This Week in Security
June 27 - July 3 2022
"LPE Exploit, 34 Zero-Day by Jenkins and Amazon Photo App Access Token Issue"
DragonForce Malaysia, a hactivist group who had launched several campaigns targeting numerous government agencies and organisations across the Middle East and Asia is in news again. This time they have released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities.
The Hacktivist group has published the POC and claims that authentication can be bypassed remotely with in a second to access the LDR layer, which is used to interconnection local networks at various locations of an organisation. As per the group, currently their main target is businesses operating in India and they are also planning to add Ransomware to their arsenal.
LPE vulnerabilities when exploited, allows an attacker to gain local admin privileges ultimately giving access to the sensitive data on the network such as credentials. Attacker may impersonate other users for lateral movement within the network. Once attacker will gain admin privileges, attacker can do any task which an admin can do, such as configuration changes, installation and execution of malware, steal data.
Most of the organisations do not treat LPE vulnerabilities under emergency patch cycle but move it to quarterly patch cycle. Reason behind that is that they feel to exploit LPE attacker needs initiate foothold to the victims network or to the endpoint. In my opinion, instead of moving all LPE to quarterly or longer patch cycle they should do it on case by case bases and whenever it is required they should consider patching LPE vulnerabilities under emergency patch cycle as well.
Jenkins, a platform with support of over 1700 plugins which is used globally by enterprises for building, testing and deploying software, has recently announced 34 zero day security vulnerabilities affecting 29 of the plugins for the Jenkins open source automation server. Per Jenkin’s data vulnerable plugins have more than 22000 installs and the severity of these vulnerabilities are in the range of low to high. So far a fix is not available for any of 34 vulnerabilities.
The zero day includes vulnerabilities such as XSS, CSRF, mission or incorrect permission checks, as well as passwords, secrets, API keys and tokens stored in plain text. Per Shodan’s data stats at-least 144000 Jenkins servers which are vulnerable to these vulnerabilities are exposed to internet.
After reading all this information you must be getting negative thoughts about it but, as they always say, be positive! So being positive, I found a few positive things from the 34 zero day vulnerabilities such as: none of the vulnerabilities are of critical severity, vulnerability with high severity require user interaction to be exploited. Hopefully Jenkins will release the fix soon.
Amazon Photos app users should be concerned with this news. It was reported by a researcher from Checkmarx that the access tokens of Amazon Photos app for Android Users are not protected enough and, in theory, an attacker can use those tokens to access personal data not only from the Photos app but also from various Amazon Apps such as Amazon Drive.
As per Amazon, the vulnerability was reported to them on 7th Nov 2021 and it was fully resolved on 18th Dec, But if the issue was known to attacker before the vulnerability was fixed there are still very good chances that attackers might have stolen users data.
Let's understand what is Access Token in Amazon's own words "An access token is granted by the authorization server when a user logs in to a site. An access token is specific to a client, a user, and an access scope. A client must use an access token to retrieve customer profile data and allow access to shipping and payment information. An access token is an alphanumeric code 350 characters or more in length. Access tokens begin with the characters Atza|." Access tokens are also used to authenticate users across various apps within their ecosystem.
In their report, researchers from Checkmarx described how access tokens naturally leaked through an Amazon application programming interface (API) through “a misconfiguration of the com[.]amazon[.]gallery[.]thor[.]app[.]activity[.]ThorViewActivity component, which is implicitly exported in the app’s manifest file” manifest files describe critical application information to the Android OS and Google Play store – “thus allowing external applications to access it. Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer’s access token.”
In addition to third-party applications, the same unsecure token was also shared with Amazon Drive used for file storage and sharing. One of ways in which an attacker could’ve leveraged unsecured access tokens is with a malicious third-party app installed on the victim’s phone. They could’ve redirected the token in a way “that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker.” From there, the attacker could have accessed all kinds of personal information a victim had stored in Amazon Photos. The tokens also leaked to Amazon Drive, so the attacker could have access to the files and folders in a victim’s Drive account.
With so much of control, it is very possible for an attacker to go for the ransomware option. Such security issues may happen to any Cloud service provider, so the best option is to go for regular security audits and pentest, so that such loop holes can be found and fixed well before any malicious actors take advantage.