This Week In Security: .zip Domains, Zip Scanning

The world may not be ready, but the .zip Top Level Domain (TLD) is here. It’s part of the generic TLD category, which was expanded to allow applications for custom TLDs. Google has led the charge, applying for 101 such new TLDs, with .zip being one of the more interesting ones. Public registration for .zip domains has been open for a couple of weeks, and some interesting domains have already been registered, like update.zip, installer.zip, and officeupdate.zip.

The obvious question to ask is whether this new TLD can be abused for scamming and phishing purposes. And the answer is yes, sure it can. One of the trickiest ways is to use the AT symbol @ in a URL, which marks everything before it as the userinfo portion of the URL rather than the host. It is usually used to include a username and password, like http://username:password@192.168.1.1/. That is pretty obvious, but what about https://google.com@bing.com? Still looks weird. The catch that really prevents this technique from being abused is that slashes are disallowed in userinfo, so an abusive URL like https://google.com∕gmail∕inbox@bing.com is right out.

Except, take a look at that last link. It looks like it has slashes in it, so it should take you to Google and ignore the AT symbol. But it doesn’t; it goes to Bing. You may have guessed: it’s Unicode shenanigans again. Those aren’t slashes, they’re U+2215, the division slash, which the URL parser treats as an ordinary character rather than a path separator. And that means a .zip TLD could be really sneaky, if the apparent domain is one you trust.
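To see which host a browser actually connects to for the URLs above, here is an added example (not code from the column) that runs the WHATWG URL parser built into Node.js and browsers over them and flags the features a defender would want to catch: a non-empty userinfo section, slash lookalikes inside it, non-ASCII characters anywhere in the string, and a hostname ending in .zip. The lookalike list beyond U+2215 is an assumption for illustration, not an exhaustive set.

```javascript
// Added example, not from the original column: show where "userinfo" URLs
// really go and produce a short list of reasons to distrust a link.

// U+2215 DIVISION SLASH is the character used in the column; U+2044 FRACTION
// SLASH and U+FF0F FULLWIDTH SOLIDUS are added here as further lookalikes
// (assumption: illustrative, not an exhaustive confusable list).
const SLASH_LOOKALIKES = /[\u2215\u2044\uFF0F]/;

// Return the host the browser would connect to, plus the reasons a defender
// would flag the link. Throws for strings that are not valid URLs at all.
function analyzeUrl(raw) {
  const u = new URL(raw);
  const reasons = [];
  // The parser percent-encodes non-ASCII userinfo; decode it to inspect the
  // characters the victim actually saw.
  const userinfo = decodeURIComponent(
    u.username + (u.password ? ":" + u.password : "")
  );
  if (userinfo) reasons.push("userinfo present: '" + userinfo + "' is not the host");
  if (SLASH_LOOKALIKES.test(userinfo)) reasons.push("slash lookalike in userinfo");
  if (/[^\x00-\x7F]/.test(raw)) reasons.push("non-ASCII characters in URL");
  if (u.hostname.endsWith(".zip")) reasons.push(".zip TLD: host reads like a file name");
  return { host: u.hostname, reasons };
}

// Sample links taken from the text above; the division-slash one is written
// with \u2215 escapes so the lookalike is visible in the source.
const SAMPLES = [
  "http://username:password@192.168.1.1/",
  "https://google.com@bing.com",
  "https://google.com/gmail/inbox@bing.com",          // real slashes: host is google.com
  "https://google.com\u2215gmail\u2215inbox@bing.com", // division slashes: host is bing.com
  "https://attachment.zip",
];

for (const s of SAMPLES) {
  const r = analyzeUrl(s);
  console.log(s, "->", r.host, r.reasons.length ? r.reasons : "(no flags)");
}
```

The same parser is what browsers use, so the `host` it reports is the one the click would reach; a mail gateway or link-rewriting proxy can apply `analyzeUrl` to every link it sees and warn on any non-empty `reasons`.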

Troy Hunt has some thoughts on the matter. The Godfather of compromised passwords points out that URLs are already ridiculously hard to parse at times, and once Unicode tricks are part of the problem, it’s basically impossible to tell a good URL by eye. His final gift: attachment.zip

Scanning Inside Zips

[Andrew Brandt] discovered something odd as part of his security research. He uses Microsoft SharePoint to share live samples of malware, always in zip archives password protected with “infected”. Just recently those files got flagged as containing malware in SharePoint.

For normal users, finding malware inside zip files is great. For a security researcher, it’s a huge hassle. But how is the SharePoint service looking inside encrypted zip files? It’s simple: Microsoft is automatically trying the most common passwords, as well as scraping users’ emails for obvious patterns like “the password is $password”. The default zip encryption in Windows is notoriously weak, so guessing works. Even so, it’s a bit unnerving for a cloud vendor to be automatically decrypting files in this manner.

Vulnerable Addons

There are a couple of high-priority vulnerabilities in web plugins this week. Up first is Essential Addons for Elementor, which has a flaw allowing an unauthenticated user to take over any user’s account. It’s a byproduct of the new password reset functionality, which fails to actually verify the password reset key. Considering that this WordPress plugin is installed on over a million sites, that’s a big problem. The flaw only exists between 5.4.0 and 5.7.2, with that release containing the fix. Make sure to patch right away, as this is a trivial problem to exploit, and it is now fully and publicly disclosed.

And over on PrestaShop, there’s a really nasty problem in a module called possearchproducts. In that one, an HTTP request can trigger an SQL injection attack, leading to full admin access to the site. The worst part is that this vulnerability is reachable even if the module is installed but not active on the site. It’s being actively used to steal credit card information. The author of this module seems to have abandoned development and is not responding to attempts at contact, so this looks like one to uninstall right away.

BlackLotus Fallout

Secure Boot on Windows has been broken by BlackLotus. This technique was found in the wild, and announced just a couple of weeks ago. Since then a patch has shipped, and a workaround for that patch has been found, allowing BlackLotus to continue to bypass Secure Boot and start running malware very early in the boot chain.

The latest bypass takes advantage of existing Secure Boot binaries that themselves have bugs, to get a toehold in the boot process. The solution is to add those binaries to the list of disallowed EFI binaries. The only problem is that those binaries are key to booting the Windows install disks and a handful of other tools. So the fix is being rolled out very slowly.

You can get the update now, but it’s a hassle, and intentionally so. In July a second update will make the process simpler, but still not revoke the binary signatures by default. And finally, in 2024, the revocation update will roll out for everyone. If you’re not using Secure Boot, this doesn’t really apply, but anyone relying on Secure Boot for system integrity should take a close look at this one.

Bits and Bytes

IPv6 is the relatively new kid on the Internet Protocol block, and as such, there are a bunch of code paths that haven’t been as well tested as their older IPv4 cousins. That’s true in the Linux kernel as well, as evidenced by the remote kernel panic that can be induced by a single IPv6 packet.

There’s another vm2 escape this week. This seems like an instance of one bug discovery leading to another, as we covered vm2 escapes about a month ago, too. This library is intended to allow running untrusted JavaScript code safely, and gets used by quite a few big vendors. This escape is pretty simple, and abuses error handling to get to real code execution outside the sandbox.

The Wemo Mini Smart Plug V2 has a FriendlyName problem. Namely, the bounds checking when setting said name happens only in the browser, and sending an un-Friendly Name directly to the device causes a buffer overflow. The overflow can be leveraged for Remote Code Execution, and could possibly be triggered via the Wemo cloud service. The device is past its end of life, so no fixes are coming. On the plus side, these devices run an ancient fork of OpenWRT, so it seems like a great opportunity to jailbreak and update to a modern release. Happy Hacking!