Matthew Bryan

A CyberArk researcher, Ido Hoorvitch, identified that many urban areas have unsafe and weak WiFi passwords that can be easily cracked. Hoorvitch collected 5,000 Wifi hashes around his neighborhood using network sniffing equipment. These were run through CyberArk’s “monster” password cracking rig which used an exploit found in PMKID hashes.

Hoorvitch noted that many people use cell phone numbers as their WiFi password. This allowed him to crack numerous hashes, obtain passwords, and then access their networks. In the cases where a phone number was used, it took approximately nine minutes for each crack. If routers do not support roaming modes, then they are not susceptible to this attack. It is recommended that complex passwords should be used with secure encryption protocols. WAP/WAP1 should be disabled.

Author: Matias Madou
Published: October 20, 2021
Link

I thought this was timely given this week’s topic. OWASP recently refreshed their list of web application vulnerabilities which saw Code Injection Vulnerabilities being replaced by Broken Access Control as #1.

The article notes that this shifting in order was not due to “solving” Code Injection Vulnerabilities, but rather it illustrates how widespread Broken Access Control is in the field.  Broken Access Control “encompasses a wide range of coding flaws” that could “enable attackers to modify a URL, internal application state, or part of an HTML page.”  The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.

The updated OWASP list also debuted new categories on the list, including Insecure Design, Software & Data Integrity Failure, and Server-Side Request Forgery.

 

Author: Matias Madou

Published: October 20, 2021

Link

I thought this was a pretty funny, although risky prank, that took advantage of a zero day vulnerability in Exterity’s IPTV system.  Minh Duong, a former student at Township High School District 214, identified this vulnerability and was able to take control of every TV within the district.  This allowed him to pull off the “Big Rick” which played Rick Astley’s classic “Never Gonna Give You Up” on every IPTV across the district.

The Exterity IPTV system runs networked Projectors and TVs across the Township School District.  The TV players can receive serial commands via a web interface and an SSH server which allows for centralized control. Duong noticed this set-up earlier on in highschool and was able to exploit the vulnerability, but didn’t do much with it initially.  He later got the idea for the “Big Rick” as a senior prank.

Duong was very clear that he was lucky that the administration didn’t pursue criminal charges against him for unauthorized access.  He notes in the article that people should  “never access other systems in an unauthorized manner without permission.”  The vulnerability has been reported to the manufacturer, although it’s unclear if this has been fixed.

 

Author: Becky Bracken

Published: October 14, 2021

Link: https://threatpost.com/rickroll-exterity-iptv-bug/175491/

I thought this was interesting and relevant to our recent discussions about social engineering. Apple Air Tags are used to locate frequently lost devices. Finders of a tag can scan the device on their iPhone to reveal information about the tag’s owner if it’s in “lost mode.”  During the scan, the finder’s iPhone displays a custom web page with the owner’s phone number.

The Air Tag “Good Samaritan Attack” exploits a flaw in this process which does not sanitize the input to the phone number field.  This allows the bad actor to input anything they’d like into the field, e.g. a redirect to an iCloud phishing page.  The deployment is similar to USB baiting attacks where USB devices are dropped outside the target location.  The Good Samaritan picks up the device, scans the tag, and is redirected to the attack page. This is concerning as users are not as diligent with checking sites on mobile devices and it may not be clear that they are being redirected to a malicious site.

The researcher who found the bug, Bobby Rauch, reported that Apple was not responsive to his attempts to disclose the issue.  This has been a trend among security researchers that report issues to Apple.  Rauch stated that they never answered his questions about the bug bounty program and did not follow-up with their remediation plan.  Apple did ask that Rauch avoid publicizing his findings; however, he did not comply with this request, due to their lack of communication.

 

Article: Apple AirTag Bug Enables ‘Good Samaritan’ Attack

Author: Brian Krebs

Published: September 28, 2021

Link

 

Researchers discovered a flaw in Apple’s MacOS Finder which allows for arbitrary command execution on Mac devices.  This was previously thought to be remediated, notably without a CVE number, but a workaround was found. The exploit occurs when an INETLOC file is opened which contains the File:// prefix.  These files are bookmarks that can be used to open online resources such as: (news://, ftp://, afp://) or local files (file://).

Apple’s previous patch only blocked the all lowercase file:// prefix.  Different cases, e.g. File://, fiLe://, can bypass the check added by the prior patch.  The vulnerability can be exploited via email  by including an INETLOC file as an attachment. This is particularly concerning as commands embedded by an attacker can be executed without prompting the user. Exploit proof of concepts went undetected by antimalware programs.

 

Article: New macOS zero-day bug lets attackers run commands remotely

Author: Sergiu Gatlan

Published: September 21, 2021 

Site: bleepingcomputer.com

Link: https://www.bleepingcomputer.com/news/apple/new-macos-zero-day-bug-lets-attackers-run-commands-remotely/