That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE in just powered-on Samsung Chromebook. So just to summarize:
- It doesn’t require any user interaction.
- It can be triggered every 5 minutes in case of GNU/Linux operating system.
- It doesn’t require the knowledge of a Wi-Fi network name or passphrase/key.
- It can be triggered even when a device isn’t connected to any Wi-Fi network, just powered on.
Source: Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE – Embedi
In this research, I used ALFA networks wireless adapter in the monitor mode, which is based on Realtek 8187 wireless chipset. The exploit can be implemented with python Scapy framework. For some reason, Ubuntu GNU/Linux distrubution isn’t good enough to inject Wi-Fi frames fast, so it is better to use Kali.
The bugs exist in ‘journald’ service, tasked with collecting and storing log data, and they can be exploited to obtain root privileges on the target machine or to leak information. No patches exist at the moment.
Source: Linux systemd Affected by Memory Corruption Vulnerabilities, No Patches Yet
In researchers’ own words “every system on which HeadSetup […] was installed at any time in the past […] remains vulnerable” until users manually review the Trusted Root Certificate Store and remove the two certificates, or until the certificates expire –which could be January 13, 2027, or July 27, 2037, respectively.
Source: Microsoft warns about two apps that installed root certificates then leaked the private keys | ZDNet
The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
Source: Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months | ZDNet
Since registry keys are also boot persistent, any modifications made to an account’s RID remain permanent, or until fixed.
Court says an attacker was only required to send malformed UDP packets to a target’s Steam client, which would have triggered the bug and allowed him to run malicious code on the target’s PC.
Source: Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years
The attack worked first by getting Bogner’s malicious file quarantined by the AV program running on the targeted computer. The pentester then exploited vulnerabilities in the AV programs that allowed unprivileged users to restore the quarantined files. He further abused a Windows feature known as NTFS file junction point to force the restore operation to put his malicious file into a privileged directory of Bogner’s choosing. The technique took advantage of another Windows feature known as Dynamic Link Library search order. With that, Bogner’s malware ran with full privileges.
Source: How AV can open you to attacks that otherwise wouldn’t be possible | Ars Technica
That vulnerability, according to a report on the data breach by William Baird & Co., was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. One was announced in March, and another was announced earlier this week on Sept. 4. At the moment, it’s unclear which vulnerability the Baird report was referring to.
Source: The hackers who broke into Equifax exploited a flaw in open-source server software — Quartz
The bug specifically affects a popular plugin called REST, which developers use to handle web requests, like data sent to a server from a form a user has filled out. The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.
Source: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency – The New York Times
So in order to trigger this behaviour, someone with root-level privileges needs to edit a Unit file and enter a “invalid username”, in this case one that starts with a digit.
But you need root level privileges to edit the file in the first place and to reload systemd to make use of that Unit file.
Source: Giving perspective on systemd’s “usernames that start with digit get root privileges”-bug
It’s an obvious bug (at least on RHEL/CentOS 7), since a valid username does not get accepted by systemd so it triggers unexpected behaviour by launching services as root.
However, it isn’t as bad as it sounds and does not grant any username with a digit immediate root access.
To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.
In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.
Source: Edge Security Flaw Allows Theft of Facebook and Twitter Credentials