Vulnerability research
Although vulnerability discovery is not one of my primary areas of research, I do sometimes identify security vulnerabilities during the course of research and other activities. This page highlights some of these vulnerabilities.
Negative group permissions vulnerability in Linux containers (various CVE IDs, August 2022)
Access control enforcement works subtly differently in containers, as compared to normal Linux behaviour. This can lead to a security vulnerability allowing the bypass of access control policies. Specifically, in containers, the user’s primary group is not duplicated in the list of supplementary groups. Consequently, a program running in a container could drop its primary group. If negative group permissions are in use, the program would then be able to violate the system’s access control policy.
The Open Container Initiative Runtime Specification does not require the vulnerable behaviour but is sufficiently ambiguous as to permit it. While all implementations of this specification were vulnerable, the CVE IDs are still associated with the vulnerable software rather than the specification:
- Podman (CVE-2022-2989)
- Buildah (CVE-2022-2990)
- CRI-O (CVE-2022-2995)
- Moby/Docker Engine (CVE-2022-36109)
For more details see the blog post “Vulnerability in Linux containers – investigation and mitigation” and the video on YouTube.
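One way to check a running process for the state described above, as an added example (not code from the page or from any of the runtimes listed): it parses the Gid: and Groups: lines of /proc/<pid>/status, the standard Linux layout, and flags a process whose effective group is not also in its supplementary list. The two status documents in the block are constructed samples.

```python
import os
import re

def primary_group_missing(status_text: str) -> bool:
    """True if the effective GID in a /proc/<pid>/status document is absent from Groups:."""
    gid = re.search(r"^Gid:[ \t]*(.+)$", status_text, re.M)
    groups = re.search(r"^Groups:[ \t]*(.*)$", status_text, re.M)
    if not (gid and groups):
        raise ValueError("no Gid:/Groups: lines; not a /proc status document")
    _real, effective, _saved, _fs = (int(x) for x in gid.group(1).split())
    return effective not in {int(x) for x in groups.group(1).split()}

def check_process(pid="self") -> bool:
    """Live check of one process; only meaningful on Linux, where /proc exists."""
    with open(f"/proc/{pid}/status") as f:
        return primary_group_missing(f.read())

def scan_all() -> list:
    """PIDs (of processes we may inspect) whose primary group is not also supplementary."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if check_process(pid):
                hits.append(int(pid))
        except (OSError, ValueError):      # process exited, or not readable by us
            pass
    return hits

# Constructed samples, not captured from a real system. On a normal Linux login the
# primary group (1000) is duplicated into the supplementary list; in the container
# layout the page describes it is not, which is the state that allows it to be dropped.
HOST_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 27 100 \n"
CONTAINER_STATUS = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t27 100 \n"

if __name__ == "__main__":
    print("host-style sample flagged:", primary_group_missing(HOST_STATUS))            # False
    print("container-style sample flagged:", primary_group_missing(CONTAINER_STATUS))  # True
```

Running scan_all() inside a container lists the processes in the vulnerable state; on a patched runtime the primary group should appear in Groups: and the list should be empty.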
Security Risks with Security Code AutoFill in iOS & macOS (June 2018)
Security Code AutoFill is a new convenience feature integrated into iOS 12 and macOS 10.14, which aims to ease the use of security codes sent via SMS. We report on the first security evaluation of this feature, inspecting its interaction with different types of service and security technologies that send security codes via SMS for authentication and authorisation purposes. We found security risks resulting from the feature hiding salient context information about the SMS message while still relying on users to make security-cautious decisions. Our findings show that adversaries could exploit this decontextualisation. We describe three attack scenarios in which an adversary could leverage this feature to gain unauthorised access to users’ online accounts, impersonate them through their instant messengers, and defraud them during online card payments.
For more details see our academic paper “Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS” published at Who Are You?! Adventures in Authentication (WAY) 2019 and the associated blog post.
This vulnerability was addressed in iOS/iPadOS 14.0 and watchOS 7.0, released September 2020.
Wordpress 2.5 Cookie Integrity Protection Vulnerability (CVE-2008-1930, April 2008)
An attacker, who is able to register a specially crafted username on a Wordpress 2.5 installation, is able to generate authentication cookies for other chosen accounts. This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection. If a Wordpress blog is configured to freely permit account creation, a remote attacker can gain Wordpress-administrator access and then elevate this to arbitrary code execution as the web server user.
This vulnerability was fixed in Wordpress 2.5.1. For more details see my advisory.
Wordpress Cookie Authentication Vulnerability (CVE-2007-6013, November 2007)
With read-only access to the Wordpress database, it is possible to generate a valid login cookie for any account, without resorting to a brute force attack. This allows a limited SQL injection vulnerability to be escalated into administrator access.
This vulnerability was reported in the press, including by Heise Media, and was addressed through a new cookie generation protocol in Wordpress. For more details see my advisory.
Temperature covert channel in Tor (CVE-2006-6893, September 2006)
Location-hidden services, as offered by anonymity systems such as Tor, allow servers to be operated under a pseudonym. As Tor is an overlay network, servers hosting hidden services are accessible both directly and over the anonymous channel. Traffic patterns through one channel have observable effects on the other, thus allowing a service’s pseudonymous identity and IP address to be linked. One proposed solution to this vulnerability is for Tor nodes to provide fixed quality of service to each connection, regardless of other traffic, thus reducing capacity but resisting such interference attacks. However, even if each connection does not influence the others, total throughput would still affect the load on the CPU, and thus its heat output. Unfortunately for anonymity, the effect of temperature on clock skew can be remotely detected by observing timestamps. This attack works because existing abstract models of anonymity-network nodes do not take into account the inevitable imperfections of the hardware they run on. Furthermore, we suggest the same technique could be exploited as a classical covert channel and can even provide geolocation.
For more details see the academic paper “Hot or Not: Revealing Hidden Services by their Clock Skew” published at ACM Computer and Communications Security (CCS) 2006 and the associated blog post.
JPEG EXIF information disclosure (CVE-2005-0406, February 2005)
Digital cameras, but also other devices, embed miniature versions (“thumbnails”) of the original image in a JPEG image file. One reason, among others, is that while flipping through images on the camera’s small display the camera does not need to decode and scale the full megapixel picture. The standard for saving this thumbnail and other information within a JPEG file is called EXIF. The EXIF standard states that image processing software should leave EXIF headers it doesn’t understand alone.
This means that if an image from a digital camera is edited, e.g. by making a face unrecognisable, and then the modified version is published, chances are that the thumbnail still contains the unmodified version with the unobscured face. There may also be situations where disclosure of other information in the EXIF header, such as the date and time the picture was taken or the model of camera used, is problematic.
We found that, of the JPEG images on the Internet, 20% have an embedded EXIF thumbnail and about 2% have a thumbnail which our screening software considered significantly different from the original image. After human screening, 0.1% can be considered to have thumbnails which differ by more than just boring cropping differences.
For more details see the advisory and my talk “Hidden Data in Internet Published Documents” at the 21st Chaos Communication Congress (2004).
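A small parser for the structure described above, as an added example (not the screening software from the original work): it walks the JPEG header segments, follows the EXIF TIFF structure to the thumbnail IFD (IFD1) and its JPEGInterchangeFormat/JPEGInterchangeFormatLength tags, and can strip the Exif segment before publication. The sample image it builds is constructed, not a real camera file.

```python
import struct

def _segments(jpeg: bytes):
    """Yield (is_exif, start, end) for each header segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                     # Start Of Scan: no more metadata segments follow
            return
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield (marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"), pos, pos + 2 + seg_len
        pos += 2 + seg_len

def exif_thumbnail(jpeg: bytes):
    """Return the thumbnail bytes referenced from IFD1 of the first Exif segment, else None."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG file"
    for is_exif, start, end in _segments(jpeg):
        if not is_exif:
            continue
        tiff = jpeg[start + 10:end]               # TIFF structure; all IFD offsets are relative to it
        order = {b"II": "<", b"MM": ">"}[tiff[:2]]
        ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
        n0 = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
        ifd1 = struct.unpack(order + "I", tiff[ifd0 + 2 + 12 * n0:][:4])[0]   # 0 means no thumbnail IFD
        n1 = struct.unpack(order + "H", tiff[ifd1:ifd1 + 2])[0] if ifd1 else 0
        entries = [struct.unpack(order + "HHII", tiff[ifd1 + 2 + 12 * i:][:12]) for i in range(n1)]
        longs = {tag: value for tag, typ, _, value in entries if typ == 4}  # LONG-typed tags only
        if 0x0201 in longs and 0x0202 in longs:    # JPEGInterchangeFormat / JPEGInterchangeFormatLength
            return tiff[longs[0x0201]:longs[0x0201] + longs[0x0202]]
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the file with every Exif APP1 segment removed: the fix to apply before publishing."""
    out, pos = bytearray(), 0
    for is_exif, start, end in _segments(jpeg):
        if is_exif:
            out += jpeg[pos:start]
            pos = end
    return bytes(out + jpeg[pos:])

def build_sample(thumb: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one Exif APP1 whose IFD1 points at `thumb`, then SOS and EOI."""
    ifd0, ifd1, thumb_off = 8, 26, 56              # TIFF-relative offsets for the little-endian layout below
    tiff = b"II*\x00" + struct.pack("<I", ifd0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0110, 2, 4) + b"cam\x00" + struct.pack("<I", ifd1)
    tiff += struct.pack("<H", 2) + struct.pack("<HHII", 0x0201, 4, 1, thumb_off)
    tiff += struct.pack("<HHII", 0x0202, 4, 1, len(thumb)) + struct.pack("<I", 0) + thumb
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

On a real file, comparing the bytes exif_thumbnail() returns against the published image is the screening step; strip_exif() is the mitigation to apply before an edited image is released.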