Security of the Week: Malicious Clipboards, Snakes on Domains, and Binary Golf

Chromium, Google Chrome, the system clipboard, and most of all the Google Doodle on the new tab page are causing a bit of a panic. This is all about Chromium issue 1334203, “NewTabPageDoodleShareDialogFocusTest.All test fails when user gesture is forced”. As you can see, Chromium has a very large regression test suite, and Google’s engineers want to make sure the Google Doodle works all the time. A security feature added to the clipboard-processing API happened to break the Doodle test, so the security feature was partially reverted to fix the Doodle. The feature that is now missing: a user interaction is required before a page can read from or write to the clipboard.

Now I understand the panic a little. Yes, it sounds really bad. A page reading from the clipboard without permission is downright malicious and dangerous, and without any interaction required, any page could do it, right? That’s why Chrome has a set of protections, and there are some things a page can’t do if the user isn’t interacting with it. You may have seen this on Discord when refreshing a page with an active video call: “Click anywhere on this page to enable video.” It aims to prevent annoying autoplay videos and other frustrating page behavior. And most importantly, it’s not the only protection against pages reading the contents of the clipboard. Check for yourself: clipboard reading is a site permission, just like camera and microphone access.

It is true that sites can now potentially *write* to the clipboard and may try to abuse this, for example a site that claims to show off Linux command-line tips but puts `rm -rf /` on your clipboard. But that was always the case. So you should always paste into a plain text editor first instead of pasting directly from a website into a console. There is no real need to panic. Chromium’s developers tried to roll out slightly more aggressive security measures, realized they were breaking unrelated things, and partially rolled them back. The sky is not falling.

The Sky Is Falling

If you’re running a Gitlab instance, haven’t applied the update released on the 22nd, and have imports from Github enabled, you may run into trouble. CVE-2022-2884 can lead to arbitrary code execution when importing a malicious Github repository. It helps that only registered users can perform this action, but two dangers remain: compromised accounts and users unintentionally importing malicious repositories. If you can’t update immediately, you can mitigate the problem by disabling Github imports.

If you’re running a Bitbucket Server or Bitbucket Data Center instance and haven’t installed any updates since the 21st, you may be in trouble. Multiple endpoints in these Atlassian products have command injection vulnerabilities, and if your server hosts public repositories, it’s a pre-authentication attack. CVE-2022-36804 scores an impressive 9.9 on the CVSS scale.

Also, if you use Foxit PDF Editor or PhantomPDF, both programs have just released critical security updates that fix multiple RCE vulnerabilities. The most notable part of the update is bringing the bundled V8 JavaScript engine up to date, since the older bundled version contained known vulnerabilities. I had to deploy Foxit for a client because Adobe’s PDF reader crashed when trying to view certain PDFs generated by Adobe Photoshop. Whatever your reason for using Foxit, keep it up to date!

Snakes on Domains

A sysmon.lnk shows up in your Startup folder. That’s, uh, probably not good, right? It’s a link to an executable in a suspicious folder, c:\users\…\appdata\roaming\PpvcbBQh\ctfmon.exe, with a path as its argument. This is the situation the Huntress researchers were investigating, and the story definitely goes down a rabbit hole, or rather a snake hole. ctfmon.exe is actually an IronPython interpreter, a nifty runtime that lets your Python code talk to .NET libraries. So now we are left with a Python script. Malicious? Yes. Call this stage 1. Stage 2 is a very large base64-encoded string, assigned to a randomly named variable, decoded, and then exec()’d. Typical obfuscation stuff.

So what does the payload do? To safely inspect the contents of this and other obfuscated variables, the Huntress researchers turned to CyberChef, a nifty open source project for exactly this kind of deobfuscation. Stage 2 loads some libraries and then deobfuscates another huge string, this time a .NET executable: stage 3. What do you do with that? There is a tool for that too, dnSpy.
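The base64-in-exec() layering described above can be unwrapped statically, without ever running a stage, which is the same job CyberChef did for the researchers. The script below is an added example written for this article, not code from the Huntress write-up or from the malware: the stage-1 and stage-2 scripts, the random variable names and the fake “MZ” executable are all constructed here, and it goes slightly beyond the two layers in the text by peeling as many nested layers as it finds, stopping when the decoded stage is a binary (which is where dnSpy takes over).

```python
import base64
import hashlib
import re

# Hypothetical stage-1 / stage-2 scripts and a fake stage-3 "executable",
# all constructed here for the demo (not the Huntress samples).
STAGE3_FAKE_PE = b"MZ\x90\x00" + b"constructed placeholder for a .NET assembly, not a real binary"

STAGE2 = (
    "import base64, struct  # stage 2 loads helper libraries (constructed)\n"
    'kZqPwX = "' + base64.b64encode(STAGE3_FAKE_PE).decode() + '"\n'
    "payload = base64.b64decode(kZqPwX)  # the embedded .NET binary\n"
)

STAGE1 = (
    "import base64\n"
    'QhVcBp = "' + base64.b64encode(STAGE2.encode()).decode() + '"\n'
    "exec(base64.b64decode(QhVcBp))\n"
)

# A quoted run of at least 40 base64-alphabet characters: short literals such
# as module names are skipped, the "very large" payload string is not.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/=]{40,})\1""")


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def classify(blob: bytes) -> str:
    """Guess what a decoded stage is without running it."""
    if blob.startswith(b"MZ"):            # DOS/PE header: a Windows executable
        return "pe"
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if re.search(r"\b(exec|eval|import)\b", text):
        return "python"
    return "text"


def peel_stages(stage1: str, max_depth: int = 10) -> list:
    """Statically unwrap base64-in-exec() layers, recording each stage's
    kind, size and SHA-256. Nothing is ever exec()'d."""
    stages = [{"stage": 1, "kind": "python", "size": len(stage1),
               "sha256": sha256_hex(stage1.encode())}]
    current = stage1
    for depth in range(2, max_depth + 1):
        literals = [lit for _quote, lit in B64_LITERAL.findall(current)]
        if not literals:
            break
        biggest = max(literals, key=len)  # the obfuscated payload is the big one
        try:
            blob = base64.b64decode(biggest, validate=True)
        except ValueError:
            break
        kind = classify(blob)
        stages.append({"stage": depth, "kind": kind, "size": len(blob),
                       "sha256": sha256_hex(blob)})
        if kind != "python":
            break                         # a binary: hand it to dnSpy, not exec()
        current = blob.decode("utf-8")
    return stages


if __name__ == "__main__":
    for stage in peel_stages(STAGE1):
        print(stage)
```

Running it prints one record per stage (python, python, pe) with sizes and hashes; the hashes are what you would carry into a report or a hunt query, which is why each layer is hashed rather than just printed.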

Stage 3 decodes yet another obfuscated string and launches a harmless msbuild.exe process. It then performs “process hollowing”, starting that victim process and injecting foreign code for it to run. MSBuild is a trusted program, so this shouldn’t raise flags with most anti-malware tools. The injected code is stage 4, but the fun isn’t over. This code is not .NET but an open source executable assembly, essentially reverse-engineered code from Cobalt Strike. Yes, it is also a loader, and it starts another .NET binary, stage 5.

Yes, like Samuel L. Jackson, I’m also getting sick of these snakes on this plane. Peel back another layer. Finally, there is one more obfuscated string, but this obfuscation was more than a simple base64 routine. The researchers wrote a decryptor in Python and ended up with the stage 6 binary, a real Remote Access Trojan (RAT). It establishes persistence, downloads updates, contacts the command and control server for instructions, and so on, doing what you would expect.

What a ride. Someone really wanted to hide their malware. This persistence chain appears to have been built to avoid leaving static IoCs, but the post does list some indicators of compromise.

Binary Golf 3

Binary Golf Grand Prix 3 has finished. It’s a fun contest to find the smallest file that crashes the program of your choice. It’s a great approach to vulnerability hunting, since the goal is a simple crash rather than the complex vulnerability chains you would normally chase. A minimum-file-size challenge usually means the competitor knows exactly what caused the crash. The biggest bonuses come from writing up the entry, controlling the program counter, running arbitrary code, and getting a fix for the discovered crash merged. Everyone wins!

Now that the contest is over, some entries have been published and more will follow. We’re closing out the week with two entries that are particularly fun, because they’re retro!

Just 2 Bytes

[Pierre Kim] and [Alexandre Torres] sent their file over a network connection to a telnetd service, so the rules may have been stretched a little, but at 2 bytes it’s an impressive feat: 0xff 0xf7, a payload that crashes every telnetd based on the old BSD telnetd from 1991. 0xff is IAC, Interpret As Command, and 0xf7 is understood as the Erase Character command. The problem is that the telnetd binary is still in the connection negotiation and authentication phase and has not completed all of its initialization steps. Since the input-processing code is shared between these states, an uninitialized pointer is dereferenced and kablam.
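The defensive lesson in that crash is that a command handler shared across connection states must check that the state it edits actually exists yet. The decoder below is an added example written for this article, not BSD telnetd code and not the researchers’ entry: it is a small, assumed server-side telnet input parser that handles the IAC escapes from RFC 854 (IAC IAC, option negotiation, sub-negotiation) and gates line-editing commands such as Erase Character on a `session_ready` flag, so the same two bytes are recorded and dropped during negotiation instead of touching a buffer that has not been set up.

```python
# Telnet command bytes from RFC 854.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
EC, EL = 0xF7, 0xF8                      # Erase Character, Erase Line
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATION = {WILL, WONT, DO, DONT}


class TelnetInput:
    """Minimal server-side telnet input decoder (assumed design, not telnetd).

    Line-editing commands such as EC operate on the per-session line buffer,
    which only exists once negotiation and login have finished, so they are
    gated on `session_ready` instead of being applied unconditionally."""

    def __init__(self, session_ready: bool = False):
        self.session_ready = session_ready
        self.line = bytearray()          # current input line (session state)
        self.options = []                # (command, option) negotiations seen
        self.subnegotiations = []        # raw IAC SB ... IAC SE payloads
        self.ignored = []                # edit commands received before init

    def feed(self, data: bytes) -> None:
        i, n = 0, len(data)
        while i < n:
            b = data[i]
            if b != IAC:                 # ordinary data byte
                self.line.append(b)
                i += 1
                continue
            if i + 1 >= n:               # lone trailing IAC: wait for more input
                break
            cmd = data[i + 1]
            if cmd == IAC:               # IAC IAC is an escaped literal 0xFF
                self.line.append(IAC)
                i += 2
            elif cmd in NEGOTIATION:     # IAC WILL/WONT/DO/DONT <option>
                if i + 2 >= n:
                    break
                self.options.append((cmd, data[i + 2]))
                i += 3
            elif cmd == SB:              # IAC SB <payload> IAC SE
                end = data.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    break
                self.subnegotiations.append(bytes(data[i + 2:end]))
                i = end + 2
            else:                        # two-byte command such as EC or EL
                self._apply_command(cmd)
                i += 2

    def _apply_command(self, cmd: int) -> None:
        if not self.session_ready:
            # The buffer this command edits is not initialised yet: record the
            # command and drop it rather than operate on state that is absent.
            self.ignored.append(cmd)
            return
        if cmd == EC:
            if self.line:
                self.line.pop()
        elif cmd == EL:
            self.line.clear()
        # other two-byte commands (NOP, AYT, ...) are accepted and ignored here
```

Feeding `b"\xff\xf7"` to a decoder created with `session_ready=False` leaves the line buffer empty and records the command in `ignored`, which is also a useful thing to count: edit commands arriving before login completes are exactly the traffic a honeypot or IDS parser would want to flag.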

Pokémon RCE

This wasn’t an official BGGP3 entry, but it’s still a great story. Nintendo has a legacy of designing console add-ons that sold only briefly in Japan and never saw the light of day in other countries. (Looking at you, 64DD.)

One such device is the Mobile Adapter GB, which tethered a Game Boy Color/Advance to a mobile phone for online connectivity. Pokémon Crystal supports this gadget, sending an HTTP request to a Nintendo endpoint and later checking for a response using the POP protocol. The response was a base64-encoded data structure. Messing with the values in that struct caused crashes, but that wasn’t enough for [Harvey Phillips]; he wanted to run arbitrary code on the GBC emulator.

Don’t worry. Pokémon Crystal also supports Battle Colosseum, letting you dial a friend playing the same game and play together over the mobile network. Again, in 2001! Pokémon Crystal has another quirk, one already used in crazy speedruns. 0x15 is used as a control character in the Japanese version of the game, and the game’s text engine performs a code jump when it tries to display this character. It isn’t entirely clear what the original purpose of these control characters was, but it may have been a workaround for running the game on the GBC’s very limited hardware. The 0x3F control character does a similar jump, but it happens to jump a few bytes further, into the mobile adapter’s buffer.

And so the exploit was finally found: start a battle, replace the save and transfer code with your own, then use 0x3F 0x00 0x00 as the trainer’s name. The remote device tries to display the text “I want to fight”, but the control code triggers a jump into this “mobile script”. Although it wasn’t a contest entry, [Harvey] writes a “3” to the screen using 43 bytes of shellcode. Beautiful.
