Harry Sintonen
Infosec consultant at REVƎЯSEC https://reversec.com/ - Coding, Research + various other interests
- 25 Posts
- 16 Comments
Post mortem:
This issue was made possible by a misconfiguration whereas “AllowOverride none” was used by accident. That made it possible to read the configuration file even though .htaccess file preventing it is in place.
So this in part this specific issue was a mistake by the admin (read: myself). I think it still highlights an issue that could occur in many other ways as well. It is best to restrict network access to servers when upgrading them.
PS: If you can’t do things right at least make it possible for others to learn from your mistakes. 🙂
@jerry It largely depends on how well the initial impact is cleaned up. I’m hoping we won’t see a ton of backdoors in various components next.
The httpget 0.2 doesn’t quite work in the form it was uploaded.
First it uses hardcoded argv, argc instead of getting from the app invocation (as args in main, the code uses void main).
Second obtaining any data from the socket will result in the app stopping and leaving behind an empty file (if (nread) break;).
This program could never download anything. It is likely some work in progress or modified test version of httpget. Since it includes some windows specific headers and has disabled the unix ones I can only presume it was some earlier attempt to get the tool running on windows.
So while the code has a local stack buffer overflow it can’t be triggered for this early version.
If this trend continues, we will be losing the ability to use secure means of communication with UK friends and colleagues. For example, #signalapp will rather get out of the UK than add backdoors: https://www.bbc.com/news/technology-64584001
“#Nordnet admits that it was possible to trade in other people’s depots during the IT breakdown”
Nordnet has a lot of technical issues to sort out. If the malfunction allowed unauthorized parties to operate the accounts it will be quite messy to sort out.
Among with technical part, they will have to deal with the regulatory issues, in particular the Financial Supervisory Authority. They will demand answers.
@[email protected] Curl will likely address this eventually even though they don’t consider it a vulnerability. See https://github.com/curl/curl/issues/16197
The latest curl version 8.12.0 (released today) is affected.
The details of the #AMD Microcode Signature Verification #Vulnerability are out:
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
- https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
#infosec #infosecurity #cybersecurity
So what could you do if the microcode signature verification can be bypassed? While not directly applicable, this #defcon presentation “DEF CON 31 - Backdoor in the Core - Altering Intel x86 Instruction Set at Runtime - Krog, Skovsende” gives some ideas: https://www.youtube.com/watch?v=Zda7yMbbW7s
@gabrielesvelto Yeah, information for that vulnerability is non-existent as well. In all the vulnerability management doesn’t seem to be going great here.
Update: The “PeCoffLoader memory overflow issue for security” likely is CVE-2024-38796: https://nvd.nist.gov/vuln/detail/cve-2024-38796
I had actually forgotten I still had Docker installed on this system. I’ve now fixed this issue by uninstalling the malicious app. I’m using #podman elsewhere already, just had this install lingering still. Apple: Thanks for the warning!
@[email protected] Oof, that’s not good at all.
@[email protected] Yep, that’s the one.
@[email protected] No kidding? I can only recommend anyone doing research on N-Able to avoid going through their “bug bounty” program. They actively cite the program rules to shut down disclosure, namely I cannot show how trivial the attack is to pull off by using mitmproxy. So there is no way for me to challenge their obviously flawed scoring of the vulnerability.
ref https://infosec.exchange/@harrysintonen/112999715864274188