Local Denial of Service in Nissan Leaf EV (2018) Head Unit Display (CVE-2021-1000008)

Summary

The head unit display in the Nissan Leaf electric vehicle (EV) has a local denial of service vulnerability that can be used to lock up the screen. Once locked, the car remains drivable but the display can no longer be used (even if the car is turned off and on). The only way to unlock the screen is by removing and re-inserting the SD card containing the mapping data.

This was tested on the 2018 SV model of the Nissan Leaf, other Leaf models/trims and other Nissan models with similar SOS functionality may also be affected.

This issue has been reported to the vendor (Nissan), NHTSA and ICS-CERT. Since the vulnerability is low risk there is minimal impact on end users. The vendor has confirmed the issue, but no patch is currently available.

Details

The Nissan Leaf is an electric car which contains a head unit with a touch screen interface in the middle of the dashboard. This panel is used for entertainment and navigation functions such as playing music/radio, navigation and interface with cell phone operating systems such as Android Auto and Apple Play. This panel (#3) is separate from the meters and gauges screen (#2) used to display information regarding the operation of the vehicle itself (as seen below – from the owner’s manual):

panel

Additionally, the Nissan Leaf just like many other Nissan models includes an SOS button located on the roof of the car above the passenger seat and is intended to summon help in case of an emergency. This button is paired with the Nissan app and can be seen below (screenshots from Nissan’s video and manual):

Screen Shot 2020-02-11 at 11.44.23 PMScreen Shot 2020-02-11 at 11.45.58 PM

The display has a denial of service vulnerability that can be used to lock up the screen. Once locked, the car remains drivable but the display can no longer be used (even if the car is turned off and on). The only way to unlock the screen is by removing and re-inserting the SD card containing the mapping data. The vulnerability seems to be the result of interaction between the SOS functionality and the rest of the software operating the head unit.

To replicate:

  1. The car being tested needs to be paired with the Nissan mobile app, and have the NissanConnect subscription enabled.
  2. Turn on the car, verify that NissanConnect with SOS functionality is enabled by checking that the little light on the SOS button is lit.
  3. Press the SOS button to trigger an emergency call.
  4. Immediately, press and hold the SOS button to cancel the call while turning off the car.
  5. The SOS call will lock the head unit, and will stay that way until the SD card is removed and re-inserted which reboots the display panel.

This was tested on the 2018 SV model of the Nissan Leaf, other Leaf models/trims and other Nissan models with similar SOS functionality may also be affected. If a NissanConnect subscription is not enabled on a particular vehicle, then it is probably not vulnerable because the SOS functionality is disabled.

Vendor Response and Mitigation

This issue has been reported to the vendor (Nissan), NHTSA and ICS-CERT. Once the report was routed to the correct team, the vendor responded quickly and confirmed the issue. Since the vulnerability is low risk there is minimal impact on end users. No patch is currently available.

A CVE will not be issued for this vulnerability by MITRE since MITRE doesn’t “assign CVE IDs for Local Denial of Service”. A CVE was issued by the Distributed Weakness Filing (DWF) project instead.

References

CVE (DWF): CVE-2021-1000008

ICS-CERT ticket # ICS-VU-984522
NHTSA case # 11308645
Nissan Information Security (IS) Case # 233758
Nissan Leaf (2018) manual: see here

Credits

The original discoverer of this issue is a minor and their full name cannot be disclosed for privacy reasons.

Timeline

2019-09-24: Initial report to the vendor
2020-01-01: Second report to the vendor, automated reply received
2020-01-27: Follow-up email sent to the vendor, no response
2020-01-28: Initial report to ICS-CERT
2020-02-08: Follow-up communication with ICS-CERT
2020-02-11: Draft advisory sent to both the vendor and ICS-CERT
2020-02-12: Reported to NHTSA
2020-02-12: CVE requested from MITRE
2020-02-16: CVE response received from MITRE
2020-02-16: Response from the vendor received (initial reports were misrouted)
2020-02 through 2021-03: Multiple phone and email communications with the vendor
2021-03-14: Public disclosure

2021-04-08: CVE assigned via DWF

CORS Misconfiguration in Verizon’s Residential Account Portal [2020]

Summary

The residential billing section of Verizon’s account portal for residential customers had a CORS misconfiguration issue which would have allowed another site in the same browser to download copies of bills in PDF format. The vendor has deployed a fix for this issue.

Because the vendor stopped responding, the issue is fixed and a year has passed, we are now disclosing this publicly.

Vulnerability Details

Normal browser security mechanisms prohibit calls between websites not hosted on the same domain. An override mechanism exists for use cases where such functionality is desired called Cross Original Resource Sharing (CORS). This mechanism employs several headers to allows clients and server to signal each other when such functionality is desired. One of those headers is the “Access-Control-Allow-Origin” header sent by the server indicating which domains are allowed to access a given endpoint or API.

The billing download endpoint (“https://www.verizon.com/digitalservices/billing/billdownload/v1/downloadpaperpdf“) in Verizon’s residential control panel had a CORS misconfiguration. The “Acess-Control-Allow-Origin” header was not restricted to the sites operated by Verizon, but instead simply mirror the domain provided in the client’s request (via the “Origin” header). This could potentially allow other sites to access this endpoint and download the user’s bills in PDF format if they were logged in to the Verizon website at the same time.

This issue was tested on Firefox and it is not known if other browsers were also vulnerable.

Code To Replicate

The following code was used to replicate the issue originally:

Screen Shot 2020-02-17 at 4.46.59 PM

Vendor Response

This issue was reported to the vendor and a fix has been deployed.

References

MDN Reference for CORS: see here
OWASP HTML5 Security Cheet Sheet: see here

Credits

Text of the advisory written by Y. Shafranovich.

Timeline

2019-10-09: Initial report to the vendor
2019-10-08: Vendor requests POC, POC sent
2019-10-24: Pinged for status
2019-10-29: Issue still being investigated
2019-11-30: Pinged for status, issue still being investigated
2019-12-14: Pinged for status, issue still being investigated
2020-01-30: Vendor pinged for disclosure coordination
2020-01-31: Issue fixed, vendor asks for confirmation
2020-02-02: Fix confirmed, asked for disclosure coordination
2020-02-13: Vendor requests a copy of proposed advisory for review
2020-02-17: Draft advisory provided for review; vendor asks to remove their name from the advisory, request is denied; vendor stops responding
2021-03-03: Public disclosure

Content Injection (RCE) in Yandex Browser for Android [2018]

Summary

The Yandex Browser Android application provided by Yandex can be injected with malicious content by an MITM attacker. Because this application is a web browser, this can lead directly to remote code execution (RCE) within the app. The root cause is lack of SSL being used in the help section of the app as well as some other links in the about section, homepage and search engines. Because these links are likely to be clicked on by users and may be considered by users to be “more trusted”, they should be protected.

The recommended fix is to change all of these to use HTTPS instead of HTTP.  The vendor has been notified but has not fixed the issue since they do not consider it to be a security problem. No CVE has been assigned. Version tested is v17.11.1.628, it is not known if other versions are affected.

Since vendor stopped responding in 2019, this is now publicly disclosed.

Vulnerability Details

Yandex Browser is a web browser application based on Google’s Chromium and made by Yandex. While monitoring network traffic of a test device running Android, we observed that the help section of the application makes an initial HTTP call is made to a non-HTTPS site, which then redirects to an HTTPS version. There are also additional hyperlinks within the about section and the homepage which do not use HTTPS, as well as some search engines as set in the settings. Because these links are likely to be clicked on by users and may be considered by users to be “more trusted”, they should be protected.

Because the initial call is done without HTTPS, it is possible for an MITM attacker to intercept this traffic and inject their own content.  Since this is a web browser, this can result in remote code execution within the application since all the content is web based.

Screenshots of the captured traffic:

Screenshot_20180225-163514 Screenshot_20180225-163523

Steps To Replicate (on Ubuntu 17.10)

1. Install the application on the Android device but do not start it.

2a. Install dnsmasq and NGINX on the Linux host:

sudo apt-get install dnsmasq nginx

2b, Configure NGINX by changing the following in /etc/nginx/nginx.conf:

default_type text/html;
charset utf-8;

3. Modify the /etc/hosts file to add the following entry to map the domain name to the Linux host:

192.168.1.x help.yandex.com

4. Configure /etc/dnsmasq.conf file to listen on the IP and restart DNSMASQ

listen-address=192.168.1.x
sudo /etc/init.d/dnsmasq restart

5. Add a file with malicious content (you may need to use sudo):

cd /var/www/html
echo powned >mbrowser

6. Modify the settings on the Android test phone to static, set DNS to point to “192.168.1.x”. AT THIS POINT – Android will resolve DNS against the Linux computer and serve the large servers file

7. Open the app on the Android device, tap on the three vertical dots to the right of the URL bar, and select “Settings” to open the settings menu. Scroll to the bottom and tap “Help”.

We also checked the HSTS preload list maintained by Chrome and did not find the “help.yandex.com” domain on that list. Therefore, Chromium on which this application is build would not force HTTPs for these URLs by default.

All testing was done on v17.11.1.628  of the Android application using a Linux host running Ubuntu v17.10 and Android test device running Android v7.

Additional Vectors – “About” Links

There are also several links within the about section that do not use SSL and lead to the same result. To get that section, tap the “Settings” menu, scroll to the bottom and select “About”:

Screenshot_20180225-163626

These include the following links:

  • “Build xxx” credits – uses domain “storage.ape.yandex.net”
  • “Blink” – uses domain “chromium.org”
  • “Chromium” – uses domain “www.chromium.org”
  • “Opera Turbo” – uses domain “www.opera.com”
  • “License Agreement” – uses domain “m.legal.yandex.ru”

Screenshots of captured traffic below:

Screenshot_20180225-163816 Screenshot_20180225-163732 Screenshot_20180225-163708 Screenshot_20180225-163743 Screenshot_20180225-163826

Additional Vectors – Homepage

There are also several links within the homepage of the application that do not use SSL and lead to the same result. To get that section, open the app and drag the screen down to display all of them. They also show up as a banner in the top of the Android screen in other apps as well – to see, go anywhere in the OS and drag down the top of the screen. Screenshots:

Screenshot_20180225-184156 Screenshot_20180225-184205

Of these, the following do not use SSL / HTTPS:

  • YouTube – uses domain “m.youtube.com”
  • Booking – uses domain “www.booking.com”

Screenshots of traffic attached:

Screenshot_20180225-184258 Screenshot_20180225-184312

Additional Vectors – Search Engines

Some of the search engines that the browser supports are also not configured to use SSL, thus allowing for injection. To reach the search engine settings, tap the right side of the URL bar with the vertical “three dots” icon to show the settings menu, then scroll down to “Search Engine”. Screenshots attached:

Screenshot_20180225-184941 Screenshot_20180225-184945

In particular, the following search engines are affected:

  • Bing (which is used by default) – uses domains “m.trovi.com”, “m.bing.com” and “www.bing.com”

Screenshots of captured traffic attached:

Screenshot_20180225-184645 Screenshot_20180225-184652 Screenshot_20180225-184658

Recommended Mitigation and Vendor Response

The recommended fix is to change all of these links to use HTTPS instead of HTTP. The vendor doesn’t consider these to be a security issue and has no plans to fix these issues at this time.

Users should consider using a different browser.

References

Google Play Link: https://play.google.com/store/apps/details?id=com.yandex.browser

Credits

Text of the advisory written by Y. Shafranovich.

Timeline

2017-12-17: Initial report to the vendor via their bounty page
2017-12-25: Initial vendor reply rejecting the bug, and our follow-up
2018-01-14: Reminder email sent to the vendor
2018-01-15: Vendor unable to replicate the issue
2018-01-23: Reply to vendor sent
2018-01-25: Follow-up communications with the vendor
2018-01-26: Vendor asks for video
2018-02-10: Videos and payloads sent to the vendor
2018-02-14: Reminder email to vendor sent
2018-02-22: Vendor rejecting the report, and a follow-up communication
2018-02-25: Draft advisory sent to the vendor for review, along with another video
2021-03-03: Vendor stopped responding in 2019; public disclosure

Network Vulnerability in Oracle Database – CVE-2021-2018

Summary

Vulnerability in the Advanced Networking Option component of Oracle Database Server can lead to an MITM attack. Supported versions that are affected are 18c and 19c (Windows platform only).

Details

Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option.

CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts)

CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

References

CVE Database: CVE-2021-2018

Vendor advisory: see here

Brief Notes on WhatsApp Link Previews

(All testing was performed using WhatsApp for Android v2.20.201.20 and WhatsApp Web)

Introduction

Recently, we have been looking into possible security issues around how WhatsApp parses and displays preview information about hyperlinks. Basically, WhatsApp will parse some basic information from a hyperlink and display it within the body of a chat. Based on our sleuthing, it appears to be parsed from various elements in the original HTML. For Google, it looks like this:

Parsing code

This appears to be parsed from various meta tags within the original site as per the code snippet below. If those are not present, it will use the “title” tag instead. Here is some of the parsing code:

Additional Details on HTML Retrieval

From testing and review of logs, it appears that the actual call to retrieve the site happens on the Android client. There are also some additional interesting points:

  • The retrieval is cached on the client
  • If WhatsApp Web is used, the retrieval still happens on the mobile phone with the parsed results transferred to the Web version
  • If a link is forwarded, posted into a chat or group, there is no additional retrieval that happens. Instead, the parsed preview is transmitted along with the link

Here is the actual snippet of decompiled code doing the retrieval:

Future Areas for Research

We plan to research the actual parsing and retrieval of the HTML with the eye towards trying to see if any of the parsing code can be manipulated to inject content into the client or the Web version. For things like images and videos, there is potential for exploiting the underlying native code.

Exposure of Motor Vehicle Registration Data via Auto Insurance Quotes

An interesting item that we ran into recently: most US-based auto insurance companies bulk-purchase vehicle registration and driver records from state motor vehicle departments. This information is used for two separate purposes:

  • To adjust rates based on accident history, both for the state as whole and individual policy holders
  • For marketing purposes – either to proactively send marketing materials/ads, OR to make quotes easier.

The second item is interesting since it exposes vehicle registration information via web portals and mobile apps. This can be obtained by a malicious attacker by going through the online or mobile auto insurance quote process. Not clear how sensitive/private such data is or the legal implications of obtaining it this way.

YAA: An Obscure MacOS Compressed File Format

Summary

MacOS introduced a new compression archive format in High Sierra (v10.13) called “YAA”. Because this format is new, it may not be supported correctly by security tools, thus allowing malware authors a way to bypass existing controls in such tools. It is recommended that vendors add support for this format to their tools. Users should NOT accept or open YAA archives received from unknown sources.

Details

Early this year we ran across a new file format specific to MacOS: YAA. Apparently it was originally released in the fall of 2017 as part of MacOS High Sierra (v10.13) (see this article from MacKungFu). As per this forum post, apparently it is used as part of compressing the “Content” section of signed executables for MacOS. According to another post, this is an LZFSE tool. This should not be confused with an older tool with the same name called “Yet Another Assembler”.

It is supported via a command line utility called “yaa” as well as the Archive Utility in the GUI – but in the GUI you can only uncompress the archive. For details regarding the CLI, run “yaa” or “man yaa” (also see here).

Our previous research around novel file formats found issues in how Google Chrome (here and here), and various anti-virus vendors for MacOS handle compressed files (here). Specifically, handling a novel compressed archive format is something that existing antivirus software, browsers and other utilities may not be dong well since they are not aware of the format. On the other hand, malware authors can easily package malware inside a compressed archive, which will decompressed by a user via double-clicking the file in Finder. This results from the fact that the Archive utility supports decompression of a lot more file formats that vendors maybe aware of.

For YAA, we have done some testing back in January against a handful of security tools and found some to be vulnerable. Due to lack of resources, we didn’t pursue a more extensive investigation into additional tools but did report whichever issues were found back to the relevant vendors. Because of lack of resources, we are publishing this post to increase awareness of this issue.

To replicate this issue on a particular tool, do the following:

  1. Download the EICAR test file from here into a folder.
  2. Create a YAA file archive as follows:
    • yaa -d folder -o archive.yaa
  3. Test the resulting “archive.yaa” with the security tool of your choice.
  4. To uncompress the archive, double click on it in Finder.

Vendor Responses

This section contains responses we received for this issue from specific vendors:

  • Chromium: Safe browsing pings not sent back for YAA files (issue # 1039128)
    • The default behavior has been set to FULL_PING, so unknown types (such as YAA) should now be sending pings to Safe Browsing.” (also see our blog post)
  • Google/Gmail: YAA archives are not scanned for malware by GMail (issue # 147190746)
    • “Not all file formats are supported and this is expected.”

Most A/V vendors responded either with the fact that once expanded the contents will be scanned, or that this will add this as a feature in the future.

Credits

Written by Y. Shafranovich

Timeline

Majority of this research and responsible disclosure was done in January 2020. Blog post was published on June 14th, 2020.

Two vulnerabilities in Oracle’s iPlanet Web Server (CVE-2020-9315 and CVE-2020-9314)

SUMMARY

Two vulnerabilities were discovered in the web administration console of Oracle’s iPlanet Web Server which allow for sensitive data exposure and limited injection. The first issue allows read-only access to any page within the administration console without authentication, resulting in sensitive data exposure. The second issue allows for injection of external images which can be used for phishing and social engineering.

These vulnerabilities have been reported to the vendor (Oracle) but the vendor will not be issuing security patches because the affected product is no longer supported. Users are encouraged to implement other controls to mitigate these vulnerabilities such as restricting network access to the administration console from the Internet or switching to a supported platform.

Version 7 has been tested and found to be vulnerable, however, it is unknown whether earlier versions are affected. Latest versions of Oracle Glassfish and Eclipse Glassfish application server (v5) share common code with the affected product, have been tested and do not seem to be vulnerable. MITRE has assigned CVE-2020-9315 to track the sensitive data exposure issue and CVE-2020-9314 to track the injection issue.

ISSUE #1 – SENSITIVE DATA EXPOSURE / ADMIN GUI BYPASS (CVE-2020-9315)

A vulnerability exists in the web administration console of Oracle’s iPlanet Web Server which makes it possible to read information from any page within the console without authentication. This can result in sensitive data exposure of configuration information about the server including encryption keys, JVM configuration and other data. We did not perform testing to see whether this vulnerability allows for changes to be made within the console.

This is accomplished by replacing any URL for any page within the administration console as follows:

with:

To replicate, try the following URLs:

ISSUE #2 – IMAGE INJECTION IN THE ADMIN GUI (CVE-2020-9314)

The “productNameSrc” parameter in the administration console allows for injection of external images. When used in combination with the “productNameHeight” and “productNameWidth” parameters, this can be used to inject an external image into a site to facilitate phishing. This is due to an incomplete fix for CVE-2012-0516. The earlier fix added validation against XSS issues but didn’t add validation to make sure an external image is not loaded.

To replicate, try the following URLs:

VENDOR RESPONSE

Both vulnerabilities have been reported to the vendor (Oracle), however the vendor doesn’t plan to issue security patches since the product is no longer supported, as per the following responses:

Oracle iPlanet Web Server 7.0.x is no longer supported. Please see the life time support document.

And:

Thank you for your report regarding Oracle iPlanet Web Server 7.0.x, which is no longer supported by Oracle. Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle. Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation. Oracle does not assign CVEs for products that are no longer supported. That means, if you want a CVE assigned you will need to contact Mitre.

CERT/CC concurred with the vendor’s assessment.

MITRE has assigned CVE-2020-9315 to track the sensitivity data exposure issue, and CVE-2020-9314 to track the injection issue.

AFFECTED VERSIONS AND MITIGATIONS

Version 7 has been tested and found to be vulnerable, however, it is unknown whether earlier versions are affected. Latest versions of Oracle Glassfish and Eclipse Glassfish application server (v5) share common code with the affected product but have been tested and do not seem to be vulnerable.

Users are encouraged to implement other controls to mitigate these vulnerabilities such as restricting network access to the administration console from the Internet or switching to a supported platform.

REFERENCES

CERT/CC ID: VU#343851
CVEs: CVE-2020-9315 and CVE-2020-9314
Oracle lifetime support documentation: see here
Related vulnerability regarding XSS: CVE-2012-0516 and advisory

CREDITS

We would like to thank Synack for assistance with the disclosure process. Text of the advisory was written by Y. Shafranovich.

TIMELINE

2020-01-19: Initial discovery
2020-01-24: Initial disclosure sent to vendor; rejected since product is not supported
2020-01-24: Clarification questions sent to the vendor
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment
2020-01-29: CVEs requested from MITRE
2020-02-07: Initial report sent to CERT/CC
2020-02-17: CVE request rejected by MITRE, resubmitted with more data
2020-02-18: Response received from CERT/CC
2020-02-20: CVE assignments received from MITRE
2020-02-20: CVEs and disclosure plans communicated to the vendor
2020-05-10: Public disclosure

Interesting two-factor (2FA) behavior in Facebook

We recently ran across an interesting behavior with two-factor authentication in Facebook. There are two methods supported: SMS to a phone and OTP via an app such as Google Authenticator. What is interesting is that when OTP is added as an 2FA method and SMS remains as backup, every login to Facebook still sends an SMS code (even though that method is supposed to be a “backup method” only if the OTP method fails). This is in contrast with other vendors such as Google where only one 2FA method is used at any given time.

The only way to get around this, is to setup OTP as the primary 2FA method and backup codes or a security key as the backup one. If you try to setup SMS as the backup method, it reverts to the behavior described above.

This was reported to Facebook on April 27th, 2020 and rejected as a security issue. The original report # is 554696145470552.

Screen Shot 2020-04-30 at 9.42.37 PM

Exfiltrating data from remote access services via video and sound

Given the current situation, many of us are now working remotely all the time. Many of such arrangements are facilitated via tools like Citrix, RDP, VNC, LogMeIn, etc.  We have been researching some possibilities about how to exfiltrate data via such arrangements. Here are some obvious choices:

  • File connections – if enabled
  • Remote USB connections – if enabled
  • Remote printing connections – if enabled
  • Exfiltrating via email or Internet connections at the remote desktop level

Most of these have obvious controls that can be activated by an administrator, which would leave the attackers with very few channels left. The two in particular that we were interested in, are video and sound, since the user can view their remote screen and many tools allow hearing sound from their remote desktop.

For exfiltration of data via video, we originally considered encoding data with base-64 using an encoding tool such as the Windows certutil CLI command, then doing screen capture on the host and running some sort of OCR against it such as Tesseract. However, we ran across a much better tool from Pen Test Partners called PTP-RAT which flexes the pixels on the screen to transfer information (see their blog post and GitHub repo).

For exfiltration of data via sound, we originally considered using a tool that will modulate the data into a sound form that used to be used by modems back in the 1980s/1990s. However, we ran across a much better suited tool from Roman Zayde called amodem which is able to do this. While the tool is designed for exfiltrating data across a physical air gap, it should work the same way on a remote desktop by converting the data into sound via the soundcard and capturing it back on the host then decoding it.

P.S. For extra brownie points, you can also try enabling the webcam and microphone on the host, and transfer data from the host back to the remote desktop using the same mechanisms.