There is a danger in security research that we have discussed several times before. If you discover a security vulnerability in a production system and there is no bug bounty, you have probably broken a few computer laws. Report the bug you found and you might get a "thank you", but there is a small chance you will be charged with a computer crime instead. Security research in the United States is now a bit safer, as the U.S. Department of Justice has issued a new policy stating that "good faith security research should not be charged."
While this is a welcome change, it would be better to have legislation providing such protection. Another caveat is that this policy only applies to federal cases in the United States. Other nations, or even individual states, are free to bring charges. So take the good news with some caution. There are also caveats about what counts as good faith: if a researcher uses a vulnerability they found to extort money, that is not good faith.
Digital ID
Citizens of New South Wales, Australia can use a digital driver's license, through the Service NSW app, available on Android and iOS. What could possibly go wrong? There is the obvious problem that voluntarily handing your phone to a law enforcement officer is a terrible idea. Beyond that, the app renders the on-screen ID image from data stored on the device. On a jailbroken phone, changing that data is trivial, but on any other iPhone one can still manipulate the app's data through a backup and restore. Service NSW encrypts this data... using a 4-digit numeric PIN. So manipulating the stored data is trivial, and the altered ID is what gets displayed. Oddly enough, after the initial pull, the app never verifies its data store against the official database. The app even has a pull-to-refresh function that claims to update the ID data. It refreshes the date, time, and QR code, but not the potentially spoofed data.
The ability to alter your own ID, or to forge someone else's, means the app makes identity theft easier. Scanning the QR code does pull up-to-date information, but only the name and whether the holder is over 18. The photo is not part of that data. Steal an ID, put your own picture on it, and the QR code check passes. Service NSW responded with a statement suggesting they did not understand the issue:
This issue is known and does not pose a risk to customer information. The blogger has manipulated their own digital driver licence (DDL) information on their local device. No other customer information or data sources have been compromised. It also does not pose any risk of unauthorised access or changes to a backend system such as DRIVES. Importantly, if the tampered licence is scanned by police, the real-time check used by NSW Police (scanning via Mobipol) will show the accurate personal information, as it calls DRIVES. Upon scanning the licence, it would be clear to law enforcement that it has been tampered with. Altering the DDL is against the law. The DDL has been independently assessed by cyber specialists and is more secure than the plastic card.
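The weak link described above is that the on-device record is protected by a key derived from a 4-digit numeric PIN, which gives an attacker who holds a backup of the device only 10,000 candidates to try offline. The following is an added example, not code from the original article or from Service NSW: it builds a toy record format (PBKDF2 from the PIN, a SHA-256 counter-mode keystream and an HMAC tag, all constructed here for illustration and not the app's real scheme), then recovers the PIN by brute force and re-encrypts an edited record under it. The iteration count is deliberately tiny; a realistic count only multiplies the attacker's time by a constant.

```python
import hashlib
import hmac
import json
import os

# Toy model of an on-device record protected only by a 4-digit numeric PIN.
# Constructed for illustration: it is not Service NSW's format, key derivation
# or cipher. The iteration count is deliberately low; a realistic count only
# multiplies the attacker's cost by a constant, it does not fix a 10^4 keyspace.
PBKDF2_ITERATIONS = 200
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32

# Constructed sample record, the kind of data an ID app might render into the
# on-screen card. Not real licence data.
SAMPLE_RECORD = json.dumps(
    {"name": "A. Sample", "licence": "00000000", "over18": False}
).encode()


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into a 32-byte key; strength is bounded by the PIN space."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(pin: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || tag || ciphertext, authenticated with HMAC-SHA256."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(pin, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return salt + nonce + tag + ciphertext


def decrypt_record(pin: str, blob: bytes):
    """Return the plaintext, or None if the PIN is wrong (tag mismatch)."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    key = derive_key(pin, salt)
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def brute_force_pin(blob: bytes):
    """Offline search of the whole 4-digit space; the tag tells us when we hit."""
    for n in range(10_000):
        pin = f"{n:04d}"
        plaintext = decrypt_record(pin, blob)
        if plaintext is not None:
            return pin, plaintext
    return None


def forge_record(blob: bytes, edit) -> bytes:
    """Recover the PIN, apply `edit` to the decoded JSON and re-encrypt under the
    same PIN. The result is indistinguishable from a legitimately stored record,
    which is why the app re-checking against the backend is the only real fix."""
    pin, plaintext = brute_force_pin(blob)
    record = json.loads(plaintext)
    edit(record)
    return encrypt_record(pin, json.dumps(record).encode())


if __name__ == "__main__":
    stored = encrypt_record("4096", SAMPLE_RECORD)
    print("recovered:", brute_force_pin(stored))
    forged = forge_record(stored, lambda r: r.update(over18=True))
    print("forged record decrypts to:", decrypt_record("4096", forged))
```

The search finishes in well under a second on a laptop even though every guess runs PBKDF2. A device-bound key (Secure Enclave, Keystore) or a server-side check on refresh would each close the gap; a longer PIN alone would not.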
Just Here for the i18n Translation
Bonita is a business automation platform, designed primarily to tie business processes into a workflow with minimal code. It is a Java application, usually running on Tomcat and distributed as a Docker image among other channels. Those Docker images, with more than five million downloads, had a big problem. The web.xml file contains filter definitions that control how requests are handled. A pair of these filters was intended to match i18n (internationalization) files and serve those endpoints without any authorization checks. That makes sense, since it lets a user change the interface language on the login page. But the filter is far too permissive, matching literally any URL that contains i18ntranslation. Thus ;i18ntranslation can be appended to any endpoint, and an unauthorized user gets access. Oops! The Docker images and other releases have been updated to fix the issue.
Zoom Fixed, Update!
First, if you have Zoom installed, check your version. If you are on anything older than 5.10.4, trigger an update. And if you run Zoom on Linux, you will probably need to re-download the installer manually to update, although in this case that lack of auto-update actually makes things a bit safer.
Beyond that, let's talk about a chain of issues that can lead to remote code execution (RCE). Zoom does XMPP messaging, which is messaging over XML. Zoom also sends control messages over this same XML stream. The problem is that the server uses one library to validate those XML messages, and the client uses a different library with different quirks. Sound familiar? Classic request smuggling material. One fun technique is to send a cluster-switch message, pointing the client at a different server, one controlled by the attacker.
If a MitM attack isn't bad enough, the attacker can then send an "update" to a Windows client that contains an .exe installer and a .cab file to install. The running Zoom client checks that the exe is signed, then executes it. A modern Zoom installer also verifies the .cab file's signature, but a downgrade attack is possible. Send an older installer, such as version 4.4, along with a malicious .cab. The exe is signed, so Zoom runs it, and that old installer never checks the .cab, leading to easy RCE. The server-side smuggling was fixed in February, but the client fix, 5.10.4, did not land until April.
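The root cause above is a parser differential: the server validates a stanza with one XML library and the client acts on it with another, so a message that looks harmless to the validator can still carry a control element to the client. The following is an added example, not Zoom's code, and it does not model the specific quirks Zoom's two libraries disagreed on, which the article does not describe. It constructs one generic differential (a validator that searches the raw text for a literal tag versus a namespace-aware consumer that resolves prefixes), shows a prefixed cluster-switch slipping past, and then a hardened validator that parses with the same rules as the consumer. Element and namespace names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

CONTROL_ELEMENTS = {"cluster-switch"}


def local_name(tag: str) -> str:
    """ElementTree renders namespaced tags as '{uri}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]


def server_filter_naive(raw: str) -> bool:
    """Constructed 'validator' that never builds a tree: it rejects a stanza
    only if a control tag appears literally in the raw text. Returns True
    when the stanza is allowed through to the client."""
    return not re.search(r"<cluster-switch[\s/>]", raw)


def client_control_actions(raw: str):
    """Constructed client: a namespace-aware parser that acts on any element
    whose local name is a control element, whatever prefix it carries."""
    root = ET.fromstring(raw)
    return [local_name(el.tag) for el in root.iter() if local_name(el.tag) in CONTROL_ELEMENTS]


def server_filter_hardened(raw: str) -> bool:
    """Hardened validator: parse with the same rules the consumer uses and
    check local names on the resulting tree; anything unparsable is rejected."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False
    return not any(local_name(el.tag) in CONTROL_ELEMENTS for el in root.iter())


def smuggling_succeeds(raw: str, server_filter) -> bool:
    """True when the server lets the stanza through and the client still
    finds a control element in it, i.e. the two parsers disagreed."""
    return server_filter(raw) and bool(client_control_actions(raw))


# Constructed stanzas; the element and namespace names are illustrative.
BENIGN = '<message xmlns="jabber:client" from="alice@example.com"><body>hello</body></message>'

# Literal control tag: the regex filter sees it and blocks it.
PLAIN_CONTROL = (
    '<message xmlns="jabber:client" from="mallory@example.com">'
    '<cluster-switch xmlns="urn:example:control" host="attacker.example"/></message>'
)

# Same element behind a namespace prefix: the regex filter misses it, while the
# namespace-aware client resolves it to cluster-switch and acts on it.
PREFIXED_CONTROL = (
    '<message xmlns="jabber:client" from="mallory@example.com"><body>hello</body>'
    '<z:cluster-switch xmlns:z="urn:example:control" host="attacker.example"/></message>'
)

if __name__ == "__main__":
    for name, stanza in [("benign", BENIGN), ("plain", PLAIN_CONTROL), ("prefixed", PREFIXED_CONTROL)]:
        print(f"{name:9} naive filter smuggled={smuggling_succeeds(stanza, server_filter_naive)!s:5} "
              f"hardened filter smuggled={smuggling_succeeds(stanza, server_filter_hardened)}")
```

The fix that generalizes is the one the hardened filter applies: validate the exact tree the consumer will act on, with the same parser and the same namespace handling, and reject anything that fails to parse instead of letting the client make its own guess.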
Quick Tips
This week, I was helping a friend figure out how to configure a Google account to work with some old-school tools. He had been forced to turn on two-factor authentication, but found it quite painful, as he often reinstalls Android for development and testing. If only, we thought, you could install Google Authenticator on a Linux machine and back up the key manually. And hence this tip, because you really can. Google Authenticator is just TOTP, a time-based one-time password. It takes a secret key and the current time, runs them through an algorithm, and produces a (in this case) 6-digit code.
So how do you get that secret key off your device? It's easy enough to pull it out of the sqlite database on a rooted phone. Thankfully, the Authenticator app can also export a saved key as a QR code. Capture the data in the QR code, then use this simple Python script to convert it to the raw secret. (In many cases you can get the secret key directly, as the fallback offered when the QR code doesn't work.) From there it is a simple command: oathtool --totp -b secret_key
If you want to see how TOTP works under the hood, we wrote about it a while ago.
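For readers who would rather not trust a binary with the secret, the whole of TOTP fits in a few lines. The following is an added example, not the script linked above and not Google's code: it parses the ordinary otpauth://totp/ enrolment URI that a site's QR code carries (the constructed SAMPLE_URI is an assumption of that format), decodes the base32 secret, and computes RFC 4226 HOTP and RFC 6238 TOTP with the standard library. It goes one step past the article by adding the skew window a verifying server uses, checked against the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit


def parse_otpauth(uri: str) -> dict:
    """Pull the TOTP parameters out of an otpauth://totp/... URI (the usual
    QR-code payload). Defaults follow RFC 6238 and Google Authenticator."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].lower(),
    }


def decode_base32(secret: str) -> bytes:
    """Base32 as authenticator apps print it: case-insensitive, spaces and
    padding optional."""
    cleaned = secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC the big-endian 8-byte counter, dynamic-truncate to 31
    bits, reduce mod 10^digits, zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, for_time=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if for_time is None else for_time
    return hotp(decode_base32(secret_b32), int(now) // period, digits, algorithm)


def verify_totp(secret_b32: str, code: str, for_time=None, window: int = 1, **kw) -> bool:
    """Accept the code for the current step or up to `window` steps either side,
    which is how servers tolerate clock skew; compare in constant time."""
    period = kw.get("period", 30)
    now = int(time.time() if for_time is None else for_time)
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + step * period, **kw), code):
            return True
    return False


# RFC 6238 test key: the ASCII string "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed enrolment URI of the kind a site's QR code carries (not a real account).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com?secret=" + RFC_SECRET
              + "&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(params["label"], totp(params["secret"], digits=params["digits"], period=params["period"]))
```

For the current time, the printed code should agree with oathtool --totp -b on the same base32 secret, since both use the SHA-1, 30-second, 6-digit defaults. Keep the exported secret somewhere encrypted: whoever holds it can generate every future code.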