If you had the bad luck running a Microsoft Exchange server last week, you don’t need me to tell you about the Y2K22 issue. To catch up with the rest of us, when Exchange tried to download the first malware definitions update of 2022, the version number of the new definitions triggered a crash in the malware detection engine. The date is represented by the string
2201010001, where the first two digits represent the year. This string is converted to a signed long integer, which peaks at
2,147,483,647. The entire overflows and the result is undefined behavior, causing the engine to crash. The server fails safely, processing no messages without a functioning malware engine, which means no email goes through. Good year!
Android 911 denial of service
Calling 911 for emergency services is about the worst time for a software bug to show up. Google just fixed such a bug in the January Android update. This is one of those weird unintentional app interactions – in this case, Microsoft Teams triggers the Android bug. If the Teams app is installed, but no account is signed in, Teams creates and saves a new
PhoneAccount object at each launch. It seems to be rare, but Teams on Android has also been known to log the user out spontaneously. When you dial 911, Android performs a routine to determine which
PhoneAccount should be used to route the call and resolve links by comparing hashes. This comparison is just a naive subtraction, which means that there is a 50% chance of getting a negative result. This was not planned, which led to the accident.
Garage Door Reverse Engineering
Reverse engineering a 30-year-old wireless authorization system might not be the most interesting feat, but sometimes the journey is its own reward. [Maxwell Dulin] brings us history, and this trip is certainly worth it. The fundamentals of this hack are definitely still viable, starting with the hardware. The garage door is synchronized with the garage door opener by holding a push button on the receiver while sending a code. Inside the opener there are nine DIP switches, each with three positions. What are they doing? He pulled out his trusty SDR to grab the traffic and try to decode the signals. Inspectrum and GNU Radio were the heroes here, giving an overview of this simple authentication scheme. The conclusion on this real garage door? You can brutally force an unknown code by sending all possible combos, and it only takes 104 minutes.
If you are a system administrator, you know that there are problems that require immediate action. If you were running Java servers, the Log4J vulnerability was a stress test of your response protocol. The delay between public disclosure and when you heard about it may have been enough to spark a disaster. While there are several bug reporting services and frameworks out there, nothing really fits this niche use case: letting you know ASAP that your hair may really be on fire. This unoccupied doghouse has bugged [Matthew Sullivan], which announced a new project, Bug Alert. Everything is open source, so you can host your own instance if you really want to. You can choose to receive a tweet, a text or even a phone call. This has the potential to be a useful tool, check it out!
I feel like I have to get Bug Alert to trigger a certain Weird Al song…
The SSRF Zombie[David Schütz] was looking for obscure Google APIs and found out
jobs.googleapis.com, which you can demonstrate yourself. This demo is interesting because it is not a fully fleshed out service, but speaks to the real back end. The requests go through a proxy,
cxl-services.appspot.com, which manages the authentication step for the demo page. If it could trigger a server-side request forgery (SSRF), it might be able to access authenticated requests and possibly trick the proxy into sending traffic on its behalf. URL parsing is difficult. The trick that worked? A backslash in the url.
GET /proxy?url=https://[email protected]/ HTTP/1.1
With an access token in hand, [David] began to carefully explore other Google APIs to see what this token gave him access to. It gives the warning that we have already talked about, be careful how far you push. He could have reported the bug right away, but wanted to confirm that he actually did have a live access token. After confirming that the token worked for read access, he returned the result and got a very nice $ 3,133.70, plus an extra $ 1,000 for a good report and careful consideration of lateral movement. . That’s all there is to it, right? No. Just before the 90 day deadline for disclosure expires, [David] discovered a workaround fix. Adding any text between the backslash and @ was enough to break it. Another $ 3,133.70. Just for fun, he probed the old URLs, which shouldn’t be up and running after the patch. Yes, he found another security token and got $ 3,133.70. This SSRF Zombie is still not dead, as evidenced by Twitter:
– David Schütz (@xdavidhu) January 2, 2022
If you haven’t configured your WordPress instance to update automatically, it’s time to check for the latest version. There are four potentially dangerous issues here, although details are scarce at this point. First, there is a cross-site scripting vulnerability in post slugs, the part of the URL that corresponds to the name of the post. The second problem mentioned is the injection of objects in some multi-site configurations. The last two vulnerabilities are SQL injections, worthy of “What year is it?” even.