November 22, 2024

This Week in Security: Zimbra, DNS Poisoning, and Perfctl

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a nasty one, though thankfully it requires a change from the default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it journals incoming email. One of the values in an incoming SMTP transaction is the RCPT TO: envelope command, which carries each recipient address (everything the sender put in the To, Cc, and Bcc fields). When postjournal handles that value, it builds a shell command line with the address embedded in it. That string wasn’t sanitized, and the program wasn’t using an exec-style call like execvp() that would have passed the address as a single opaque argument. So it was possible to inject commands using the $() construction.
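The two patterns side by side, as an added example that is not Zimbra’s code: a logger that interpolates the recipient into a shell command string (the vulnerable shape), the same logger calling an argv list with no shell (the execvp-style fix), and an allow-list check in front of it. The RCPT TO: line, the regex and the function names are all assumptions made for the demo; `subprocess` with a list argument is what gives you the no-shell exec on POSIX.

```python
import re
import subprocess
from typing import Optional

# Constructed sample (not a captured Zimbra session): an SMTP envelope line
# whose local part carries a $() payload, the shape of address the postjournal
# bug choked on.
SAMPLE_RCPT_LINE = "RCPT TO:<bob$(echo INJECTED)@example.com>"

# Deliberately narrow allow-list, stricter than RFC 5321 permits: anything a
# shell could interpret ($ ` ; | & quotes, whitespace) is rejected outright.
SAFE_RCPT = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$")


def parse_rcpt_to(line: str) -> Optional[str]:
    """Pull the address out of an 'RCPT TO:<addr>' line; None if malformed."""
    m = re.match(r"^RCPT TO:\s*<([^>]*)>\s*$", line, re.IGNORECASE)
    return m.group(1) if m else None


def rcpt_is_safe(addr: str) -> bool:
    return SAFE_RCPT.fullmatch(addr) is not None


def journal_via_shell(addr: str) -> str:
    """Vulnerable pattern: the address is interpolated into a command string
    that /bin/sh parses, so $(...) runs before the logger ever sees the text."""
    cmd = f'echo "RCPT={addr}"'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")


def journal_via_exec(addr: str) -> str:
    """Hardened pattern: an argv list and no shell. subprocess execs the echo
    binary directly (the execvp-style call mentioned above), so the address is
    one opaque argument and $(...) is just bytes."""
    out = subprocess.run(["echo", "RCPT=" + addr], capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")


def journal_hardened(addr: str) -> str:
    """Defence in depth: refuse anything outside the allow-list, then exec."""
    if not rcpt_is_safe(addr):
        raise ValueError(f"rejecting suspicious recipient: {addr!r}")
    return journal_via_exec(addr)


if __name__ == "__main__":
    addr = parse_rcpt_to(SAMPLE_RCPT_LINE)
    print("shell :", journal_via_shell(addr))   # the payload ran inside sh
    print("exec  :", journal_via_exec(addr))    # the payload is literal text
    print("safe? :", rcpt_is_safe(addr))
```

Run it and the shell path prints `RCPT=bobINJECTED@example.com`, proof that `$(...)` was evaluated, while the exec path prints the address untouched. The allow-list is the belt to the exec call’s braces: exec alone stops the shell, but a later consumer of that log line may have its own parser.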

The details of the attack are public, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so some of those attempts have teeth. The attack seems to be less reliable when it comes from outside the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. One potential answer is WhoYouCalling. The wrinkle here is that WYC uses Event Tracing for Windows (ETW) to collect network traffic strictly from the application in question, so it’s a Windows-only tool for now. What you get is a packet capture from a specific executable and all of its child processes, with automated DNS capture to go along with it.

DNS Poisoning

Here’s a mystery. The folks at Assetnote discovered rogue subdomains belonging to several of their customers, showing up with seemingly random IP addresses attached. A subdomain like webproxy.id.customer.vn might resolve to 10 different addresses when queried against alibabadns.com.

That turned out to be a particularly important clue. These phantom subdomains were all linked to the Chinese Internet in some way, and it turns out that each subdomain had an interesting keyword in it, like webproxy or VPN. This seems to be a really unusual way to censor the Internet, as part of the Chinese Great Firewall. The problem here is that the censorship can escape and actually poison DNS for those subdomains for the rest of the Internet. And because the semi-random IPs sometimes point at things like the Fastly CDN or old cPanel installs, a bit of legwork gets you the equivalent of a subdomain takeover. Along with the story, Assetnote have shared a tool to check domains for this issue.
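A check for the pattern described above, written as an added example rather than Assetnote’s tool: compare what the zone’s own authoritative server says about a name with what a third-party resolver returns, and flag names that the owner says don’t exist, that carry a censorship keyword, and that come back with addresses scattered across unrelated networks. The keyword list, thresholds and the answer sets are constructed assumptions; in a real run you would replace `SAMPLE_ANSWERS` with live lookups against both servers.

```python
import ipaddress
from typing import Dict, List

# Keywords the write-up reports in the phantom names; the rest of this list is
# an assumption, extend it from your own observations.
CENSORSHIP_KEYWORDS = ("vpn", "webproxy", "proxy", "shadowsocks", "v2ray")

# Constructed answer sets (no live lookups): what the zone's own authoritative
# server returns versus what a third-party resolver hands back.
SAMPLE_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    "webproxy.id.customer.vn": {
        "authoritative": [],                      # NXDOMAIN from the zone's NS
        "alibabadns.com": [
            "151.101.1.10", "199.232.4.1", "103.24.52.7", "45.33.12.9", "104.21.8.3",
            "172.67.1.2", "198.51.100.4", "192.0.2.77", "203.0.113.200", "64.233.160.1",
        ],
    },
    "www.customer.vn": {
        "authoritative": ["203.0.113.5"],
        "alibabadns.com": ["203.0.113.5"],
    },
    "mail.customer.vn": {                         # stale data, but no keyword: not this pattern
        "authoritative": [],
        "alibabadns.com": ["198.51.100.9", "203.0.113.9", "192.0.2.9"],
    },
}


def has_censorship_keyword(name: str) -> bool:
    labels = name.lower().split(".")
    return any(k in label for label in labels for k in CENSORSHIP_KEYWORDS)


def distinct_slash16(addrs: List[str]) -> int:
    """How many unrelated /16s the answers span. Real records for one host
    cluster in one or two networks; injected ones are scattered."""
    nets = set()
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version == 4:
            nets.add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return len(nets)


def classify(name: str, authoritative: List[str], public: List[str],
             min_answers: int = 3, min_networks: int = 3) -> str:
    """'consistent' (same answers), 'phantom' (owner says the name does not exist,
    the other resolver returns scattered addresses, and the name carries a
    censorship keyword) or 'mismatch' (anything else worth a manual look)."""
    if set(authoritative) == set(public):
        return "consistent"
    if (not authoritative and len(public) >= min_answers
            and distinct_slash16(public) >= min_networks
            and has_censorship_keyword(name)):
        return "phantom"
    return "mismatch"


def scan(answers: Dict[str, Dict[str, List[str]]],
         resolver: str = "alibabadns.com") -> Dict[str, str]:
    return {name: classify(name, a["authoritative"], a[resolver]) for name, a in answers.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ANSWERS).items():
        print(f"{verdict:10s} {name}")
```

A “phantom” verdict is the starting point, not the end: the next step is to look up who owns each returned address, because an address that lands on a CDN or a forgotten hosting panel is the one that turns a censorship side effect into a takeover.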

Virtual Name Tags Bring the Creep Factor

What do you get when you combine Internet-connected smart glasses with an LLM doing facial recognition? The optimistic opinion is that you get virtual nametags for everybody you meet. I’ve played a video game or two that emulates that sort of ability. Taking a more cynical and realistic view, this auto-doxxing of everyone in public strays towards the dystopian.

perfctl

There’s a newly discovered Linux malware, perfctl, that specializes in stealth combined with Monero mining. The malware is also used to relay traffic and to install other malware on compromised machines. It communicates over Tor and uses some clever tricks to avoid detection. Log in to a compromised machine, and the Monero mining stops until you log back out.

The malware is particularly difficult to get rid of, and as always, the best solution is to carefully back up and then wipe the affected machine. One of the tells to look for is a machine running flat out at 100% CPU when it has no business doing so, and then, when you log in and look for the culprit, it drops back to normal.
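That tell can be checked from telemetry you probably already collect. The following is an added example, not anything from the perfctl write-up: it takes per-minute CPU readings and interactive session intervals (the kind `last` or wtmp give you) and flags a host that runs hot only while nobody is logged in. The samples, the session window and the thresholds are constructed for the demo.

```python
from datetime import datetime
from typing import List, Tuple

# Constructed telemetry (not from a real host): one-minute CPU readings from a
# metrics collector, and interactive session intervals as `last` / wtmp report them.
CPU_SAMPLES: List[Tuple[str, float]] = [
    ("2024-11-20T03:00", 97.0), ("2024-11-20T03:01", 96.0), ("2024-11-20T03:02", 98.0),
    ("2024-11-20T03:03", 95.0),                               # nobody logged in, box is pegged
    ("2024-11-20T03:04", 4.0), ("2024-11-20T03:05", 6.0), ("2024-11-20T03:06", 5.0),
    ("2024-11-20T03:07", 5.0), ("2024-11-20T03:08", 5.0),     # admin logs in, load vanishes
    ("2024-11-20T03:09", 96.0), ("2024-11-20T03:10", 97.0), ("2024-11-20T03:11", 98.0),
    ("2024-11-20T03:12", 95.0),                               # session over, load is back
]
SESSIONS: List[Tuple[str, str]] = [("2024-11-20T03:04", "2024-11-20T03:08")]

# A genuine batch job for comparison: busy whether or not someone is watching.
HONEST_SAMPLES: List[Tuple[str, float]] = [(ts, 95.0) for ts, _ in CPU_SAMPLES]


def attended(ts: datetime, sessions: List[Tuple[str, str]]) -> bool:
    """True if an interactive session was open at this instant (bounds inclusive)."""
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e) for s, e in sessions)


def split_means(samples: List[Tuple[str, float]],
                sessions: List[Tuple[str, str]]) -> Tuple[float, float]:
    """Mean CPU while no interactive session exists vs while one does."""
    unattended, with_user = [], []
    for ts, cpu in samples:
        bucket = with_user if attended(datetime.fromisoformat(ts), sessions) else unattended
        bucket.append(cpu)

    def mean(xs: List[float]) -> float:
        return sum(xs) / len(xs) if xs else 0.0

    return mean(unattended), mean(with_user)


def looks_like_login_aware_miner(samples: List[Tuple[str, float]],
                                 sessions: List[Tuple[str, str]],
                                 hot: float = 80.0, drop_ratio: float = 0.5) -> bool:
    """Flag a host that runs hot unattended and collapses to a fraction of that
    the moment someone logs in. Honest load keeps going; this is the inverse."""
    if not sessions:
        return False                    # no login to compare against, no verdict
    unattended_mean, with_user_mean = split_means(samples, sessions)
    if unattended_mean < hot:
        return False
    return with_user_mean <= unattended_mean * drop_ratio


if __name__ == "__main__":
    print("perfctl-like:", split_means(CPU_SAMPLES, SESSIONS),
          looks_like_login_aware_miner(CPU_SAMPLES, SESSIONS))
    print("honest job  :", split_means(HONEST_SAMPLES, SESSIONS),
          looks_like_login_aware_miner(HONEST_SAMPLES, SESSIONS))
```

The comparison only works if your CPU metric is collected out of band (an agent or a remote scraper), since anything the malware can see as an interactive login it will hide from; a cron job that also drops load at login would trip this too, so treat a hit as a reason to pull disk and memory images, not as proof.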

Bits and Bytes

[nv1t] found a kid’s toy, the Kekz Headphones, and they just begged to be taken apart. This toy has a bunch of audio on an SD card, and individual NFC-enabled tokens that trigger playback of the right file. This one is interesting from an infosec perspective because the token actually supplies the encryption key for file playback, making it a nominally secure system. After pulling everything apart, it became apparent that the encryption wasn’t up to the task, with only about 56 possible keys per file.

Something we’ve continually talked about is how subtle mismatches in data parsing often lead to vulnerabilities. [Mahmoud Awali] has noticed this too, and decided to put together a comparison of how different languages handle HTTP parameters. Did you know that Ruby uses the semicolon as a parameter delimiter? There are a bunch of quirks like this, and this is the sort of material you’ll need to find that next big vulnerability.
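To make the delimiter mismatch concrete, here is an added example (not from the comparison linked above) that uses Python’s `urllib.parse.parse_qs` with its `separator` keyword to play both sides: a front end that splits on `&` and a back end that, like the Ruby behaviour mentioned above, also treats `;` as a delimiter. The query string and the role names are constructed for the demo; Python itself accepted both characters until a 2021 change made `&` the only default.

```python
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed request: a query string that a proxy splitting on '&' and a back
# end splitting on ';' will read differently.
SAMPLE_QUERY = "a=1;b=2&c=3"


def parse_with(qs: str, sep: str) -> Dict[str, List[str]]:
    """Parse a query string the way a component using `sep` as its delimiter would."""
    return parse_qs(qs, keep_blank_values=True, separator=sep)


def parser_disagreement(qs: str, front_sep: str = "&", back_sep: str = ";") -> Dict[str, List[str]]:
    """Which parameters a front end (WAF, proxy, auth layer) never sees, sees
    alone, or sees with a different value than the back end that acts on them."""
    front, back = parse_with(qs, front_sep), parse_with(qs, back_sep)
    return {
        "only_in_backend": sorted(k for k in back if k not in front),
        "only_in_frontend": sorted(k for k in front if k not in back),
        "disagree": sorted(k for k in front if k in back and front[k] != back[k]),
    }


if __name__ == "__main__":
    print("front end sees:", parse_with(SAMPLE_QUERY, "&"))
    print("back end sees :", parse_with(SAMPLE_QUERY, ";"))
    print("disagreement  :", parser_disagreement(SAMPLE_QUERY))
```

The front end sees `a=1;b=2` as one value and never sees a `b` parameter at all, so a rule written against `b` never fires, while the back end happily receives `b`. That is the whole of parameter smuggling: pick the delimiter one layer ignores, and the other layer does the rest.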

And finally, speaking of Ruby, are you familiar with Ruby’s class pollution category of vulnerabilities? It’s akin to JavaScript’s prototype pollution (and the class pollution variant seen in Python), and not entirely unlike Java’s deserialization issues. If Ruby is your thing, go brush up on how to avoid this particular pitfall.

Written by: Nermeen Nabil Khear Abdelmalak