{"id":24479,"date":"2024-10-11T13:28:18","date_gmt":"2024-10-11T17:28:18","guid":{"rendered":"https:\/\/twiar.net\/?p=24479"},"modified":"2025-01-17T10:21:27","modified_gmt":"2025-01-17T15:21:27","slug":"via-hackaday-this-week-in-security-the-internet-archive-glitching-with-a-lighter-and-firefox-in-the-wild","status":"publish","type":"post","link":"https:\/\/twiar.net\/2024\/10\/11\/via-hackaday-this-week-in-security-the-internet-archive-glitching-with-a-lighter-and-firefox-in-the-wild\/","title":{"rendered":"via Hackaday: This Week in Security: The Internet Archive, Glitching With a Lighter, and Firefox In-the-wild"},"content":{"rendered":"<p>The Internet Archive <a href=\"https:\/\/hackaday.com\/2024\/10\/10\/the-internet-archive-has-been-hacked\/\">has been hacked<\/a>. This is an ongoing story, but it looks like this started <a href=\"https:\/\/arstechnica.com\/information-technology\/2024\/10\/archive-org-a-repository-storing-the-entire-history-of-the-internet-has-been-hacked\/\" target=\"_blank\" rel=\"noopener\">at least as early as September 28<\/a>, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwned.<\/p>\n<p>Hi folks, yes, I&#8217;m aware of this. I&#8217;ve been in communication with the Internet Archive over the last few days re the data breach, didn&#8217;t know the site was defaced until people started flagging it with me just now. More soon. <a href=\"https:\/\/t.co\/uRROXX1CF9\" target=\"_blank\" rel=\"noopener\">https:\/\/t.co\/uRROXX1CF9<\/a><\/p>\n<p>\u2014 Troy Hunt (@troyhunt) <a href=\"https:\/\/twitter.com\/troyhunt\/status\/1844136762727448644?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">October 9, 2024<\/a><\/p>\n\n<p>There are questions still. 
The site defacement seems to have included either a subdomain takeover, or a long-tail attack resulting from <a href=\"https:\/\/hackaday.com\/2024\/07\/05\/this-week-in-security-hide-yo-ssh-polyfill-and-packing-it-up\/#:~:text=The%20Polyfill%20service%20was%20once%20a%20useful%20tool\">the polyfill takeover<\/a>. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.<\/p>\n<p>Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt-hashed passwords.<\/p>\n<p>In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It\u2019s an open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.<\/p>\n<h2>Palo Alto Expedition<\/h2>\n<p>Researchers at <a href=\"https:\/\/www.horizon3.ai\/attack-research\/palo-alto-expedition-from-n-day-to-full-compromise\/\" target=\"_blank\" rel=\"noopener\">HORIZON3 started with a known vulnerability in Palo Alto\u2019s Expedition application<\/a>. This follows a pattern we\u2019ve seen many times before. A vulnerability is found, usually in a codebase or niche that hadn\u2019t been considered interesting to researchers. A new vulnerability is announced, and suddenly the boring code seems interesting.<\/p>\n<p>The new vulnerability was pretty straightforward \u2014 an HTTP call to a specific endpoint resets the admin password to default. The obvious next step was to look for something to do with this new admin power. 
Expedition uses cron to schedule tasks, and while there didn\u2019t seem to be a way to directly set the command, the start time wasn\u2019t sanitized, and ended up part of a string executed in bash. Yes, it\u2019s a simple command-line injection. Sometimes the simple approach just works.<\/p>\n<p>The flaws were fixed with 1.2.96. As Expedition is intended for network migration, it\u2019s not expected to be run indefinitely. Shodan lists a whopping 23 Expedition servers on the Internet. Don\u2019t be like those guys.<\/p>\n<h2>Arbitrary Write, But Read-Only Filesystem<\/h2>\n<p>[Stefan Schiller] from Sonar <a href=\"https:\/\/www.sonarsource.com\/blog\/why-code-security-matters-even-in-hardened-environments\/\" target=\"_blank\" rel=\"noopener\">had an interesting challenge<\/a>. He had found an arbitrary file upload widget in a Node.js application. This sort of write-anything-anywhere flaw is usually an instant exploit, with many options to choose from. This particular application was hardened: the filesystem was read-only. This is a great strategy for making exploitation harder. But as we see here, it\u2019s not foolproof. In Unix, everything is a file. And that means that file write vulnerabilities are useful even with a read-only FS.<\/p>\n<p>In this case, the weak point was an anonymous pipe, an inter-process communication (IPC) construction. The Linux procfs puts those pipes on the filesystem. Listening on the other end of one of those pipes was libuv, a signal handling library. One of the things this library does with these messages is to jump execution to a pointer in the message, as a callback function implementation. Build this data structure properly, and you have shellcode execution. Nifty!<\/p>\n<h2>Glitching With a Lighter<\/h2>\n<p>Memory glitching attacks are really cool. And most of the time, they\u2019re pretty difficult to pull off. Getting access often means physically attacking a chip, or using some expensive EM generator. 
[David Buchanan] wanted to know if that style of attack is possible with makeshift tools. <a href=\"https:\/\/hackaday.com\/2024\/10\/07\/the-piezoelectric-glitching-attack\/\">So, he channeled his inner MacGyver, and looked at the junk in his pockets<\/a>. A scrap of wire and a pocket lighter? Perfect!<\/p>\n<p>That lighter didn\u2019t use flint and steel, but instead a piezo-electric trigger. Solder the wire onto the memory chip of a laptop, and flick the lighter right next to it. That scrap of wire is suddenly an antenna, and the EM burst from the lighter is enough to flip a bit. It\u2019s rowhammer, with an antenna.<\/p>\n<p>And yes, using similar techniques to rowhammer, it\u2019s quite possible to use this to compromise a machine, assuming you can get some arbitrary data somewhere in memory. It\u2019s a clever bit of magic, and while not particularly useful as an attack, it\u2019s really great to see someone working with these attacks on a shoestring budget and making it work.<\/p>\n<h2>Firefox 0-day<\/h2>\n<p>It\u2019s time to update Firefox. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mozilla-fixes-firefox-zero-day-actively-exploited-in-attacks\/\" target=\"_blank\" rel=\"noopener\">Mozilla has released an emergency update<\/a>, version 131.0.2, to fix a critical use-after-free vulnerability in Animation timelines, part of the Web Animations API. Not much is known about this vulnerability, but it\u2019s being used in real-world attacks already. We know that ESET discovered the flaw, but not yet whether that discovery was from observing it in use. Regardless, the fix is now available.<\/p>\n<h2>Bits and Bytes<\/h2>\n<p>We normally think of data breaches as leaking personal information, and then brace for the inevitable targeted spam. Here\u2019s your reminder that it can be worse than that. 
AT&amp;T <a href=\"https:\/\/arstechnica.com\/tech-policy\/2024\/10\/using-inside-info-iphone-thieves-arrive-at-your-house-right-after-fedex\/\" target=\"_blank\" rel=\"noopener\">seems to have an ongoing data breach<\/a> where someone with access to shipping information for new iPhones is sending it to organized porch-pirate rings.<\/p>\n<p>And finally, Google Project Zero has <a href=\"https:\/\/googleprojectzero.blogspot.com\/2024\/10\/effective-fuzzing-dav1d-case-study.html\" target=\"_blank\" rel=\"noopener\">a new post out, from [Nick Galloway]<\/a>, chatting about OSS-Fuzz and the dav1d AV1 decoder. [Nick] expanded the fuzzing setup for dav1d, and managed to find an integer overflow while at it. And while you\u2019re here, maybe <a href=\"https:\/\/bughunters.google.com\/open-source-security\/oss-fuzz\" target=\"_blank\" rel=\"noopener\">check out the OSS-Fuzz Bounty program<\/a>, where Google offers to pay programmers for adding open-source software to the OSS-Fuzz project.<\/p>\n<p>Blog \u2013 Hackaday <a href=\"https:\/\/hackaday.com\/2024\/10\/11\/this-week-in-security-the-internet-archive-glitching-with-a-lighter-and-firefox-in-the-wild\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>The Internet Archive has been hacked. 
This is an ongoing story, but it looks like&#8230;<\/p>\n","protected":false},"author":5,"featured_media":21629,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"twitter_16139062_16139062":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":""},"categories":[176,1994,88,109,4],"tags":[2541,1462,466,2612,110,1530,5042,115,3410,4527],"class_list":["post-24479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-computers","category-crime","category-follow-up","category-hackaday","category-newsreel","tag-cyber-attack","tag-cyberattack","tag-cybersecurity","tag-firefox","tag-hackaday","tag-internet-archive","tag-it-security","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/posts\/24479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/comments?post=24479"}],"version-history":[{"count":1,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/posts\/24479\/revisions"}],"predecessor-version":[{"id":24499,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/posts\/24479\/revisions\/24499"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/media\/21629"}],"wp:attachment":[{"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/media?parent=24479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/categories?post=24479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/twiar.net\/wp-json\/wp\/v2\/tags?post=24479"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}