This Week In Security: Sudo, Database Breaches, And Ransomware

Obligatory XKCD

Sudo is super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

In response to this command, my machine throws this error, meaning it’s vulnerable:

malloc(): corrupted top size
Aborted (core dumped)

To understand the problem with sudo, we have to understand escape characters. It really boils down to spaces in file and folder names, and how to deal with them. You want to name your folder “My Stuff”? That’s fine, but how do you interact with that directory name on the command line, when spaces are the default delimiter between arguments? One option is to wrap it in quotation marks, but that gets old in a hurry. The Unix solution is to use the backslash character as an escape character. Hence you can refer to your fancy folder as My\ Stuff. The shell sees the escape character, and knows to interpret the space as part of the folder name, rather than an argument separator. Escape characters are a common vulnerability location, as there are plenty of edge cases.

Sudo is no exception. The edge case here is a second bug. The sudoedit command launches sudo in editor mode, and is intended to be equivalent to sudo -e. In fact on many systems, sudoedit is a symlink to sudo. The problem is in the command-line parsing code. If you try to invoke sudo with both the -e and -s flags, it treats the command as invalid, and helpfully prints the usage notes. However, when sudoedit is used to launch the editor mode, the -s flag can also be specified, putting sudo into an unintended state, with undefined behavior. After looking over the vulnerability, I’m convinced that this is the more serious of the two bugs. There are likely quite a few other vulnerabilities that could be found as a result of being able to put sudo in two modes of operation at once.

The other problem is how sudo handles an escape character with no following character to escape. The code hops over the null string termination, and keeps copying characters. In a normal usage mode, this code is impossible to execute in this strange way, but because of the odd dual-mode state, this bug can be exploited.

Updated versions of sudo have shipped in the major distros, so make sure you update! Thankfully, while there is a proof-of-concept one-liner that will crash sudo, no actual exploit code has been published. There will likely be full exploit POCs available soon, though.

Load a Webpage, Get iPwned

Apple has published an advisory about what appears to be an attack chain found in the wild against the iOS platform. The chain is a trio of CVEs, two in webkit and one in the kernel. This is likely the work of yet another state-sponsored actor, who put the attack chain together to gather information on a specific group of people. The two webkit CVEs are probably an initial RCE and a sandbox escape. The kernel vuln is then used to elevate to system privileges and run the spyware. It’s typical to see these malware packages run in memory only, and not make any permanent modifications to the device’s OS. If the rest of the story gets released, we can come back and check my guesses for accuracy.

Brazill Leaks Entire Taxpayer Database

It may not be the biggest database leak for raw size, but this must set a per capita record. One of Brazil’s government agencies seems to have let their database escape (in Portuguese), as a whopping 220 million records of CPF number, full name, and date of birth are floating around the shadier side of the internet. This is probably the identifying information of every Brazilian citizen alive, and even some who are no longer with us, because their official population is only 213 million. While the immediate uses for targeted phishing and fraud is obvious, it will be interesting to see what the long term effects are of publishing the equivalent of everyone’s social security number.

And not to be outdone, the dating site MeetMindful has leaked their entire user database as well. If there is any silver lining for the site’s users, it is that no private messages or pictures were part of the leak.

Dovecat. Wait What?

Recently both a Synology user, and a QNAP user discovered a dovecat process pegging their device processors at 100%. What is this strange process, clumsily trying to look like an innocent mail daemon?

Thankfully [Matthew Ruffel] has already done an analysis on this malware. Dovecat is nothing more than the open source XMRig crypto miner, with some hard coded configuration. It’s very possible that any system that has a dovecat process also has the “hy4” malware on it. What might be the most fascinating about this little crypto-mining malware campaign is that it seems to be targeting NAS devices. Alternatively, it may be simply targeting SSH servers with weak passwords.

NetWalker Takedown

The image to the right caught my attention, as there have just been a handful of successful TOR page takedowns like this. The NetWalker infrastructure has been seized, along with over $450,000 in cryptocurrency. A Canadian citizen has been arrested as part of the operation.

Krebs has more details on this story. NetWalker is a ransomware system, and has been called “ransomware-as-a-service”. It remains to be seen if the head of this particular snake has been cut off, or if instead it’s a hydra, and will pop right back up.

Odds’n’ends

VLC has released version 3.0.12. Most of the changelog is normal bug fixes, with support for Apple designed processors being the stand-out new feature, do note that this release also fixed “some security issues”. What issues might those be? While we don’t have the details spelled out, the security bulletin points out a pair of buffer overflows and some invalid pointers being dereferenced. Put clearly, these bugs could probably be used to build an exploit that triggers as a result of viewing a video.

The IObit forums were breached recently, and the user database is being used to spread ransomware. To make the whole scheme seem even more legitimate, the attacker hosted the malicious installer on the compromised site. Here’s where the story takes a humorous turn. The ransom process is also a crypto-currency ponzi scheme! You send us 200 DERO coins to decrypt your files, and once DERO hits $100 a coin, we’ll send you back $500 worth of the coin. It’s a 5X return on your investment!

Drupal just released an update that fixes a potentially severe vulnerability. The Archive_Tar library is used in Drupal core, and contained a directory traversal vulnerability, CVE-2020-36193. This usually means that even if an archive is unzipped in a safe directory, it can overwrite important files elsewhere on the server. Regardless, Drupal considers this a critical issue, and recommends updating right away.