Category Archives: News

Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)

This month’s scheduled Firefox release is out, with the new 102.0 version patching 19 CVE-numbered bugs.

Despite the large number of CVEs, the patches don’t include any bugs already being exploited in the wild (known in the jargon as zero-days), and don’t include any bugs labelled Critical.

Perhaps the most significant patch is the one for CVE-2022-34479, entitled: A popup window could be resized in a way to overlay the address bar with web content.

This bug allows a malicious website to create a popup window and then resize it to overwrite the browser’s own address bar.

Fortunately, this address bar spoofing bug only applies to Firefox on Linux; on other operating systems, the bug apparently can’t be triggered.

As you know, the browser’s own visual components, including the menu bar, search bar, address bar, security alerts, HTTPS padlock icon and more, are supposed to be shielded from manipulation by untrusted web pages rendered by the browser.

These sacrosanct user interface components are known in the jargon as chrome (from which Google’s browser gets its name, in case you were wondering).

Browser chrome is off-limits to web pages for obvious reasons – to prevent bogus websites from misrepresenting themselves as trustworthy.

This means that even though phishing sites often reproduce the look-and-feel of a legitimate website with uncanny precision, they aren’t supposed to be able to trick your browser into presenting them as if they were downloaded from a genuine URL.


[Image: Uncanny resemblance but fortunately the wrong URL! Side-by-side view of a recent scam targeting a South African bank.]

Image-based RCEs

Intriguingly, this month’s fixes include two CVEs that have the same bug title, and that permit the same security misbehaviour, even though they’re otherwise unrelated and were found by different bug-hunters.

CVE-2022-34482 and CVE-2022-34482 are both headlined: Drag and drop of malicious image could have led to malicious executable and potential code execution.

As the bug name suggests, these flaws mean that an image file that you save to your desktop by dragging-and-dropping it from Firefox could end up saved to disk with an extension such as .EXE instead of with the more innocent extension you were expecting, such as .PNG or .JPG.

Given that Windows annoyingly (and wrongly, in our opinion) doesn’t show you file extensions by default, these Firefox bugs could lead you to trust the file you just dropped onto your desktop, and therefore to open it without ever being aware of its true filename.

(If you save the file by more traditional means such as Right click > Save Image As…, the full filename, complete with extension, is revealed.)

These bugs aren’t true remote code execution (RCE) vulnerabilities, given that an attacker needs to persuade you to save content from a web page onto your computer and then to open it up from there, but they do make it much more likely that you would launch a malicious file by mistake.

As an aside, we strongly recommend that you tell Windows to show all file extensions, instead of secretly suppressing them, by changing the File name extensions option in File Explorer.

[Image: Turning on “Show file name extensions” on Windows 11]

Fixes for Follina!

Last month’s Big Bad Windows Bug was Follina, properly known as CVE-2022-30190.

Follina was a nasty code execution exploit whereby an attacker could send you a booby-trapped Microsoft Office document that linked to a URL starting with the characters ms-msdt:.

That document would then automatically run PowerShell code of the attacker’s choice, even if all you did was browse to the file in Explorer with the preview pane turned on.

Firefox has weighed in with additional mitigations of its own by essentially “disowning” Microsoft’s proprietary URL schemes starting with ms-msdt: and other potentially risky names, so they no longer even ask you if you want to process the URL:

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.

What to do?

Just visit Help > About Firefox to check what version you’re on – you’re looking for 102.0.

If you’re up-to-date then a popup will tell you so; if not, the popup will offer to start the update for you.

If you or your company has stuck to the Firefox Extended Support Release (ESR), which includes feature updates only every few months but delivers security updates whenever needed, you’re looking for ESR 91.11.

Remember that ESR 91.11 denotes Firefox 91 with 11 updates’ worth of security fixes, and because 91+11 = 102, you can easily tell that you’re level with the latest mainstream version as far as security patches are concerned.

Linux and BSD users who have installed Firefox via their distro will need to check with their distro for the needed update.


Harmony blockchain loses nearly $100M due to hacked private keys

Another day, another De-Fi (decentralised finance) attack.

This time, online smart contract company Harmony, which pitches itself as an “open and fast blockchain”, has been robbed of more than $80,000,000 worth of Ether cryptocoins.

Surprisingly (or unsurprisingly, depending on your point of view), if you visit Harmony’s website, you’ll probably end up totally unaware of the massive loss that the business just suffered.

Even the business’s official blog, linked to from the website, doesn’t mention it.

The most recent blog article dates to the very start of 2022, and is entitled Lost Funds Investigation Report.

Unfortunately, those lost funds aren’t these lost funds.

Those earlier losses apparently happened at the start of the year, when five individuals were ripped off to the tune of just over 19 million of Harmony’s ONE tokens, then worth about 25 US cents each.

Harmony made an offer, back on 04 January 2022, stating that:

We wish to provide the suspect an opportunity to communicate with the Harmony Foundation and return all funds. Harmony will not pursue further legal action or dox your identity so long as we receive your full cooperation. The team will offer you a bounty to reveal how this theft was performed so long as it can be validated.

We’re not sure whether it’s legal for a company to offer to rewrite history to pretend that an unauthorised and probably illegal hack was actually legitimate research, though it did seem to work in the infamous $600 million hack of Poly Networks.

The perpetrator in that case made a flurry of curious pseudo-political blockchain announcements ALL IN CAPS, written in artificially poor English, to claim that money wasn’t the motivator behind the crime.

Ultimately, after currying favour with the cracker by adopting the nickname Mr White Hat, Poly Networks (to many people’s astonishment, including our own) got most of their funds back.

We’re also not sure just how much insulation from prosecution any offer from the victim not to “press charges” is likely to provide, given that in many countries, it’s the state that usually takes the decision to investigate, charge and prosecute suspects for criminal offences.

Some countries, such as England, do give private individuals (including professional bodies or charities) the right to conduct a private prosecution if the state doesn’t want to do it, but they don’t give crime victims a “corollary right” to prevent the state from prosecuting a case if it does want to do so.

Nevertheless, Poly Networks’ unexpected success in recovering more than half-a-billion dollars has encouraged other cryptocurrency businesses to try this “wipe the slate clean” approach, presumably on the grounds that there’s often not much else they can do.

But it doesn’t seem to work terribly often.

It certainly didn’t seem to work for Harmony in January 2022, though if the perpetrator hasn’t yet been able to cash out their ill-gotten gains, they might regret not taking up the offer.

By 15 January 2022, when Harmony’s fake “bug bounty offer” expired, ONE tokens peaked at $0.35, but have since sunk to below 2.5 cents each, according to CoinGecko.

Once more unto the not-a-breach

That hasn’t stopped Harmony trying the bug-bounty-based historical revisionist approach once again, contacting the June 2022 hacker via the Ether blockchain to say:

The Harmony team is interested in communicating and negotiating. Please reach out at security@harmony.one to start a conversation. Communication can be anonymous.
ID: 0xc8f0dbe83ef36ab59c1fd57099d5ed98c65ff71d0cc69d0084ca570ee26141bb

Since then, numerous other chancers, jokers and cryptocommentators have stepped up to the blockchain as well to say…

Technology is the primary productive force, amazing, great god, I hope you can give me some tokens, I wish you good luck and get away perfectly
ID: x337edbfeb3c6aba36b02e90015be51f0057995eebbe6d8d1f26205ed8449d19c

1 for bless you
6 for stress you
ID: 0x08b7f4914dab2170cdc2ed2cc9760c8478bb3652670cb2fe16f5302c3ad98701

Hello, I think your skills are very good and I admire you very much. I heard that you are being investigated. I wish you good luck. Also, can you send me a little eth if you can? I am a poor man with a family to support and my children are still young, thank you so much, God bless you
ID: 0x505e8914fd0e926e53ef85ba78b7a4e73db564f36fa62a3585383f7cd33be2c8

大哥,给我发1个eth,我感谢你呀,大佬呀,你试大佬啊,你真的是大佬
(Bro, send me 1 eth. I thank you, bro. You really are my bro!)
ID: 0x14ced8b1ec700ce93413e3e537c75beffd7846a68bbda53cabb5cf641296a02e

I love you, will you have e-sex with me?
ID: 0x77dfa12c1d21d7385764d48a72c075c12a1ccd843457e4e364e2a7249fbe9cff

In case you’re wondering, the hacker or hackers seem to have made off with at least the following funds, with the US$ values below computed based on a rate of ETH1 = US$1100 (the rate at the time of writing [2022-06-27T17:50Z] is actually closer to $1200 than $1100):

ETH total IN Approx value Transaction ID
-------------- -------------- ------------------------------------------------------------------
ETH 4,570.000 $5,027,000.00 0xb4d60d5161b8508098d9c21834377eaded6b8668d205dfe4bfa7b6dd30f7a192
ETH 3,899.000 $4,288,900.00 0x9cdf447483508d632c5531c5dac8ed31486c0f054c0004bc80a9e07521b3d506
ETH 7,077.000 $7,784,700.00 0xb1d78f2eeea53f1624eea3020409d47c55c868ecf3e0f896e672d04f23fac007
ETH 9,850.000 $10,835,000.00 0x9eced2a4fbc3d95a8ea1a10dd4215b6bf7cbc633d06405e9f052a35f11c59f69
ETH 4,439.000 $4,882,900.00 0x4cceded4cce367631ab6cc11288bd0840d9f9a537b982e1b903205f274fc38a4
ETH 4,431.000 $4,874,100.00 0x9cd567022752e35be9bb429e030a28efad63bcd86ffb3c48ac661c5f966e7aab
ETH 7,990.000 $8,789,000.00 0xdd37bafa2b0941df21e5c5f97558462b394a6013f756954700060ccd354f7eb2
ETH 5,380.000 $5,918,000.00 0xc8382891f4c60c86e5485816a3d79dc5a96b77ad1538b3eb1ee747f7cc18bc46
ETH 14,190.000 $15,609,000.00 0x8447ae8f9367d2f9217355065f620c4e099bfe0ecb4db0e94eb2b32246c859c7
ETH 4,965.000 $5,461,500.00 0x6650ff5c97a026258a25f9e8b15f77f68f34f6f9d5fd39b28bcce316f3b8ef87
ETH 4,919.000 $5,410,900.00 0x02a9727da800d2bb2000f346b28e925d3fffcd88f4ec2e5c0df6753dc8873139
ETH 43.394 $47,733.49 0x3eb9dd782d1c80b292c068ad657f444cba842e6757d1f3b4190c79d7651164b2
ETH 911.000 $1,002,100.00 0x134baf1e5da1ad9f2c99cad48149ac629fdf51cb44a14370756dc02c06510b99
ETH 75.000 $82,500.00 0x62a0a9f6a3ce55f7af494a0e8735a2ba00c5f30cc7b662b899db91099a3dfe60
ETH 30.000 $33,000.00 0x31b5e79ea63ffe4cc00521ec5d2224953ee0ce0cc7cf2284063c02dd494d1e15
-------------- --------------
ETH 72,769.394 $80,046,333.49

Earlier today, despite Harmony offering a $1,000,000 “bounty” and saying it will “advocate for no criminal charges”…

…the hacker seems to have paid out a substantial chunk of the above ETH72,769 to an account that doesn’t seem to be connected with Harmony, or at least isn’t being claimed by Harmony:

ETH total OUT Approx value Transaction ID
-------------- -------------- ------------------------------------------------------------------
ETH 18,036.300 $19,839,930.00 0x2f259dec682ccd6517c09b771d6edb439f1925e87b562a72649a708fdd0511e1

At least one apparently panicked customer has reached out more desperately and eloquently than some of the other commenters to say:

BISH! DIDN'T YO MAMA TEACH YOU NO MANNERS? WHAT THIS SENDING 7m ONLY. JUST SEND US SOMETHING LET US KNOW YOU TAKING THE RIGHTEOUS PATH. OHH I SEE SO NOW YOU HAVE 97m IN ETHER AND JUST TAKING OFF A LITTLE OF THAT CREAM. OKAY BISH LOOKING GOOD YOU RETURN THAT 97M AND HARMONY CREW GOTS TO RESPECT THAT, 3 A MAGIC NUMBER AND ALL THAT SHI. I AIN'T SLEPT FOR DAYS, GIVE US A SIGNAL BISH, ANYTHING!!!!
ID: 0x3db5cd2270c27808d282a3efccd33342da69312ba07561e2a11a6f1716b0b259

What happened?

Harmony’s write-up so far suggests that the attacker or attackers pulled off this heist even though the fraudulent transactions required multiple signatories, with each signer having their private key split between two storage locations, one local and one on a keyserver.

Unfortunately, it seems that even though the “multisig” process in this case required two of five trusted parties to co-sign, the attackers were nevertheless able to compromise two of the five private keys needed.

Apparently, Harmony has now decided to require four of the five trusted parties to co-sign, though you could argue that with two of the five having already demonstrated their unreliability, that’s equivalent to restoring the status quo of requiring “two trusted parties”.

Also, what Harmony hasn’t revealed (and may not yet even know) is whether there was a common reason for the compromise of the two private keys that led to the unauthorised transfers.

After all, there’s no point in having N-factor authentication where N > 1 if there’s a common point of failure between all N factors.

For example, if you have laptops with hard disks protected both by boot-time passwords and by one-time code sequences generated by a mobile phone, you effectively have 3FA, so that an attacker needs to: possess the laptop; know the password; and either be able to unlock the user’s phone or recover the seed for the code sequence.

But if you have a user who writes their password and their authenticator seed code on a sticky label and pastes it on the bottom of their laptop, then you are straight back down to 1FA: all security rests in possession of the laptop itself.

Don’t be that user!

And don’t let any of your friends or colleagues be that user, either…


FTC warns of LGBTQ+ extortion scams – be aware before you share!

Sadly, over the years, we’ve needed to write numerous Naked Security warnings about romance scammers and sextortionists.

Although those are general-sounding terms, they’ve come to refer to two specific sorts of online crime:

  • Romance scamming. This typically refers to a long-game confidence trick in which cybercriminals court your online friendship under a bogus identity, often by “borrowing” images, a name and a life story from someone else’s dating site account. Romance scammers may be prepared to invest weeks, months, or even years, into building an entirely fictitious, but apparently totally serious, online relationship. They may even propose marriage along the way. During this time they will abuse your trust to milk you for financial “help”, for example for visa fees, lawyers’ bills, airline tickets, medical expenses, and possibly much more.
  • Sextortion, also known as “porn scamming”. This usually refers to blackmail messages that claim to have taken screenshots showing you viewing porn online, while at the same time catching you on your webcam. Porn scammers usually claim to have acquired their “evidence” by implanting malware on your computer to give them remote access. In reality, there are no screenshots and there is no video, but the criminals often include some personal data about you, usually acquired from an old data breach, to scare you into thinking their malware story might be true. The data is often a phone number, postcode or old password of yours.

The good news in the case of a porn scam is that the crooks don’t have anything on you, and the “malware” they claim to have implanted on your computer is just a pack of lies.

The bad news, however, is that there is a form of online sexual extortion that is effectively a hybrid of romance scamming and porn scamming, where the criminals involved do indeed have content with which to blackmail you.

Dating site extortion revisited

These hybrid “romance-combined-with-porn-scam” criminals typically approach you on a dating site, just like the romance scammers mentioned above, and court your interest, but they don’t take their time to milk you for money over an extended period.

Instead, they persuade you to exchange explicit photos, often leading you to think you can trust them by sending you their own explicit photos first. (As you can imagine, they use other people’s photos, not their own.)

Sadly, the scam then unfolds just like the porn scam mentioned above: “Pay hush money or we’ll spread the news to people you don’t want to know about it.”

The difference in this case, of course, is that the criminals do indeed have explicit material.

Unlike the old-school porn scammers, that part of the story isn’t a bluff, because they’re using the photos you sent to them under the mistaken impression you could trust them.

Worse still is that, while sexual blackmail is bad enough in general, there are some specific victims who are even more vulnerable than others, notably those whose sexuality is a secret to start with.

FTC warning

The US Federal Trade Commission (FTC), America’s consumer protection body, has therefore issued a very particular warning about this sort of extortion to people in the LGBTQ+ community who aren’t yet “out”.

As the FTC explains:

[The criminals] usually work something like this: a scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return. If you send photos, the blackmail begins. They threaten to share your conversation and photos with your friends, family, or employer unless you pay — usually by gift card.

Other scammers threaten people who are “closeted” or not yet fully “out” as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll “ruin your life” by exposing explicit photos or conversations.

Whatever their angle, they’re after one thing — your money.

What to do?

  • Consider using your favourite search engine for a reverse image search. This won’t always catch out scammers, but it may help you spot that someone you just “met” on a dating site isn’t the person they’re claiming to be. In other words, if your reverse image search gets no useful hits, that doesn’t prove that the person who contacted you is genuine. But if you do get a hit against someone else’s profile, you can immediately be sure you’re dealing with a scammer.
  • Be aware before you share. In many countries, it’s not illegal to send explicit photos to other people with the consent and understanding of both parties. But this requires you not only to trust the other person completely, but also to trust that they won’t themselves suffer a hack or data breach in which the information you shared with them gets scooped up and sold on by someone else entirely.
  • If in doubt, don’t give it out. If there’s information that you don’t want to be public knowledge, whether that’s something as simple as your phone number or as intimate as your sexuality, don’t make it semi-public by entrusting it to people you don’t really know and haven’t actually met. Once you’ve given it out, there’s no certain way to recall it, no matter how co-operative the people you shared it with might seem to be.
  • Don’t pay the blackmail money. There’s no way to be sure that the criminals really will delete the data as they claim. Worse still, even if they genuinely do delete their copies, you’ve got no guarantee that they didn’t sell the data on before scamming you, or that they weren’t themselves hacked by other crooks between receiving your photos and concluding their blackmail campaign.

One real-life reminder of how cybercriminals sometimes turn on each other is the infamous Conti ransomware breach from August 2021, in which aggrieved affiliates of the Conti ransomware “services” turned on the operators of the scheme by publicly dumping an archive file called Мануали для работяг и софт.rar (operating manuals and software).

Reporting online fraud

Whatever your sexuality, and whatever the type of scam you get hit with, remember that if you are in the US, you can report online fraudsters at: https://reportfraud.ftc.gov.

The FTC’s online form is easy to use; you can supply as much or as little information as you know or want (as far as we can see, you can identify yourself as much or as little as you like, too); and you can report scams as varied as “just an annoying call”, fake love interests, phoney government officials, and fraudulent investments.

In the UK, use: https://www.actionfraud.police.uk/

In Europe use: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online

In Canada, use: https://www.antifraudcentre-centreantifraude.ca/

In Australia, use: https://www.cyber.gov.au/acsc/report

In New Zealand, use: https://report.netsafe.org.nz/hc/en-au/requests/new




OpenSSL issues a bugfix for the previous bugfix

If you’re an OpenSSL user, you’re probably aware of the most recent high-profile bugfix release, which came out back in March 2022.

That fix brought us OpenSSL 3.0.2 and 1.1.1n, updates for the two current fully-supported flavours of the product.

(There’s a legacy version, 1.0.2, but updates to that version are only available to customers paying for premium support, and given the changes and improvements in the product since the days of 1.0.2, we urge you to jump ahead to a mainstream version even – perhaps especially – if you plan to continue paying for support.)

The March 2022 update was a vital reminder that deeply-buried code with unusual bugs may end up getting overlooked for years, especially if that code is part of a complex, specialised, low-level function.

The bug fixed back then related to a special-purpose algorithm for computing what are known as modular square roots, which are more complicated to calculate than regular square roots.

Unfortunately, the code to perform this calculation, using an algorithm first discovered in the 1890s, was clumsily coded, tortuously written, poorly commented, and hard to follow.

However, given that it wasn’t in an obvious “externally-facing” part of OpenSSL, and given that rewriting it would have been a daunting task, we’re assuming that it was tested carefully for the correctness of its answers when presented with well-formed numbers, but not probed for its robustness when faced with unlikely input.

Because, when faced with digital certificates that had been booby-trapped to produce ill-formed numbers, OpenSSL’s BN_mod_sqrt() function could be tricked into looping forever, trying to close in on an answer that didn’t exist.

When you work only with integers, and disallow fractions of any sort, you find that many numbers don’t have modular square roots, just as you find that many integers don’t have regular square roots. Thus 7×7 = 49, so 49 has a square root that is a whole number, namely 7. But there’s no integer that can be multiplied by itself to give 50, or 51, because the next “perfect square” is 8×8 = 64. You can try for as long as you like, but you will never find a whole-number answer for √51.

Never actually incorrect, just incomplete

In other words, although OpenSSL’s BigNumber code (many encryption algorithms rely on working with numbers that are hundreds or even thousands of digits long) never gave a wrong answer, it sometimes didn’t realise that there wasn’t an answer to find, and would get stuck in an infinite loop.
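To show what “incomplete rather than incorrect” means in code, here is an added example (our own illustration, not OpenSSL’s BN_mod_sqrt() and not the page’s code) of a modular square root routine. It uses the Tonelli-Shanks algorithm, but first applies Euler’s criterion to decide whether a square root exists at all, bounds every search loop so that ill-formed (for instance non-prime) moduli can never make it spin forever, and verifies any answer before returning it. The function name mod_sqrt and the sample values are ours.

```python
"""Added example: modular square root that terminates on bad input.

mod_sqrt(a, p) returns r with r*r % p == a % p when p is an odd prime and a is
a quadratic residue, and None otherwise. Every loop is bounded, so a modulus
that is not actually prime (as in a booby-trapped certificate) cannot cause an
endless search for a root that does not exist.
"""


def euler_criterion(a: int, p: int) -> int:
    # a^((p-1)/2) mod p: 1 for a residue, p-1 for a non-residue (when p is prime)
    return pow(a, (p - 1) // 2, p)


def mod_sqrt(a: int, p: int):
    if p < 3 or p % 2 == 0:
        return None                      # only odd moduli are handled here
    a %= p
    if a == 0:
        return 0
    if euler_criterion(a, p) != 1:
        return None                      # no root: say so instead of looping

    if p % 4 == 3:                       # fast path, no search needed
        r = pow(a, (p + 1) // 4, p)
        return r if r * r % p == a else None

    # Tonelli-Shanks: write p - 1 = q * 2^s with q odd
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # find a quadratic non-residue z; bounded, because a composite "prime"
    # might never yield one
    z = 2
    while euler_criterion(z, p) != p - 1:
        z += 1
        if z >= p:
            return None

    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # least i with t^(2^i) == 1; for a genuine prime i < m always holds
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                return None              # invariant broken: modulus is not prime
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p

    return r if r * r % p == a else None  # never hand back an unverified answer


if __name__ == "__main__":
    # constructed sample values: 10 is a square mod 13 (6*6 = 36 = 10 mod 13),
    # 5 is not, and 2 is a square mod 17 (6*6 = 36 = 2 mod 17)
    for a, p in [(10, 13), (5, 13), (2, 17), (4, 15)]:
        print(f"sqrt({a}) mod {p} ->", mod_sqrt(a, p))
```

The final verification line is the cheap insurance that was missing from the original algorithm: whatever the loops produce, a value is only returned if squaring it really gives back the input.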

This infinite loop, which could be abused to provoke what’s known as a Denial-of-Service attack (DoS), could be triggered if a malevolent website sent across a booby-trapped digital certificate.

This meant, ironically, that software that was scrupulous about validating digital certificates could be brought to its knees via this bug, dubbed CVE-2022-0778, while programs that didn’t bother with certificate validation at all weren’t affected by it.

Given the important “teachable moments” revealed by this bug, we covered it in detail not only on Naked Security, where we explained how to write a better style of code, but also on Sophos News, where SophosLabs showed the gory details of how a booby-trapped certificate could trigger the flaw, and how to debug the code to understand the bug.

Two more security holes in the meantime

The next OpenSSL update was 3.0.3, or 1.1.1o for users of the previous release, which patched a bug that wasn’t considered a major flaw (at least, we didn’t cover it on Naked Security), mainly because the bug wasn’t in the OpenSSL encryption library code itself.

Instead of affecting all software that relied on OpenSSL as its cryptographic provider, CVE-2022-1292 just affected a utility script, written in Perl, that came along with the OpenSSL toolkit.

This script, known as c_rehash (short for certificate directory rehash) is a little-known tool that takes a directory of cryptographic certificate files, such as the ones maintained as trusted certificate authorities (CAs) by Mozilla, and creates a list of file hashes that can help software find specific certificates more quickly than searching an alphabetical list of names.

For example, Mozilla’s CA certificate directory looks like this…

$ ls -l /usr/share/ca-certificates/mozilla
-rw-r--r-- 1 duck duck 2772 2022-06-23 05:32 ACCVRAIZ1.crt
-rw-r--r-- 1 duck duck 1972 2022-06-23 05:32 AC_RAIZ_FNMT-RCM.crt
-rw-r--r-- 1 duck duck 904 2022-06-23 05:32 AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt
[. . .]
-rw-r--r-- 1 duck duck 1302 2022-06-23 05:32 emSign_Root_CA_-_G1.crt
-rw-r--r-- 1 duck duck 774 2022-06-23 05:32 vTrus_ECC_Root_CA.crt
-rw-r--r-- 1 duck duck 1911 2022-06-23 05:32 vTrus_Root_CA.crt

…while OpenSSL’s c_rehash script generates a list of symbolic links that allow individual certificates to be located via hashes based on the issuer’s name in the certificate itself, rather than via its filename:

lrwxrwxrwx 1 duck duck 23 2022-06-24 13:41 002c0b4f.0 -> GlobalSign_Root_R46.crt
lrwxrwxrwx 1 duck duck 45 2022-06-24 13:41 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.crt
lrwxrwxrwx 1 duck duck 36 2022-06-24 13:41 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.crt
[. . .]
lrwxrwxrwx 1 duck duck 19 2022-06-24 13:41 fe8a2cd8.0 -> SZAFIR_ROOT_CA2.crt
lrwxrwxrwx 1 duck duck 23 2022-06-24 13:41 feffd413.0 -> GlobalSign_Root_E46.crt
lrwxrwxrwx 1 duck duck 49 2022-06-24 13:41 ff34af3f.0 -> TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt

Some software relies on these “hash links” to act as a kind of basic database system for indexing and finding specific certificates.

Furthermore, some operating system distros automatically invoke the c_rehash script in the background to keep these special-purpose links up to date.

Shell metacharacters considered harmful

Unfortunately, the script relied on the Perl system() function (or an equivalent command) to calculate the file hashes, and the system() function automatically launches a command shell, such as Bash, to launch any needed sub-programs.

And, as you probably know, command shells don’t always treat their command-line arguments literally, so that if you put special characters in those arguments, the shell handles them in potentially dangerous ways.

For example, the command echo runthis literally prints the text runthis, but the command echo $(runthis) doesn’t directly print out the characters $(runthis).

Instead, the so-called metacommand $(runthis) means command substitution, so it says, “Run the command runthis and replace the $(...) part with the output of that command when it’s finished”:

# argument treated literally, no metacharacters found
$ echo runthis
runthis

# tries to execute 'runthis', but no such command exists
$ echo $(runthis)
-bash: runthis: command not found

# runs two commands, collects output of both
$ echo $(whoami; uname -s -r)
duck Linux 5.18.6

If the risk posed by $(...) sounds familiar, that’s because it was the metacommand vulnerability that was exploited in the recent “Follina” bug on Windows. To learn more, and see that bug live in action, you can watch our recorded webinar. Just click on the image below. [Registration required, access is immediate thereafter.]

What got fixed?

Scripts that accept untrusted input from someone else – whether that’s a string typed into a web form or a made-up filename supplied from outside – need to be very careful not to allow these special metacommands to leak out as shell arguments when relying on the command shell for running external utilities.

Below, you can see the code that was changed from 1.1.1n to 1.1.1o:

A Perl command of the form `...` (a command between backticks, such as `runthis`, is simply an old-fashioned way of writing the $(runthis) command substitution) was replaced with a dedicated internal function called compute_hash that takes greater care with weird metacharacters in the constructed command string.

Well, it turns out that the maintainers didn’t quite catch all the places in this utility script where an external command was run without due care and attention.

This week therefore saw the release of OpenSSL 3.0.4 and 1.1.1p, to fix another risky system command in the c_rehash utility:

This time, it was a call-out to the cp (copy file) command via the shell-based system() function that was replaced with a safer, dedicated internal function called copy_file.
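The two fixes described above (compute_hash and copy_file) are both instances of one rule: don’t let a filename you didn’t choose become part of a string that a shell will parse. The following added example is ours, written in Python rather than the Perl of c_rehash, and is not OpenSSL’s code. It takes a certificate-style file whose name contains $(...), and shows the risky pattern (a command string handed to the shell, with echo standing in for cp or openssl so the demonstration is harmless) next to the safe pattern (an argument list with no shell, and an in-process copy). The file hash used here is a plain SHA-256 of the file contents, a stand-in for the subject-name hash the real script computes, and the certificate bytes are a constructed placeholder, not a real certificate.

```python
"""Added example: metacharacter-bearing filenames, with and without a shell."""
import hashlib
import os
import shutil
import subprocess
import tempfile

# Constructed placeholder, not a real certificate: only the bytes matter here.
SAMPLE_CERT = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
    b"-----END CERTIFICATE-----\n"
)

# A legal Linux filename that happens to contain a command substitution.
TRICKY_NAME = "$(echo INJECTED).crt"


def unsafe_echo_name(name: str) -> str:
    """The risky pattern: interpolate the name into a command and let a shell
    parse it. 'echo' stands in for cp/openssl; with shell=True the $(...) in the
    name is executed as a command before echo ever sees it."""
    done = subprocess.run("echo " + name, shell=True,
                          capture_output=True, text=True)
    return done.stdout.strip()


def safe_echo_name(name: str) -> str:
    """The fixed pattern: an argv list and no shell, so the name arrives at the
    program as one literal argument, metacharacters and all."""
    done = subprocess.run(["echo", name], capture_output=True, text=True)
    return done.stdout.strip()


def file_digest(path: str) -> str:
    """Hash the file in-process (no external command at all)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def safe_copy(src: str, dst: str) -> str:
    """Copy without a shell, the same idea as c_rehash's copy_file replacement."""
    shutil.copyfile(src, dst)
    return dst


def demo() -> dict:
    """Create the tricky file in a scratch directory and exercise both paths."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, TRICKY_NAME)
        with open(src, "wb") as f:
            f.write(SAMPLE_CERT)
        dst = safe_copy(src, os.path.join(workdir, "0123abcd.0"))
        return {
            "unsafe": unsafe_echo_name(TRICKY_NAME),   # name got "executed"
            "safe": safe_echo_name(TRICKY_NAME),       # name stayed literal
            "digests_match": file_digest(src) == file_digest(dst),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsafe path printing INJECTED.crt, because the shell substituted the $(...) before the command ran, while the safe path prints the filename exactly as stored and the copy comes through byte-for-byte. The same distinction exists in Perl: system() with a single string goes through the shell, whereas system() with a list of arguments (or a pure-Perl file copy) does not.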

This bugfix has the official identifier CVE-2022-2068.

As the OpenSSL changelog warns:

[The c_rehash] script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

What to do?

  • Update OpenSSL as soon as you can. If you are relying on your Linux distro to manage a centrally-installed copy, check with your distro maker for details. If you’re relying on your own build of OpenSSL instead of (or as well as) a system-wide one, don’t forget to update that copy, too. You’re looking for 3.0.4 or 1.1.1p. Run openssl version to see what version you’ve got.
  • Consider retiring the c_rehash utility if you are using it. The all-in-one utility openssl, which is commonly used for generating and signing certificates in the first place, now includes a built-in sub-command called rehash to do the same job. Try openssl rehash -help for further information.
  • Sanitise your inputs and outputs. Never assume that input you receive is safe to use as-is, and be cautious with the data you pass on as output to other parts of your code.
  • Be vigilant for multiple errors when reviewing code for specific types of bug. A programmer who was careless with a system() command at one place in the code may have made similar mistakes elsewhere.

Programmers often produce (or reproduce) the same sort of bug many times, usually for perfectly innocent and understandable reasons.

Either they weren’t aware of that class of bug at the time they worked on the code, or they took a “temporary shortcut” to speed up prototype work but never went back and tidied up later, or they copied-and-pasted someone else’s flawed code and made it their own…


S3 Ep88: Phone scammers, hacking bust, and data breach fines [Podcast + Transcript]

LISTEN NOW


  • [00’22”] Duck gets behind the Ducks.
  • [01’34”] 2000 phone scammers arrested in Interpol action.
  • [11’12”] A three-year-old hacking case ends in conviction.
  • [17’13”] Canadian financial company picks up enormous data breach fine.

With Paul Ducklin and Chester Wisniewski.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

PAUL DUCKLIN (DUCK).  [MUSICAL MODEM] Hello, everybody.

Welcome back to the Naked Security Podcast.

As you can hear, I am not Doug. I’m the other one, Duck.

Doug is away this week, so I am joined by my trusty friend and colleague from Vancouver, Chester Wisniewski.

Hello, Chet!


CHESTER WISNIEWSKI (CHET).  Hey, Duck.

It’s good to be back on the podcast – ringing in the summer on the Naked Security Podcast.


DUCK.  Yes, Happy Solstice!

You’ve been on the road, haven’t you, lately?

For the first time in quite a while?


CHET.  I did “faux-RSA” a couple of weeks back in San Francisco, where you go to San Francisco and you meet with people at RSA, but you don’t actually go into the room where RSA is, because people don’t know how to wear masks.

Which turned out good for me, because RSA was a bit of a super-spreader event.

But I didn’t have a good enough sense to stay home, so I’m podcasting this week with you from lovely Anaheim, California, very near the D in the DMCA, the Disney Millennium Copyright Act, across the street from Disneyland.


DUCK.  And the home, I’m delighted to say, of the Anaheim Ducks, no less?


CHET.  Yes, though they are less mighty than they once were.


DUCK.  Ohhhh… I was going to say, “I think I could get behind a team with a name like that, Chester.” [LAUGHS]

So, let’s jump into this week’s cybersecurity stories, Chester.

The first one – I’d love to hear your take on this; we wrote it up this week on Naked Security.

It’s all about phone scammers and the fact that they’re quite hard to deal with, because there are fake call centres all over the world.

But Interpol, every year, has a kind of a multi-country phone scammer “takedown fest” that they call First Light.

This year’s ran for two months, and involved more than 70 countries.

And although that sounds like a lot of work, and it really was, nevertheless, they were able to make something of a dent, busting 2000 suspects and confiscating $50,000,000, if you don’t mind, at 1700 locations around the world.

So, it seems there’s no shortage of money, sadly, for phone scammers.

It still pays the bills for them, sadly.


CHET.  Well, that explains why we probably get so many of those phone calls, especially those of us that are silly enough to still have non-mobile telephones.

For some reason, my VoIP number, that at one past time was a landline…

…I think it’s probably getting four or five times as many of these calls coming in as I get on my mobile number.

But it is an impressive result – I think it’s important to remind people that this isn’t one giant cybercrime group that operates in 70 countries.

It’s more of a co-ordinated effort directed toward this problem in general.

So, this is probably hundreds of individual groups making up the 2000-plus arrests.

But it does show what a global problem it is.

Presumably, with 70 countries, they’re not all English-speaking.

There are going to be people scamming in many different languages, with many different sets of victims, not just English-speaking countries.


DUCK.  Indeed!

And along with those 2000 arrests and the $50 million, apparently that involved the freezing of 4000 different bank accounts.

So, as you say, it’s not just one giant group with a few subsidiaries.

It’s sort-of a “giant group of giant groups”.

And from some of the videos I’ve seen online, where people have, rightly or wrongly… when they’ve had a call and gone online with the scammers, they’ve been able to go in backwards like a sort-of a reverse shell, but for CCTV, so they can see what’s going on in the call centre while they’re being scammed.

Some of these are not tiny operations.

They are hundreds of people in what is effectively a call centre set up professionally, as a call centre.

But they’re not making professional calls.

They’re making crooked calls.


CHET.  Yes.

And, I mean, this is without going down the cryptocurrency rabbit hole.

Those 4000 bank accounts… good luck if those were bitcoin wallets or Monero or something, right?

I mean, the traditional financial system at least gives us an opportunity to seize those funds and hopefully maybe even redirect that money back toward the victims that were scammed in the first place.

But when we look at so many of these rug-pulls and cryptoscams that are going on, generally the money’s never recovered.


DUCK.  Because $50 million has been frozen, just of what hadn’t been moved out of the accounts yet, in this operation…

…that suggests there are a lot of friends and family that we could be reaching out to who are still in desperate need of being told what to listen out for.

Because these guys are very persuasive, aren’t they?


CHET.  Yes.

The polish on their scripts, and the amount of people they’ve probably previously victimised, unfortunately seems to have given them professional experience at being con-artists.

OK, I imagine that’s true of many con-artists in any traditional scam out there, but the fact that there are humans involved makes the victims less on their guard.

I think we’ve gotten so used to scammy things in our email that, once we get on the telephone and there’s an empathetic person on the other end of the line who seems to be trying to help us, it makes us extra-susceptible to going along with the scam.

Even though there may be many red flags, or at least amber-coloured ones, all along the path.


DUCK.  So, what’s your advice for people to advise their favorite Aunt, their Mum, their cousin, their friends who aren’t as tech savvy?


CHET.  It’s tough giving people advice.

I mean, there are two groups out there, right?

You’re asking, “What do you tell the vulnerable group?”

There’s also, of course, a lot of people, like the folks that listen to this podcast, whom I often interact with, where they will say, “Oh, I spent an hour on the phone with them.”

And I guess that’s okay if you’ve got an hour to waste, but you’re probably not actually accomplishing much by tying them up on the telephone for too long.

It seems to be that, due to the savviness of the criminals these days, they have very little tolerance for being played with in a cat-and-mouse game.

They’ll just hang up on you, and get angry, and move on to the next victim.

So I’m not sure that spending all that time on the phone is terribly useful.

As for our family members, I think we have to go back to the same type of advice we’ve been trying to give people for years, about the incoming call that pretends to be from the tax authority in your country, or pretends to be from the police.

In this case, of course, it’s outgoing calls… you’re being tricked into calling them in many cases, which I guess lends more credibility to this.

But the reminder to family and friends works in both directions.

You should be suspicious of things that you’re not expecting to occur.

Most of us have tried to call and get customer support from many large companies, or for that matter local government, or police or different bodies.

And it’s usually a lot more difficult than you’d think!

And so, if you call a number and people instantly answer and want to help you, sadly, that is an indicator that something might be wrong.

You should always be verifying that phone number you’re calling.

If it says it’s from your bank, then you get the number *off the back of your bank card*, which is the advice we’ve always given.


DUCK.  Exactly.


CHET.  And so it’s that same type of thing, right?

If it’s incoming, then you hang up and call back.

If you’re calling out, you don’t just trust a phone number because it shows up in an email – or a fax, or anything else for that matter.

You should *always* verify using some legitimate method: previous correspondence; a card you carry in your wallet; or perhaps the website that you regularly visit that’s bookmarked in your browser.

Make sure you’re using the correct contact information.


DUCK.  And absolutely don’t trust the number that shows up when they call you, just because you think it looks legit.

Because, as you’ve said before, Chester, when you were last on the podcast… you’d received a phone call, and they were obviously trying to pretend to be Amazon.

And they’d gone out of their way to get a Seattle, Washington number, so that you think, “Oh well, Amazon’s in Seattle – look, they’ve got the right dialling code!”

But that will always show up correctly if the crooks want it to, because they can pretty much come up with toll-free numbers for you to call at almost no cost to themselves, *and* they can make their outbound numbers look pretty much like what they want, can’t they?


CHET.  Yes, absolutely!

In fact, a lot of the scams like the ones that were busted in this enforcement action… the ones I’ve been receiving have been proclaiming to be from a lot of tech companies that have charged your card, that you need to get a refund, or there’s been some sort of clerical error and you need to reach out to them so they can sort out your account.

And what’s interesting is that none of these companies have I ever been able to reach by telephone, no matter how hard I’ve tried!


DUCK.  [LAUGHS] So that’s your telltale, is it?

“If you phone the number and someone answers, it must be a scam!”


CHET.  [WRY] Pretty much.

Have you ever tried to call Google?


DUCK.  Not personally, Chester.


CHET.  I recommend against it, in case you ever feel tempted.

The number of people that reach out to us about things like their Instagram accounts being stolen, and their Facebook accounts being stolen because they weren’t using multifactor authentication and so on…

You listen to these people describe their experiences trying to get support from Facebook or Instagram to resolve their issues, and it will quickly convince you that if you reach a human, it’s probably not real.


DUCK.  And, as Interpol went out of its way in its report to remind everyone, don’t be fooled if you’ve been scammed once and then you get a call from a lovely gentleman or lady who is “from law enforcement” who wants to help you because they know you’ve been scammed.

Because, as Interpol noted, one of the backstories that they came across, in amongst the very many, were scammers pretending to be Interpol!

In simple words, if I can finish up now on this topic, Chester:

  • Stop. Think. Connect.

And our other little jingle that we like to say:

  • If in doubt, don’t give it out.

Never feel cajoled, or pressurised, or sweet-talked into handing out information that you think you shouldn’t.


CHET.  And remember, as well, that it can be via *any* kind of communication mechanism.

I’ve been seeing these scams come in through text messages; I’ve been seeing them in emails; I’ve been getting them as telephone calls.

They don’t discriminate – it’s not always via electronic means, because all communication methods are susceptible to these types of attacks.


DUCK.  Absolutely!

And, as you said, they’re often a combination, aren’t they: you’ll get an email, and the email says, “We’re going to bill your account, but no worries, we’ve got this fantastic toll-free number you can call.”

So, Chester, let us move on to a story that looks like it’s finally coming to an end, three years after we first wrote about it.

And that is the conviction of a cybercriminal by the name of Paige Thompson, whom many people may remember was associated with a massive data download from Capital One, almost three years ago to the month.

And she’s finally been convicted not only of a whole load of offences relating to downloading vast quantities of data, but also of breaking into people’s cloud services to inject cryptomining software, so they pay for generating the cryptocurrency.

What’s the backstory here?


CHET.  Well, she at one point in time had worked for Amazon, and initially, I think folks were suspecting that perhaps she had inside information that allowed her to compromise these organisations.

But then, as we learned later, it wasn’t just Capital One.

I think there were close to 75 different organisations where she ultimately was able to get at data, because of misconfigured cloud firewall policies in Amazon’s AWS service.

And so she was able to write a script that scanned all of Amazon’s cloud customers to see who had made this error, and how they defined their firewall rules, which allowed her to then access sensitive information in their Amazon S3 buckets.

The charges were amended about a year later to include additional charges, as you say, for cryptomining at the expense of some of these customers who also had insecure EC2 instances, which is Amazon’s Elastic Compute Environment, where she did put some cryptominers in.

The bizarre thing is she bragged about all these crimes… that she had stolen 100 million records from Capital One, a US-based credit card firm, as well as a lot of university research institutions and other corporate entities that had these misconfigurations.

And to me, the installing of the cryptominers was another sign of this call for wanting attention or wanting credit, for “being clever” for doing this.

Because, as we’ve investigated in the past, when criminals install cryptominers, they largely don’t make more than $10 or $15.

It’s so difficult to intensively mine cryptocurrency before you get discovered that you generally don’t ever make any money.

But, of course, in the US legal system, that did multiply the impact of her crimes, because she had a profit motivation.


DUCK.  She used that as a way of saying, “Well, as you can see, I just wanted to prove a point,” didn’t she?

In other words, it’s sort-of passing herself off as a security researcher.

But it seems that neither law enforcement, nor the court, nor the jury bought into that theory.


CHET.  No, neither did I.

I was interviewed by the New York Times about her pending court decision just before she was convicted, and was asked, “Her defence attorneys were positing that she was a security researcher and that was going to be her defence.” And the Times was curious whether I thought that what she had done, under any circumstance, could be construed as legitimate security research.

I just have to ask the listeners, “Would you take one stolen credit card from the credit card company, or a Social Security Number and personal information, to prove that something was insecure?”

You *shouldn’t*, but you *might*.

“Would you take 100 million?”

That is a different level of intent!

To prove that you’re running code on something, the famous thing that we do in the hacker community, when you’re a legitimate security researcher, is what is often referred to as “popping a shell” or “popping a calculator”.

That’s generally the demo that you do to show that you have code execution on somebody’s computer when you shouldn’t.

And that literally refers to exploiting a bug and making the calculator show up on the Windows desktop, just to show that I can run stuff that I shouldn’t be able to.

You don’t then run cryptominers to personally profit from that crime!


DUCK.  Yes, I think that’s a very important point.

In fact, in the Naked Security article where we covered this, my first tip was not what companies can do to protect themselves against data breaches of this sort, but was more about, “If you want to get started in cybersecurity, read the rules for any engagement and follow them!”

And I guess the other thing that this proves very strongly, Chester, is that if you haven’t got your head around the idea that penetration testing, and scanning your own systems repeatedly and regularly in case things aren’t set up correctly…

…if you haven’t got your head around the fact that that is a good idea, well, this proves that if *you* don’t do it, the crooks surely will!

Because she essentially concocted what you might call an anti-security scanner, right?

Exactly the same sort of tool that you could use to find the holes and go, “Whoa! That’s not right, we need to fix that!”

But of course, once she’d found the hole, then she went diving in through it, which is why she got into a world of trouble.


CHET.  Well… if you need help finding these types of problems in your cloud environment, you might call us up.

We might have something called Sophos Cloud Optix that can help with that!


DUCK.  It’s funny you should say that, Chester, because somebody – I can’t think who it could have been [LAUGHS] – put a little advert for Sophos Cloud Optix at the bottom of the article on Naked Security.

The only bit of commercialism in the show, folks…

…Cloud Optix is a great service that helps you with what, in the jargon, we call Cloud Security Posture Management.

Basically, it helps you go out and look for things that should not be happening, and just as importantly, to confirm that the security settings you expect to be in place really are.

Because, like we said, if you don’t, somebody else will.

So, to finish up this episode, Chester, I would like to hear you talk about something which I’m sure is near and dear to your heart, because it’s 100% Canadian, and that is a very peculiarly-sized fine of…

…you think they would have rounded it down, but they didn’t: $200.9 million Canadian, that a financial organisation called Desjardins got fined for another breach.

This one did not have as many records affected as in the Capital One breach, but I guess more significant data was taken in the records that got stolen.


CHET.  Yes, I wanted to talk about this story because I think, too often, we feel like nothing happens to these companies when they’re careless with our data.

And even in the case of Capital One, while it was 100 million records, and I believe the fine was about $80 million, there was also, I think, another $100 million and some odd, almost $200 million in cost to Capital One from lawsuits related to that incident.

Indeed, they did not get off scot-free!


DUCK.  They did not!

So how did it pan out for Desjardins?


CHET.  Well, similar to Capital One, in this case, they had 4.2 million bank customers that were compromised through this attack, or their personal information was compromised.

And then, as you pointed out, the settlement was $200.9 million Canadian.

It does sound odd, but I was doing a little math in the background while you were introducing the topic, and I believe it’s around $50 per victim, which is how they ended up at the bizarre 200-point-9 million.

In this case, the incident at Desjardins was a rogue, malicious insider who had been accessing and using this information for more than 26 months.

And I suspect that may be why the penalty was so large for a much smaller number of victims compared to Capital One – because they had more than two years to discover this was occurring, and they either didn’t have the controls in place or didn’t take any action against said rogue employee.

One positive result from the Canadian point of view is that the Quebec legislature is now looking at updating and strengthening the privacy protections in Quebec as a result of this breach.

So the positive outcomes won’t just be payments to lawyers in the class action suit.

Hopefully a knock-on positive outcome might be stricter regulation that will prevent this from occurring to more victims.


DUCK.  Indeed.

And, as we mentioned in the article on Capital One on Naked Security, breaches can happen to anybody.

Let’s hope they don’t happen to you… but practising what you would do if you discovered a breach is *not* “planning to fail.”

It’s not an admission of guilt; it’s not saying, “Oh, well, we’re just saying we’ll never do the right thing.”

And it’s my considered opinion that actually if you practise what you would do if you had a breach: “Who do we have to talk to? Which regulatory body needs to know? Who’s going to take charge of talking to customers? What kind of language are we going to use?”…

…if you go through that exercise, even if it’s not the technical part of the security response, my gut feeling is you’re actually less likely to have a breach in the first place.

Because you’ve started thinking about the hard questions of what would happen if you did have one.

And nothing focuses the mind like having a dry run!


CHET.  And even those of us who have lots of practice and work in this field need to keep that in mind ourselves, right?

I mean, a colleague of ours, a couple of weeks ago was in this situation of, “Oh, don’t worry, I have backups of my firewall. Oh, wait. The backup stopped working in February.”

It’s easy for these things to escape notice when you’re not practising them.

Even if you had started off on the right path, maybe you’ve taken a slight veer off the path since the last time you reviewed them.

So, it’s not something that’s a one-time exercise either.

It needs to be maintained and practised so that you’re sure that all your protective controls are actually functioning.


DUCK.  Absolutely.

I know it’s a cliche, and I know it’s a truism, and we’ve said it very many times before on the Naked Security podcast, but if you don’t mind, Chester, I’m going to say it again…

“Security is a journey. It is not a destination.”


CHET.  Absolutely correct!


DUCK.  Well, Chester, thank you so much for stepping up to the microphone at short notice while you’re in… it’s in Orange County, isn’t it, Anaheim, no less?


CHET.  I am in Orange County, California.

That is correct.


DUCK.  So, thank you very much for making time in your hotel room to come on this week’s podcast.

I do appreciate your efforts, and it remains only for me to say to everybody who listened, thank you so much for doing so, and until next time…


BOTH.  Stay secure…

[MUSICAL MODEM]

