This Week in Security: Apache Nightmare, REvil Arrests? And the Ultimate RickRoll

Spread the love

The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>

The Day The Internet Stood Still

You might have noticed a bit of a kerfluffel on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning nxdomain to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.

Facebook has put up a blog post with all the details, and Cloudflare has a nice write-up on the fallout from their perspective. An unintentional BGP update was sent to the entire Facebook network, knocking their internal backbone network offline. Facebook’s DNS servers keep constant tabs on the connectivity to the internal network, and stop advertising inaccessible routes in an effort to automatically route around problems in normal cases. In this case, that automated behavior led to the entire network disappearing, making the problem worse.

With both BGP and DNS offline, many of the tools and techniques engineers would use to troubleshoot and fix the problem were also unavailable. Humorously, even physical access controls were affected, meaning that FB engineers were locked out of the very datacenters they needed to access to resolve the problem.

Cloudflare has some interesting insights from their 1.1.1.1 DNS resolver. Namely, when Facebook.com stopped responding, DNS traffic exploded, and global DNS queries for Facebook multiplied thirty-fold. If other domains were timing out or acting strange, it was probably because of that unintentional DDoS on DNS. What caused it? Too many applications written without error handling for facebook.com’s disappearance. Or to quote Cloudflare:

This happened in part because apps won’t accept an error for an answer and start retrying, sometimes aggressively, and in part because end-users also won’t take an error for an answer and start reloading the pages, or killing and relaunching their apps, sometimes also aggressively.

There has been speculation that a couple of other stories are related, namely the offered 1.5 billion user records being offered on the dark web. As far as anyone can tell, these stories are completely unrelated, and the latest data set for sale is simply the results of more scraping.

Twitch Leaks Everything

Twitch, on the other hand, has a more serious problem on its hands. Source code, payment records, and internal tools were released in a torrent labeled “part one”. Twitch has confirmed the validity of the data, citing a server misconfiguration as the cause. There were a couple of surprises in the dump, like an in-progress Steam competitor. Also included is the source code with commits going back basically to the beginning of the service. Time will tell if more data is coming. Either way, Twitch has a mess on its hands.

REvil Arrests — Maybe

This week a pair of arrests happened in Ukraine, with a few hints that it’s related to REvil. Ukrainian officials have stated that the actor had been operating since March 2020, and demanding ransoms as high as $70 million. It would be quite ironic if it turns out that the most famous “Russian” malware gang was actually operating out of Ukraine.

Open Source Bug Bounties

The Linux Foundation and Google’s Open Source Security Team have worked together to create Secure Open Source Rewards. The new program is an open ended bounty for developers making security improvements to open source projects. This effort is a bit different from other bug bounties, as the emphasis isn’t on finding vulnerabilities, but work to prevent problems. Examples are things like adding continuous integration testing to a project, or adding code signing and verification.

To be a valid target for payable work, the project being improved needs to be widely used or considered critical. Follow the link for more information on those details. With potential payouts over $10,000, the potential payoff is worth the work. The big advantage to this project over conventional bug bounties is that less luck is involved here. Rather than hoping to find a vulnerability, there is no shortage of projects that need better testing and verification.

The Ultimate Rickroll

[WhiteHoodHacker] has posted his write-up of Rickrolling his entire school district, in what must be the best senior prank of all time. It all started when our aspiring hacker was a freshman, and started scanning the district’s IP space. The result was a whole bunch of devices, many with improper security, like security cameras that could be viewed with no passwords. Those were eventually secured, but there was an IPTV system in place, and it was ripe for messing with.

The idea for a senior prank seemed to die with the COVID pandemic, but fate intervened, and in-class instruction resumed just in time. [WhiteHoodHacker] and his team dubbed the idea “The Big Rick”, and put together an impressive operation to pull it off. A combination of default passwords and vulnerable IPTV equipment allowed them to stream their bootleg video over multicast, and tell every TV and projector in the system to turn it on at the same time. The embedded video is glorious:

Now. As the write-up points out, this prank was technically a computer crime and it would have been all too easy for the school district to press charges. Becoming a felon because of a prank is a terrible way to start adult life. Thankfully, the district administration responded well, and this story ends happily.

Followups

Apple has responded to [Denis Tokarev], who released iOS zero days out of frustration with the Apple security team. Unfortunately Apple’s response doesn’t include fixes or workarounds, but just more assurances that they “are still investigating these issues”. In other words, nothing much has changed, and many security researchers are still frustrated.

OpenOffice has released 4.1.11, containing the fix for CVE-2021–33035, which we discussed last week. Just a reminder, that means that this vulnerability was available as a 0-day for about a week before this release.