Open Redirect Vulnerability in Substack

Summary

Substack had an open redirect vulnerability in its login flow which would have allowed an attacker to facilitate phishing attacks. The vendor has deployed a fix for this issue.

Vulnerability Details

Substack is an online platform that allows users to create and operate free and paid subscription newsletters. This platform had an open redirect vulnerability in its login flow which would redirect users to any site once login completed. This could have been used by an attacker to facilitate phishing attacks targeting Substack users and steal their credentials.

The vulnerability was due to the fact that the “redirect” parameter in the login flow wasn’t validated to make sure that the redirect only goes to a specific set of URLs. The attacker could specify their own redirect URL as follows:

https://substack.com/sign-in?redirect=https://www.google.com

See screenshots below:

Vendor Response

Once a correct reporting channel was established, the issue was reported to the vendor and a fix was deployed limiting the redirect parameter to Substack-specific URLs.
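One way such an allowlist check can be implemented, as an added example that is not Substack’s actual fix; the allowed hostnames, the decision to accept their subdomains and the fallback target are assumptions:

```python
from urllib.parse import urlsplit

# Assumed allowlist: hosts a post-login redirect may land on (not Substack's real list).
ALLOWED_HOSTS = {"substack.com", "www.substack.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if target stays on the site: a root-relative path, or an
    http(s) URL whose host is on the allowlist (or a subdomain of one)."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example" is really
    # "//evil.example"; normalise before parsing so the check sees the same URL.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # No scheme and no host: accept only root-relative paths. A
        # protocol-relative "//host" never reaches this branch because
        # urlsplit puts the host into netloc.
        return candidate.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, or scheme-less "//host" forms
    host = parts.hostname  # lowercased; userinfo ("substack.com@") and port stripped
    if not host:
        return False  # e.g. "https:///evil.example" parses with an empty host
    return host in allowed_hosts or any(host.endswith("." + h) for h in allowed_hosts)


def safe_redirect_target(target, default="/"):
    """Value to actually redirect to: the requested target if safe, else default."""
    return target if is_safe_redirect(target) else default
```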

References

CWE: CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)

OWASP: Unvalidated Redirects and Forwards Cheat Sheet

Timeline

2021-07-08: Initial contact with the vendor, asking for a correct reporting channel
2021-07-09: Initial reply received, confirming communication channel; pinged again – no response from the vendor
2021-07-13: Pinged again – no response; pinged company co-founders on Twitter
2021-07-13: Communication with the vendor re-established, technical details sent
2021-07-23: Pinged for status, no response
2021-07-29: Vendor responded that a fix has been implemented
2021-07-29: Fix confirmed, vendor pinged for disclosure coordination – no response
2021-08-22: Public disclosure

Firebase CLI Installer Making Calls to Google Analytics

Firebase is a mobile and web application development platform provided by Google. One of the tools available for the platform is the Firebase CLI tool (GitHub repo) which helps developers interact with the platform from the command line. An automatic install script is offered among other options, which allows installation of the CLI tool via the “curl | bash” pattern as follows:

curl -sL https://firebase.tools | bash

As part of our ongoing research into supply chain attacks, we have been looking into bash installer scripts that make calls to external systems. First, there is no way to verify that the installer is legitimate. However, to our surprise, we also found that this script makes calls to Google Analytics as part of the installation process. There is no sensitive data being collected, but Google may still be collecting IP addresses of users installing the CLI. The source code for the installer script can be found here:

https://firebase.tools/

While this can be disabled, the documentation to do so is hard to find and is embedded within the installer script itself. We hope that Google will make this documentation more clear in the future. In any case, here is the documentation:

The actual code that makes these calls can be found here:

And here are all the analytics events triggered within the script:

send_analytics_event start
...
send_analytics_event uninstall_npm
...
send_analytics_event uninstall
...
send_analytics_event already_installed
...
send_analytics_event upgrade
...
send_analytics_event "missing_platform_$UNAME"
...
send_analytics_event failure
...
send_analytics_event missing_path
...
send_analytics_event success

New Tools for Addressing Supply Chain Attacks

In the recent codecov.io security incident, an attacker modified a shell script used by a common software development tool for code coverage. This modification did not take place at the original source code repository where it would have been visible to others, but after the code was packaged and placed on the web server from which it was served.

Prompted by this incident, we are now releasing new tools that provide information and detection of similar attacks against other projects. The scope is limited to attacks that modify the released code and do not touch the original source code. The following tools are now available:

  • dont_curl_and_bash – a list of projects that are installed directly off the Internet via a “curl | bash” manner along with possible mitigations
  • icetrust – a tool that can be used to verify a downloaded artifact such as a shell script before it is executed via methods such as checksums and PGP signatures
  • release_auditor – a tool that can be used to check if a GitHub release was modified after initial publication (see our earlier blog post for additional information)

Additionally, we are also providing two examples of how a continuous monitoring dashboard can be set up by project maintainers to detect such attacks. The following are available (screenshots below):

Security of Homebrew Bootstrap Process

As part of our ongoing research into supply chain attacks, we have been looking into the overall security of various OSS projects. Homebrew is one such project – providing Linux packages for macOS. The current bootstrap process retrieves the bootstrap shell script directly from GitHub and pipes it into bash without verification as follows:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

We had a discussion with the project maintainers around the security of this approach, and while it is not great security-wise, it is somewhat safer than hosting the script on an intermediate web server (like codecov.io), since changes will be noticed within a GitHub repo fairly quickly (similar to what happened with PHP).

Details of the discussion can be found here:

https://hackerone.com/reports/1166535
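For both the Firebase installer above and the Homebrew bootstrap, the alternative to piping straight into bash is to save the script, verify it against a checksum pinned out of band, and look at which hosts it contacts before running it. The following is an added Python illustration of that flow (not Firebase’s, Homebrew’s or icetrust’s code); the sample installer, its hostnames and the pinned hash are constructed:

```python
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

# Constructed stand-in for a downloaded installer. It imitates the
# send_analytics_event calls listed above but only prints, so running it is
# harmless. In practice the script is saved first, e.g. curl -fsSL URL -o installer.sh
SAMPLE_INSTALLER = """#!/bin/bash
send_analytics_event() {
  echo "would contact https://analytics.example/collect?ea=$1"
}
send_analytics_event start
echo "would download https://downloads.example/cli"
send_analytics_event success
"""

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def remote_hosts(script_text):
    """Distinct hosts named in http(s) URLs, so a reviewer can see which
    systems the script will talk to (CDNs, registries, analytics)."""
    return sorted(set(HOST_RE.findall(script_text)))


def check_installer(script, expected_sha256, allowed_hosts):
    """Return (ok, problems). ok only when the pinned checksum (obtained out of
    band, e.g. from signed release notes) matches and every host named in the
    script is one the reviewer expected."""
    problems = []
    actual = sha256_hex(script)
    if not hmac.compare_digest(actual, expected_sha256):
        problems.append(f"sha256 mismatch: got {actual}")
    text = script.decode("utf-8", errors="replace")
    problems += [f"contacts unexpected host {h}"
                 for h in remote_hosts(text) if h not in allowed_hosts]
    return (not problems, problems)


def run_if_trusted(script, expected_sha256, allowed_hosts):
    """Execute the script only if check_installer accepts it; True if it ran."""
    ok, problems = check_installer(script, expected_sha256, allowed_hosts)
    if not ok:
        for problem in problems:
            print("refusing to run installer:", problem)
        return False
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        subprocess.run(["bash", path], check=True)
    finally:
        os.unlink(path)
    return True
```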

Supply Chain Attacks via GitHub.com Releases

Summary

Release functionality on GitHub.com allows modification of assets within a release by any project collaborator. This can occur after the release is published, and without notification or audit logging accessible in the UI to either the project owners or the public. However, some audit information may be available via the GitHub APIs. An attacker can compromise a collaborator’s account and use it to modify releases without the knowledge of project owners or the public, thus resulting in supply chain attacks against the users of the project.

This issue was reported to the vendor – their response is that this is intended behavior and is an intentional design decision. While the vendor is planning improvements in this area, they are not able to provide additional details. GitHub.com paid plans and the GitHub enterprise server were not tested.

As a mitigation measure, project owners using GitHub.com are encouraged to use other methods for securing releases such as digitally signing releases with PGP. Users are encouraged to check digital signatures and use the GitHub.com release APIs to extract and verify release assets data.

Background

GitHub.com is a widely used tool for software development offering source code management (SCM) and other tools. It is used for hosting and distribution by many open source software (OSS) projects. The release functionality within GitHub.com offers a way to publish packaged software iterations as releases. These include a compressed snapshot of the source within the project as a .ZIP and .TAR.GZ file, as well as additional binary assets. This functionality is a common way for open source projects to distribute their releases.

Vulnerability Details

The release functionality on GitHub.com allows modification of assets within a release by any project collaborator, after the initial release is published. An attacker can use this gap to modify releases without the knowledge of project owners by compromising an account of any project collaborator, thus resulting in supply chain attacks against those using the project. The following specific issues facilitate this:

  • Release assets can be modified after initial publication – except for the source code snapshots
  • Any project collaborator can modify a release – there are no fine-grained controls to allow code access and not release access.
  • There is no notification or indication within the UI that a release was modified – to either the project owners or other collaborators, or the public. However, some data is exposed via API.
  • A “verified” flag is displayed if the Git commit was verified – but this only applies to the source code snapshot and not the other release assets

The releases API provided by GitHub does expose additional information about release assets, which could potentially be used to see if a release was modified. This information includes the username of the uploader and the timestamp when the upload took place. This can be compared to the main release metadata. An example of using APIs for checking releases can be found at our release_auditor project.

NOTE: Paid GitHub.com plans and the GitHub enterprise server were not tested.

Example of a release (see here):

Example of API response exposing asset data:

Steps to Replicate

The following steps can be used to replicate this issue:

  1. Alice creates a public repository on GitHub.com, and adds some code including a shell script “test.sh”.
  2. Alice invites Bob as a collaborator on this repository.
  3. Alice publishes a release including the shell script “test.sh” as a separate asset.
  4. Bob accesses the release, and modifies the “test.sh” script within the release.
  5. When viewing the release via GitHub.com UI, there is no indication the script was modified. Downloading the script shows that it is different from what Alice published.

Vendor Response and Mitigation

The issue was reported to the vendor via their bounty program. Their response is that this is intended behavior and is an intentional design decision. While the vendor is planning improvements in this area, they are not able to provide additional details.

GitHub.com paid plans and the GitHub enterprise server were not tested.

As a mitigation measure, project owners using GitHub.com are encouraged to use other methods for securing releases such as digitally signing releases with PGP. Users are encouraged to check digital signatures and use the GitHub.com release APIs to extract and verify release assets data.

An example of using APIs to check releases can be found in our release_auditor project.
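The asset fields the releases API exposes (uploader login, created and updated timestamps) can be compared against the release’s own author and publication time, as described above. The following is an added illustration of that comparison (not the release_auditor code); the release JSON is a constructed sample shaped like the GitHub API response and trimmed to the fields used, and the one-hour grace period is an assumption:

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the GitHub "get a release" API response,
# trimmed to the fields used here. It models the steps above: Alice published
# the release, then Bob re-uploaded test.sh two days later.
SAMPLE_RELEASE = json.loads("""
{
  "tag_name": "v1.0.0",
  "author": {"login": "alice"},
  "published_at": "2021-04-18T10:00:00Z",
  "assets": [
    {"name": "test.sh", "uploader": {"login": "bob"},
     "created_at": "2021-04-20T09:30:00Z", "updated_at": "2021-04-20T09:31:00Z"},
    {"name": "checksums.txt", "uploader": {"login": "alice"},
     "created_at": "2021-04-18T09:58:00Z", "updated_at": "2021-04-18T09:58:00Z"}
  ]
}
""")


def parse_ts(value):
    """GitHub timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_release(release, grace=timedelta(hours=1)):
    """Compare each asset's uploader and timestamps against the release metadata.
    Returns a list of (asset name, reason) findings; an empty list means nothing
    in the asset data contradicts the original publication."""
    findings = []
    publisher = release["author"]["login"]
    published = parse_ts(release["published_at"])
    for asset in release.get("assets", []):
        name = asset["name"]
        uploader = asset["uploader"]["login"]
        created = parse_ts(asset["created_at"])
        updated = parse_ts(asset["updated_at"])
        if uploader != publisher:
            findings.append((name, f"uploaded by {uploader}, but release published by {publisher}"))
        if created > published + grace:
            # Replacing an asset deletes and re-creates it, so created_at moves forward.
            findings.append((name, f"asset created {created - published} after publication"))
        if updated > created + grace:
            findings.append((name, "asset metadata changed after upload"))
    return findings


def fetch_release(owner, repo, tag):
    """Fetch release metadata from the public GitHub REST API (network call; the
    sample above is used instead when running offline)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/releases/tags/{tag}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```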

References

Example repository: https://github.com/nightwatchcyber/gh_release_test
GitHub.com docs: here, here and here
HackerOne report # 1167780
release_auditor: see here

Credits

Advisory written by Y. Shafranovich

Timeline

2021-04-18: Initial report submitted to the vendor
2021-04-20: Automated response received
2021-04-21: Vendor response received, intended behavior
2021-04-21: Request to disclose sent
2021-04-23: Vendor ok with disclosure
2021-04-25: Public disclosure – added a link to the OSS project

Local Denial of Service in Nissan Leaf EV (2018) Head Unit Display (CVE-2021-1000008)

Summary

The head unit display in the Nissan Leaf electric vehicle (EV) has a local denial of service vulnerability that can be used to lock up the screen. Once locked, the car remains drivable but the display can no longer be used (even if the car is turned off and on). The only way to unlock the screen is by removing and re-inserting the SD card containing the mapping data.

This was tested on the 2018 SV model of the Nissan Leaf, other Leaf models/trims and other Nissan models with similar SOS functionality may also be affected.

This issue has been reported to the vendor (Nissan), NHTSA and ICS-CERT. Since the vulnerability is low risk there is minimal impact on end users. The vendor has confirmed the issue, but no patch is currently available.

Details

The Nissan Leaf is an electric car which contains a head unit with a touch screen interface in the middle of the dashboard. This panel is used for entertainment and navigation functions such as playing music/radio, navigation and interfacing with cell phone operating systems such as Android Auto and Apple Play. This panel (#3) is separate from the meters and gauges screen (#2) used to display information regarding the operation of the vehicle itself (as seen below – from the owner’s manual):

Additionally, the Nissan Leaf, just like many other Nissan models, includes an SOS button located on the roof of the car above the passenger seat, which is intended to summon help in case of an emergency. This button is paired with the Nissan app and can be seen below (screenshots from Nissan’s video and manual):

The display has a denial of service vulnerability that can be used to lock up the screen. Once locked, the car remains drivable but the display can no longer be used (even if the car is turned off and on). The only way to unlock the screen is by removing and re-inserting the SD card containing the mapping data. The vulnerability seems to be the result of interaction between the SOS functionality and the rest of the software operating the head unit.

To replicate:

  1. The car being tested needs to be paired with the Nissan mobile app, and have the NissanConnect subscription enabled.
  2. Turn on the car, verify that NissanConnect with SOS functionality is enabled by checking that the little light on the SOS button is lit.
  3. Press the SOS button to trigger an emergency call.
  4. Immediately, press and hold the SOS button to cancel the call while turning off the car.
  5. The SOS call will lock the head unit, and will stay that way until the SD card is removed and re-inserted which reboots the display panel.

This was tested on the 2018 SV model of the Nissan Leaf, other Leaf models/trims and other Nissan models with similar SOS functionality may also be affected. If a NissanConnect subscription is not enabled on a particular vehicle, then it is probably not vulnerable because the SOS functionality is disabled.

Vendor Response and Mitigation

This issue has been reported to the vendor (Nissan), NHTSA and ICS-CERT. Once the report was routed to the correct team, the vendor responded quickly and confirmed the issue. Since the vulnerability is low risk there is minimal impact on end users. No patch is currently available.

A CVE will not be issued for this vulnerability by MITRE since MITRE doesn’t “assign CVE IDs for Local Denial of Service”. A CVE was issued by the Distributed Weakness Filing (DWF) project instead.

References

CVE (DWF): CVE-2021-1000008

ICS-CERT ticket # ICS-VU-984522
NHTSA case # 11308645
Nissan Information Security (IS) Case # 233758
Nissan Leaf (2018) manual: see here

Credits

The original discoverer of this issue is a minor and their full name cannot be disclosed for privacy reasons.

Timeline

2019-09-24: Initial report to the vendor
2020-01-01: Second report to the vendor, automated reply received
2020-01-27: Follow-up email sent to the vendor, no response
2020-01-28: Initial report to ICS-CERT
2020-02-08: Follow-up communication with ICS-CERT
2020-02-11: Draft advisory sent to both the vendor and ICS-CERT
2020-02-12: Reported to NHTSA
2020-02-12: CVE requested from MITRE
2020-02-16: CVE response received from MITRE
2020-02-16: Response from the vendor received (initial reports were misrouted)
2020-02 through 2021-03: Multiple phone and email communications with the vendor
2021-03-14: Public disclosure

2021-04-08: CVE assigned via DWF

CORS Misconfiguration in Verizon’s Residential Account Portal [2020]

Summary

The billing section of Verizon’s account portal for residential customers had a CORS misconfiguration issue which would have allowed another site in the same browser to download copies of bills in PDF format. The vendor has deployed a fix for this issue.

Because the vendor stopped responding, the issue is fixed, and a year has passed, we are now disclosing this publicly.

Vulnerability Details

Normal browser security mechanisms prohibit calls between websites not hosted on the same domain. An override mechanism called Cross-Origin Resource Sharing (CORS) exists for use cases where such functionality is desired. This mechanism employs several headers to allow clients and servers to signal each other when such functionality is desired. One of those headers is the “Access-Control-Allow-Origin” header sent by the server indicating which domains are allowed to access a given endpoint or API.

The billing download endpoint (“https://www.verizon.com/digitalservices/billing/billdownload/v1/downloadpaperpdf”) in Verizon’s residential control panel had a CORS misconfiguration. The “Access-Control-Allow-Origin” header was not restricted to the sites operated by Verizon, but instead simply mirrored the domain provided in the client’s request (via the “Origin” header). This could potentially allow other sites to access this endpoint and download the user’s bills in PDF format if they were logged in to the Verizon website at the same time.

This issue was tested on Firefox and it is not known if other browsers were also vulnerable.
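The difference between mirroring the “Origin” header and checking it against an allowlist, shown as an added example (not Verizon’s server code); the trusted origins are constructed, and the browser-side check is a simplified model of the CORS response rules:

```python
# Assumed set of origins allowed to call the billing endpoint (constructed, not Verizon's list).
TRUSTED_ORIGINS = {"https://www.verizon.com", "https://myaccount.example"}


def cors_headers_vulnerable(origin):
    """The misconfiguration: whatever Origin the browser sends is reflected back,
    with credentials allowed, so any site can read the logged-in user's bill."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_fixed(origin, trusted=TRUSTED_ORIGINS):
    """Only exact, allowlisted origins get CORS headers. Matching the full origin
    (scheme + host + port) avoids prefix tricks such as
    https://www.verizon.com.attacker.example. Vary: Origin keeps caches from
    serving one origin's headers to another."""
    if origin is None or origin not in trusted:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cross_origin_read_allowed(headers, requesting_origin, with_credentials=True):
    """Model of the browser's response check: may a page at requesting_origin
    read this response? A credentialed request (cookies sent) needs an exact
    origin match plus Allow-Credentials; the wildcard only works without cookies."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if with_credentials and headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return acao == requesting_origin


def reflects_arbitrary_origin(server_headers_for, probe_origin="https://probe.invalid"):
    """Check to run against an endpoint's CORS logic: send an origin nobody should
    trust and see whether it comes back usable in Access-Control-Allow-Origin."""
    return cross_origin_read_allowed(server_headers_for(probe_origin), probe_origin)
```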

Code To Replicate

The following code was used to replicate the issue originally:

Vendor Response

This issue was reported to the vendor and a fix has been deployed.

References

MDN Reference for CORS: see here
OWASP HTML5 Security Cheat Sheet: see here

Credits

Text of the advisory written by Y. Shafranovich.

Timeline

2019-10-09: Initial report to the vendor
2019-10-08: Vendor requests POC, POC sent
2019-10-24: Pinged for status
2019-10-29: Issue still being investigated
2019-11-30: Pinged for status, issue still being investigated
2019-12-14: Pinged for status, issue still being investigated
2020-01-30: Vendor pinged for disclosure coordination
2020-01-31: Issue fixed, vendor asks for confirmation
2020-02-02: Fix confirmed, asked for disclosure coordination
2020-02-13: Vendor requests a copy of proposed advisory for review
2020-02-17: Draft advisory provided for review; vendor asks to remove their name from the advisory, request is denied; vendor stops responding
2021-03-03: Public disclosure

Content Injection (RCE) in Yandex Browser for Android [2018]

Summary

The Yandex Browser Android application provided by Yandex can be injected with malicious content by an MITM attacker. Because this application is a web browser, this can lead directly to remote code execution (RCE) within the app. The root cause is lack of SSL being used in the help section of the app as well as some other links in the about section, homepage and search engines. Because these links are likely to be clicked on by users and may be considered by users to be “more trusted”, they should be protected.

The recommended fix is to change all of these to use HTTPS instead of HTTP. The vendor has been notified but has not fixed the issue since they do not consider it to be a security problem. No CVE has been assigned. The version tested is v17.11.1.628; it is not known if other versions are affected.

Since the vendor stopped responding in 2019, this is now publicly disclosed.

Vulnerability Details

Yandex Browser is a web browser application based on Google’s Chromium and made by Yandex. While monitoring network traffic of a test device running Android, we observed that the help section of the application makes an initial HTTP call to a non-HTTPS site, which then redirects to an HTTPS version. There are also additional hyperlinks within the about section and the homepage which do not use HTTPS, as well as some search engines as set in the settings. Because these links are likely to be clicked on by users and may be considered by users to be “more trusted”, they should be protected.

Because the initial call is done without HTTPS, it is possible for an MITM attacker to intercept this traffic and inject their own content. Since this is a web browser, this can result in remote code execution within the application, since all the content is web based.

Screenshots of the captured traffic:

Steps To Replicate (on Ubuntu 17.10)

1. Install the application on the Android device but do not start it.

2a. Install dnsmasq and NGINX on the Linux host:

sudo apt-get install dnsmasq nginx

2b. Configure NGINX by changing the following in /etc/nginx/nginx.conf:

default_type text/html;
charset utf-8;

3. Modify the /etc/hosts file to add the following entry to map the domain name to the Linux host:

192.168.1.x help.yandex.com

4. Configure the /etc/dnsmasq.conf file to listen on the IP and restart dnsmasq:

listen-address=192.168.1.x
sudo /etc/init.d/dnsmasq restart

5. Add a file with malicious content (you may need to use sudo):

cd /var/www/html
echo powned >mbrowser

6. Change the network settings on the Android test phone to static, and set the DNS server to “192.168.1.x”. AT THIS POINT – Android will resolve DNS against the Linux computer, which answers from the entries in its hosts file.

7. Open the app on the Android device, tap on the three vertical dots to the right of the URL bar, and select “Settings” to open the settings menu. Scroll to the bottom and tap “Help”.

We also checked the HSTS preload list maintained by Chrome and did not find the “help.yandex.com” domain on that list. Therefore, Chromium, on which this application is built, would not force HTTPS for these URLs by default.

All testing was done on v17.11.1.628 of the Android application using a Linux host running Ubuntu v17.10 and an Android test device running Android v7.

Additional Vectors – “About” Links

There are also several links within the about section that do not use SSL and lead to the same result. To reach that section, tap the “Settings” menu, scroll to the bottom and select “About”:

These include the following links:

  • “Build xxx” credits – uses domain “storage.ape.yandex.net”
  • “Blink” – uses domain “chromium.org”
  • “Chromium” – uses domain “www.chromium.org”
  • “Opera Turbo” – uses domain “www.opera.com”
  • “License Agreement” – uses domain “m.legal.yandex.ru”

Screenshots of captured traffic below:

Additional Vectors – Homepage

There are also several links within the homepage of the application that do not use SSL and lead to the same result. To reach that section, open the app and drag the screen down to display all of them. They also show up as a banner at the top of the Android screen in other apps – to see this, go anywhere in the OS and drag down the top of the screen. Screenshots:

Of these, the following do not use SSL / HTTPS:

  • YouTube – uses domain “m.youtube.com”
  • Booking – uses domain “www.booking.com”

Screenshots of traffic attached:

Additional Vectors – Search Engines

Some of the search engines that the browser supports are also not configured to use SSL, thus allowing for injection. To reach the search engine settings, tap the right side of the URL bar with the vertical “three dots” icon to show the settings menu, then scroll down to “Search Engine”. Screenshots attached:

In particular, the following search engines are affected:

  • Bing (which is used by default) – uses domains “m.trovi.com”, “m.bing.com” and “www.bing.com”

Screenshots of captured traffic attached:

Recommended Mitigation and Vendor Response

The recommended fix is to change all of these links to use HTTPS instead of HTTP. The vendor doesn’t consider these to be a security issue and has no plans to fix these issues at this time.

Users should consider using a different browser.

References

Google Play Link: https://play.google.com/store/apps/details?id=com.yandex.browser

Credits

Text of the advisory written by Y. Shafranovich.

Timeline

2017-12-17: Initial report to the vendor via their bounty page
2017-12-25: Initial vendor reply rejecting the bug, and our follow-up
2018-01-14: Reminder email sent to the vendor
2018-01-15: Vendor unable to replicate the issue
2018-01-23: Reply to vendor sent
2018-01-25: Follow-up communications with the vendor
2018-01-26: Vendor asks for video
2018-02-10: Videos and payloads sent to the vendor
2018-02-14: Reminder email to vendor sent
2018-02-22: Vendor rejecting the report, and a follow-up communication
2018-02-25: Draft advisory sent to the vendor for review, along with another video
2021-03-03: Vendor stopped responding in 2019; public disclosure

Network Vulnerability in Oracle Database – CVE-2021-2018

Summary

Vulnerability in the Advanced Networking Option component of Oracle Database Server can lead to an MITM attack. Supported versions that are affected are 18c and 19c (Windows platform only).

Details

Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option.

CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts)

CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

References

CVE Database: CVE-2021-2018

Vendor advisory: see here