![Apple Officially Announces Return of 'Ted Lasso' for Fourth Season [Video]](https://www.iclarified.com/images/news/96710/96710/96710-640.jpg)
![Apple Plans Live Translation Feature for AirPods in iOS 19 [Report]](https://www.iclarified.com/images/news/96712/96712/96712-640.jpg)
![Apple Shares Official Trailer for 'F1' Starring Brad Pitt [Video]](https://www.iclarified.com/images/news/96714/96714/96714-640.jpg)
![[Update: Fix] Chromecast (2nd gen) and Audio can’t Cast in ‘Untrusted’ outage](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2019/08/chromecast_audio_1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
_Tanapong_Sungkaew_Alamy.jpg?#)
_JIRAROJ_PRADITCHAROENKUL_Alamy.jpg?#)
![[The AI Show Episode 139]: The Government Knows AGI Is Coming, Superintelligence Strategy, OpenAI’s $20,000 Per Month Agents & Top 100 Gen AI Apps](https://www.marketingaiinstitute.com/hubfs/ep%20139%20cover-2.png)
![[The AI Show Episode 138]: Introducing GPT-4.5, Claude 3.7 Sonnet, Alexa+, Deep Research Now in ChatGPT Plus & How AI Is Disrupting Writing](https://www.marketingaiinstitute.com/hubfs/ep%20138%20cover.png)
This Week in Security: The X DDoS, The ESP32 Basementdoor, and the camelCase RCE
We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make …read more
We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.
The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.
We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.
There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.
The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.
Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.
That ESP32 Backdoor
As Maya says, It Really Wasn’t a backdoor. The Bleeping Computer article and Tarlogic press release have both been updated to reflect the reality that this wasn’t really a backdoor. Given that the original research and presentation were in Spanish, we’re inclined to conclude that the “backdoor” claim was partially a translation issue.
The terminology storm set aside, what researchers found really was quite interesting. The source of information was official ESP32 binaries that implement the Bluetooth HCI, the Host Controller Interface. It’s a structured format for talking to a Bluetooth chip. The official HCI has set aside command space for vendor-specific commands. The “backdoor” that was discovered was this set of undocumented vendor-specific commands.
These commands were exposed over the HCI interface, and included low-level control over the ESP32 device. However, for the vast majority of ESP32 use cases, this interface is only available to code already running on the device, and thus isn’t a security boundary violation. To Espressif’s credit, their technical response does highlight the case of using an ESP32 in a hosted mode, where an external processor is issuing HCI commands over something like a serial link. In that very narrow case, the undocumented HCI commands could be considered a backdoor, though still requires compromise of the controlling device first.
All told, it’s not particularly dangerous as a backdoor. It’s a set of undocumented instructions that expose low-level functions, but only from inside the house. I propose a new term for this: a Basementdoor.
The Fake Recruitment Scam
The fake recruitment scam isn’t new to this column, but this is the first time we’ve covered a first-hand account of it. This is the story of [Ron Jansen], a freelance developer with impressive credentials. He got a recruiter’s message, looking to interview him for a web3 related position. Interviews often come with programming tasks, so it wasn’t surprising when this one included instructions to install something from Github using npm and do some simple tasks.
But then, the recruiter and CTO both went silent, and [Ron] suddenly had a bad feeling about that npm install command. Looking through the code, it looked boring, except for the dependency NPM package, process-log. With only 100-ish weekly downloads, this was an obvious place to look for something malicious. It didn’t disappoint, as this library pulled an obfuscated blob of JSON code and executed it during install. The deobfuscated code establishes a websocket connection, and uploads cookies, keychains, and any other interesting config or database files it can find.
Once [Ron] new he had been had, he started the infuriating-yet-necessary process of revoking API keys, rotating passwords, auditing everything, and wiping the affected machine’s drive. The rest of the post is his recommendations for how to avoid falling for this scam yourself. The immediate answer is to run untrusted code in a VM or sandbox. There are tools like Deno that can also help, doing sandboxing by default. Inertia is the challenge, with a major change like that.
Camel CamelCase RCE
Apache Camel is a Java library for doing Enterprise Integration Patterns. AKA, it’s network glue code for a specific use case. It sends data between endpoints, and uses headers to set certain options. One of the important security boundries there is that internal headers shouldn’t be set by outside sources. To accomplish that, those headers are string compared with Camel and org.apache.camel as the starting characters. The problem is that the string comparison is exact, while the header names themselves are not case sensitive. It’s literally a camelCase vulnerability. The result is that all the internal headers are accessible from any client, via this case trickery.
The vulnerability has been fixed in the latest release of Camel. The seriousness of this vulnerability depends on the component being connected to. Akamai researchers provided a sample application, where the headers were used to construct a command. The access to these internal values makes this case an RCE. This ambiguity is why the severity of this vulnerability is disputed.
Bits and Bytes
Researchers at Facebook have identified a flaw in the FreeType font rending library. It’s a integer underflow leading to a buffer overflow. An attacker can specify a very large integer value, and the library will add to that variable during processing. This causes the value to wrap around to a very small value, resulting in a buffer much too small to hold the given data. This vulnerability seems to be under active exploitation.
We don’t normally see problems with a log file leading to exploitation, but that seems to be the situation with the Below daemon. The service runs as root, and sets the logfile to be world readable. Make that logfile a symlink to some important file, and when the service starts, it overwrites the target file’s permissions.
Microsoft’s Patch Tuesday includes a whopping six 0-day exploits getting fixed this month. Several of these are filesystem problems, and at least one is an NTFS vulnerability that can be triggered simply by plugging in a USB drive.
The ruby-saml library had a weird quirk: it used two different XML parsers while doing signature validations. That never seems to go well, and this is not any different. It was possible to pack two different signatures into a single XML document, and the two different parsers would each see the file quite differently. The result was that any valid signature could be hijacked to attest as any other user. Not good. An initial fix has already landed, with a future release dropping one of the XML parsers and doing a general security hardening pass.
