak, where the kernel log is copied to a file readable from the system_app context. Triggering a warning in the GPU driver caused address information to be logged to this file. Leak it a few times and you’ve cracked Kernel Address Space Layout Randomization, not to mention recovered a pointer value used in the third vulnerability.
This last is a use-after-free in the DECON driver, the display and enhancement controller, part of the graphics stack. DECON opens a file descriptor and shares it with userspace. Userspace can free the descriptor and the driver continues to treat it as valid. Between freeing and accessing, many malicious copies of the file descriptor are sprayed into memory, with the hope that such a copy will occupy the freed address. That forged descriptor lets the malware jump into kernel space and elevate the userspace component to run in the vold context, AKA the Volume Daemon. Malware that reaches this level is the king of the Android castle.
This exploit chain was found in the wild and fixed in March 2021, but it’s still a neat look at how exploits are done. In this case it is believed to be from a commercial supplier – NSO Group or a similar outfit.
Let’s Encrypt is great. If you control a domain, you can generate a free SSL certificate to encrypt and verify that domain for HTTPS traffic. You may have asked yourself at some point: can you use Let’s Encrypt to sign binaries? That would be useful, but unfortunately it is not an option. So very welcome this week is the news that Sigstore is now widely available, and Trail of Bits has the story.
The key here is that you can get your code signed with a short-lived certificate, attested to an OpenID identity. Examples of useful OpenID services are GitHub, Google and Microsoft accounts. So you can get a signature, linked to your public identity, and not have to worry about certificate management at all. Keep an eye on Sigstore as it looks to have a bright future, like Let’s Encrypt for code signing.
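To make that trust decision concrete, here is an added example written for this column, not code from Sigstore or Trail of Bits. It stands in a locally generated CA for Fulcio and a plain dict for the transparency-log entry, and it uses the `cryptography` package; the private-extension OID used for the OIDC issuer, the identity `dev@example.com` and the issuer URL are assumptions of the example. It walks the four checks a keyless verifier makes: the certificate chains to the trusted CA, the identity and OIDC issuer match what you pinned, the signature was made inside the certificate’s short validity window, and the signature verifies over the blob.

```python
"""Verify a blob signature against a short-lived, identity-bound certificate.

Added illustration of the Sigstore-style trust decision; not Sigstore's own
code. The CA and leaf certificate are generated locally as a stand-in for
Fulcio, and the transparency-log entry is a constructed dict.
Requires the `cryptography` package.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumed OID for the private extension carrying the OIDC issuer URL.
OIDC_ISSUER_OID = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1.1")


def issue_cert(ca_key, identity: str, issuer_url: str, not_before: datetime,
               lifetime: timedelta = timedelta(minutes=10)):
    """Stand-in for Fulcio: bind a fresh key to an OIDC identity for ten minutes."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, identity)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "stand-in fulcio")]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + lifetime)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(identity)]), critical=True)
        .add_extension(x509.UnrecognizedExtension(OIDC_ISSUER_OID, issuer_url.encode()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def _validity(cert):
    """Return (not_before, not_after) as aware datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def verify_blob(blob: bytes, signature: bytes, cert, ca_public_key,
                expected_identity: str, expected_issuer: str, log_entry: dict) -> bool:
    """True only if every condition of the keyless trust model holds."""
    # 1. The leaf certificate was issued by the CA we trust.
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    # 2. The identity, and the OIDC provider that vouched for it, are the pinned ones.
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if expected_identity not in san.get_values_for_type(x509.RFC822Name):
        return False
    issuer = cert.extensions.get_extension_for_oid(OIDC_ISSUER_OID).value.value.decode()
    if issuer != expected_issuer:
        return False
    # 3. The cert is short-lived, so "is it valid now?" is the wrong question:
    #    the signing time recorded by the log must fall inside its window.
    signed_at = datetime.fromtimestamp(log_entry["integrated_time"], timezone.utc)
    not_before, not_after = _validity(cert)
    if not (not_before <= signed_at <= not_after):
        return False
    # 4. Finally, the signature over the blob itself.
    try:
        cert.public_key().verify(signature, blob, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


def demo() -> dict:
    """Sign a constructed blob and exercise the verifier's accept and reject paths."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_pub = ca_key.public_key()
    now = datetime.now(timezone.utc).replace(microsecond=0)
    identity, issuer = "dev@example.com", "https://accounts.google.com"
    dev_key, cert = issue_cert(ca_key, identity, issuer, now)
    blob = b"release-1.2.3.tar.gz contents (constructed)"
    sig = dev_key.sign(blob, ec.ECDSA(hashes.SHA256()))
    # Constructed log entries: one inside the ten-minute window, one an hour later.
    entry_ok = {"integrated_time": int((now + timedelta(minutes=1)).timestamp())}
    entry_late = {"integrated_time": int((now + timedelta(hours=1)).timestamp())}
    return {
        "good": verify_blob(blob, sig, cert, ca_pub, identity, issuer, entry_ok),
        "wrong_identity": verify_blob(blob, sig, cert, ca_pub, "other@example.com", issuer, entry_ok),
        "wrong_issuer": verify_blob(blob, sig, cert, ca_pub, identity, "https://github.com/login/oauth", entry_ok),
        "after_expiry": verify_blob(blob, sig, cert, ca_pub, identity, issuer, entry_late),
        "tampered": verify_blob(blob + b"!", sig, cert, ca_pub, identity, issuer, entry_ok),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'accept' if ok else 'reject'}")
```

The fourth check is the familiar one; the third is what makes short-lived certificates workable. A certificate that expired nine minutes after issuance is still fine to trust years later, as long as the logged signing time falls within its window, which is why a real verifier also checks the log's inclusion proof rather than taking the entry on faith as this example does.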
Pixel Lock Bypass
It was a simple yet critical flaw in Android’s lock screen, discovered by [David Schütz] in June, and it strangely sat with Google for months before it was finally fixed in the November security patch. The discovery happened by accident, due to a forgotten PIN code for the SIM card. Did you know that your SIM card has a PIN code that you can use to lock the card? And if you forget it, the documentation that came with the SIM card contains a PUK, a personal unblocking key.
Start the phone with a PIN-protected SIM, fail three times to unlock the card, and it goes into a locked mode that requires the PUK to unlock it. This process is handled by an Android security screen, and successfully unlocking the SIM via the PUK triggered a .dismiss() function call. The problem is that several security screens can be active at the same time, including the lock screen, and the .dismiss() call is handled by whichever screen is at the top of the stack. Unlocking the SIM changes the stack of screens, and the lock screen often lands on top of that stack, so the dismiss unlocks the phone.
Now note that this exploit does not decrypt a phone. It does not work from a cold boot. But a booted phone that has been authenticated once, and just locked, can be unlocked this way. It’s likely that the Google engineer triaging the bug wasn’t quite able to reproduce the problem, so it wasn’t handled as quickly as it should have been. After demonstrating the problem in person, the wheels of change began to move and the solution was finally released, and [David] earned a very nice bounty of $70,000. This is also an AOSP issue, so downstream projects like LineageOS are pulling the update and working on shipping the fix as well.
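The stack-handling flaw is easier to see in a toy model. This is an added illustration written for this column, not AOSP code: the screen names, the `ScreenStack` class and the two dismiss variants are invented stand-ins for the real keyguard classes, and the modeled fix, dismissing only when the top screen is the one whose success fired the call, is the shape of the change rather than Google’s exact patch. It also models only the screen stack, not storage encryption, which is why the bug needs a booted, previously authenticated phone.

```python
"""Toy model of stacked Android security screens and the PUK dismiss bug.

Added illustration, not AOSP code: names and classes are invented stand-ins.
Only the screen stack is modeled; storage encryption is out of scope.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LOCK_SCREEN = "lock_screen"   # the user's PIN/pattern/password screen
SIM_PIN = "sim_pin"           # SIM PIN prompt shown on boot
SIM_PUK = "sim_puk"           # shown after three wrong SIM PINs


@dataclass
class ScreenStack:
    screens: List[str] = field(default_factory=list)

    def top(self) -> Optional[str]:
        return self.screens[-1] if self.screens else None

    def push(self, screen: str) -> None:
        self.screens.append(screen)

    def on_sim_unlocked(self) -> None:
        """SIM state changed: its screens are no longer needed, so the stack is
        rebuilt without them and the user's lock screen surfaces on top."""
        self.screens = [s for s in self.screens if s not in (SIM_PIN, SIM_PUK)]

    def dismiss_top(self) -> None:
        """Vulnerable behaviour: whatever happens to be on top is dismissed."""
        if self.screens:
            self.screens.pop()

    def dismiss_if_expected(self, expected: str) -> bool:
        """Fixed behaviour: dismiss only when the top screen is the one whose
        success triggered the call. Returns whether anything was popped."""
        if self.top() == expected:
            self.screens.pop()
            return True
        return False

    def phone_unlocked(self) -> bool:
        return LOCK_SCREEN not in self.screens


def puk_unlock_flow(fixed: bool) -> bool:
    """Replay the sequence from the write-up and report whether the phone ends
    up unlocked without the user's own credential ever being entered."""
    stack = ScreenStack()
    stack.push(LOCK_SCREEN)   # phone was authenticated once, then locked
    stack.push(SIM_PIN)       # SIM asks for its PIN
    stack.push(SIM_PUK)       # three failures: PUK screen is now on top
    # Correct PUK entered. The SIM unlocks first, which reshuffles the stack...
    stack.on_sim_unlocked()
    # ...and only then does the PUK screen's success handler call dismiss().
    if fixed:
        stack.dismiss_if_expected(SIM_PUK)   # top is LOCK_SCREEN, so no-op
    else:
        stack.dismiss_top()                  # pops LOCK_SCREEN: phone unlocked
    return stack.phone_unlocked()


if __name__ == "__main__":
    print("vulnerable:", "unlocked" if puk_unlock_flow(fixed=False) else "locked")
    print("fixed:     ", "unlocked" if puk_unlock_flow(fixed=True) else "locked")
```

The general lesson is the one that makes this class of bug recur: a "dismiss" that names no target is a command whose meaning depends on state the caller did not check, and anything that can reorder that state between the decision and the action turns a SIM unlock into a phone unlock.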
Bits and bytes
25 different Lenovo laptop models were inadvertently shipped with development drivers that allowed NVRAM variables to be manipulated from the operating system. Or to put it more simply, you could turn off Secure Boot from Windows. Updates for the affected models fix the firmware so that such settings can no longer be manipulated after boot.
A collection of malicious apps on the Google Play Store has managed one million downloads. These apps delay all malicious activity for a few days after installation, but eventually start loading phishing pages in new Chrome tabs. The really worrying part is that these apps entered the Play Store and were not flagged in any of Google’s app scans. It makes one wonder what else might be lurking.
And some positive news, the Open Bug Bounty has passed the milestone of fixing one million vulnerabilities. This alternative bug bounty system is designed for smaller websites and organizations to attract security talent to find problems with their infrastructure. And it seems to be working, congrats on the milestone!