This Week in Security: NSO, Print Spooler, and a Mysterious Decryptor

The NSO Group has been in the news again recently, with multiple stories reporting on their Pegasus spyware product. The research and reporting spearheaded by Amnesty International is collectively known as “The Pegasus project”. This project made waves on the 18th, when multiple news outlets reported on a list of 50,000 phone numbers that are reported as “potential surveillance targets.” There are plenty of interesting people to be found on this list, like 14 heads of state and many journalists.

There are plenty of questions, too. Like what exactly is this list, and where did it come from? Amnesty International has pointed out that it is not a list of people actively being targeted. They’ve reported that of the devices associated with an entry on the list that they have been able to check, roughly 50% have shown signs of Pegasus spyware. The Guardian was part of the initial coordinated release, and has some impressive non-details to add:

The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.

Amazon’s AWS was named as part of the C&C structure of Pegasus, and in response, they have pulled the plug on accounts linked to NSO. For their part, NSO denies the validity of the list altogether.

It’s no secret that NSO tools are used to spy on people all over the world. The real questions here are whether those tools are being abused to spy on particularly inappropriate targets, whether NSO knew about it, and what they will do now, if these claims are true. If you suspect your device might be compromised by Pegasus, take a look at the Mobile Verification Toolkit, developed by Amnesty International.

More Print Spooler Fun

At this point, it should be obvious that we should turn off the print spooler for any Windows machine that doesn’t really need it. Yet another flaw has been announced, CVE-2021-34481. This one is a bit odd. According to Microsoft, this bug is totally unrelated to the previous PrintNightmare bugs, and was discovered by [Jacob Baines] back in June. What makes it particularly strange is that it was publicly disclosed weeks before the researcher’s deadline, and hasn’t yet been patched. Microsoft’s advisory indicates that it isn’t being exploited in the wild, but it seems they are acting as if it has already been made public.

If Print Spooler EoP bugs aren’t enough, how about a world-readable Security Account Manager (SAM) file? This flaw is related to the shadow copy service, and on Windows 10 and 11 machines, allows any user to read the entire SAM, SYSTEM, and SECURITY files. What can you do with that? Jump from an unprivileged user straight to System, for a start.
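
A defender's audit for the two Windows items above, as an added example that is not from the original article: it reports whether the Print Spooler is running or startable, whether the SAM, SYSTEM and SECURITY hives grant read access to ordinary users, and whether shadow copies exist. It assumes an elevated prompt, the default hive location, and the well-known SID S-1-5-32-545 for BUILTIN\Users.

```powershell
# Added audit example (not from the article). Run from an elevated prompt.
# Assumptions: default hive location under %SystemRoot%\System32\config and
# the well-known SID S-1-5-32-545 for the local BUILTIN\Users group.

$usersSid = 'S-1-5-32-545'
$readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData
$hiveDir  = Join-Path $env:SystemRoot 'System32\config'

# 1. Print spooler: flag it unless it is both stopped and disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    [pscustomobject]@{
        Check  = 'Print Spooler'
        Detail = "Status=$($spooler.Status) StartType=$($spooler.StartType)"
        Review = ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')
    }
}

# 2. Registry hives: flag any Allow rule that lets BUILTIN\Users read the file.
foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
    $path = Join-Path $hiveDir $name
    try {
        # Ask for SIDs rather than names so the check is locale-independent.
        $rules = (Get-Acl -Path $path -ErrorAction Stop).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        $exposed = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $readBit)
        }).Count -gt 0
        [pscustomobject]@{ Check = "Hive $name"; Detail = $path; Review = $exposed }
    } catch {
        [pscustomobject]@{ Check = "Hive $name"; Detail = "ACL unreadable: $($_.Exception.Message)"; Review = $false }
    }
}

# 3. Shadow copies: existing snapshots retain copies of the hives,
#    so they matter whenever a hive above is flagged.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
[pscustomobject]@{
    Check  = 'Shadow copies'
    Detail = "$($shadows.Count) present"
    Review = ($shadows.Count -gt 0)
}
```

Any row with `Review = True` deserves a look; a flagged hive combined with existing shadow copies is the combination described above.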

Debugging Backdoor in KiwiSDR

Thanks to [jpa] for pointing this out last week in the comments. The KiwiSDR is a BeagleBone cape, together with a customized BeagleBone image, that captures radio data and puts it online for anyone to listen to. Before we get to the security issue, I have to say that this is a really nifty project. Check out the list of nodes online around the world.

The problem is that the project included a root web shell built in with a hardcoded password, and it wasn’t particularly well documented; a couple of brief mentions in the forum don’t really count. The SHA256-hashed password would be difficult to crack, but as Ars points out, any connections happen over HTTP, so a single instance of packet sniffing would reveal the password. To the developer’s credit, he has now put up a warning on the site’s main page that previous versions have a security vulnerability. A brief discussion in the latest commit on GitHub indicates that a more complete disclosure is coming. (You may need to scroll to the bottom of the page to find the comments.) Ironically, I don’t think any of the users would have had a problem with this, so long as it had been well documented, opt-in, and implemented a bit better.

Linux Filesystem Vulnerability

This is an odd one. As far as the public disclosure goes, it starts with the news that a logged-in user can crash a Linux system via a systemd flaw involving a very long path name. That’s an annoying bug, but it gets weirder. The researchers at Qualys found it by accident, while trying to pull off a full jump-to-root exploit. That exploit is one where an integer can be overflowed by a very long path. The path string needs to be a whopping 1 GB long. By mounting and then deleting something on that crazy path, the overflow allows an out-of-bounds write. A PoC is available, so make sure to get the latest kernel offered by your distro.

0-day Campaigns This Year

Google’s Threat Analysis Group has released a report with a bit of insight into a trio of campaigns using 0-day vulnerabilities they’ve discovered in active use this year. The first is an email campaign that seems to be based in Armenia using CVE-2021-21166 and CVE-2021-30551, both bugs in Chrome. In what may have been part of the same campaign, victims were sent Microsoft Office documents that used either ActiveX or VBA Macros to launch IE 11 and trigger CVE-2021-33742.

The last campaign discussed is a bit more interesting, as it used a Safari 0-day to infect the browser on iOS. This one is thought to be from the Russian APT29, and targeted officials in Western Europe via LinkedIn messages. The exploit wasn’t coupled with a sandbox escape, but just runs in the confines of the browser, grabbing information from every page accessed.

Windows Hello Fooled by Photo

Windows Hello isn’t unique: the iPhone also has the capability to unlock via facial recognition, and some Android phones have picked up the feature as well. There’s a fundamental difference between a Windows machine and a phone. The camera on the phone is a known and trusted entity. Any device can claim to be a webcam on a desktop or laptop. Windows Hello accepts any webcam device, and that leads to some obvious security problems. The system uses infrared imaging, so one simple bypass is to present an infrared picture of the user. It sounds like further attacks should be possible, like a device that presents itself as a webcam, but replays captured images of the target’s face. This is sure to be an interesting topic for further research.

REvil Decryptor

After REvil mysteriously took down their shingle (AKA, disappeared and went out of business), a new development has emerged in the Kaseya ransomware story. A universal decryptor has been obtained “from a trusted third party”, and is being used to recover data. No word on who the third party is, and involved parties have declined to confirm whether any ransom was paid as part of the deal. Hopefully further news will leak out about how the decryptor was obtained, and what is going on with the REvil group.