Version 2.4.49 of the Apache HTTP Server has a significant vulnerability, and it is already being exploited in the wild. CVE-2021-41773 is a straightforward path traversal flaw, where %2e encoding is used to slip a ".." past the path filtering. Fortunately, the bug was introduced in 2.4.49, the latest version, and a patch has already been released as 2.4.50.
curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
If it returns anything other than a 403 error, your server may be vulnerable. It should be noted that Apache ships with a configuration block that mitigates this vulnerability:
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
<Directory />
    Require all denied
</Directory>
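As an added example (not from the original post), here is why the encoded traversal defeats a substring filter applied before percent-decoding, and how a decode-then-walk check catches it; the request lines are constructed samples shaped like an Apache access-log request field:

```python
from urllib.parse import unquote

# Constructed sample request lines (not real traffic), shaped like the
# request field of an Apache combined-format access log.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1",
    "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1",
    "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /images/../index.html HTTP/1.1",
]


def naive_contains_dotdot(raw_path: str) -> bool:
    """A substring check on the raw (still percent-encoded) path. This is
    the kind of filter '.%2e' walks past: the raw string never has '..'."""
    return ".." in raw_path


def escapes_root(raw_path: str) -> bool:
    """Percent-decode first, then walk the segments and track depth, so a
    path that climbs above the URL root is flagged regardless of encoding.
    Segments are counted by hand because normpath() quietly clips a
    leading '..' instead of reporting it."""
    depth = 0
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def flag_traversal(request_lines):
    """Return the paths from the given request lines that escape the root."""
    hits = []
    for line in request_lines:
        _method, path, _proto = line.split(" ", 2)
        if escapes_root(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_REQUESTS):
        print("traversal:", path, "| naive check says:", naive_contains_dotdot(path))
```

The same decode-then-check order is what the 2.4.50 fix restores on the server side; a log scan like this is a cheap way to find attempts that landed before patching.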
The day the internet stopped
You may have noticed a bit of a kerfuffle on the internet on Monday: Facebook went dark for nearly six hours. While the break was pleasant for some, it was a major problem for others. What exactly happened? The most visible symptom was that DNS lookups for the facebook.com domain were returning NXDOMAIN. This led to some funny tweets, with screenshots showing Facebook.com for sale.
How much? https://t.co/fH0zXw7rV9
– jack⚡️ (@jack) October 4, 2021
Facebook has a blog post with all the details, and Cloudflare has a nice post on the fallout from their perspective. An unintentional BGP update was pushed to the entire Facebook network, taking their internal backbone offline. Facebook’s DNS servers continuously monitor internal network connectivity and stop advertising routes they consider unreachable, which automatically routes around problems in the normal case. Here, that automated behavior made the entire network disappear, compounding the problem.
With BGP and DNS offline, many tools and techniques that engineers would use to troubleshoot and fix the problem were also unavailable. Humorously, even the physical access controls were affected, meaning FB engineers were left out of the very data centers they needed to access to fix the problem.
Cloudflare has some interesting data from its 1.1.1.1 DNS resolver. Namely, when facebook.com stopped responding, DNS traffic exploded: global DNS queries for Facebook increased thirty-fold. If other domains were timing out or acting weird, it was probably because of this unintentional DNS DDoS. What caused it? Too many applications written without error handling for the disappearance of facebook.com. Or, to quote Cloudflare:
This happened in part because apps won’t accept an error for a response and start trying again, sometimes aggressively, and in part because end users also won’t take an error for a response and start trying to reload pages, or to kill and relaunch their applications, sometimes just as aggressively.
There has been speculation that a few other stories are related, namely the 1.5 billion user records offered on the dark web. As far as anyone can tell, these stories are unrelated, and the latest dataset for sale is simply the result of more scraping.
Twitch Leaks It All
Twitch, on the other hand, has a more serious problem on its hands. Source code, payment records, and internal tools have been released in a torrent titled “Part One”. Twitch confirmed the data is genuine, citing a server misconfiguration as the cause. There were a few surprises in the dump, like an in-development Steam competitor. Source code with commits dating back almost to the beginning of the service is also included. Time will tell if more data arrives. Either way, Twitch has a mess on its hands.
REvil’s Arrests – Maybe
This week, two arrests took place in Ukraine, with hints that they are related to REvil. Ukrainian officials said the group had been operating since March 2020 and demanded ransoms of up to $70 million. It would be quite ironic if the most notorious “Russian” malware gang turned out to have been operating from Ukraine.
Open source bug bounties
The Linux Foundation and Google’s Open Source Security Team have collaborated to create Secure Open Source Rewards. The new program is an ongoing bounty for developers who improve the security of open source projects. This effort is a little different from other bug bounties, as the focus is not on finding vulnerabilities but on work that prevents them. Examples include adding continuous integration testing to a project, or adding code signing and verification.
To be a valid target for paid work, the project being improved must be widely used or viewed as critical. Follow the link for more details. With potential payouts over $10,000, the work is well worth it. The big advantage of this program over conventional bug bounties is that there is less luck involved: rather than hoping to find a vulnerability, there is no shortage of projects that need better testing and verification.
The Ultimate Rickroll
[WhiteHoodHacker] posted his write-up on Rickrolling his entire school district, in what has to be the best senior prank ever. It all started when our aspiring hacker was a freshman and began analyzing the district’s IP space. The result was a whole bunch of devices, many with inadequate security, like security cameras that could be viewed without a password. These were eventually secured, but an IPTV system was also in place, and it was ripe to play with.
The idea of a senior prank seemed to have died with the COVID pandemic, but fate intervened and in-person classes resumed just in time. [WhiteHoodHacker] and his team dubbed the idea “The Big Rick” and put together an impressive operation to make it happen. A combination of default passwords and vulnerable IPTV equipment allowed them to multicast their pirate video and tell every TV and projector in the system to tune in at the same time. The embedded video is beautiful:
Now, as the write-up points out, this prank was technically a computer crime, and it would have been all too easy for the school district to press charges. Becoming a criminal because of a prank is a terrible way to start adult life. Fortunately, the district administration took it well, and this story ends happily.
Apple responded to [Denis Tokarev], who released iOS zero-days out of frustration with Apple’s security team. Unfortunately, Apple’s response includes no fixes or workarounds, just more assurances that they are still “investigating these issues.” In other words, nothing has really changed, and many security researchers remain frustrated.
OpenOffice released 4.1.11, containing the fix for CVE-2021-33035, which we discussed last week. Just a reminder: this means the vulnerability was effectively a zero-day for about a week prior to this release.