This week in security: iPhone Unpowered, Python Unsandboxed, and Wizard Spider

As far as conspiracy theories go, it doesn't get much better than the one where a cell phone runs malicious firmware on its baseband processor and keeps listening and transmitting even when the power is off. Nowadays this kind of behavior is called a feature, at least if your phone is made by Apple, with their Find My functionality. Even when the phone is off, the Bluetooth chip runs happily in a low-power mode, which is what makes these features work. The problem is that this chip does not require signed firmware. Loading a potentially malicious firmware image onto the Bluetooth chip does require root-level access to the phone's primary OS.

Researchers at TU Darmstadt in Germany demonstrated this, and wrote a great paper on their work (PDF). The study points out a few really interesting possibilities. The simplest is hijacking Apple's Find My system to track someone with a powered-down phone. The bigger danger is using it to keep surveillance malware on a device across power cycles. Devices are reasonably well protected against attacks from external networks, but rarely against attacks coming from their own chips. Unfortunately, since the acceptance of unsigned firmware is a hardware limitation, a security update can do little to mitigate it beyond the usual effort of preventing attackers from compromising the OS in the first place.

Bluetooth Low Energy

This is another Bluetooth-related issue, this time with Bluetooth Low Energy (BLE) used as an authentication token. You've probably seen this concept in one form or another, like the Android option to stay unlocked while connected to your BLE earbuds. It is also used by various vehicles, which unlock once the paired phone is within BLE range.

Using BLE for this type of authentication has always been a bad idea, as BLE is susceptible to relay attacks. One half of the attack sits next to your phone, impersonating the car's BLE chip, and the other half sits next to the car, impersonating your phone. Connect the two spoofing devices and the car thinks the authorized phone is still present. To make this "secure", vendors have added encryption, as well as signal timing analysis to try to catch spoofing.

The real innovation of the hack here is using dedicated hardware that sniffs and replays at the link layer. This sidesteps the encryption entirely, since the signal is simply passed through raw. It is also fast enough that the relay still works with the two halves separated by an internet link, hundreds of miles apart. Perhaps the next iteration of this technique will reproduce the signal at an even lower level using software-defined radio. The fix is to ask the user for approval, or to embed location information in the encrypted payload, before unlocking the vehicle.
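The location-in-payload mitigation above, as an added example that is not part of the original article or of any vendor's implementation: the phone binds its own position, a timestamp and a nonce into an HMAC-authenticated unlock message, and the car refuses to unlock unless the message is fresh, unreplayed and reports a position within a few metres of the car, so a message relayed from a distant phone fails even though it is genuine. The key, thresholds and coordinates are constructed for the demo.

```python
import hashlib, hmac, json, math, os

SHARED_KEY = b"demo-pairing-key-not-for-real-use"  # constructed; real key comes from pairing
MAX_AGE_S = 2.0          # freshness window (assumed value)
MAX_DISTANCE_M = 10.0    # phone must report a fix this close to the car (assumed value)

def phone_build_unlock(key, lat, lon, now, nonce=None):
    """Phone side: put its GPS fix, a timestamp and a nonce into the unlock
    message and authenticate the whole thing, so a relay cannot edit the position."""
    nonce = nonce or os.urandom(16)
    body = json.dumps({"nonce": nonce.hex(), "lat": lat, "lon": lon, "ts": now},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def _distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular approximation; good enough for metre-scale proximity checks."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6_371_000 * math.hypot(x, y)

def car_verify_unlock(key, msg, car_lat, car_lon, now, seen_nonces):
    """Car side: check MAC, freshness, replay, then proximity. Returns (ok, reason)."""
    body, _, tag = msg.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, "bad mac"
    fields = json.loads(body)
    if abs(now - fields["ts"]) > MAX_AGE_S:
        return False, "stale"
    if fields["nonce"] in seen_nonces:
        return False, "replay"
    seen_nonces.add(fields["nonce"])
    d = _distance_m(fields["lat"], fields["lon"], car_lat, car_lon)
    if d > MAX_DISTANCE_M:
        # A relayed message from a phone that is really far away ends up here.
        return False, f"phone {d:.0f} m away"
    return True, "unlock"
```

The check depends on the phone's own position being honest, so it raises the bar against a pure radio relay rather than against a compromised phone.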

Python buffer overflow

This is one of those problems that isn't a big issue, but can still be a problem in certain situations. It all started in 2012, when it was discovered that a Python memoryview object can crash the program when it points at a memory location that is no longer valid. A memoryview is basically a pointer to the underlying C buffer, and it does not get the same automatic reference counting as a normal Python object. Deallocate the object the memoryview refers to, then dereference this "pointer", and you have some C-style undefined behavior. (We don't mean cursed-code UB here, just garden-variety UB: dereferencing a pointer that is no longer valid.) Some memory manipulation can control what the raw pointer value will be, and setting it to NULL predictably crashes the interpreter.
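The bug above is about an exporter whose memory can vanish underneath the view. For well-behaved exporters, CPython's buffer protocol does track live exports, and this added example (not from the article or from [kn32]'s write-up) shows the three guards a defender can rely on: a resize is refused while a view is live, the view keeps its exporter alive, and a released view refuses reads instead of touching freed memory.

```python
import sys

def export_guard_demo():
    """While a memoryview is live, bytearray refuses to resize (which could
    move or free the memory the view points at); after release() it may."""
    buf = bytearray(b"hello world")
    view = memoryview(buf)
    try:
        buf.extend(b"!")          # would reallocate -> BufferError
        resize_blocked = False
    except BufferError:
        resize_blocked = True
    view.release()                # drop the export
    buf.extend(b"!")              # now allowed
    return resize_blocked, bytes(buf)

def view_keeps_exporter_alive():
    """A view holds a strong reference to its exporter, so dropping the last
    name for the bytearray does not free the memory the view reads."""
    buf = bytearray(b"keep me")
    view = memoryview(buf)
    before = sys.getrefcount(buf)  # at least the name and the view
    del buf                        # only the view references the object now
    return before, bytes(view)     # still readable through the view

def released_view_is_dead():
    """Once released (here via the context manager), reads through the view
    raise ValueError rather than dereferencing a stale pointer."""
    with memoryview(bytearray(b"x")) as view:
        pass
    try:
        view[0]
        return False
    except ValueError:
        return True
```

The practical takeaway is to release views promptly (the context manager form does it for you) and to be wary of exporters outside the standard library, since the guards only hold when the exporter honours the protocol.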

It is actually a read-and-write primitive. Snoop around Python's memory, find the ELF headers, then find where glibc's system sits in the dynamic linkage table. Find it, use the memory corruption bug to patch the right memory, and boom, you've popped a shell from Python!

The sharper among you are probably already thinking, "Gee, this is a complicated way to call os.system()." And yes, as an exploit, it's quite unimpressive. [kn32], our tour guide on this Python adventure, points out that it could be used to escape a Python sandbox, but that is a very niche use case. Even if we conclude that it's not really an exploit, it's a great learning tool and some fun hacking.

Wizard Spider

What happens when a team of smart and highly motivated researchers like the folks at PRODAFT set their sights on a large ransomware gang? Well first, they have to come up with an interesting name. They decided to call this malware-slinging gang Wizard Spider, which has some strong D&D vibes.

The PDF report details the findings, and they are impressive. The investigation mapped out WS's preferred tools, as well as some of their infrastructure, such as the web of WireGuard tunnels they use to proxy their activities. Most interesting was the discovery of a backup server, believed to be in Russia, which also holds backups related to the REvil operation. There are plenty of theories about what that finding really means. There is another version of the report that has been handed over to law enforcement, presumably with more identifying information.

There are some notable techniques discussed, including a machine learning engine that looks at written text and tries to determine the native language of the writer. This is done by looking for omitted articles, such as "the", and use of the wrong verb tense. Some odd-looking English phrases are literal word-for-word translations of common expressions in the writer's mother tongue. In a conclusion that surprised no one, PRODAFT determined that the official spokesman for WS is a native Russian speaker. Hopefully the rest of the story behind this collection of information can be shared. It promises to be a hacking story for hackers, with some old-fashioned tradecraft thrown in.

Parallels hack writeup

At Pwn2Own 2021, [Jack Dates] of RET2 managed to escape a Parallels VM. To our delight, he has written up the exploitation process for our education. A series of bugs in the guest additions code allows a chain that escapes the guest. The first bug used is a data leak, where 0x20 bytes are written into a 0x90-byte buffer and then the whole buffer is exposed to the guest. That is 0x70 bytes of host VM heap memory that can be read at a time, enough to recover some base addresses.

The next bug is a buffer overflow in the drag-and-drop handling code. The string sent to the host is assumed to be null-terminated, and a string without the terminator overflows a stack buffer. This overflow can be used to corrupt the exception handling of the guest additions code running on the host. A third bug, a so-called "megasmash", doesn't seem very useful at first, as it triggers a huge buffer overflow via an integer overflow. The problem with using it is that when it overflows, it tries to write 0xffffffff bytes into program memory. The chain uses it to change a callback pointer to point at malicious code. However, some of that memory is guaranteed to be read-only, which triggers an exception.

The key point is that the exception handling has already been tampered with, so when the exception fires, the handling code immediately faults and hangs, which prevents the normal program cleanup. Other threads then hit the tampered-with function pointer, resulting in code execution. The bugs were all fixed late last year, and [Jack] earned a tidy 40,000 for the exploit chain. Enjoy!
