Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
With an eye to the approaching weekend, some lighter reading in today's news brief:
Botnet Madness for Teens
From Scott J. Shapiro's new book, "Fancy Bear Goes Phishing", by way of IEEE Spectrum magazine, comes the fascinating tale of how an arms race between two sparring groups of teenagers, combined with an informal protection racket against Rutgers University, led to the creation of the Mirai botnet.
Shapiro, Scott J., The Strange Story of the Teens Behind the Mirai Botnet, IEEE Spectrum, 23 May 2023. Available online at https://spectrum.ieee.org/mirai-botnet.
Defending Against XPath Injection
One of the short topics I cover during our CISSP courses is the variety of injection attacks, with examples of both SQL injection and XML injection; there isn't time to go into the other types such as LDAP injection and command injection. One that I don't mention at all is XPath injection.
Trend Micro comes to the rescue here, with a nice, short but reasonably comprehensive tutorial on the topic. XPath - the XML Path Language - is used to query XML databases and it can be used by attackers in a manner similar to the more common SQL injection, retrieving information from the XML Document Object Model. In particular, with repeated queries, an attacker can 'crawl' the DOM, gradually recreating the entire XML document.
The Trend Micro tutorial walks the user through creating a simple Node.js application which queries an XML database, and then demonstrates some XPath injections. It then concludes with the defensive techniques, which are in some ways analogous to the SQL injection defenses: input sanitization, using parameterized XPath queries and using precompiled XPath queries.
Trend Micro DevOps Resource Center, Understanding XPath Injection Vulnerabilities, web page, 25 May 2023. Available online at https://www.trendmicro.com/en_us/devops/23/e/xpath-injection-vulnerabilities.html.
Exploiting SSH Public Keys for Fun and Profit
Finally, from The Hacker's Choice comes an interesting technique which exploits a little-known feature of OpenSSH in order to create a persistent backdoor on compromised systems.
OpenSSH public keys can be prefixed by various options - I bet you didn't know that, despite having read the Snail book, right? - and one of these options allows execution of a command. In the article, the author executes PowerShell to evaluate some commands, which are obscured by their conversion into a long hexdump string; the string is piped into the xxd hex dump utility to convert them back to text before evaluation.
The backdoor in this example is an installer, fetched from thc.org and then executed in memory before the user's normal shell is started.
It's a neat trick; SSH public keys are long base64-encoded strings anyway, and so at a casual glance, a long hex string will not draw attention. Generally, we can rely on a simple defence - the permission bits on ~/.ssh and the authorized_keys file within it, which will stop any other users having access to them, let alone editing a key:
drwx------. 2 username username 48 Feb 26 14:11 .
-rw-------. 1 username username 102 Jun 11 2022 authorized_keys
However, cloud instances often have keys loaded into them at boot time, and if an attacker was able to edit a root account or service key in, for example, a cloud management console . . .
Something to think about over the weekend.
root, Infecting SSH Public Keys with backdoors, blog post, 24 May 2023. Available online at https://blog.thc.org/infecting-ssh-public-keys-with-backdoors.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.