_.png)
![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![From electrical engineering student to CTO with Hitesh Choudhary [Podcast #175]](https://cdn.hashnode.com/res/hashnode/image/upload/v1749158756824/3996a2ad-53e5-4a8f-ab97-2c77a6f66ba3.png?#)
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_Michael_Vi_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![watchOS 26 May Bring Third-Party Widgets to Control Center [Report]](https://www.iclarified.com/images/news/97520/97520/97520-640.jpg)
![AirPods Pro 2 On Sale for $169 — Save $80! [Deal]](https://www.iclarified.com/images/news/97526/97526/97526-640.jpg)
This Week in Security: Roundcube, Unified Threat Naming, and AI Chat Logs
Up first, if you’re running a Roundcube install prior to 1.5.10 or 1.6.11, it’s time to update. We have an authenticated Remote Code Execution (RCE) in the Roundcube Webmail client. …read more
Up first, if you’re running a Roundcube install prior to 1.5.10 or 1.6.11, it’s time to update. We have an authenticated Remote Code Execution (RCE) in the Roundcube Webmail client. And while that’s not quite the level of chaos that an unauthenticated RCE would cause, it’s still to be taken seriously. Mainly because for the majority of the 53 million Roundcube installs out there, the users aren’t entirely trusted.
The magic at play in this vulnerability is the Roundcube user session code, and specifically the session deserialization scheme. There’s a weird code snippet in the unserialize function:
if ($str[$p] == '!') {
$p++;
$has_value = false;
The exclamation mark makes the code skip a character, and then assume that what comes next has no value. But if it does actually have a value, well then you’ve got a slightly corrupted deserialization, resulting in a slightly corrupted session. This really comes into force when combined with the file upload function, as the uploaded filename serves as a payload delivery mechanism. Use the errant exclamation mark handling to throw off deserialization, and the filename can contain arbitrary session key/value pairs. A GPG class from the PEAR library allows running an arbitrary command, and this can be hijacked with the session manipulation.
NetMRI Tackled By Rhino
The folks at Rhino security labs took on NetMRI, a network automation suite from Infoblox. The results are entertaining, like https:///webui/application/get_saml_request?saml_id=1%26http://$(whoami) in a browser or via curl being enough to demonstrate unauthorized code execution. It’s not terribly difficult to understand what’s happening there. %26 is the HTTP encoding for the ampersand symbol, &. On a Linux terminal, that runs a command in the background, and most importantly, allows a second command to be run in the same string of text. The SAML request is used to generate a terminal command, and isn’t properly sanitized for special characters like the ampersand.
There are also a couple of hard coded credentials that made appearances in the released image, and a SQL injection attack right inside a URL GET parameter. One more particularly interesting problem was the arbitrary file read by an authenticated user. A Java servlet that is normally used for creating reports can be manipulated to return files. Interestingly, these files are fetched with root permissions, indicating the Java code is probably running as root as well. The vulnerabilities were reported September of last year, and Infoblox responded right away, though the actual fixes took several months to roll out.
Credit Card Terminal Shell
The Worldline Yomani XR credit card terminal is an interesting device. The hardware design has extensive anti-tamper protections, enough that [Stefan Gloor] tripped them when disassembling and reassembling the device. After this, he opted to desolder the flash chip and dump the firmware. The hardware was well built, but the software leaves much to be desired. It’s Linux 3.6 built with a 2010 release of buildroot, but apparently built in 2023. That’s a bit scary, and there are likely plenty of vulnerabilities to choose from due to the firmware age.
But as with essentially all of these embedded Linux devices, there is a serial debug port available. And to log in as root, there is no password required. It’s a good thing the device has all that tamper protection, right? The serial port is accessible via a removable panel, that does not trigger tamper protection. So it’s game over for this device, right? That’s where things get a bit murky. The secure side of the device is not running under the Linux system. It seems like it is working as a bootloader and network co-processor for the secure chip. That’s as far as [Stefan] got with this project, but it’s an interesting look into the security boundaries of this sort of device. [Stefan] is a Siemens employee, which is the parent company of Hackaday.
Midnight Blizzard, or Cozy Bear
CrowdStrike and Microsoft have announced a new cooperative effort, to unify their threat actor naming schemes. You may remember, that Microsoft’s scheme results in some delightful monikers like Cinnamon Tempest. Though on the other hand, CrowdStrike has produced winners like Gothic Panda and Remix Kitten. This new effort isn’t bringing an end to either naming scheme, but indicates that the two companies will cooperate to keep their list of threat actors synced together.
Tnok vs Fwknop
There’s new security tool, Tnok, and hits rather close to home. Tnok is a port knocking solution based on the Time-based One Time Password (TOTP) algorithm, that aims at allowing non-root users to send secure port knocking requests using either UDP or TCP. One of the stated goals is to allow for TCP knocking without requiring the full 3-way TCP handshake. The solution [Sean] discovered was to send a couple characters of that TOTP code as the Max Segment Size of the TCP SYN packet.
I spent a couple years working on the Open Source Fwknop codebase, that also implements a port knocking scheme with real cryptography. While I’m thrilled that more research is being done into modern port knocking, I do worry that this approach will have a Denial of Service issue. Because the token space of TOTP is small, Tnok includes a built-in temporary IP blocking feature. Try to authenticate too many times without a valid TOTP token, and your IP is blocked. Normally it’s essentially impossible to make spoofed TCP connections over the Internet, but eliminating the need for the 3-way handshake may make it all to easy to spoof a victim IP, triggering that IP block.
Court-ordered Privacy Violations
There are times that legal systems are a bit out of sync with the realities of modern technology. The court order that OpenAI must preserve all ChatGPT logs seems to be a great example of this. The background is that news organizations are suing OpenAI for copyright violations, and requested the extra log retention to try to demonstrate that users are using ChatGPT to defeat paywalls.
The real problem here is that refusing to delete user logs upon request is a crime itself under California and European privacy laws. This order puts OpenAI in a very difficult position, and users are understandably concerned. OpenAI is fighting the order through their own legal filings. This one should be interesting to watch.
Bits and Bytes
Google has delisted a pair of certificate authorities in Chrome. Chunghwa and Netlock were both removed as a result of “a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.” The offending actions seem to be things like issuing bad certificates and then failing to quickly revocation certificates with problems.
The GitHub Security Blog has the story of DNS Rebind attacks. This style of attack is particularly useful to defeat Same Origin Policy on a service hosted on a machine’s localhost. Manipulate a domain name to point to one IP upon first load, and then a different IP, and those two IPs are unintentionally both accessible from scripts using that DNS name.
The WooCommerce WordPress plugin had an arbitrary file upload issue, where a PHP factory was unintentionally disabling the the upload validation features in WordPress. This problem was announced while there was still silence from WooCommerce, but before the normal 90 day time period had passed. Version 4.1.8 is now available fixing the issue.
