![this-week-in-security:-three-billion-ss-numbers,-ipv6-rce,-and-ring-2-[hackaday]](https://i0.wp.com/upmytech.com/wp-content/uploads/2024/08/205022-this-week-in-security-three-billion-ss-numbers-ipv6-rce-and-ring-2-hackaday.jpg?resize=800%2C445&ssl=1)
This Week in Security: Three Billion SS Numbers, IPv6 RCE, and Ring -2 [Hackaday]
You may have heard about a very large data breach, exposing the Social Security numbers of three billion individuals. Now hang on. Social Security numbers are a particularly American data point, and last time we checked there were quite a few Americans shy of even a half of a billion’s worth. As [Troy Hunt] points out, there are several things about this story that seem just a bit odd.
First up, the claim is that this is data grabbed from National Public Data, and there’s even a vague notice on their website about it. NPD is a legitimate business, grabbing data on as many people as possible, and providing services like background checks and credit checks. It’s not impossible that this company has records on virtually every citizen of the US, UK, and Canada. And while that’s far less than 2.9 billion people, it could feasibly add up to 2.9 billion records as was originally claimed.
The story gets strange as we consider the bits of data that have been released publicly, like a pair of files shared with [Troy] that have names, birthdays, addresses, phone numbers, and social security numbers. Those had a total of 2.69 billion records, with an average of 3 records for each ID number. That math is still just a little weird, since the US has to date only generated 450 million SSNs and change.
So far all we have are partial datasets, and claims on the Internet. The story is that there’s a grand total of 4 TB of data once uncompressed. The rest of the details are unclear, and it’s likely to take some time for the rest of the story to come out.
Windows IPv6 RCE
Microsoft has patched a Remote Code Execution (RCE) in Windows 10, 11, and server systems. By all accounts, it’s a nasty one, but there’s a redeeming wrinkle to the story, that may also be bad news. It’s an IPv6 vulnerability. The actual details are scarce, for obvious reasons. By next week, I anticipate someone will have reverse engineered the patch enough to have some details on the flaw.
What we do know is that Microsoft scores this a 9.8 out of 10 for severity, and considers it a low complexity attack that is likely to be used in the wild. Trend Micro considers it a wormable flaw. The built-in Windows firewall doesn’t block it, because the vulnerability triggers before processing by the firewall. This leads to a theory that it’s another problem related to defragmenting incoming IPv6 packets, or a similar process.
The good news is that it requires actual IPv6 connectivity, which at least in my corner of the world is a rather rare thing. It’s hard to know definitively without more details, but it’s at least likely that a proper stateful firewall would block these unsolicited IPv6 packets from the wider Internet. There’s still a lot of room for trouble inside the network — where you probably have working IPv6 connectivity even without routable IPv6 from your ISP. In conclusion, get this one patched ASAP.
Considering its harm, I will not disclose more details in the short term.
— wei (@XiaoWei___) August 14, 2024
Don’t Roll Your Own Crypto!
There’s a rallying cry, aimed at anyone responsible for build secure systems: “Don’t roll your own crypto!” But why? Surely a secret algorithm that only you understand is more secure, right? No. Particularly not when tools like Ghidra that put firmware reverse engineering within grasp of every security researcher. Case in point, the Vstarcam CB73 security camera that [Brown Fine Security] took a look at.
The first clue that somethign was wrong was that packets were being repeated, byte-for-byte identically. As [Brown] points out, a good cryptography scheme has some sort of protection against replay attacks. This one had none at all. Another issue with this homebrew crypto scheme is that it only has 256 possible internal states, and once you know the trick the whole thing is trivially decryptable, no key required. This is why you don’t roll your own crypto.
Old School CSS Trick
This write-up from Adepts of 0xCC is a trip down memory lane, to a time when browsers let websites get away with way more, like detecting whether links had been visited by detecting the style that the browser used to display them. Browsers eventually locked down those sorts of tricks, but what’s old is new again, with just a bit of cleverness. In this case, generate a captcha, and set the page’s CSS to make the visited links blend in with the background. The user completes the captcha, and based on which characters were typed, you have some basic history information. Clever!
Ring -2
The classic x86 architecture has a four ring system, where userspace applications run in Ring 3 and the kernel runs in Ring 0. But the sneaky truth is that our X86 processors are actually emulating the x86 instruction set, Rings 1 and 2 are never used, and there’s a CPU management engine running all the way down at Ring -3. This suggests to the security minded, that it would be particularly bad for something malicious to run at one of those hidden ring levels. And that’s exactly what [jjensn] managed to pull off.
In this case it’s in the motherboard firmware, in the System Management Engine. A bit of vulnerable code in a couple places allows writing data into protected SMRAM memory, into Ring -2. A bit of clever work corrupts the SMRAM just enough to jump into shellcode without crashing the machine. And suddenly an attacker can own a machine on a level two layers below the OS.
Bits and Bytes
Careful with your artifacts. Apparently quite a few Github CI scripts take the easy wqy out, and just zip up the entire work directory as an artifact. That’s not great, as generally artifacts are accessible to anyone with a GitHub account, and the .git folder very likely has a Github token in it.
Speaking of GitHub, another Chrome type confusion vulnerability was written up there in detail. As objects in JavaScript are manipulated, the engine is continually updating the underlying data structures. Cloning objects can be particularly tricky, and changing the properties of an object after a shallow copy can result in memory corruption. Memory corruption, fake objects, and finally code execution outside the JavaScript sandbox.
In Windows, the mark of the Web is rather important for security, warning users when they’re about to access or execute something from the Internet. It’s also been broken in many interesting ways over the years. Most recently, Web-based Distruted Authoring and Versioning (WEBDAV) shares are used, as they can be accessed by either the browser, or the Windows File Explorer. The most recent fix here adds Mark of the Web to files copied from WEBDAV shares using Explorer. Sneaky.