
This Week in Security: Printing Shellz, ms-officecmd, and AI Security

Researchers at F-Secure have put together an impressive new attack, using HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and a reverse proxy installed on a printer on the same network. The demo below uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interaction.

The vulnerability used to get a foot in the door is in how Type 2 fonts are parsed. The charstrings used in these font descriptors are essentially little programs of their own, run on the printer to define each glyph in the font. It should come as no surprise that the interpreters for these little programs, being obscure and easily forgotten, are full of sketchy code and vulnerabilities. The HP printer they were working with is no exception, and here the load operator is the culprit. This operator has been officially removed from the Type 2 specification, likely because of the security problem it represents, but older parsers may still support it. load is little more than a memcpy(), and because the parser doesn't properly validate its arguments, it allows arbitrary memory overwrites. The researchers chose to overwrite a function pointer belonging to another function, giving them the ability to jump to any code gadget they could find. With judicious use of the longjmp() function they could build a fake stack and jump directly into it, resulting in arbitrary code execution.
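To make the parsing point concrete, here is an added example (not the article's or F-Secure's code): a minimal Type 2 charstring decoder that checks operand length, argument-stack depth and transient-array indices before anything is written, the kind of argument validation the column says the HP parser lacked. It uses the still-specified put and get operators to stand in for the removed load operator, and simplifies the spec by treating every other operator as stack-clearing.

```python
# Added example (not the article's or F-Secure's code): a Type 2 charstring decoder
# that validates every operand before an operator is allowed to touch memory.
MAX_ARG_STACK = 48    # argument stack limit from the Type 2 charstring spec
TRANSIENT_SIZE = 32   # transient array size from the Type 2 charstring spec
PUT, GET = (12, 20), (12, 21)   # escaped operators that write to / read from that array

def decode(data: bytes) -> list:
    """Tokenize a charstring into ('num', value) and ('op', code) pairs."""
    tokens, i = [], 0
    while i < len(data):
        b0 = data[i]
        # bytes that follow b0 for this encoding; make sure they exist before reading them
        n = 2 if b0 == 28 else 4 if b0 == 255 else 1 if b0 == 12 or 247 <= b0 <= 254 else 0
        if i + n >= len(data):
            raise ValueError("charstring truncated inside an operand or escape")
        tail, i = data[i + 1:i + 1 + n], i + 1 + n
        if 32 <= b0 <= 246:                      # one-byte integer
            tokens.append(("num", b0 - 139))
        elif 247 <= b0 <= 250:                   # two-byte positive integer
            tokens.append(("num", (b0 - 247) * 256 + tail[0] + 108))
        elif 251 <= b0 <= 254:                   # two-byte negative integer
            tokens.append(("num", -(b0 - 251) * 256 - tail[0] - 108))
        elif b0 == 28:                           # signed 16-bit integer
            tokens.append(("num", int.from_bytes(tail, "big", signed=True)))
        elif b0 == 255:                          # 16.16 fixed-point number
            tokens.append(("num", int.from_bytes(tail, "big", signed=True) / 65536))
        else:                                    # 0..31: an operator, 12 is the escape byte
            tokens.append(("op", (12, tail[0]) if b0 == 12 else b0))
    return tokens

def run_transient_ops(data: bytes) -> list:
    """Evaluate put/get against a bounds-checked transient array and return the array."""
    array, stack = [0] * TRANSIENT_SIZE, []
    for kind, val in decode(data):
        if kind == "num":
            stack.append(val)
            if len(stack) > MAX_ARG_STACK:
                raise ValueError("argument stack overflow")
        elif val in (PUT, GET):
            if len(stack) < (2 if val == PUT else 1):
                raise ValueError("argument stack underflow")
            idx = stack.pop()
            if not isinstance(idx, int) or not 0 <= idx < TRANSIENT_SIZE:
                raise ValueError(f"transient array index {idx!r} rejected")
            if val == PUT:
                array[idx] = stack.pop()          # write only after the index is validated
            else:
                stack.append(array[idx])
        else:
            stack.clear()                         # simplification: other operators clear the stack
    return array
```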

There's quite a long section on how they reverse engineered the printer's firmware update file format, in order to determine which models were still vulnerable to the attack. It turned out to be an unnecessary distraction, as an extraction tool was already available. Let this be a lesson to us all: use a search engine before spending hours on work somebody else may already have done and published. The conclusion of their research was that 38 different HP printers were vulnerable to the attack. Updates are available, and the circumstances of this vulnerability make exploitation more likely. First, the write-up is quite good, and one would expect the exploit to be recreated quickly enough by interested parties. Second, updating printer firmware is often quite a chore, so unpatched devices are likely to remain ubiquitous for years to come.

ms-officecmd

Remote code execution exploits are sometimes extremely difficult, and then there are cases like ms-officecmd. This is yet another instance of an OS mishandling URI schemes. [Fabian Bräunlein] and [Lukas Euler] were looking through the URI handlers in Windows 10 and found the ms-officecmd scheme. A bit of investigation revealed that the scheme expected JSON arguments, which got them excited, as it implied complexity.

Once they found the right JSON format for the URI scheme, they started looking for a way to abuse it. The vulnerability they found is launching Teams with the --gpu-launcher flag. This flag allows specifying an arbitrary application to run on startup. In Chromium-derived browsers there is a popup asking for permission to open the URI. Legacy Edge and IE11, on the other hand, allow a JavaScript click() call to trigger the link and invoke the URI without user interaction. Microsoft looked at the bug report and closed it, saying, "Unfortunately your report appears to depend on social engineering to accomplish, which would not satisfy the meaning of a security vulnerability." Thankfully that misunderstanding was quickly cleared up, but the first patch didn't fix the issue, and Microsoft paid 10% of what the vulnerability should have been worth. The zero-click vulnerability has been fixed, but it's still too easy to inject commands into the URI field.

AI Detects Weird TLS Certificates

NCC Group apparently misses the good old days, when TLS encryption generally meant the traffic was legitimate. OK, maybe it was never that simple. Regardless, [Margit Hazenbroek] noted that malware sometimes hides its activity inside TLS, but when you actually look at the TLS certificate in use, it tends to look odd. The example given, from the Ryuk ransomware, is a good one: the organization listed is "lol". It's quite obvious to a human that this is strange, but it's not exactly practical to inspect every certificate used on your network.

We do have a tool that might be able to do an automated test for weirdness: machine learning. If we can provide enough good examples of legitimate certificates and suspicious ones, an AI model might be able to flag suspicious certs in real time. The approach uses Half-Space-Trees, a clever way to classify the oddness of a given sample. NCC Group has had success in trials, and has now deployed the concept in their SecOps centers. With open source ML frameworks readily available, very little stops any of us from re-implementing the concept ourselves, or using AI for other, similar tasks.

More NPM Malice

The stream of rotten NPM packages doesn't seem to be abating, as 17 more were just removed from the repository. Most of them are the garden variety typosquatting we've seen before. At least one, however, uses the dependency confusion attack, where the malicious package is given the same name as a proprietary package, in the hope that the target's build tools will grab the malicious version instead of their own private package. Also interesting is that several of these malicious packages attempt to steal Discord tokens, while many simply grab environment variables, hoping to find secrets.
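As an added example (not code from the article or from any of the projects it mentions), here is a lock-file check a build pipeline could run to catch the dependency confusion pattern just described: any internal package name whose tarball resolved to somewhere other than the private registry. The package names, registry host and package-lock.json contents are constructed.

```python
# Added example (not the article's code): flag lock-file entries for internal package
# names that resolved to somewhere other than the private registry.
import json
from urllib.parse import urlparse

INTERNAL_PACKAGES = {"@acme/build-tools", "acme-auth"}   # constructed internal names
PRIVATE_REGISTRY = "npm.internal.example"                # constructed private registry host

# Constructed package-lock.json (lockfileVersion 3 layout): acme-auth was pulled from the
# public registry at an implausibly high version, the signature of dependency confusion.
LOCKFILE = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@acme/build-tools": {"version": "2.1.0",
      "resolved": "https://npm.internal.example/@acme/build-tools/-/build-tools-2.1.0.tgz"},
    "node_modules/acme-auth": {"version": "99.0.0",
      "resolved": "https://registry.npmjs.org/acme-auth/-/acme-auth-99.0.0.tgz"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}
  }
}""")

def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs keep the last segment)."""
    return path.rsplit("node_modules/", 1)[-1]

def find_confusion(lock: dict, internal: set, private_host: str) -> list:
    """Return (name, version, host) for internal packages not served by the private registry.
    A missing 'resolved' field yields host None and is flagged as well."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = package_name(path)
        if name not in internal:
            continue
        host = urlparse(meta.get("resolved", "")).hostname
        if host != private_host:
            findings.append((name, meta.get("version"), host))
    return findings

if __name__ == "__main__":
    for name, version, host in find_confusion(LOCKFILE, INTERNAL_PACKAGES, PRIVATE_REGISTRY):
        print(f"possible dependency confusion: {name}@{version} resolved from {host}")
```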

Air Gaps

And finally, if you get your kicks from reading about highly complex malware, and you probably do given that you're here reading this column, then you'll appreciate ESET's 15-year summary of jumping the air gap. There's none of the hypothetical wizardry you might expect from APT groups. Everything found in the wild uses the lowly USB key to make the jump. While Stuxnet was definitely the most famous, it wasn't the first such malware deployed. The overview is good, and serves as a reminder that the simplest of devices, the USB drive, can be so effective.