Security this week: IoT in the Hot Tub, App Double Fail and FreeBSD

[Eaton Zveare] Bought a Jacuzzi hot tub, and splurged for the SmartTub add-on, which connects the whirlpool to the Internet so you can remotely control temperature, lighting, and more. Little did he realize that he was about to discover a nightmare of security problems. Because we all know, S means security in IoT. In this case, the registration email came from, so it’s normal to drag that URL into a web browser to see what’s there. The page presents a login prompt, so [Eaton] He has just made a dent in the certificate. “Unauthorized” Well it’s not surprising, but very strange was a dashboard flash that appeared just before the approval complaint. Could this be real data that was sent unintentionally? A screen recorder answered that question, revealing that a table was actually loaded with valid-looking data.

The page comes with a login stream dug into JavaScript. The page uses the Auth0 service to manage logins and that service returns an access token. The page sends that access token directly to the Auth0 service for the benefit of the user. If the logged in user is not an administrator, a redirect occurs. However, we already know that some real data is loaded. It appears that data constraints have been applied to all clients, and the backend only requires a valid access token for data requests. What happens if I change the response from Auth0? There are several ways to do this, but he chose to use Fidler. Rewrite the response so that the front-end believes you are an administrator and you are.

Although this method seems to gain access to all administrators of the SmartTub admin controls [Eaton] He didn’t even try to change to see if he had access to the writing. That was enough to show the error, and the change would be flirting with that dangerous line that separates research from computer crime. The real problem starts when he tries to express weakness. SmartTub had no security contact, but their support gave an answer to an email address asking for an email address. And after providing the details, complete radio silence. Excited, he finally turned to Auth0, asking them to intervene. Their solution was to plug in one of the two URL endpoints. Finally, after six months of trying to inform Jacuzzi and SmartTub about their serious security issues, both admin portals were secure.

Jogging away from safety

There are two levels of failure in this story about the Strava Exercise app. Strava’s allows users to track their races, cycling and hiking. Due to privacy concerns, there is an option to hide the user’s location, but a clever use of heatmap and segment functions may lose that protection. The upload goes from a fake user, and the app compares your race to other users in the area, hidden or not. This list of users will allow a dedicated investigator to map where individuals have spent their time. The emphasis of this study was on tracking military members, which revealed some predictably interesting results.

And this is the second security failure. The Israeli military allows its soldiers, even members of the special forces, to use an app that calls home with GPS location. While the app doesn’t have easy-to-exploit security vulnerabilities, it’s still a terrible operation security issue. The study was published to Strava, who removed the duplicate user used in the study. It’s not clear if the app developers actually solved the problem. The Israeli military says it is working to prevent such leaks in the future.

OpenSSL AVX512 bug

There is a bug in OpenSSL 3.0.4, and it can be a big bug, but it only happens on CPUs with the AVX512 extension. The problem is triggered ossl_rsaz_mod_exp_avx512_x2()Which makes a call off bn_reduce_once_in_place(). Call value included factor_size, Which was supposed to be the number of words to process, but the old code was sending bit sizes instead. It works most of the time, but in some cases, a hip buffer turns into an overflow. The scary part of it is that it can be triggered by a TLS handshake and other potential attacker-controlled inputs. The only downside to calling it 10.0 CVSS CVE is a real demonstration of exploitation. As such, it is easy to display a crash. A 3.0.5 release will be made soon, including a fix, but it’s not clear when that will happen. Most Distro 3.0.4 releases seem to be delaying shipping, waiting to resolve this potentially serious issue.

FreeBSD Badbicon

I have taken the liberty of choosing the obvious name for this weakness, Badbicon. Discovered by [m00nbsd], This is a normal hip overflow, but it controls exactly how many bytes the attacker has to write and the content of those bytes. This is a problem with FreeBSD’s WiFi beacon frame management. A frame is basically a WiFi packet, and a beacon is a packet that announces the details of a WiFi network. A beacon has many potential fields and many of them require dedicated code-paths to process them.

One such field is the mesh ID value. It has a length and value and the FreeBSD kernel takes them as input for a memcpy() Call a buffer of a certain size. The way data is stored in the contained structure, this buffer overflows and overwrites other data structures, ending with a data pointer and a length value. That data pointer is then used as someone else’s target location memcpy() Call It a “What-What-Where” primitive, AKA is a simple technique to write data almost randomly anywhere.

Set up a kernel backdoor in the unused memory segment, then hook that code into part of the frame processing code. It acts as a one-way kernel backdoor. Their proof-of-concept code simply prints a message on the kernel log, but will be fairly easy to operate on. FreeBSD corrected the error in April. It is unclear when or if pfSense published an update with the fix, although it probably happened, and did not advertise only CVE-2022-23088.

Linux Sislock Rootkit

Here is a particularly secret kernel rootkit, Syslogk, hidden in the wild. The version of the rootkit that Avast researchers have tested seems to be targeted at Kentells of Sentos 6 and similar eras. It takes a long time for it to disappear, hide its files, and even delete itself from the list of loaded kernel modules. There is a hidden feature, written from a 1 /proc/syslogk, That stops stealing features. So if you have an older server that may be compromised, try tapping that position to see if something happens.

IOS infection via DCP

If you can’t crack the security of the main processor, maybe you can go through the backdoor of a co-processor? A fake Vodafone app on the iPhone does just that. The Display Co-Processor (DCP) is a new division of the M1 SoC, and this malicious app uses it to exploit a bundle of it. The text is detailed and in-depth, as is usually the case with Google Project Zero posts. Instead of digging into the details, I’ll just leave you [Hector Martin]Thinking about it, perhaps as the foremost expert on the M1 chip outside of a few Apple engineers:

Leave a Reply

Your email address will not be published.