This Week in Security: Unicode Strikes, NPM Again, and First Steps to a PS5 Crack


Maybe we really were better off with ASCII. Back in my day, we had room for 256 characters, didn't even use 128 of them, and we took what we got. Unicode opened computers up to the languages of the world, but also opened an invisible backdoor. This is a similar technique to last week's Trojan Source story. While Trojan Source used right-to-left encoding to manipulate benign-looking code, this hack from Certitude uses Unicode characters that look like whitespace, but are recognized as valid variable names.

const { timeout,ㅤ} = req.query;
is actually:
const { timeout,\u3164} = req.query;

The extra comma might give you a hint that something is up, but unless you're very familiar with a language, you might dismiss it as a syntax quirk and move on. Using the same trick again allows the hidden malicious code to be included in a list of commands to run, making a hard-to-spot backdoor.

The second technique is to use "confusable" characters like ǃ, U+01C3. It looks like a normal exclamation mark, so you wouldn't bat an eye at if(environmentǃ=ENV_PROD){, but in this case, environmentǃ is a new variable, and the assignment evaluates to ENV_PROD, so the condition is truthy. Anything in this development-only block of code is actually always enabled; imagine the chaos that could cause.

Neither of these are ground-breaking vulnerabilities, but they are definitely techniques to be wary of. The authors suggest that a project could mitigate these Unicode tricks by simply restricting its source code to ASCII characters only. It's not a great solution, but it's a solution.
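As an added example, not part of the original column or of Certitude's write-up, the following Python script scans source text for the two classes of character discussed above: invisible code points like U+3164 and confusables like U+01C3. Any other non-ASCII character is reported too, which is exactly what the authors' ASCII-only rule would reject. The invisible and confusable sets are small hand-picked subsets (assumptions, not a complete list), and the sample input is constructed here to combine both tricks.

```python
import unicodedata

# Code points that render as blank or have no visible glyph at all. U+3164
# (HANGUL FILLER) is the one used in the Certitude example. Hand-picked
# subset, not an exhaustive list.
INVISIBLE = {
    "\u3164", "\u115f", "\u1160", "\uffa0",   # Hangul filler characters
    "\u200b", "\u200c", "\u200d", "\u2060",   # zero-width characters
    "\ufeff",                                 # zero-width no-break space
}

# Non-ASCII characters that look like a common ASCII character. U+01C3 is the
# fake exclamation mark from the article; the rest are Cyrillic homoglyphs.
# Also a hand-picked subset.
CONFUSABLES = {
    "\u01c3": "!",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x",
}


def classify(ch):
    """Return None for plain ASCII, otherwise which class of suspicious character this is."""
    if ord(ch) < 128:
        return None
    if ch in INVISIBLE:
        return "invisible"
    if ch in CONFUSABLES:
        return "confusable"
    return "non-ascii"   # anything else an ASCII-only policy would also reject


def scan_source(text):
    """Return one finding per non-ASCII character, with 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            if kind is None:
                continue
            findings.append({
                "line": lineno,
                "col": col,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "kind": kind,
                "looks_like": CONFUSABLES.get(ch),
            })
    return findings


def is_ascii_only(text):
    """The blunt mitigation the authors suggest: reject any non-ASCII character in source."""
    return all(ord(ch) < 128 for ch in text)


# Constructed sample combining both tricks from the article: a Hangul filler
# hidden in a destructuring pattern, and a fake "!" that turns a comparison
# into an assignment to a brand-new variable.
SAMPLE = (
    "const { timeout,\u3164} = req.query;\n"
    "if(environment\u01c3=ENV_PROD){\n"
    "  enableDebugEndpoints();\n"
    "}\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        hint = f" (looks like '{f['looks_like']}')" if f["looks_like"] else ""
        print(f"{f['line']}:{f['col']} {f['codepoint']} {f['name']} [{f['kind']}]{hint}")
    print("ASCII-only:", is_ascii_only(SAMPLE))
```

Run against the sample, the scanner reports the filler at line 1, column 17 and the fake exclamation mark at line 2, column 15, with the Unicode name of each so a reviewer can see at a glance that "whitespace" is really HANGUL FILLER. Pointing it at a repository as a pre-commit or CI check gives you the ASCII-only policy from the article, with the extra benefit of naming the character it objected to.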

More REvil Arrests

Apparently making yourself an enemy of the entire Western world is a good way to get arrested, as REvil members are continuing to learn. Operation GoldDust has netted seven arrests this year, the most recent in Romania. This is the same law enforcement effort that has resulted in the No More Ransom project.

Breaking the PS5

We haven't heard anything from Fail0verflow for a while, but they're back with new work targeting the PS5. They've discovered the root encryption keys for the system. This isn't quite as big a deal as it originally seemed, as the signing key would still be needed to run custom software on the device. What this should enable is decrypting the device firmware, and then looking for bugs in the bootloader and firmware, potentially leading to a PS5 jailbreak in the future. If you've been waiting for a homebrew scene for the PS5, your time may be coming.

Translation: We got all (symmetric) ps5 root keys. They can all be obtained from software - including per-console root key, if you look hard enough! https://t.co/ulbq4LOWW0

— fail0verflow (@fail0verflow) November 8, 2021

NPM Again

Last week, the coa and rc packages were briefly updated to versions containing malicious code. The timing, and nearly identical added code, indicate that it was the same individual or group behind both packages. While the malware appeared to be non-functional on some systems, it should be assumed that anywhere these malicious versions were deployed is compromised. At a combined 20 million weekly downloads for these two packages, there are sure to be many compromises, even given the short time the malicious packages were available on the 4th. NPM was serving the malicious version of coa for one hour and twelve minutes. The rc package pushed the malicious update a couple of hours later, and it's unclear exactly how long that version was available.

The malicious code was run using a preinstall script, which seems to be the usual vector for these attacks. There have been suggestions that install scripts should be disabled by default. While that would prevent these very simple attacks, it wouldn't really address the underlying problem. Supply chain attacks are a growing problem, but they seem to be especially problematic in the world of full-stack JavaScript. If the popularity of node.js and npm is to continue, we will need a better solution to this pernicious problem.
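As an added example, not code from the column or from the npm project, here is a small Python audit that walks a node_modules tree and lists every package declaring an install-time lifecycle hook (preinstall, install, postinstall), the vector described above. Knowing which of your dependencies run code at install time is the first step to deciding whether you can live with install scripts disabled. The fixture it builds is constructed here with made-up package names.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm runs automatically when a package is installed.
# The coa and rc payloads used "preinstall".
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks_from_package_json(text):
    """Return {hook: command} for every install-time hook a package.json declares."""
    data = json.loads(text)
    scripts = data.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_node_modules(root):
    """Walk a node_modules tree and list every package that declares an install-time hook.

    Returns a sorted list of (package path relative to root, {hook: command}).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                hooks = install_hooks_from_package_json(fh.read())
        except (OSError, ValueError):
            continue   # unreadable or malformed manifest: skip it, don't abort the audit
        if hooks:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings.append((rel, hooks))
    return sorted(findings)


def build_fixture():
    """Create a constructed node_modules tree in a temp dir; all package names are made up."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "example-clean": {"name": "example-clean", "version": "1.0.0",
                          "scripts": {"test": "node test.js"}},
        "example-with-hook": {"name": "example-with-hook", "version": "1.0.1",
                              "scripts": {"preinstall": "node setup.js"}},
        "@scope/example-nested": {"name": "@scope/example-nested", "version": "2.0.0",
                                  "scripts": {"postinstall": "node build.js"}},
    }
    for name, manifest in manifests.items():
        pkg_dir = os.path.join(root, *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for rel, hooks in audit_node_modules(build_fixture()):
        for hook, cmd in hooks.items():
            print(f"{rel}: {hook} -> {cmd}")
```

Point audit_node_modules at a real project's node_modules to get the list of packages that would run code on install. If that list is short, the "disable install scripts" option the column mentions is already available in npm today: npm ci --ignore-scripts for a single install, or npm config set ignore-scripts true to make it the default, after which you run the few legitimate build steps yourself.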

Palo Alto and Disclosure

Researchers at Randori have found a pair of vulnerabilities in Palo Alto firewalls, which chained together can result in full device compromise without any prior authorization required. The attack is an HTTP-request-smuggling vulnerability that leads to a buffer overflow. The overflow is normally not exploitable, but the request smuggling allows an attacker to reach the vulnerable code. The flaws were fixed in version 8.1.17, and versions 9.0+ were never vulnerable. An in-depth analysis is due in December, but there's another interesting angle to this story. Randori's researchers discovered the bugs in November 2020, and didn't disclose them until September 2021, almost a year later.

What did they do during that time? Apparently they used this and other 0-day vulnerabilities to perform red-team penetration tests for their clients. The reasoning seems to be that a real attack is likely to use 0-days, and to truly test a company's defense-in-depth, unknown attacks have to be part of the equation. What do you think? Good idea or unethical?
