Sign up to save your podcasts
Or
Share Episode 161
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 161
Overview
This week we take a look into BPFDoor, a newsworthy backdoor piece of
malware which has been targeting Linux machines, plus we cover security
updates for Bind, Vim, Firefox, PostgreSQL and more.
This week in Ubuntu Security Updates
32 unique CVEs addressed
[USN-5429-1] Bind vulnerability [00:38]
client to cause the server to terminate a TLS connection early and hence
trigger an assertion failure within Bind -> terminates -> DoS
[USN-5430-1] GNOME Settings vulnerability [01:18]
disabling the remote desktop service via the gnome-control-center UI it
would then automatically get re-enabled on next login
[USN-5424-2] OpenLDAP vulnerability [01:57]
[USN-5433-1] Vim vulnerabilities [02:20]
user was tricked into opening a specially crafted file, could then either
crash Vim or possibly get code execution as the user
used by sysadmins to edit config files / inspect other files which they
find on the machine - and in that case, this can then be a good privesc
target
[USN-5432-1] libpng vulnerabilities [03:01]
many other higher level libraries / applications
[USN-5434-1] Firefox vulnerabilities [03:20]
within the privileged component of Firefox thereby escaping Firefox’s
internal sandbox - awarded $100k USD
[USN-5435-1] Thunderbird vulnerabilities [03:57]
apply to TB as well as a TB specific issue where it would show the wrong
security status for a signed/encrypted attached message and hence could
allow an attacker to trick the user into thinking the message was
trustworthy
[USN-5436-1] libXrender vulnerabilities [04:28]
execution
[USN-5437-1] libXfixes vulnerability
[USN-5438-1] HTMLDOC vulnerability [04:46]
etc
execution
[USN-5439-1] AccountsService vulnerability [05:06]
fixed it got dropped accidentally
[USN-5440-1] PostgreSQL vulnerability [05:36]
then achieve SQL code execution as the superuser
[USN-5404-2] Rsyslog vulnerability [05:51]
Goings on in Linux Security Community
BPFDoor malware targeting Linux and Solaris [06:08]
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
Malware that has been in the wild for a while (over 5 years)
Reported on by PwC in their Cyber Threats 2021: A year in Retrospect report
via custom backdoor ‘BPFDoor’
Stealthy - allows to backdoor a system for RCE but without opening any
new network ports or firewall rules by piggy-backing on existing network
facing applications
Uses BPF filter to watching incoming packets and activate accordingly
Earlier versions are on VT - with lots of other variants too
Even source code too - https://pastebin.com/kmmJuuQP
As I said - stealthy
innocent so can hide in plain sight
access
In more detail:
to alter timestamps (timestomp) to a specific timestamp (7:17pm
Thursday October 30th 2008)
itself from running
forked copy running resident in memory and then use BPF filter to watch
for incoming traffic to activate
Doesn’t appear to have any particular persistence mechanism but some
reports suggest use of crontab or rc/init scripts
By deleting itself from the ramdisk this avoids detection from filesystem
scanners (although processes running from since deleted binaries are a
suspicious sign themselves and can be easily detected since once the
binary is removed the kernel notes this in /proc/self/exe for the
process)
Renames its argv[0] so that it looks like other commonly found processes
like dbus-daemon / udevd / auditd etc
Also wipes its environ too to try and help hide it’s activities, however
this again is another suspicious activity and can easily be detected
(e.g. strings on /proc/$PID/environ will show as empty which is basically
never normally the case for normal processes)
BPF filter inspects either ICMP, TCP or UDP packets and then if it has a
special magic value in the first couple bytes it passes into the main
packet processing routine
if found then sets up either a local bindshell for the attacker to
connect to OR connects back to the attacker via a reverse bindshell
port to the port of the bindshell on the localhost
bindshell masquerades its process name to look like postfix as well as
setting a specific environment too (including HISTFILE=/dev/null)
Then attacker has full access to the machine (as the user)
Reasonably advanced malware
What is not clear is what is the initial compromise vector and then how
to privesc from that to give privileges to load BPF filter on a raw socket
privesc via xscreensaver but this vuln is specific to Solaris platforms
Why it is important to keep systems updated with latest patches etc.
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we take a look into BPFDoor, a newsworthy backdoor piece of
malware which has been targeting Linux machines, plus we cover security
updates for Bind, Vim, Firefox, PostgreSQL and more.
This week in Ubuntu Security Updates
32 unique CVEs addressed
[USN-5429-1] Bind vulnerability [00:38]
client to cause the server to terminate a TLS connection early and hence
trigger an assertion failure within Bind -> terminates -> DoS
[USN-5430-1] GNOME Settings vulnerability [01:18]
disabling the remote desktop service via the gnome-control-center UI it
would then automatically get re-enabled on next login
[USN-5424-2] OpenLDAP vulnerability [01:57]
[USN-5433-1] Vim vulnerabilities [02:20]
user was tricked into opening a specially crafted file, could then either
crash Vim or possibly get code execution as the user
used by sysadmins to edit config files / inspect other files which they
find on the machine - and in that case, this can then be a good privesc
target
[USN-5432-1] libpng vulnerabilities [03:01]
many other higher level libraries / applications
[USN-5434-1] Firefox vulnerabilities [03:20]
within the privileged component of Firefox thereby escaping Firefox’s
internal sandbox - awarded $100k USD
[USN-5435-1] Thunderbird vulnerabilities [03:57]
apply to TB as well as a TB specific issue where it would show the wrong
security status for a signed/encrypted attached message and hence could
allow an attacker to trick the user into thinking the message was
trustworthy
[USN-5436-1] libXrender vulnerabilities [04:28]
execution
[USN-5437-1] libXfixes vulnerability
[USN-5438-1] HTMLDOC vulnerability [04:46]
etc
execution
[USN-5439-1] AccountsService vulnerability [05:06]
fixed it got dropped accidentally
[USN-5440-1] PostgreSQL vulnerability [05:36]
then achieve SQL code execution as the superuser
[USN-5404-2] Rsyslog vulnerability [05:51]
Goings on in Linux Security Community
BPFDoor malware targeting Linux and Solaris [06:08]
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
Malware that has been in the wild for a while (over 5 years)
Reported on by PwC in their Cyber Threats 2021: A year in Retrospect report
via custom backdoor ‘BPFDoor’
Stealthy - allows to backdoor a system for RCE but without opening any
new network ports or firewall rules by piggy-backing on existing network
facing applications
Uses BPF filter to watching incoming packets and activate accordingly
Earlier versions are on VT - with lots of other variants too
Even source code too - https://pastebin.com/kmmJuuQP
As I said - stealthy
innocent so can hide in plain sight
access
In more detail:
to alter timestamps (timestomp) to a specific timestamp (7:17pm
Thursday October 30th 2008)
itself from running
forked copy running resident in memory and then use BPF filter to watch
for incoming traffic to activate
Doesn’t appear to have any particular persistence mechanism but some
reports suggest use of crontab or rc/init scripts
By deleting itself from the ramdisk this avoids detection from filesystem
scanners (although processes running from since deleted binaries are a
suspicious sign themselves and can be easily detected since once the
binary is removed the kernel notes this in /proc/self/exe for the
process)
Renames its argv[0] so that it looks like other commonly found processes
like dbus-daemon / udevd / auditd etc
Also wipes its environ too to try and help hide it’s activities, however
this again is another suspicious activity and can easily be detected
(e.g. strings on /proc/$PID/environ will show as empty which is basically
never normally the case for normal processes)
BPF filter inspects either ICMP, TCP or UDP packets and then if it has a
special magic value in the first couple bytes it passes into the main
packet processing routine
if found then sets up either a local bindshell for the attacker to
connect to OR connects back to the attacker via a reverse bindshell
port to the port of the bindshell on the localhost
bindshell masquerades its process name to look like postfix as well as
setting a specific environment too (including HISTFILE=/dev/null)
Then attacker has full access to the machine (as the user)
Reasonably advanced malware
What is not clear is what is the initial compromise vector and then how
to privesc from that to give privileges to load BPF filter on a raw socket
privesc via xscreensaver but this vuln is specific to Solaris platforms
Why it is important to keep systems updated with latest patches etc.
Get in contact