This Week in Security: Git, Patch Tuesday, Anti-Cheat, and Vulnerable Documentation

Git released an update on Tuesday, fixing an issue that could result in leaking credentials. The vulnerability was in how Git handles an HTTP URL containing a newline. Looking at the commits in 2.26.1, we can find an example of an attack:
url = "https://one.example.com?%0ahost=two.example.com/foo.git"

So doing a git pull against this repository will connect your git instance to an attacker’s server, but using the credentials from an arbitrary server. It seems like this could potentially be used to steal Github credentials, for instance. So go make sure you have an updated Git client.

Commercial VPNs and Open Source

Commercial VPN providers are a dime-a-dozen these days, and they’re not all exactly reputable. Rather than report on the bad actors, today we’re looking at a provider who’s doing something right. IVPN has open-sourced their client software, and has gone through the process required to get their Android client hosted on F-Droid. F-Droid, by the way, is an open-source only 3rd party app store for Android. (See my FLOSS Weekly interview for more info.)

IVPN on F-droid

IVPN even has plans to open-source their server-side software. While having a fully open-source stack doesn’t absolutely guarantee good behavior by a provider, it goes a long way to demonstrate good intentions, and buys a lot of community goodwill.

Patch Tuesday

Remember the Windows 0-days we’ve talked about the last few weeks? Patch Tuesday is finally here, and three actively exploited bugs are finally getting fixed. Two of those flaws were RCEs in a DLL used to render fonts, and the third a local privilege escalation flaw in the Windows kernel.

Another important bug in Internet Explorer was fixed this week, too: CVE-2020-0968. This one is a remote execution bug that can be triggered simply by visiting a malicious page. In some places this is being called a 0-day, but Microsoft claims that they haven’t found evidence of it being exploited in the wild.

The last bit of related news is that the security researcher known as [SandboxEscaper] is now working at Microsoft, and is responsible for some of the bugs fixed in the last few months.

Anti-Cheat

Riot Games has rolled out a new anti-cheat system, Vanguard, for their recently released game, Valorant. Vanguard is apparently attracting some attention, as it installs a kernel-level driver as part of the anti-cheat measures. On one level, it’s understandable that a really robust anti-cheating solution needs more than just user-level system access. At the same time, a vulnerability in that driver means the entire system is exposed, not to mention the possibility of intentional misbehavior.

One could observe that the other ubiquitous anti-cheat solutions like BattlEye and EAC also use kernel drivers to function. (And as a result, have been a huge hindrance to running games on Linux through Wine.) I haven’t been able to confirm this, but word is that Vanguard is different in that it is always loaded, rather than only loading while the game is running. One humorous tidbit is that antivirus applications have a tendency to mark anti-cheat software as malicious applications.

Windows COM Vulnerability and Documentation

This vulnerability isn’t particularly dire, and is a few months old, but the write-up just released, and has a really interesting wrinkle. First, the Windows Component Object Model (COM) is essentially just part of the Windows API. (I know that’s not quite technically correct, but it’s a useful simplification for our purposes.) [Phillip Langlois] and [Edward Torkington] of nccgroup discovered a flaw in a COM interface related to program installations. By creating a symlink and then calling the vulnerable interface, an under-privileged user could trick the system into creating a readable copy of any file on the system.

As expected, Microsoft was responsive and pushed a patch fixing the issue within 90 days. Doing a followup check on vendor patches is always a good idea, and something strange was noticed — The original exploit still worked on a patched machine! After some decompiling and double-checking, the culprit turned out to be a Windows function, “GetFileAttributesW”. A quick check of the MSDN documentation shows that in the case of a symlink, this function returns information about the link instead of the target. In practice, however, the function was following the link and reporting on the target file.

Documentation is super important when tracking down security problems, and incorrect documentation can cause all sorts of headaches like this. This also highlights the importance of double-checking by actually running the code, rather than just depending on your understanding of the problem. And finally, if you report a security vulnerability that gets fixed, make sure to re-visit the issue to make sure it was actually fixed!

Odds and Ends

A Juniper virtual router image was accidentally shipped with root level credentials. While that’s obviously a problem, this isn’t nearly as bad as some of the previous stories we’ve covered. First off, this isn’t a hidden or unchangeable password, and it’s recommended to set the root password during initial setup. The other difference is that Juniper researchers found this issue themselves, and fixed it without any in-the-wild abuse. On the other hand, those credentials have been present in Juniper’s VM for 3 years.

Firefox 75 has been released, with yet another set of bugs being fixed. None of them have been found in the wild, but a couple bugs are considered high impact and likely to be exploitable. A new Firefox ESR release was also made, fixing some of the same bugs. That update has triggered both a Tails update and a Tor browser update.

Google Chrome has finally made their next release, jumping to Chrome 81. This contains 32 security fixes, with a handful of those being high importance fixes.

The next entry in “Don’t Connect Your Management Interface to the Internet” comes from Dell, as their iDRAC (integrated Dell Remote Access Controller) was just updated to fix a nasty buffer overflow flaw. This flaw is accessible without authentication, and could likely be used to execute arbitrary code.

Zoom just can’t catch a break, as the latest word is that a pair of exploits have been found, one of which is on sale for a cool $500,000. This exploit is a full RCE for Windows, while the other is a less useful Mac only flaw.