Showing posts with label Zero Click Exploit.

Two Critical Zero-Day Bugs Identified in Zoom Users and MMR Servers

 

Two critical bugs in the videoconferencing app Zoom could have led to remote exploitation of Zoom clients and MMR servers. Natalie Silvanovich of Google's Project Zero bug-hunting team released an analysis of the security bugs on Tuesday; the vulnerabilities were uncovered as part of an investigation that began after a zero-click attack was demonstrated at Pwn2Own.

The researcher spotted two different flaws: a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), the servers that relay audio and video content between clients in on-premise deployments, and a second bug in the MMR server. Additionally, the platform lacked Address Space Layout Randomization (ASLR), a security mechanism that helps to guard against memory corruption attacks.

"In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user," the researcher explained in a blog post. "That said, it's likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios."

"ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective," Silvanovich noted. "There is no good reason for it to be disabled in the vast majority of software." 

Because MMR servers process call content including audio and video, the researcher says the bugs are "especially concerning": with an MMR compromised, any virtual meeting without end-to-end encryption enabled would have been exposed to eavesdropping.

According to recent reports, the vulnerabilities were reported to the vendor and patched on November 24, 2021, and Zoom has since enabled ASLR. While most video conferencing systems use open-source libraries such as WebRTC or PJSIP to implement multimedia communications, Project Zero called out Zoom's use of proprietary formats and protocols, as well as its high licensing fees (nearly $1,500), as barriers to security research.

"These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered," Silvanovich said. "Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it." 

Last November, Zoom rolled out automatic updates for the software's desktop clients on Windows and macOS, as well as on mobile. Previously, this feature was only available to business users.

University of California Researchers Develop a Technique to Discover Inconsistencies in Smart Contracts


Researchers from the University of California, Santa Barbara, presented a "scalable technique" to check smart contracts and minimize state-inconsistency bugs, finding forty-seven zero-day vulnerabilities on the Ethereum blockchain in the process. Smart contracts are programs stored on the blockchain that execute automatically when predetermined conditions are met, according to the encoded terms of the agreement.

These programs let trusted transactions and agreements be carried out between anonymous parties without the need for a central authority. In simple terms, the code is itself the final arbiter of the deal it represents: the program controls every aspect of execution and also provides an immutable evidentiary audit trail of transactions that is both irreversible and traceable. As the researchers put it in their paper, "since smart contracts are not easily upgradable, auditing the contract's source pre-deployment, and deploying a bug-free contract is even more important than in the case of traditional software."

About Sailfish

Sailfish aims to find state inconsistencies in smart contracts that allow an attacker to tamper with the order of transactions, or with the control flow within a single transaction, as in reentrancy. The tool converts a contract into a dependency graph that captures the control- and data-flow relations between state-changing instructions and the contract's storage variables, and uses that graph to flag potential inconsistencies. The researchers evaluated Sailfish on 89,853 contracts retrieved from Etherscan.

It found forty-seven zero-day vulnerabilities that could be exploited to extract Ether or to corrupt application-specific metadata. These include a vulnerable contract implementing a house tracker that could be abused to let house owners keep multiple active listings. "This is not the first time problematic smart contracts have attracted attention from academia. In September 2020, Chinese researchers designed a framework for categorizing known weaknesses in smart contracts with the goal of providing a detection criterion for each of the bugs," The Hacker News reports.

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was used to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign that Citizen Lab attributes with high confidence to a Pegasus operator linked to the Bahraini government.

The spyware was installed after the devices were compromised using two zero-click iMessage exploits, which require no user interaction: the 2020 KISMET exploit and a previously unseen exploit named FORCEDENTRY.

In February 2021, Citizen Lab first observed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed at stopping message-based zero-click attacks like this one, had been released only the month before. It was designed to prevent Pegasus-style attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence not something most people need to worry about. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić.

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to deliver malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime could have blocked the threat actors in this case, against these specific exploits. The researchers stressed that disabling iMessage and FaceTime would not provide complete protection from zero-click attacks or spyware in general.

NSO Group said in a statement to Bloomberg that it had not yet read the report, but that it has concerns about Citizen Lab's methods and motives. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Tesla Car Hacked Remotely by Drone Via Zero-Click Exploit

 

Two researchers have shown how a Tesla, and probably other cars, can be hacked remotely without any interaction from the driver.

Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris conducted the research last year. It was originally prepared for the Pwn2Own 2020 hacking competition, which offered a car and other substantial prizes for hacking a Tesla, but the results were instead submitted to Tesla via its bug bounty programme after the Pwn2Own organizers decided to temporarily drop the automotive category because of the coronavirus pandemic.

TBONE is an attack that chains two vulnerabilities in ConnMan, an internet connection manager for embedded devices. An attacker can use these bugs to take complete control of the Tesla infotainment system without any user interaction.

An attacker who exploits the vulnerabilities can use the infotainment system to perform any task a normal user could. This includes opening doors, adjusting seat positions, playing music, controlling the air conditioning, and changing the steering and acceleration modes.

The researchers explained, "However, this attack does not yield drive control of the car". They showed how an attacker could use a drone to launch a Wi-Fi attack on a parked car and open its doors from up to 100 meters away (roughly 300 feet). The exploit, they said, worked on Tesla Model S, 3, X, and Y vehicles.

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann stated. 

Tesla apparently stopped using ConnMan after patching the vulnerabilities in an update released in October 2020. Intel was also notified because it was the original developer of ConnMan, but according to the researchers, the chipmaker took the view that the fix was not its responsibility.

According to the researchers, the ConnMan component is commonly used in the automotive industry, suggesting that similar attacks may be launched against other vehicles as well. Weinmann and Schmotzle sought assistance from Germany's national CERT in informing potentially affected vendors, but it's uncertain if other manufacturers have responded to the researchers' findings. 

Earlier this year, the researchers presented their results at the CanSecWest conference; the presentation includes a video of them using a drone to hack a Tesla. In recent years, cybersecurity researchers from several companies have shown that a Tesla can be hacked, in most cases remotely.