In the second to last episode for 2019, we look at security updates for
Samba, Squid, Git, HAProxy and more, plus Alex and Joe discuss Evil Corp
hacker indictments, unsecured AWS S3 buckets and more.
Show Notes
Overview
Failed to treat malformed headers as invalid - HTTP/2 allows headers to be
encoded as binary, and these can then contain characters which would be
invalid when converted to HTTP/1.1 - as such these should be treated as
invalid, otherwise invalid headers get sent on to HTTP/1.1 servers and
could be used to launch attacks against them - so the fix is to test for
and reject invalid chars (CR, LF and NUL)
2 issues in URN handling (uniform resource name, a globally unique
identifier within a particular namespace - e.g. urn:ietf:rfc:2648):
When handling URN requests Squid makes a corresponding HTTP request, but
the various access control checks that are normally done for HTTP
weren’t done, so Squid could end up accessing restricted HTTP resources
(such as servers that listen on localhost etc)
Heap buffer overflow if the response received from a server that is
handling a URN request does not fit within the buffer
Failure to NUL terminate strings - buffer over-read -> crash in the
cachemgr cgi process - DoS to all clients using the cachemgr
Able to redirect traffic to origins that should be disallowed, due to use
of the append_domain setting
Nonces used for HTTP digest authentication were generated from the raw
byte value of a pointer to a heap memory allocation - this allows
attackers to deduce this pointer value and therefore helps defeat ASLR
Integer overflow if a client sent a frame of size close to UINT32_MAX -
the resulting size that is calculated could overflow, and memory is then
allocated with this overflowed (and hence small) size, resulting in a heap
buffer overflow when the frame is copied into that buffer - so instead
just reject frames greater than INT32_MAX
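As an added illustration of the two HTTP/2 issues noted above (example code, not HAProxy's own): a header-value check that rejects CR, LF and NUL before the value is re-emitted as HTTP/1.1 text, and the frame-size calculation in its wrapping form beside the hardened form that rejects lengths above INT32_MAX. FRAME_OVERHEAD and the function names are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HTTP/2 (HPACK) carries header values as raw bytes, so a value may hold
 * bytes that would break the line-based framing of an HTTP/1.1 request.
 * Returns true only when the value is safe to forward as HTTP/1.1. */
bool h2_header_value_ok(const uint8_t *val, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        /* CR and LF would end or split the header line; NUL would
         * truncate it in any C-string based code further downstream. */
        if (val[i] == '\r' || val[i] == '\n' || val[i] == '\0')
            return false;
    }
    return true;
}

/* Bytes of per-frame bookkeeping added on top of the payload; a
 * constructed value, the exact amount does not matter for the wrap. */
#define FRAME_OVERHEAD 9u

/* Vulnerable form: the sum is computed in 32 bits, so a payload length
 * close to UINT32_MAX wraps to a tiny allocation, and the later copy of
 * the full frame overruns that heap buffer. */
uint32_t frame_alloc_size_vulnerable(uint32_t frame_len)
{
    return frame_len + FRAME_OVERHEAD;   /* wraps silently */
}

/* Hardened form: reject anything above INT32_MAX up front, as the fix
 * does, so the addition can never wrap. Returns 0 for a rejected frame. */
uint32_t frame_alloc_size_fixed(uint32_t frame_len)
{
    if (frame_len > (uint32_t)INT32_MAX)
        return 0;
    return frame_len + FRAME_OVERHEAD;
}

int main(void)
{
    const uint8_t bad[] = "text/html\r\nX-Injected: 1";   /* constructed */
    printf("header ok: %d\n", h2_header_value_ok(bad, sizeof bad - 1));
    printf("vulnerable size: %u\n", frame_alloc_size_vulnerable(UINT32_MAX - 2));
    printf("fixed size: %u\n", frame_alloc_size_fixed(UINT32_MAX - 2));
    return 0;
}
```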
Kerberos delegation can be configured as non-forwardable - but this would
not be honoured properly by the Samba AD DC - so could allow delegation
to be forwarded by clients even when it was disabled by config
Able to read invalid memory, and so crash the AD DC, if a DNS record was
created that matched the name of a DNS zone, due to type confusion
eglibc was used as the standard libc in older Ubuntu releases like
Trusty/Precise etc - posix_memalign integer overflow - posix_memalign
allocates memory of a given size aligned to a certain boundary - could
return a smaller area than requested -> heap overflow as a result
libssh’s ssh_scp_new() function takes a 3rd argument - if this could be
attacker-influenced then one could possibly inject arbitrary commands
which will then be run on the server - so this requires the API to be
used in a particular way - but could then allow users to execute commands
on the server even if they should only have been able to copy files
RCE if clone a malicious repo with a crafted .gitmodules file (used to
specify git submodules for the parent repo)
Mishandling of CLI arguments during cloning of repos via SSH URLs allowed
possible RCE
Arbitrary path overwrite during a fast-import due to incorrect handling
of the export-marks option
WSL relevant issues:
On Windows, would write out filenames that contained backslashes even
though these then act as directory separators on Windows
Wouldn’t enforce NTFS protections in the working directory
Didn’t take into account NTFS Alternate Data Streams (a file attribute
specific to NTFS, allowing data for a file to be stored alongside the
actual file itself), allowing files inside the .git dir to be overwritten
during clone
Second attack via NTFS ADS, via name squatting on the git~2 short-name
Didn’t handle Windows virtual drives, which can be named not just as say
A: but with a full name - git would handle these as relative paths,
allowing writing outside the worktree during a clone
Possible buffer overflow when handling PHB headers - confusion upstream
about which commit fixes which part, but we have included all the various
commits from upstream - thanks Steve for taking the time to dig into this
issue
Goings on in Ubuntu Security Community
Alex and Joe discuss Evil Corp hackers and unsecured S3 buckets [11:06]