
Security Week 38: Firefox vulnerability, Windows hacking via Safe Mode and Tesla via Wi-Fi

On the cyber-threat landscape this has been a week of odd hacks: several pieces of research appeared whose headlines turned out to be rather steeper than their content. Let's start with the Tesla hack ( news ): Chinese researchers from Tencent showed how this supercar can be attacked remotely. A link to the study ought to go here, but there is no study as such: the discoverers limited themselves to a video showing how one can remotely turn on the wipers, open the trunk and, alas, disable the instrument panel and even apply the brakes.

Remotely taking control of the CAN bus is in any case every automaker's nightmare: if an attacker somehow manages to penetrate to that level, almost nothing stands in the way of doing harm. Tesla representatives revealed slightly more detail about the vulnerability in an interview with Reuters. To exploit it, the following conditions must be met: the browser built into the car's multimedia system must be in use while the car is connected to a prepared Wi-Fi access point. That is hardly likely while the car is moving, although anything can happen: for all the seriousness of such holes, this time Tesla got off with a slight fright.

Moreover, Tesla delivered the update that closes the vulnerability to customers over the air, so there was no need to visit a service center. In a security context this is a definite advantage: most other cars could not have managed without a mass recall campaign and a mandatory trip to the dealer.

Firefox (and Tor Browser) fixed a sly RCE vulnerability exploitable through MITM attacks


News Research

In this column I have wanted to talk about complex security problems as simply as possible. MITM, RCE, so what? But in this case that just won't work, otherwise it would come out as something like "Darkweb users' computers are being hacked en masse", which in reality is not happening. A researcher known only as movrck published an interesting document on a very non-trivial, expensive and time-consuming way to hack the computers of Firefox or Tor Browser users (the two share a common code base). The vulnerability itself is incorrect handling of certificates, which under particularly favorable circumstances allows the addons.mozilla.org domain to be silently spoofed for a Firefox user, malicious code to be delivered from it as an update to an already installed extension, and thus arbitrary code execution on the system.

Accomplishing this requires a great deal. First of all, stealing or forging a certificate for addons.mozilla.org is complicated, but not impossible. Next, you need to create conditions in which the browser sends a request to this server (that happens at least once a day, to check for updates to installed browser extensions) so that your own server can be substituted for the real one. This is relatively easy to arrange specifically for Tor users, if the attacker is able to run many prepared exit nodes. Then you need to pick a popular Firefox/Tor add-on; the study uses the NoScript extension as its example. After that everything is "simple": the browser queries the fake server, downloads the "update", the received code is executed, and that theoretically allows either revealing the Tor user's real location or taking control of the victim's computer. It is not a targeted attack, but it catches everyone who happens to share the same date, browser version, installed extension and malicious node.

Cool, huh? It is not surprising that on the first attempt to report the theoretical possibility of such an attack the researcher was brushed off. He had to build a proof-of-concept, and only then did everyone take notice. The Firefox update of September 20 and Tor Browser 6.0.5 fix the problem.
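The attack above only works while the client trusts any CA-issued certificate that carries the right hostname. One defensive check that breaks it is public-key pinning: the client keeps the SHA-256 of the update server's SubjectPublicKeyInfo and refuses a certificate whose key is not pinned, however valid its chain looks. The following is an added illustration, not Mozilla's or Tor's code and not the fix they shipped; it walks the RFC 5280 DER layout with a minimal parser, and the two certificates it checks are constructed fixtures (empty names, dummy signature) built only to show a genuine key passing and a different key failing.

```python
import base64
import hashlib

# Added example, not from the original column. DER layout per RFC 5280:
#   Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
#   TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature,
#                                 issuer, validity, subject, subjectPublicKeyInfo, ... }


def der_read(buf, pos):
    """Parse one DER TLV at buf[pos]. Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, element_start, element_end) for each TLV inside a constructed element."""
    pos = start
    while pos < end:
        tag, _, value_end = der_read(buf, pos)
        yield tag, pos, value_end
        pos = value_end


def extract_spki(cert_der):
    """Return the full DER bytes of the certificate's SubjectPublicKeyInfo element."""
    tag, cert_start, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs_start, tbs_end = der_read(cert_der, cert_start)    # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(cert_der, tbs_start, tbs_end))
    skip = 1 if fields[0][0] == 0xA0 else 0      # explicit [0] version is optional
    _, spki_start, spki_end = fields[skip + 5]   # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[spki_start:spki_end]


def spki_pin(cert_der):
    """HPKP-style pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def certificate_is_pinned(cert_der, pinned):
    """True only if the presented certificate's public key is in the pin set."""
    return spki_pin(cert_der) in pinned


# --- constructed fixtures (hypothetical certificates, not real or signed) ------

def der(tag, payload):
    """Minimal DER encoder used only to build the fixtures."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_test_cert(public_key_bytes):
    """Structurally valid, unsigned certificate carrying the given key bytes."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + public_key_bytes))
    validity = der(0x30, der(0x17, b"160920000000Z") + der(0x17, b"170920000000Z"))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))   # version v3
              + der(0x02, b"\x01")            # serial number
              + der(0x30, rsa_oid)            # signature algorithm
              + der(0x30, b"")                # issuer (empty in the fixture)
              + validity
              + der(0x30, b"")                # subject (empty in the fixture)
              + spki)
    return der(0x30, tbs + der(0x30, rsa_oid) + der(0x03, b"\x00dummy-signature"))


if __name__ == "__main__":
    genuine = make_test_cert(b"\x11" * 64)
    forged = make_test_cert(b"\x22" * 64)    # same structure, different key
    pins = {spki_pin(genuine)}
    print("genuine accepted:", certificate_is_pinned(genuine, pins))   # True
    print("forged accepted:", certificate_is_pinned(forged, pins))     # False
```

The point of hashing the SPKI rather than the whole certificate is that a legitimate renewal with the same key keeps passing, while a certificate issued to an attacker (whatever CA signed it) always carries a different key and fails.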

Safe Mode in Windows can be used to attack corporate networks.


News Research

Researchers at CyberArk Labs report that Safe Mode in Windows is not as safe as it seems. Their work is devoted to methods of obtaining full control over a system after initial access, physical or remote, has already been gained. Much more attention is usually paid to the attempts to gain that initial access; it is assumed that afterwards you can do whatever your heart desires. That is not entirely true, although the Safe Mode trick shown in this study is probably only one of many ways of developing an attack further.

So, the job of Safe Mode is to cut the system's functionality down to a minimum, so that it keeps working even after a major failure in installed software or elsewhere. That reduction in functionality extends to security systems as well. The researchers took advantage of this, showing how to run arbitrary code, change the settings of protection or monitoring software, and even alter the appearance of Safe Mode so that it is indistinguishable from normal mode. All this sounds dreadful, with one amendment: the bypasses presented in the paper are possible remotely only if the attacker already has administrator rights. In essence it is a "too late to drink Borjomi" scenario, the Russian idiom for closing the barn door after the horse has bolted.

What else happened:


Cisco has issued a second round of advisories (no patches yet, but with indicators of compromise) for the vulnerabilities revealed in the Shadow Brokers leak. The vulnerabilities in Cisco IOS look very serious.



Well-known encryption and network security expert Bruce Schneier writes about the growing number of attacks on the network's root infrastructure, and it is not only about DDoS: there are attempts to use other attack vectors to knock individual domains, or even entire TLDs, off the network. Details are unknown; the sources asked that the information be published without names or examples. Threatpost has published a recording of an interview with Bruce (in English).

An interesting ransomware, Mamba, is the second I can recall that uses full-disk encryption.

Yahoo today confirmed a record-breaking password leak: up to 500 million records. Awful, but against the background of other leaks somehow not even impressive.

Google decided not to enable by default, in its new messenger Allo, the option that prevents correspondence from being kept on the server. Presumably this was done to make it possible to train the intelligent auto-reply bot. The crypto community is indignant.

Antiquities


"MJ-1513"

A resident, very dangerous virus. It is written to the MBR of the hard drive when an infected file is started, and into .COM files when they are launched. The old MBR sector is stored at 0/0/2 (head, track, sector); .COM files are infected in the standard way.

When a .COM file is started, the virus installs its TSR copy in memory, issues the message "Bad command or file name" and returns to DOS. On the 100th boot it erases the first 16 sectors of the affected hard drive. On every 256th disk read (int 13h) the word "mj" is inserted into the read block at offset C8h. Hooks int 13h, 1Ch, 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 106.
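The description above gives two concrete on-disk traces: the original MBR is saved at CHS 0/0/2 (LBA 1 on any standard geometry, the sector right after the MBR, which is normally empty), and every 256th block read gets "mj" stamped at offset C8h. The following is an added forensic example, not from the book or the column, that looks for both traces in a raw disk image. The image it checks is constructed in the script (a clean layout, and a model of the infected layout built from the quoted description); the geometry passed to chs_to_lba is an assumption.

```python
# Added example: checks a raw disk image for the traces MJ-1513 is described as
# leaving. Fixtures are constructed here; nothing is read from a real disk.

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
MJ_OFFSET = 0xC8


def chs_to_lba(cylinder, head, sector, heads=16, sectors_per_track=63):
    """CHS (1-based sector) to LBA for an assumed geometry. 0/0/2 is LBA 1 for any geometry."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def sector_at(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def relocated_mbr_suspected(image):
    """A bootable sector at CHS 0/0/2 alongside the real MBR at LBA 0 is
    consistent with a boot-sector virus that stashed the original MBR there."""
    saved = sector_at(image, chs_to_lba(0, 0, 2))
    return has_boot_signature(sector_at(image, 0)) and has_boot_signature(saved)


def mj_marker_sectors(image):
    """LBAs whose byte pair at offset C8h reads 'mj'. Two bytes alone are a weak
    indicator (expect chance hits on large images); a cluster of hits is what matters."""
    count = len(image) // SECTOR
    return [i for i in range(count) if sector_at(image, i)[MJ_OFFSET:MJ_OFFSET + 2] == b"mj"]


# --- constructed fixtures ---------------------------------------------------------

def make_clean_image(sectors=8):
    """Constructed disk image: a boot sector in LBA 0, zeroed sectors after it."""
    mbr = bytearray(b"\xfa\x33\xc0" + b"\x90" * (510 - 3))   # cli; xor ax,ax; nop padding
    mbr[510:512] = BOOT_SIG
    return bytes(mbr) + bytes(SECTOR * (sectors - 1))


def model_infected_layout(image):
    """Model of the layout the description implies: original MBR moved to LBA 1,
    a placeholder loader in LBA 0, and the 'mj' marker in one data sector (LBA 2).
    This only rearranges bytes for the detector to examine; it is not the virus."""
    original = sector_at(image, 0)
    loader = bytearray(b"\xeb\xfe" + b"\x00" * (510 - 2))   # jmp $ placeholder
    loader[510:512] = BOOT_SIG
    rest = bytearray(image[2 * SECTOR:])
    rest[MJ_OFFSET:MJ_OFFSET + 2] = b"mj"
    return bytes(loader) + original + bytes(rest)


if __name__ == "__main__":
    clean = make_clean_image()
    infected = model_infected_layout(clean)
    print("clean:    relocated MBR?", relocated_mbr_suspected(clean),
          "mj sectors:", mj_marker_sectors(clean))
    print("infected: relocated MBR?", relocated_mbr_suspected(infected),
          "mj sectors:", mj_marker_sectors(infected))
```

On a real image the relocated-MBR check is the one to trust: if LBA 1 holds a boot sector, that saved copy is also the cleanest source for restoring the original MBR once the loader in LBA 0 has been captured for analysis.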


Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It's a matter of luck.

Source: https://habr.com/ru/post/310778/
