You may not be familiar with the Microsoft Message Queuing (MSMQ) service, a store-and-forward service for inter-process and inter-system communication. MSMQ has become a legacy product, but it is still available as an optional component in Windows, and Microsoft Exchange, along with other enterprise software, enables the service by default. That’s why it’s a little scary that a remote code execution (RCE) vulnerability reachable with a single packet was just patched in the service.
CVE-2023-21554, also known as QueueJumper, is this unauthenticated RCE, with a CVSS score of 9.8. All it takes is sending a packet to the service on TCP port 1801. Check Point’s research team looked for MSMQ endpoints listening on the public Internet and found about 360,000; no doubt many more listen on internal networks. A one-packet exploit is a prime example of a wormable issue, and now that the story has broken and the fix is out, expect some quick reverse engineering. Watch out, the free riders are coming.
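The practical defender’s question after a bug like this is “which of my hosts actually expose that port?”. The following script is an added example, not code from the column or from Check Point: it probes a list of hosts for an open TCP/1801 listener so the result can be compared against the list of machines that are supposed to run MSMQ and have the patch. The loopback listener in `selftest()` is a constructed stand-in for an exposed host so the example runs offline; a real inventory would pass the hosts on the command line.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP port MSMQ listens on; the column names it as the port the vulnerable service is reached through
MSMQ_PORT = 1801


def tcp_port_open(host, port=MSMQ_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unreachable, or name resolution failed: treat all as "not exposed"
        return False


def find_exposed_msmq(hosts, port=MSMQ_PORT, timeout=2.0, workers=32):
    """Probe every host in `hosts` and return, sorted, those that accept connections on `port`."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, tcp_port_open(h, port, timeout)), hosts))
    return sorted(host for host, is_open in results if is_open)


def selftest():
    """Offline demonstration: a loopback listener (constructed) stands in for an exposed MSMQ host.

    Returns (hosts flagged while the listener is up, hosts flagged after it is closed).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    while_open = find_exposed_msmq(["127.0.0.1"], port=port, timeout=1.0)
    listener.close()
    after_close = find_exposed_msmq(["127.0.0.1"], port=port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    import sys

    # Usage: python msmq_exposure.py host1 host2 ...  (no arguments runs the loopback self-test)
    targets = sys.argv[1:]
    if targets:
        for host in find_exposed_msmq(targets):
            print(f"{host}: TCP/{MSMQ_PORT} open, confirm MSMQ is needed there and patched")
    else:
        print(selftest())
```

An open port only tells you the listener is reachable; the follow-up is checking the host’s patch level and whether the MSMQ feature is needed at all, since removing an unneeded optional component closes the hole for good.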
JavaScript VM escape
The VM2 library is a fairly large JavaScript package that sandboxes code, allowing a project to run untrusted code safely. Or, that’s the idea. CVE-2023-29017 is an example of how hard it is to get sandboxing right. This is another CVSS 9.8 vulnerability, and this one allows a sandbox escape and code execution.
This one now has public proof-of-concept code, and the package has over 16 million monthly installs, so the attack surface is potentially quite large. The flaw is fixed in version 3.9.15.
Oldsmar Errata
Do you remember the creepy hack at the treatment plant in Oldsmar? Someone tried to raise the sodium hydroxide level from a reasonable 100 ppm to an unpleasant 11,000 ppm. We even had a little fun considering that it could have been a watering hole attack on a literal watering hole. A few of our more skeptical readers pointed out that the new value looked a lot like a misplaced decimal point, or a legitimate change attempt.
And to my surprise, the null hypothesis is starting to look right. “[T]hrough the investigation, the FBI was unable to confirm that this incident was triggered by a targeted cyber intrusion of Oldsmar.” The city manager said it may even have been the employee who reported the incident, accidentally hitting the keyboard. So that’s embarrassing, although it suggests a new pastime, similar to trainspotting: looking for debunked attacks in presentations. This particular non-incident seems to be a favorite for government officials to cite when asking for money or pushing for new regulations.
CAN Bus Zero Day
Modern cars are technological marvels. Components that were once very simple, like headlights, are now full-fledged microcomputers, all networked over a data bus. The traditional data bus is the Controller Area Network (CAN) bus, although automotive Ethernet threatens to throw CAN onto the heap of legacy technology. That time has not yet come, and most vehicles still have a CAN bus. Which brings us to the story of [Ian Tabor], a security researcher driving a RAV4.
This vehicle was vandalized one day, with the trim around the headlight ripped off in a seemingly random act of mayhem. A few days later, when the car was stolen, it became clear that it wasn’t vandalism at all. The headlight happens to be an easy place to access the CAN bus. When the car was stolen, it encountered a major system failure and uploaded a log of everything that broke. It turns out that almost every connected device had dropped off the CAN bus. That’s the interesting part of what’s going on here.
This vehicle, and many others, use a smart key. It’s a bit of hardware that performs a reasonably secure cryptographic handshake over wireless with the receiver in the car. That receiver, once it validates the key, sends a message on the CAN bus that unlocks the vehicle. Wireless cryptography: good. CAN cryptography? Non-existent. The hack is self-contained in a $10 hardware kit that is connected to the car’s CAN bus where the headlight plugs in. It first performs a sort of denial-of-service attack, knocking the real key receiver off the bus, and then sends a burst of forged messages telling the rest of the car that the smart key is present. And with that, the start button works just fine.
This is an ongoing zero-day attack against a range of vehicle manufacturers. The researchers behind the discovery tried to report their findings and hit a brick wall attempting normal responsible disclosure. The research write-up ends with a request for an automaker or industry group to reach out and help with the next steps in the research, and with fixing this mess for the various vulnerable vehicles.
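Because CAN carries no authentication, the only place to catch this from the vehicle side is in the traffic pattern: a legitimate module going quiet, followed by its ID suddenly appearing far more often than it ever does. The script below is an added example, not code from the column or from the researchers: it learns a per-ID message rate from the start of a candump-style log, then flags IDs that exceed a multiple of that rate in any one-second window and IDs that fall silent while the bus stays busy. The arbitration IDs, the 10 Hz / 2 Hz rates and the whole log are constructed for the example; real vehicles use different IDs and rates, so the baseline must be learned from the actual car.

```python
import re
from collections import defaultdict

# candump-style line: "(timestamp) interface ID#HEXDATA"
FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed arbitration IDs for the example; real IDs differ per vehicle.
BODY_STATUS_ID = 0x100   # hypothetical: a module that chatters at 10 Hz
KEY_RECEIVER_ID = 0x2A0  # hypothetical: the smart-key receiver, 2 Hz heartbeat / "key present"


def parse_candump(lines):
    """Return [(timestamp, arbitration_id, data_bytes)] sorted by time; unparseable lines are skipped."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames)


def learn_baseline(frames, learn_until):
    """Messages per second for each ID, learned from frames with timestamp < learn_until."""
    counts = defaultdict(int)
    for ts, arb_id, _ in frames:
        if ts < learn_until:
            counts[arb_id] += 1
    span = max(learn_until - frames[0][0], 1e-9)
    return {arb_id: n / span for arb_id, n in counts.items()}


def detect_bursts(frames, baseline, window=1.0, factor=5.0):
    """Flag (id, window_start, count) where an ID sends more than factor x its baseline in one window.

    An ID absent from the baseline has an expected count of 0, so any traffic from it is flagged.
    """
    start = frames[0][0]
    buckets = defaultdict(int)
    for ts, arb_id, _ in frames:
        buckets[(arb_id, int((ts - start) // window))] += 1
    alerts = []
    for (arb_id, idx), n in sorted(buckets.items()):
        expected = baseline.get(arb_id, 0.0) * window
        if n > factor * expected:
            alerts.append((arb_id, start + idx * window, n))
    return alerts


def detect_silence(frames, baseline, min_gap=2.0):
    """Flag (id, last_seen, gap_seconds) when an ID in the baseline goes quiet for >= min_gap seconds.

    The bus's last timestamp closes the final interval, so an ID that vanishes for good is flagged too.
    """
    per_id = defaultdict(list)
    for ts, arb_id, _ in frames:
        per_id[arb_id].append(ts)
    bus_end = frames[-1][0]
    alerts = []
    for arb_id in sorted(baseline):
        stamps = per_id[arb_id] + [bus_end]
        for a, b in zip(stamps, stamps[1:]):
            if b - a >= min_gap:
                alerts.append((arb_id, a, round(b - a, 3)))
    return alerts


def analyze(lines, learn_until):
    """Run both detectors over a log, learning the baseline from its first learn_until seconds."""
    frames = parse_candump(lines)
    baseline = learn_baseline(frames, learn_until)
    return {"bursts": detect_bursts(frames, baseline), "silence": detect_silence(frames, baseline)}


def constructed_log():
    """Constructed capture mirroring the sequence in the story: normal traffic, the receiver
    knocked off the bus, then a burst of forged "key present" frames under the receiver's ID."""
    lines = []
    for k in range(0, 91):  # body module at 10 Hz for 9 s
        lines.append(f"({k / 10:.3f}) can0 {BODY_STATUS_ID:03X}#00")
    for k in range(0, 10):  # genuine receiver heartbeat at 2 Hz until t = 4.5 s
        lines.append(f"({k / 2:.3f}) can0 {KEY_RECEIVER_ID:03X}#00")
    for j in range(30):  # forged burst at t = 8.0 s: 30 frames in half a second
        lines.append(f"({8 + j / 60:.3f}) can0 {KEY_RECEIVER_ID:03X}#01")
    return lines


if __name__ == "__main__":
    for kind, alerts in analyze(constructed_log(), learn_until=5.0).items():
        for arb_id, when, value in alerts:
            print(f"{kind}: id 0x{arb_id:03X} at t={when:.1f}s ({value})")
```

On the constructed log the burst detector reports the forged flood under the receiver’s ID at t = 8 s and the silence detector reports the 3.5 s gap after the receiver’s last genuine frame; a real deployment would tune `factor` and `min_gap` per ID from a clean capture, since some IDs are legitimately bursty.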
Bits and Bytes
How do you make sure a printer isn’t unwittingly spying on you? Root the printer and audit it, of course. Printers that save copies of documents to a built-in hard drive are a potential problem, and RedTeam Pentesting wanted to know whether their office printer was guilty of this indiscretion. The hack was to get into the printer through its literal back panel and find a serial port. Many embedded devices have a TTL-level serial port, and that port is often poorly secured. In this case, the connection presented a console, and one of the menu options was “sh mode”, which of course dropped into a root shell on the device. Whoops. At least they confirmed that their documents were properly erased after printing!
There’s a weird quirk with GitHub account names. When you change your account name, GitHub is nice enough to set up redirects, so the old URLs still work. But the old name then becomes an unused account name that anyone can register. Once that happens, the redirects disappear, and if the new user recreates the repositories, the old URLs serve the new code. All is well until you realize that build systems sometimes point at old usernames. That’s exactly what [Joren Vrancken] found in the Arch User Repository, as well as for a single package in the official Arch repositories. The attack that takes advantage of this quirk is called repo jacking, and it’s worth thinking about if you’re a software developer or maintainer.
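The maintainer-side check is mechanical: for every GitHub URL your build files reference, ask GitHub whether that owner/repo name is still the canonical one, because a reference that only works through a rename redirect is exactly the kind Joren Vrancken found. The script below is an added example, not code from the column or from the Arch project. `live_resolver` relies on GitHub answering a plain HEAD request with a 3xx and a `Location` header for renamed owners or repositories and with 404 for names that no longer exist; the PKGBUILD fragment, the owner names and `fake_resolver` are constructed so the example runs offline.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Any github.com URL in a build file (a PKGBUILD source= array, a requirements file, a submodule URL ...).
GITHUB_URL_RE = re.compile(r"""https?://github\.com/[^\s'"#)]+""")
# owner/repo out of such a URL, tolerating a trailing .git and any path after the repo name
SLUG_RE = re.compile(
    r"https?://github\.com/(?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?(?:[/?].*)?$"
)


def github_slug(url):
    """'https://github.com/owner/repo.git#tag=v1' -> 'owner/repo', or None if not a repo URL."""
    m = SLUG_RE.match(url.strip())
    return f"{m['owner']}/{m['repo']}" if m else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_resolver(slug):
    """Ask github.com where owner/repo lives now (needs network access).

    Returns the same slug if GitHub answers directly, the new slug if it redirects (renamed owner
    or repo), or None on 404 (name free to register, or repo gone/private).
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(f"https://github.com/{slug}", method="HEAD")
    try:
        with opener.open(req, timeout=10):
            return slug
    except HTTPError as err:
        if err.code in (301, 302, 307, 308):
            return github_slug(err.headers.get("Location", ""))
        if err.code == 404:
            return None
        raise


def audit_sources(text, resolve=live_resolver):
    """Return (url, referenced_slug, canonical_slug, status) for each GitHub URL in `text`.

    status: "ok" (the reference is canonical), "redirected" (the referenced name is an old one and
    may be free for someone else to register: update the reference), "missing" (nothing there).
    """
    findings = []
    for url in sorted(set(GITHUB_URL_RE.findall(text))):
        slug = github_slug(url)
        if slug is None:
            continue
        canonical = resolve(slug)
        if canonical is None:
            status = "missing"
        elif canonical.lower() == slug.lower():
            status = "ok"
        else:
            status = "redirected"
        findings.append((url, slug, canonical, status))
    return findings


# Constructed PKGBUILD fragment; the owner and repo names are hypothetical.
SAMPLE_PKGBUILD = '''
source=("tool::git+https://github.com/oldname/tool.git#tag=v2.1.0"
        "https://github.com/someone/lib/archive/refs/tags/v1.0.tar.gz"
        "https://github.com/gone/pkg.git")
'''

# Constructed answers standing in for github.com so the example runs offline.
FAKE_ANSWERS = {"oldname/tool": "newname/tool", "someone/lib": "someone/lib", "gone/pkg": None}


def fake_resolver(slug):
    return FAKE_ANSWERS.get(slug)


if __name__ == "__main__":
    for url, slug, canonical, status in audit_sources(SAMPLE_PKGBUILD, fake_resolver):
        print(f"{status:10s} {slug:15s} -> {canonical}  ({url})")
```

A "redirected" finding is the one to act on: point the reference at the canonical name, and for anything fetched at build time pin a commit hash or verify a checksum, so that even a later takeover of the old name cannot change what gets built. Swap `fake_resolver` for the default `live_resolver` to run it against real build files.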
Eve Online saw a heist this week, in which the equivalent of $22,300 was drained from an in-game corporation. The approach was sadly similar to a real-world corporate takeover. In this case, [Flam_Hill] managed to acquire a handful of voting shares, then applied to join the corporation with a few accounts. Once accepted, those voting shares conferred the right to call an early election for the position of CEO. The voting process is open for 72 hours, and because this corporation did not have a particularly active pool of voters, only the fictitious accounts voted, giving the attacker full control. It turns out the attacker was none other than [Sienna d’Orien], the corporation’s original founder, who returned from a hiatus to take back the business. The game truly imitates life.
And finally, juice jacking! It sounds like the latest bodybuilding technique of questionable legality, but it’s actually a rather old idea for attacking cell phones: offer free phone charging, but secretly use the USB data connection to install malware. It’s such a persistent worry that the FCC and FBI recently issued warnings against using untrusted USB charging stations. Except that no one seems to have actually seen this attack in the wild. Digging into those warnings a bit, the main source is a district attorney’s warning that was later withdrawn for lack of any actual cases on file. So let us know, have you ever seen a juice jacking attack?
Stop and charge your phones @shmoocon! Courtesy of @NSAGov pic.twitter.com/yxIL8mohvi
— Rob Joyce (@RGB_Lights) January 18, 2019