This Week In Security: Git Deep Dive, Mailchimp, And SPF

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a nonprofit organization dedicated to improving the security of Open Source projects. The audit itself was carried out by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same coding habit: using an int to hold a buffer length.

On modern systems, a size_t is always unsigned, and the same width as the platform's pointers. It is the correct data type for string and buffer lengths, because it is guaranteed not to overflow when handling lengths up to the amount of addressable memory on that system. An int, on the other hand, is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647, roughly 2 GB. A large buffer, but not an unheard-of amount of data. Throw something that big at git, and it breaks in unexpected ways.

Our first example is CVE-2022-23521, an out-of-bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository causes the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git vastly under-allocates the attribute buffer, then writes all of that data past the end of the allocated buffer.

CVE-2022-41903 is another signed integer overflow, this time triggered when a pretty-print format is abused to do the unexpected. Look at this block of code:

        int sb_len = sb->len, offset = 0;
        if (c->flush_type == flush_left)
                offset = padding - len;
        else if (c->flush_type == flush_both)
                offset = (padding - len) / 2;
        /*
         * we calculate padding in columns, now
         * convert it back to chars
         */
        padding = padding - len + local_sb.len;
        strbuf_addchars(sb, ' ', padding);
        memcpy(sb->buf + sb_len + offset, local_sb.buf,
               local_sb.len);

An exploit format looks something like %>(2147483647)%a%>(2147483646)%x41, where the code above runs for every instance of padding (the %>(#) blocks) found in the format. The first pass through this code adds (2^31)-1 spaces to the front of the output string. That number happens to be the maximum value of a four-byte signed integer. But the block above runs a second time, more text gets added to the buffer, and its length is pushed past the maximum integer value. The first line of the block performs an implicit cast from size_t to int, setting sb_len to a negative value.

Then in the memcpy() call, sb->buf is a pointer to the start of the buffer, sb_len is our overflowed large negative number, and offset is a user-controlled value. This means the destination passed to memcpy() can be set to a memory location lower than the start of the intended buffer. An attacker-controlled write. I added a few debug printf() statements to this block of code and ran a test case:

        $ ./bin-wrappers/git log -1 --pretty="format:%>(2147483647)%a%>(2147483635)%s" >/dev/null
        Padding: 2147483647
        sb_len: 0
        offset: 38144
        Memcpy:
        Padding: 2147483635
        sb_len: -2147483647
        offset: 2147483591
        Memcpy: CI: upgrade to macos-12, and pin OSX version
        =================================================================
        ==844038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd8989f97c8 at pc 0x7fdb15e49d21 bp 0x7ffe8fa5c100 sp 0x7ffe8fa5b8b0
        WRITE of size 44 at 0x7fd8989f97c8 ...
        0x7fd8989f97c8 is located 56 bytes to the left of ... region [0x7fd8989f9800,0x7fd9b89f983c)

The first quartet of outputs there is the setup, priming the log line with padding to be max int long. The second quartet is the buffer overrun, where sb_len is set to negative, and then added to the offset to give us a location 56 bytes to the left of the start of the buffer. The content that gets printed to that location is in this case %s, which gets replaced by the subject line of the commit — 44 bytes long. The authors suggest that this could be weaponized against a “git forge”, AKA GitHub and GitLab, as those software suites run the git archive command, which can invoke a user-controlled pretty string.

Fixes were pushed to the git source code back on December 8th, but new releases containing those fixes are just now available. There are approximately 2200 instances of the raw int issue, and those will take a while to clean up, even with some fun hacks like cast_size_t_to_int(), an inline function that just kills the program if a 2 GB+ size_t is handled. So go update!
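The arithmetic above, carried through in a small C program. This is an added example, not code from git or from the article: it models the `int sb_len = sb->len` narrowing with the numbers from the second pass of the test run (a real length of 2^31+1, which narrows to the -2147483647 shown, plus the offset 2147483591), shows the memcpy() destination landing 56 bytes before the buffer without ever allocating 2 GB, and pairs that with a checked narrowing modeled on the cast_size_t_to_int() hack (returning a status instead of dying) and a size_t-only version of the destination computation. The function names and the buffer capacity used are this example's own assumptions.

```c
/*
 * Added example, not code from git or from the article: reproduces the
 * integer arithmetic behind CVE-2022-41903 without a 2 GB buffer.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What `int sb_len = sb->len;` does: an implicit narrowing to int.
 * Out-of-range size_t -> int is implementation-defined in C, but GCC,
 * Clang and MSVC all wrap modulo 2^32, which is what the test output shows. */
int narrow_len_to_int(size_t len)
{
    return (int)len;
}

/* Displacement from sb->buf that the vulnerable destination expression
 * `sb->buf + sb_len + offset` ends up with, computed as a signed 64-bit
 * value so it can be inspected without forming an out-of-bounds pointer. */
long long vulnerable_dest_displacement(size_t real_len, int offset)
{
    int sb_len = narrow_len_to_int(real_len);
    return (long long)sb_len + (long long)offset;
}

/* Checked narrowing, modeled on cast_size_t_to_int(): refuse anything that
 * does not fit in an int. Returns 1 on success, 0 if the value is too large
 * (git's version die()s instead; this is the example's own choice). */
int checked_size_t_to_int(size_t v, int *out)
{
    if (v > (size_t)INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Hardened destination arithmetic: stay in size_t, refuse a sum that would
 * wrap, and refuse a destination beyond the buffer's capacity (the capacity
 * parameter is assumed here; git's strbuf tracks it as sb->alloc). */
int safe_dest_offset(size_t sb_len, size_t offset, size_t capacity, size_t *out)
{
    if (offset > SIZE_MAX - sb_len)
        return 0;                       /* sb_len + offset would wrap */
    if (sb_len + offset > capacity)
        return 0;                       /* destination outside the buffer */
    *out = sb_len + offset;
    return 1;
}

int main(void)
{
    /* Numbers from the second pass in the test run: a buffer that has grown
     * to 2^31+1 bytes and a padding offset of 2147483591. */
    size_t real_len = 2147483649ULL;
    int offset = 2147483591;
    int n;
    size_t d;

    printf("sb_len after narrowing: %d\n", narrow_len_to_int(real_len));
    printf("memcpy() destination displacement: %lld bytes\n",
           vulnerable_dest_displacement(real_len, offset));
    printf("checked cast accepted: %d\n", checked_size_t_to_int(real_len, &n));
    printf("safe offset accepted: %d\n",
           safe_dest_offset(real_len, (size_t)offset, real_len + 1000, &d));
    return 0;
}
```

The negative displacement (-56) is exactly the "56 bytes to the left" that AddressSanitizer reported; the two checked helpers show the two ways out: reject the narrowing up front, or never narrow at all and bound the destination against the allocation.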

Mailchimp — Again

It seems the folks at Mailchimp can’t catch a break, as their internal administration tools were accessed once again by attackers, leading to the exposure of 133 customer accounts, including WooCommerce. This is the third time Mailchimp has fallen to a social engineering or phishing attack in the last year, and each time has resulted in spear-phishing emails sent to end users. So if you’re on any Mailchimp mailing lists, keep this breach in mind next time a related email arrives. (Editor’s note: Hackaday’s two newsletters use Mailchimp, and we were not notified, so we believe that we’re good.)

Royal Mail Ransomware

In a story that could have some big consequences, the UK’s Royal Mail has suffered a ransomware attack on their system for handling international mail. The attack uses Lockbit ransomware, a group suspected to be a Russian-speaking ransomware gang. This could be significant, as an attack on an actual government agency is way more serious than an attack on a business. Since Lockbit runs as ransomware-as-a-service, it’s going to be very difficult to determine exactly who actually pulled off the attack. For now, the recommendation is simple: don’t send any international mail. Oof.

Scanning SPF Records

[Sebastian Salla] has what could be considered an odd hobby, in the form of scanning SPF records for strange misconfigurations. In the latest adventure, that scan covered the 3 million most visited domains. And misconfigurations were found.

But hold on, what is SPF and why do we care? Sender Policy Framework is a TXT record that is part of a domain's DNS records, and it specifies which IP addresses are actually allowed to send email for that domain. So if an incoming email claims to be from a domain with a valid SPF record, and the IP address it was sent from is not in that record, it is pretty clearly not from the claimed domain.

And having your domain's email rejected because of SPF problems is one of the best ways to catch flak. So it is tempting to make the SPF record a bit more ... *liberal* than it perhaps should be. The most extreme iteration of this is just slapping a +all in the SPF record and calling it done. Of course, this tells the world that every spammer anywhere who uses your domain is really sending legitimate email, but at least the boss's outgoing mail works again. With more than a thousand domains set to SPF +all, this is apparently a more common fault than anticipated.
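To make the +all point concrete, and the SPF mechanics described two paragraphs up, here is a minimal SPF evaluator in C. It is an added example, not code from the article or from [Sebastian Salla]'s scanner: it handles only the ip4: and all terms, skips anything that needs DNS (include:, a, mx, exists:, redirect=), and flags a record whose all term carries a + qualifier, explicit or implied. The sample records and the RFC 5737 documentation addresses in it are constructed for the example.

```c
/*
 * Added example (not the article's or Sebastian Salla's code): a minimal
 * SPF evaluator covering only the "ip4:" and "all" mechanisms. Terms that
 * need DNS (include:, a, mx, exists:, redirect=) are skipped and so never
 * match, which is enough to show what "+all" does to a policy.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum spf_result { SPF_NONE, SPF_PASS, SPF_FAIL, SPF_SOFTFAIL, SPF_NEUTRAL };

/* Dotted-quad IPv4 text -> host-order 32-bit value; rejects trailing junk. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* The "ip4:" argument is <addr>[/<prefix-len>]; a missing length means /32. */
static int ip4_match(const char *arg, uint32_t ip)
{
    char addr[16];
    uint32_t net, mask;
    unsigned long len = 32;
    const char *slash = strchr(arg, '/');
    size_t n = slash ? (size_t)(slash - arg) : strlen(arg);

    if (n >= sizeof addr)
        return 0;
    memcpy(addr, arg, n);
    addr[n] = '\0';
    if (slash) {
        char *end;
        len = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || len > 32)
            return 0;
    }
    if (!parse_ipv4(addr, &net))
        return 0;
    mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    return (ip & mask) == (net & mask);
}

/* Qualifier prefix -> result when the mechanism matches. */
static enum spf_result qualifier_result(char q)
{
    switch (q) {
    case '-': return SPF_FAIL;
    case '~': return SPF_SOFTFAIL;
    case '?': return SPF_NEUTRAL;
    default:  return SPF_PASS;      /* '+' or no qualifier at all */
    }
}

/* Evaluate `record` for mail received from `sender_ip`. Sets *permissive
 * when the "all" term has a + qualifier (explicit or implied), i.e. every
 * sender that earlier terms did not match is authorised. */
enum spf_result spf_check(const char *record, const char *sender_ip, int *permissive)
{
    char copy[512];
    uint32_t ip;
    char *tok;

    *permissive = 0;
    if (strncmp(record, "v=spf1", 6) != 0 || (record[6] != ' ' && record[6] != '\0') ||
        strlen(record) >= sizeof copy || !parse_ipv4(sender_ip, &ip))
        return SPF_NONE;
    strcpy(copy, record);

    for (tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        char q = '+';
        if (strcmp(tok, "v=spf1") == 0)
            continue;
        if (*tok == '+' || *tok == '-' || *tok == '~' || *tok == '?')
            q = *tok++;
        if (strcmp(tok, "all") == 0) {
            if (q == '+')
                *permissive = 1;
            return qualifier_result(q);
        }
        if (strncmp(tok, "ip4:", 4) == 0 && ip4_match(tok + 4, ip))
            return qualifier_result(q);
    }
    return SPF_NEUTRAL;     /* RFC 7208: nothing matched and no "all" term */
}

int main(void)
{
    /* Constructed records; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
     * documentation ranges, so nothing here points at a real sender. */
    const char *records[] = { "v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 ip4:192.0.2.0/24 +all" };
    const char *senders[] = { "192.0.2.25", "198.51.100.7" };
    const char *names[] = { "none", "pass", "fail", "softfail", "neutral" };
    for (int r = 0; r < 2; r++)
        for (int s = 0; s < 2; s++) {
            int permissive;
            enum spf_result res = spf_check(records[r], senders[s], &permissive);
            printf("%-30s from %-13s -> %s%s\n", records[r], senders[s],
                   names[res], permissive ? "  (record is +all!)" : "");
        }
    return 0;
}
```

With the -all record, the out-of-range sender gets a hard fail; swap in +all and the very same sender passes, which is the whole problem: the record still lists the real mail servers, but the trailing term authorises everyone else too.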

The most interesting part is who those misconfigured domains belong to, including a few US government agencies, other government domains around the world, and plenty of universities. The most intriguing is the Ukrainian ministry of defense, where the SPF record was changed from a -all to +all about 4 months ago.

Bits and Bytes

Tailscale found a serious problem, where knowing another client's node ID would allow an attacker to add that node to their own tailnet. That would put the attacker inside your VPN, certainly a bad scenario. But before you grab the pitchforks, the vulnerable code had been deployed for less than four months before it was fixed. It was privately reported on the 11th of this month and fixed on the 12th. And to boot, the attack leaves log traces that Tailscale was able to scan for, concluding that it was confined to proof-of-concept tests. You can check your own dashboard for nodes shown as coming from outside your own tailnet to confirm. And while it is a bad vulnerability, good on Tailscale for being open about it. Many vendors would sit on this one and never make it public.

The Linux kernel has a buffer overflow in the Netfilter code, where the overflow can lead to data leaks and code execution. There is no path to remote exploitation, but the email linked above contains a full PoC for local privilege escalation. And if kernel exploits are your thing, Google's Project Zero has a new write-up on the subject, all about null dereferencing.

And if you run ManageEngine from Zoho, it is time to treat your hair as being on fire if you have not yet updated to the release that fixes CVE-2022-47966. Researchers at Horizon3 have reverse-engineered the patch and spilled the beans on this RCE. It is a problem with how SAML single sign-on was implemented, because a very old library was bundled as part of the product. It is an easy enough exploit to pull off, so time to go double-check those installs!
