
Security Week 30: Adups at it again, caching the uncacheable, a dangerous payload in Docker containers

This story began a long time ago, last year, when researchers from Kryptowire came across suspicious traffic coming from a Chinese smartphone they had picked up cheaply. Digging into the device's firmware, they found that the OTA update system was a full-blown backdoor: between firmware updates it spent its free time spying on the user.

FOTA (firmware over the air), a software module from the Shanghai Adups Technology Company, sent literally everything somewhere in China: SMS, IMSI and IMEI, the call log, the device's geographic coordinates. The Adups website proudly stated that their wonderful FOTA is used on 700 million devices. These are mainly Chinese smartphones and not-so-smart phones, as well as navigators, smart car radios and every other gadget with an Internet connection.

After the considerable scandal, Adups stated that, firstly, they weren't spying at all, secondly, certainly not on the instructions of Chinese government agencies, and, thirdly, they hadn't done it on purpose and never would again. Almost a year has passed.

And Kryptowire has again taken up the subject of Adups's misdeeds. Unbelievable, but true: our hero carries on in the same vein. More precisely, it still sends base station identifiers, the list of installed applications, and SIM and IMSI serial numbers to China. Tested on two models - Blu Grand M and Cubot X16S.

The main thing in all of this is not even the fact that Adups did not stop spying, but that someone continues to use their products a year after the magic trick was exposed.

A new method of extracting personal data from servers was shown at BlackHat

The current BlackHat conference in the USA is good, and the reports from it are interesting. Here, for example, our man in Las Vegas writes that Omer Gil from EY Advanced Security Center presented a new way of attacking CDN services like Akamai and Cloudflare - hacking without breaking in. This is when, under certain conditions, the server serves up cached pages belonging to another user.

The researcher described the attack mechanism as follows. Suppose there is a URL, 'www.example.com/personal.php', that refers to content with sensitive data that is not supposed to be cached. The attacker gets the victim to request 'www.example.com/personal.php/bar.css' (there are plenty of ways to do this). In response, the server serves the page 'www.example.com/personal.php' with the victim's sensitive information, since the victim's browser sends its cookies along. At the same time, the caching proxy quite reasonably treats 'www.example.com/personal.php/bar.css' as a request for a non-existent but cacheable file bar.css and stores the contents of '/personal.php' under that URL instead.

Exactly the same trick can be pulled off with more than 40 extensions: aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd and zip. After that, the attacker calmly enters the URL of interest and receives from the cache a page containing the personal data that was entered, for example a payment card number. According to Gil's experience, cached files in the services in question are kept for about five hours. Worse, a cached response may contain CSRF tokens, session identifiers, and answers to secret questions, which already smacks of account hijacking.

To their credit, both services, Akamai and Cloudflare, acknowledged the problem. They cannot prevent such an attack themselves and urge webmasters to take care of protecting their sites, so that a request for a non-existent file does not return the content of the parent path.
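The mechanism described above, as an added simulation that is not part of the original post or the researcher's work: a caching proxy that decides cacheability purely by the path's file extension (as the post says the CDNs do) sits in front of a hypothetical origin. The vulnerable origin serves '/personal.php' for any path beginning with it; the hardened origin applies the fix the CDNs recommend and returns 404 for the bogus suffix, so nothing sensitive ever reaches the cache. The session cookie, account record and extension subset are constructed for the example.

```python
"""Web cache deception, modelled as a caching proxy in front of a toy origin.

Added example; the origin, its session cookie and the account data are
constructed. STATIC_EXTENSIONS is a subset of the extension list in the post.
"""
import posixpath

STATIC_EXTENSIONS = {"css", "js", "gif", "jpg", "jpeg", "txt", "zip"}


def extension_of(path):
    """File extension the proxy keys its caching decision on ('' if none)."""
    _, ext = posixpath.splitext(path)
    return ext.lstrip(".").lower()


class Origin:
    """Hypothetical origin server with one sensitive page, /personal.php."""

    def __init__(self, hardened):
        self.hardened = hardened
        # constructed account data keyed by session cookie value
        self.accounts = {"sess-alice": "Alice, card ending 4242"}

    def handle(self, path, cookies):
        user = cookies.get("session")
        if self.hardened:
            # Fix: only the exact path is the personal page; '/personal.php/anything'
            # is a non-existent file and gets a 404, never the parent's content.
            is_personal = path == "/personal.php"
        else:
            # Vulnerable: trailing path segments are ignored (PATH_INFO style).
            is_personal = path == "/personal.php" or path.startswith("/personal.php/")
        if is_personal:
            if user not in self.accounts:
                return 302, "redirect to /login"
            return 200, self.accounts[user]
        return 404, "not found"


class CachingProxy:
    """Caches any 200 response whose URL looks like a static file, as the post
    describes; it never looks at who sent the request."""

    def __init__(self, origin):
        self.origin = origin
        self.cache = {}

    def get(self, path, cookies=None):
        if path in self.cache:
            return self.cache[path]
        status, body = self.origin.handle(path, cookies or {})
        if status == 200 and extension_of(path) in STATIC_EXTENSIONS:
            self.cache[path] = (status, body)
        return status, body


def run_scenario(hardened):
    """Returns (what the victim saw, what a cookie-less visitor then gets)."""
    proxy = CachingProxy(Origin(hardened))
    # Step 1: the logged-in victim is lured into requesting the bogus path.
    victim_sees = proxy.get("/personal.php/bar.css", {"session": "sess-alice"})
    # Step 2: anyone else requests the same URL with no cookie at all.
    other_sees = proxy.get("/personal.php/bar.css")
    return victim_sees, other_sees


if __name__ == "__main__":
    for hardened in (False, True):
        victim, other = run_scenario(hardened)
        print("hardened" if hardened else "vulnerable", "->", victim, other)
```

With the vulnerable origin the second, cookie-less request is answered from the cache with Alice's data; with the hardened origin the bogus path is a 404 and the cache stays empty. Note that the proxy here deliberately ignores cache-control headers, matching the post's description; honouring them on the CDN would be a second, independent layer.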

They have learned how to hide malware in Docker containers

Cool stories keep coming from the BlackHat USA conference. This time the participants went after Docker. This thoroughly modern tool for debugging and deploying applications in a virtualized environment is now used by many developers. Researchers at Aqua Security have shown how malware can be embedded in Docker containers, essentially building a false bottom.

First you need to find a victim - a developer using Docker for Windows. Then you have to get them to visit a specially prepared site where malicious JavaScript sits; it creates a new container on the victim's machine, which in turn pulls malicious code from the repository. Persistence on the machine is provided by a script that preserves the container at shutdown and launches it when Docker starts.

A temporary solution is to update Docker, allow only authenticated clients to access the daemon over the network, block port 2375 on the Moby Linux virtual machine's interface with a firewall, and disable LLMNR and NetBIOS on all computers to keep the malicious code from spreading over the network.
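A small audit check for the "authenticated clients only" part of that advice, added here as an example and not taken from the post or from Aqua Security's research. It parses a Docker daemon configuration (`daemon.json`) and flags an API listener on `tcp://` that is not protected by `tlsverify` and the TLS certificate keys, or that is bound to every interface. The keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real Docker daemon options; whether a given Docker for Windows install exposes port 2375 through this file or through its own settings dialog is an assumption, so treat the check as one input to a review rather than a complete one. Both configurations below are constructed.

```python
"""Flag unauthenticated remote Docker API exposure in a daemon.json.

Added example. Assumes the daemon reads its listeners from the "hosts" key
and its TLS settings from "tlsverify" / "tlscacert" / "tlscert" / "tlskey".
"""
import json

# Listeners that accept connections from every interface.
ALL_INTERFACES = ("tcp://0.0.0.0", "tcp://[::]", "tcp://:")
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_daemon_config(config_text):
    """Return a list of human-readable findings (empty list means no issue found)."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only a unix socket / named pipe: no network exposure
    if not cfg.get("tlsverify"):
        findings.append(f"TCP API listener without tlsverify: {tcp_hosts}")
    for key in TLS_KEYS:
        if key not in cfg:
            findings.append(f"tlsverify needs {key}, which is not set")
    for host in tcp_hosts:
        if host.startswith(ALL_INTERFACES):
            findings.append(f"API bound to all interfaces: {host}")
        if host.endswith(":2375"):
            findings.append(f"port 2375 is the conventional plaintext port: {host}")
    return findings


# Constructed configurations for the example.
INSECURE_CONFIG = json.dumps({"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]})
SECURED_CONFIG = json.dumps({
    "hosts": ["tcp://127.0.0.1:2376", "unix:///var/run/docker.sock"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
LOCAL_ONLY_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONFIG), ("secured", SECURED_CONFIG),
                       ("local-only", LOCAL_ONLY_CONFIG)):
        print(name, audit_docker_daemon_config(text) or "OK")
```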

How dangerous such an attack is remains unclear, but potentially this is a real way of slipping something into the build pipeline of popular applications. The consequences could be very sad. It won't seem like a small thing to anyone.

Antiquities


"Drop-1131"

A resident, non-dangerous virus. Infects COM and EXE files in the standard way when they are accessed. Intercepts int 1Ch and 21h. Depending on the value of its internal counter, it rather actively drops letters down the screen.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 66.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. Depends on luck.

Source: https://habr.com/ru/post/334378/
