A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.
Plus a great batch of your feedback, a rocking round up & much much more!
— Show Notes: —
wget vulnerability exposes more flaws in commonly used tools
- wget is a command-line download client from the GNU project, commonly found on Linux and Unix servers and also available for Windows
- It was originally designed for mirroring websites: it has a ‘recursive’ mode that downloads an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
- It is this mode that is the subject of the vulnerability
- Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
- A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to list the same name twice, first as a symbolic link and then as a directory. This is not possible on a real FTP server, since the file system cannot have two objects with the same name
- This vulnerability allows the operator of the malicious FTP site you are downloading from to cause wget to create arbitrary files, directories and symlinks on your system
- The creation of new symlinks allows files to be overwritten
- An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
- So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
- “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
- Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most of the time it is merely used as an HTTP client to download a file from a URL
- Redhat Bug Tracker
- Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
- HD Moore Tweets
- HD Moore Blog Post
- Metasploit Module
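An added example (not wget's code) of the consistency checks a cautious mirroring client could apply to an FTP LIST response before creating anything on disk: a name listed twice with conflicting types, as in CVE-2014-4877, and symlinks whose target leaves the mirror root. The listing and the /srv/mirror root are constructed.

```python
import posixpath
from collections import Counter

# Constructed FTP LIST response in the common "ls -l" style. The name
# "share" appears twice, first as a symlink and then as a directory; a real
# filesystem cannot do this, and it is the inconsistency CVE-2014-4877 abused.
SAMPLE_LISTING = """\
drwxr-xr-x 2 ftp ftp 4096 Oct 28 2014 docs
lrwxrwxrwx 1 ftp ftp   12 Oct 28 2014 share -> /home/user
drwxr-xr-x 2 ftp ftp 4096 Oct 28 2014 share
lrwxrwxrwx 1 ftp ftp   14 Oct 28 2014 notes -> docs/notes.txt
-rw-r--r-- 1 ftp ftp  123 Oct 28 2014 README
"""

def parse_list_line(line):
    """Return (kind, name, link_target) for one LIST line, or None if unparseable."""
    parts = line.split(None, 8)
    if len(parts) < 9:
        return None
    kind = {"d": "dir", "l": "symlink"}.get(parts[0][0], "file")
    name, target = parts[8], None
    if kind == "symlink" and " -> " in name:
        name, target = name.split(" -> ", 1)
    return kind, name, target

def audit_listing(listing, mirror_root="/srv/mirror"):
    """Return the problems a cautious mirroring client should refuse to act on:
    names listed more than once (with conflicting types) and symlinks whose
    target resolves outside the mirror root."""
    entries = [e for e in map(parse_list_line, listing.splitlines()) if e]
    problems = []
    for name, count in Counter(n for _, n, _ in entries).items():
        if count > 1:
            kinds = sorted({k for k, n, _ in entries if n == name})
            problems.append(f"duplicate entry {name!r} listed as {'/'.join(kinds)}")
    for kind, name, target in entries:
        if kind != "symlink":
            continue
        # An absolute target replaces the root in join(); '..' is collapsed by
        # normpath; either way the result must still sit under mirror_root.
        resolved = posixpath.normpath(posixpath.join(mirror_root, target or ""))
        if not resolved.startswith(mirror_root.rstrip("/") + "/"):
            problems.append(f"symlink {name!r} -> {target!r} escapes {mirror_root}")
    return problems
```

Setting retr-symlinks=on, as the advisory suggests, sidesteps the issue by retrieving link targets as files instead of creating links at all.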
Drupal flaw from 2 weeks ago: if you have not patched, assume your site is compromised
- Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
- It turns out to be vulnerable itself: a specially crafted request results in the execution of arbitrary SQL commands
- “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
- All users running Drupal core 7.x versions prior to 7.32 need to upgrade
- Drupal Security Advisory
- One-line patch — it seems the code assumed $data would always be a simple (integer-keyed) array; if it was an associative array (named keys instead of integers) this had unintended effects
- Additional Coverage: Threat Post
- It was announced today that a widespread automated attack has been detected against unpatched Drupal instances
- Because of the nature of the vulnerability, a valid user account is not required to exploit it, and no traces are left behind when a site is compromised
- “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
- Drupal Public Service Announcement
- Additional Coverage: Threat Post
- It is entirely possible that attackers dumped the contents of Drupal databases, so it is probably best to reset all passwords
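An added illustration (in Python, not Drupal's own PHP) of the placeholder expansion the one-line patch touches: the pre-7.32 logic pasted the array's own keys into the SQL string when expanding an array-valued placeholder, and the fix enumerates the values instead (the array_values() change), so a named key can no longer reach the query text. The query and argument arrays are constructed.

```python
import re

def _expand(query, args, renumber):
    """Expand each array-valued placeholder ':name' into ':name_<i>, ...' and
    return the rewritten query plus the flattened argument map.
    renumber=False pastes the array's own keys into the SQL (pre-7.32 logic);
    renumber=True discards them and uses 0..n-1 (the array_values() fix)."""
    out = dict(args)
    for key, data in args.items():
        if not isinstance(data, (list, dict)):
            continue
        items = list(enumerate(data)) if isinstance(data, list) else list(data.items())
        if renumber:
            items = list(enumerate(value for _, value in items))
        new_keys = {f"{key}_{i}": value for i, value in items}
        # The placeholder name is rewritten with a regex; this is exactly where a
        # key containing spaces or punctuation becomes part of the SQL text.
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del out[key]
        out.update(new_keys)
    return query, out

def expand_arguments_vulnerable(query, args):
    """Placeholder expansion as it behaved before the 7.32 one-line patch."""
    return _expand(query, args, renumber=False)

def expand_arguments_fixed(query, args):
    """Placeholder expansion after the patch: array keys never reach the query."""
    return _expand(query, args, renumber=True)
```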
NAT-PMP flaw puts 1.2 million home routers at risk
- NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 as RFC 6886, to replace part of UPnP with a simpler implementation
- It allows hosts on the internal network to request ‘please open TCP (or UDP) port XXXX on the Internet interface and forward that traffic to me’, and ‘what is our Internet-facing IP?’
- This allows hosts to accept incoming connections (like game servers, Skype calls, etc.) without having to manually create a ‘port forwarding’ rule
- However, it seems some implementations are configured incorrectly and accept requests on both the internal (expected) and external (very bad!) interface
- The NAT-PMP protocol uses the source IP address of the request to create the mapping, which helps prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the Internet); however, because it is UDP, the source address can be spoofed
- Researcher Post
- Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
- 2.5% are vulnerable to ‘interception of internal NAT traffic’: specifically, an attacker can create a mapping that forwards attempts to connect to the router itself to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
- 86% are vulnerable to ‘interception of external traffic’, which allows the attacker to create a mapping on the external interface. For example, since most routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website, keeping the true address of their site secret by directing traffic to your router, which would then forward it to their address.
- 88% are vulnerable to ‘Access to Internal NAT Client Services’: because NAT-PMP is over UDP, it is often possible to send a spoofed packet with a fake source address. This allows an attacker to create port-forwarding rules from outside, gaining access to machines behind the router that are normally not exposed to the Internet.
- 88% are vulnerable to a Denial of Service attack: by creating a mapping for the NAT-PMP service port itself, the device forwards all real NAT-PMP requests off to some other host, basically breaking the NAT-PMP feature on the device
- 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
- Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
- Because of the nature of project SONAR and the widespread nature of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the Metasploit module and attempt to build a database
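An added example (not from the researcher post or any router firmware) of the gateway-side policy a correct NAT-PMP implementation needs before it touches its mapping table, with the request and reply datagrams laid out as RFC 6886 defines them: refuse anything arriving on the external interface, refuse sources outside the LAN prefix, and refuse mappings that would hijack port 5351. The LAN prefix 192.168.1.0/24 and the "lan"/"wan" ingress labels are assumptions.

```python
import ipaddress
import struct

NAT_PMP_PORT = 5351
OPCODES = {1: "map-udp", 2: "map-tcp"}
RESULT_OK, RESULT_REFUSED = 0, 2   # RFC 6886 result codes (2 = not authorized/refused)

def build_mapping_request(op, internal_port, external_port, lifetime):
    """Client side: version 0, opcode 1/2, reserved, ports, requested lifetime (12 bytes)."""
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)

def parse_mapping_request(data):
    """Gateway side: decode a mapping request or raise ValueError."""
    if len(data) != 12 or data[0] != 0 or data[1] not in OPCODES:
        raise ValueError("not a NAT-PMP v0 mapping request")
    _reserved, internal, external, lifetime = struct.unpack("!HHHI", data[2:])
    return {"op": data[1], "internal_port": internal,
            "external_port": external, "lifetime": lifetime}

def build_mapping_response(op, result, internal_port, external_port, lifetime, epoch):
    """Gateway reply (16 bytes): version, op|128, result, seconds since the
    mapping table was reset, internal port, mapped external port, granted lifetime."""
    return struct.pack("!BBHIHHI", 0, op | 128, result, epoch,
                       internal_port, external_port, lifetime)

def decide(req, src_ip, ingress, lan_net="192.168.1.0/24"):
    """Policy a gateway must apply before acting. Returns (result_code, reason).
    The three checks match the Sonar findings: WAN-side requests, spoofed LAN
    sources, and a mapping that captures the NAT-PMP port itself."""
    if ingress != "lan":
        return RESULT_REFUSED, "arrived on the external interface; RFC 6886 allows LAN ingress only"
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(lan_net):
        return RESULT_REFUSED, "source address not in the LAN prefix (spoofed or routed)"
    if req["external_port"] == NAT_PMP_PORT:
        return RESULT_REFUSED, "mapping the NAT-PMP port itself would hijack the service"
    return RESULT_OK, "ok"

def handle(data, src_ip, ingress, epoch=0):
    """One full exchange: decode, decide, and produce the reply datagram.
    A refused mapping is answered with lifetime 0 so nothing is created."""
    req = parse_mapping_request(data)
    code, reason = decide(req, src_ip, ingress)
    lifetime = req["lifetime"] if code == RESULT_OK else 0
    reply = build_mapping_response(req["op"], code, req["internal_port"],
                                   req["external_port"], lifetime, epoch)
    return code, reason, reply
```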
Feedback:
Round Up:
- FBI cut hotel Internet access, sent agents to “fix” it without warrants
- Interview with the developers of the Gopher protocol
- Brazil Is Keeping Its Promise to Avoid the U.S. Internet
- Botnet uses gmail drafts as a “dead drop” for command and control
- Lawyer doesn’t know what Java is, thinks Bill Gates is trying to get out of a question.
- Don’t run the gnu ‘strings’ command on untrusted files
- SQL Injection attack against speed cameras in France
- Paul Vixie: “Abuse of CPE Devices and Recommended Fixes”
- White House unclassified network breached by attackers
- Twitter possibly vulnerable to command injection via new ‘card’ URLs
- Researchers publish report investigating the bitcoin theft from CryptoRush.in
- Security is hard
- Computer hardware identification chart