This week in security: Malwarebytes Goes Nuts, Uber

I got a rude awakening on a Wednesday morning this week. HaD writers don’t necessarily maintain normal business hours – don’t judge. A local customer called, complained that Google Maps was blocking one of their computers, and the browser stated that it was a malicious site. Well this caught my attention the standard incident response: “Turn off affected computers, I’m on my way.” It turns out that it was Malwarebytes that was complaining and blocking Google Maps, as well as many other Google domains. This particular device happened to have a fresh installation of the software, and it was still in the trial period of Malwarebytes premium, which includes IP and malicious domain blocking.

Oops, this could be bad. The first possibility that came to mind was DNS hijacking. The desktop DNS is set to the router, and the router’s DNS is set to the ISP’s. Maybe your ISP’s DNS servers have been hacked? The cell phone, not connected to WiFi, went out to look up DNS on some Google domain. Since Google operates on such a massive scale, it has multiple IP addresses serving each domain, but since the two different results were coming from the same subnet, the suspicious DNS server is probably fine. a whois On the blocked IP also confirmed that it is an address owned by Google. Explanations were running out, and as one fictional investigator is known for saying, “All that remains, however improbable, must be the truth.” and yes, Malwarebytes has already accidentally added Google to its bad list. The upside was that my client was not hacked. What is the downside? I had to answer a phone call before my first cup of coffee. eloquent.


In this week’s p0wnage news, Uber is in danger Through the employee’s VPN account. Uber uses two-factor authentication for these accounts, and the attacker used an “MFA stress” attack to defeat him. Basically, I send repeated 2FA requests, hope the user gets tired of them and confirms that. Alternatively, call them after a few tries, claiming to be from the IT company, and ask them to accept the claim, or re-read the number. This is the attacker [Tea Pot]somehow belonging to Lapsus $.

The VPN got TP access to the company’s intranet, and some sniffed found an accessible post with Powershell scripts on it. And in those scripts were some administrator credentials encrypted with Uber’s Thycotic account – the service that runs all of their authentication. In short, they were the keys to the kingdom. “Using this I was able to extract the secrets for all services, DA, DUO, Onelogin, AWS, Gsuite.”

Uber issued a statement Which basically states that there is no evidence of code tampering or access to user data. As much as TP has managed to hack Uber’s systems, this seems somewhat surprising, despite the welcome news. Of course, more serious manipulation may eventually be revealed.

Highest weaknesses in the rack

I’m not sure if the PDU is considered IoT, but the S still seems to be security. iBoot PDU encountered some serious issues. The first was a page on the web interface, apparently abandoned by the manufacturer, and did not include an authentication code. It is very usual, when writing a web interface in PHP, to have the auth token in one file, and just include that from every page that needs to be protected. Code git-update.php The endpoint is missing which includes. That shouldn’t be a problem, it’s statically coded to download updates from manufacturer GitHub repositories, and used an access token that is no longer supported by GitHub. Dead code, no need to worry.

Yes, it was weak. This endpoint takes two arguments as HTTP POST parameters, branchAnd the token. Neither is purged at all, so the branch parameter can use a traversal to point to a completely different GitHub account, and the token parameter can be set to &, which basically means it was emptied in the request sent to GitHub. Ask for one authentication, and the device politely downloads the Webshell for you.

Ah, but we are not fools. Never expose this kind of thing to the unfiltered internet. They have cloud access functionality for that. To connect, you authenticate, then send the deviceID parameter in the URL request. But these hardware identifiers are concatenated, and any valid authentication cookie works to connect to any device. So if you can connect to one PDU, you can connect to all of them. And since accessing the cloud is a simple reverse proxy, the update page can be abused as described above. Ouch! Issues are fixed, and if you have a Dataprobe PDU, go check out the updated firmware! And maybe disconnect it from the internet completely, and make it available for VPN only. A big thank you to Team82 at Claruti for finding it and reporting it especially.

Escalation of the Seagate franchise

in beautiful writing, [x86matthew] Participates in a very simple exploit using Seagate Media Sync, to add an arbitrary service to a Windows device. Media Sync uses the UI and Service model, where the service runs as a system to do the heavy lifting, and the UI application runs as a logged-in user. A little snooping and debugging finds that the format used for interprocess communication (IPC) is a simple named pipe. This pipe supports quite a few commands, but the most interesting one calls a function in the service, MXOSRVSetRegKey.

As one might expect, it sets the registry key to a value, and creates the key if it is absent. In this particular case, there are no checks on where this key is generated, so anyone who can talk to the pipe can generate a key in HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices. And if you can create a random service on a Windows machine, you own the device.

OpenRazer Escalation – Approx.

And because Linux exploits also deserve our love, The OpenRazer project encountered a similar exploit issue that was fixed recently. For those of us who aren’t in the know, we Linux experts love ultra-highlighted, LED-lit keyboards just as much as Windows users, but unfortunately Razer only publishes Windows drivers and tools. To fill the void, projects like OpenRazer have brought back the Razer LED control and other functionality for Linux. Part of the OpenRazer project is an out-of-the-tree Linux kernel, which allows some of the hard-to-use USB communication modules to talk to on-device controllers. It’s kind of a hack, and the code quality doesn’t quite live up to the mainline kernel, as evidenced by the classic buffer bypass discovered by Cyberark. It should have been a straightforward path to exploit, but starting with kernel 5.18, source fortress The feature is enabled to prevent memcpy() Jobs from redundant fields in the structure. So in a fresh enough kernel, with this protection turned on, you just get a crash instead of an exploit. salary!

super tips

One of the tasks in performing the red team test is to search for user accounts. The problem you could run into is that brute coercion of potential usernames leaves registry entries, and this can land you. [Lars Karlslund] LDAP Ping requests caught, and the connection was immediately made to enumerate the user. This was originally intended to easily test domain controllers for their accessibility, as well as for certain capabilities or configurations. One of the test specifications you choose is your username. [Lars]new tool, ldapnomnom, this facility is used to query 10,000 usernames per second. Find all users!