Sam Curry modem masterclass, PHP threat to Windows Servers, Calls for AI safety Bug Bounties – ethical hacker news roundup

July 9, 2024

Researcher extraordinaire Sam Curry has recounted how an attack on his own home network led him to uncover how an attacker could have breached millions of modems.

The US telco that supplied the modems, Cox Communications, said it found no history of abuse of the relevant attack vector, patched the issue rapidly and promised a comprehensive security review, according to Curry.

“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team,” wrote Curry in his latest blog post. The research was much upvoted and commented-upon on r/netsec and covered by Bleeping Computer.

Curry’s latest tour de force was the lead story in our latest Bug Bounty Bulletin, a monthly LinkedIn roundup of notable security research, new hunting opportunities, and hacking advice and inspiration.

The next story saw the Federation of American Scientists (FAD) urge Congress to establish bug bounties for AI safety and create a safe harbour for research on generative AI platforms.

“While Congress encourages companies to provide bug bounties and protections for security research, this is not yet the case for AI safety research,” wrote the FAD. AI companies were criticised for “implicitly threatening to ban independent researchers that demonstrate safety flaws in their systems,” and failing to “adequately test their models after they are deployed as part of an evolving product or service”.

Setting a bad 'eXAMPPle'

Meanwhile, a patch was issued for a remote code execution vulnerability in PHP CGI that affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences, reveals a writeup from Taiwanese infosec firm DEVCORE.

“This vulnerability is incredibly simple, but that’s also what makes it interesting,” said renowned DEVCORE researcher Orange Tsai on his blog. “Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature? I believe this feature could lead to more potential vulnerabilities.” Watchtowr Labs analysed the vulnerability and its implications further.

A 2006 vulnerability in the OpenSSH secure communications suite has resurfaced, zombie-like, to expose an estimated 700,000 Linux-based systems to the risk of “full system compromise”. Downstream vendors are have been rushing out patches for the aptly dubbed 'RegreSSHion' RCE (CVE-2024-6387), which is a signal handler race condition in OpenSSH’s server (sshd). The OpenSSH team seemingly reintroduced a long-ago patched flaw (CVE-2006-5051) by mistake in a 2020 software update.

While the high severity (CVSS 8.1) issue’s impact is potentially enormous, exploitation could potentially take “approximately 10,000 attempts on average to succeed," said Jeff Williams, co-founder and CTO at Contrast Security, reassuringly. The issue was discovered by Qualys researchers. In a recent development, it has emerged that a circulating proof-of-concept (PoC) purporting to be an exploit for CVE-2024-6387 is in reality a “trap” for security researchers, The Stack reports.

Nearly 30 popular apps (and potentially more as yet untested apps) and an iOS feature were vulnerable to an attack in which any installed iOS app from the Apple App Store could perform a user account takeover, according to Evan Connelly.

Vulnerable OAuth implementations

About his co-discovery with Julien Ahrens, Connelly writes: “This vulnerability exploits the nuances of the OAuth protocol and iOS’s handling of Custom URL Schemes and Safari browser sessions to steal OAuth Authentication Codes from vulnerable OAuth implementations, thereby allowing an attacker to gain access to a victim’s account.” He also notes: “Unless Apple changes the behavior of ASWebAuthenticationSession, the onus is on developers to mitigate this".

Apple App store

A vulnerability in the Lua implementation of Factorio, the hugely popular (including with Elon Musk) construction and management simulation game, potentially allowed a malicious server to obtain arbitrary execution on clients, according to a researcher. Now patched, the bug is dissected in a post described as “one of the best exploit development write ups I've read” by one infosec redditor, which concludes with a gamified challenge to practice the techniques explored.

In MongoDB NoSQL Injection with Aggregation Pipelines, Soroush Dalili, who assisted with PortSwigger’s NoSQL injection module, explores a scenario where the “aggregate” function in MongoDB is exposed and vulnerable to NoSQL injection attacks, increasing the impact by allowing adding or updated data, or reading data from, other collections.

A developer recently made popular open source project 'ip' read-only after “someone filed a dubious CVE about my npm package” and being inundated with messages about the bug. Bleeping Computer reports that this reflects an uptick in open source developers “receiving debatable or, in some cases, outright bogus CVE reports filed for their projects without confirmation”.

NPM sticker

The Register has reported on one of South Korea’s largest telcos allegedly targeted hundreds of thousands of its own customers with malware in a bid to stop them using torrenting sites, in a story first reported by a local media outlets.

Finally, nowafpls is a simple Burp plugin from Shubham Shah of AssetNote which will contextually insert “junk data” into your HTTP request inside the repeater tab. You can select from a preset amount of junk data you want inserted, or you can insert an arbitrary amount of junk data by selecting the "Custom" option.

Disclosure discord

As previously mentioned in our CrowdSecWisdom (CISO-focused) roundup, there are some Bug Bounty disclosures with unusual twists involving Apple, Microsoft Azure and the Kraken crypto exchange, as well as a new Bug Bounty Program for large language models (LLMs), and an interesting report on the growing role of Chinese vulnerability researchers in capture-the-flag competitions and Bug Bounty Programs.

'I feel like a detective'

We’ve handcrafted some of our own hacker-focused content, as per usual, so behold: our latest bug hunter interview below (Swedish bug hunter Eldar Zeynalli, aka ‘HakuPiku’)…

…And the first in a series of four Dojo modules showing how to bypass WAFs, focused on filter collisions, based on ‘The Art of Bypassing WAFs’ from NahamCon 2024 (watch below), delivered by our very own in-house hunter, Brumens.

Our latest CTF-style Dojo challenge, which awards YesWeHack swag to the three best write-ups, is AI Image Generator. Submit your solution by 2 August to participate.

Congratulations to the winners of last month’s ‘Windows 12’ challenge: ‘Memset’, ‘Weac’ and ‘Kix29’. Kudos also to ‘lr04d’ for the first valid critical report within a mobile scope on a public program – leaving just one achievement (prize: exclusive swag pack) on our Hunter Bucket List 2024: discovering a valid critical bug on YesWeHack’s public program.

New public Bug Bounty programs

For Bug Bounty hunting proper, we’ve a pair of new public programs to flag, both operated by one of India’s leading crypto exchanges and offering $2,000 for critical vulnerabilities: for the CoinDCX crypto exchange platform and CoinDCX’s orchestration layer of Web3, Okto.

Finally, we can reveal the leaderboard of our latest Live Bug Bounty marathon, this time with L’Oreal, which took place at LeHack in Paris over the weekend.

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.