
HACKADAY

THIS WEEK IN SECURITY: BLAST-RADIUS, GITLAB, AND PLORMBING
by: Jonathan Bennett    No comments

July 12, 2024

The RADIUS authentication scheme, short for “Remote Authentication Dial-In User
Service”, has been widely deployed for user authentication in all sorts of scenarios. It’s
a bit odd, in that individual users authenticate to a “RADIUS Client”, sometimes called
a Network Access Server (NAS). In response to an authentication request, the NAS
packages up the authentication details and sends them to a central RADIUS server for
verification. The server then sends back a judgement on the authentication request,
and if it succeeds the user is authenticated to the NAS/client.

The scheme was updated to its current form in 1994, back when MD5 was considered
a cryptographically good hash. It’s since been demonstrated that MD5 has problems, most
notably a chosen-prefix collision attack demonstrated in 2007. The basis of this
collision attack is that given two arbitrary messages, it is possible to find a pair of
values that, when appended to the end of those messages, result in matching MD5
hashes for each combined message. It turns out this is directly applicable to RADIUS.

The attack is a man-in-the-middle, but not against an authenticating user. This attack is
a man-in-the-middle between the NAS and the RADIUS server, and a real user isn’t
even required. This elevated position does make the attack harder to achieve in some
cases, but situations like RADIUS providing authentication for administrative access to
a device are squarely in scope. Wrapping the RADIUS backend communications in a
TLS layer does protect against the attack.
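As an added example (not code from the column or from any RADIUS implementation), here is how a RADIUS client can verify the two integrity checks on a response: the RFC 2865 Response Authenticator, which is the plain MD5 construction the collision attack targets, and the optional RFC 2869 Message-Authenticator attribute, a keyed HMAC-MD5 that an MD5 collision alone does not forge. The shared secret and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the column): the shared secret and the
# 16-byte Request Authenticator the NAS sent in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT = 2
MSG_AUTH_TYPE = 80  # Message-Authenticator attribute type (RFC 2869)

def response_authenticator(header, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # Unkeyed MD5 with the secret appended is what the collision attack targets.
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def message_authenticator(header, request_auth, attrs, secret):
    # RFC 2869: HMAC-MD5 keyed with the secret, with the Request Authenticator
    # in the authenticator field and the attribute's 16 value bytes zeroed.
    return hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()

def build_response(code, ident, attrs, include_mac=True,
                   request_auth=REQUEST_AUTH, secret=SECRET):
    # Message-Authenticator is filled in first; the Response Authenticator
    # then covers the final attribute bytes.
    if include_mac:
        attrs += bytes([MSG_AUTH_TYPE, 18]) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if include_mac:
        mac = message_authenticator(header, request_auth, attrs, secret)
        attrs = attrs[:-16] + mac
    return header + response_authenticator(header, request_auth, attrs, secret) + attrs

def verify_response(packet, request_auth=REQUEST_AUTH, secret=SECRET):
    # Returns (response_auth_ok, message_auth_ok); the second stays False when
    # the attribute is absent, so a client requiring it can reject such replies.
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    resp_ok = hmac.compare_digest(
        resp_auth, response_authenticator(header, request_auth, attrs, secret))
    msg_ok, pos = False, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            break  # malformed attribute length; stop parsing
        if atype == MSG_AUTH_TYPE and alen == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = message_authenticator(header, request_auth, zeroed, secret)
            msg_ok = hmac.compare_digest(attrs[pos + 2:pos + 18], expected)
        pos += alen
    return resp_ok, msg_ok
```

A client that treats a missing or failing Message-Authenticator as a rejected reply is no longer relying on the MD5 construction alone.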

GITLAB
It’s once again time to go update your Gitlab instances, and this one sounds familiar.
It’s another issue where an attacker could run pipeline jobs as an arbitrary user. This
comes as one more in a series of problems in Gitlab, with at least one of them being
exploited in the wild. It’s not surprising to see a high-visibility vulnerability leading to
the discovery of several more similar problems. With this latest issue being so similar
to the previous pipeline problem, it’s possible that it’s actually an incomplete patch, or
an additional workaround that was discovered to exploit the same underlying issue.

EXIM
There’s a bug in the Exim email server that impacts the processing of attachment
blocking rules. Specifically, the filename in the email header is broken into multiple
parts, with some confusing extra bytes in between. It’s technically compliant with the
right RFC, but Exim’s MIME handling code gets confused and misses the real
attachment name.

An Exim server can be configured to block certain file types, and this vulnerability lets
those blocked attachments through. The original CVSS of 9.1 is a tad insane. The latest
update drops that to a 5.4, which seems much more appropriate.
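As an added example (not code from the column or from Exim), assuming the split-filename form is an RFC 2231 parameter continuation: a blocklist check that looks only for a literal filename= parameter never sees the name, while one that lets the MIME library reassemble the parts does. The message and the blocking policy are constructed.

```python
import re
from email import message_from_string

# Constructed sample message (not from the column). The attachment name is
# split across parameter continuations (assumed here to be the RFC 2231
# form the column alludes to) rather than one filename= parameter.
RAW_MESSAGE = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment;\r\n"
    ' filename*0="invoice.pdf";\r\n'
    ' filename*1=".exe"\r\n'
    "\r\n"
    "not really a program\r\n"
    "--b1--\r\n"
)

# Hypothetical blocking policy, in the spirit of Exim's attachment rules.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat")

def naive_filename(part):
    # Looks only for a literal filename= parameter, so continuation
    # parameters are never seen: the rule silently fails to match.
    disp = part.get("Content-Disposition", "")
    match = re.search(r'filename="?([^";\r\n]+)"?', disp)
    return match.group(1) if match else None

def robust_filename(part):
    # The email library reassembles filename*0, filename*1, ... (and the
    # filename*0* encoded form) into the name the recipient will actually see.
    return part.get_filename()

def blocked_attachments(raw, extract=robust_filename):
    # Walk every leaf part and return the names that hit the blocklist.
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = extract(part)
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits
```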

PLORMBING YOUR ORM


Prisma is a “Next Generation ORM” (Object Relational Mapper) that takes a database
schema and maps it to code objects. In other words, it helps write code that interacts
with a database. There are some potential problems there, like using filters on protected
data to leak information one byte at a time, in a very Hollywood manner.

This brings us to a second approach, a time-based data leak. Here a SQL query will
execute slowly or quickly depending on the data in the database. The plormber tool is
designed to easily build attempts at time-based leaks. Hence the pun. If you have a
leak in your ORM, call a plORMber. *sigh*

INTERNET EXPLORER RISES AGAIN


When Microsoft finally obsoleted Internet Explorer in 2022, I had some hope that it
wouldn’t be the cause of any more security issues. And yet here we are, in 2024,
talking about an exploitation campaign that used a 0-day in Windows to launch
Internet Explorer.

A very odd file extension, .pdf.url, manages to appear as a PDF file with the
appropriate icon, and yet opens IE when executed. This finally got classified by
Microsoft as a vulnerability and fixed.

BITS AND BYTES


There’s another SSH issue, related to regreSSHion. This time a vendor patch makes a
call to cleanup_exit() from a signal handler function, calling more async-unsafe code.
If that doesn’t make any sense, circle back around to last week’s installment of the
column for the details. This time it’s Fedora, Red Hat, and other distros that used the
patch.

One of the security barriers that most of us rely on is that traffic originating from the
WAN side of the router should stay there. When that paradigm breaks down, we have
problems. And that’s exactly what the folks at Claroty are working to defeat. The trick
this time is a vulnerability in a router’s Dynamic DNS service. Manage to spoof a DNS
lookup or MitM that connection, and suddenly it’s RCE on the router.

And finally, we’ve covered a pair of outstanding stories this week here at Hackaday.
You should go read about how Ticketmaster’s app was reverse engineered, followed
by a brilliant and completely impractical scheme to get your Internet connection for
free while flying.

Posted in Hackaday Columns, News, Security Hacks
Tagged Blast RADIUS, RegreSSHion, This Week in Security

Copyright © 2024 | Hackaday, Hack A Day, and the Skull and Wrenches Logo are Trademarks of Hackaday.com |
Privacy Policy | Terms of Service | Digital Services Act