The world may not be ready, but the .zip top-level domain (TLD) is here. It is part of the generic TLD category, which was expanded to allow applications for new TLDs. Google led the way, applying for 101 new TLDs, with .zip being one of the more interesting ones. Public registration of .zip domains has been open for two weeks, and some interesting domains have already been registered, such as update.zip, installer.zip, and officeupdate.zip.
The obvious question to ask is whether the new TLD can be misused for fraud and phishing. The answer is yes, it certainly can. One of the sneakier tricks is the @ symbol in a URL, which marks the userinfo portion at the beginning of the URL. It is normally used to embed a username and password, e.g. http://username:password@example.com/. That one is very obvious, but what about https://google.com@bing.com? Still looks weird. The catch that really prevents abuse of this technique is that slashes are not allowed in the userinfo portion, so an attack URL like https://google.com∕gmail∕…@bing.com is not possible. Right?
Except, take a look at that last link. It appears to have slashes in it, so it should take you to Google and ignore the @ symbol. But it doesn’t go to Google, it goes to Bing. As you might have guessed, it’s Unicode shenanigans again. Those are not slashes, they are U+2215, the division slash. This means a .zip TLD can be really deceptive, if the domain shown is one you trust.
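To make the userinfo trick concrete from the defender’s side, here is a small URL checker. It is an added example, not code from the article: it relies only on Python’s standard `urllib.parse`, and the sample URL (`example.com` masquerading in front of `update.zip`, with U+2215 in place of the slashes) is constructed for the demonstration. It reports the host a browser would really contact, whether a userinfo section is present, whether that section contains slash look-alikes, and whether the real host sits under a file-extension TLD. One edge case worth knowing: CPython rejects some look-alikes outright (the fullwidth solidus U+FF0F normalizes to “/” under NFKC), while the division slash the article describes sails straight through, so a scanner should treat a parser rejection as a finding rather than an error.

```python
"""Added example (not from the article): flag URLs whose userinfo or Unicode content
could mislead a reader about which host they really reach."""
import unicodedata
from urllib.parse import urlsplit

# Code points that render like "/" but are not U+002F, so they are legal inside userinfo.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}  # division, fraction, big, fullwidth solidus
FILE_EXTENSION_TLDS = {"zip"}  # the TLD under discussion; extend as needed


def analyze_url(url):
    """Return the host the browser would actually contact plus a list of findings."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # CPython refuses netlocs whose NFKC form contains '/', '@', ':' etc. (e.g. U+FF0F).
        # A parser rejection is itself a signal, so report it instead of crashing.
        return {"host": "", "userinfo": "", "findings": ["parser-rejected-netloc"], "lookalikes": []}
    host = parts.hostname or ""
    userinfo = parts.netloc.rpartition("@")[0]  # everything before the last "@" in the authority
    findings = []
    if userinfo:
        findings.append("userinfo-present")  # browsers drop this part; the real host follows the "@"
    lookalikes = [unicodedata.name(c) for c in userinfo if c in SLASH_LOOKALIKES]
    if lookalikes:
        findings.append("slash-lookalike-in-userinfo")
    if not url.isascii():
        findings.append("non-ascii-in-url")
    if host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS:
        findings.append("file-extension-tld")
    return {"host": host, "userinfo": userinfo, "findings": findings, "lookalikes": lookalikes}


if __name__ == "__main__":
    # Constructed sample: looks like a download path on example.com, really points at update.zip.
    for sample in ("https://example.com∕downloads∕setup@update.zip",
                   "https://example.com/downloads/setup@update.zip"):
        print(sample, "->", analyze_url(sample))
```

The second sample in the demo uses real ASCII slashes, so the parser stops the authority at the first one and the host is `example.com` with no findings, which is exactly the behaviour the article relies on before the Unicode twist.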
This is an interesting read on the .zip TLD. However, the results are close to zero for phishing attacks, read it first and then I’ll explain: https://t.co/RoN3L2m61o
– Troy Hunt (@troyhunt) May 17, 2023
Troy Hunt has some thoughts on the matter. The godfather of breached passwords points out that URLs are really hard to parse sometimes, and once Unicode tricks become part of the problem, it’s impossible to tell a good URL from a bad one by eye. His parting gift: attachment.zip
Scanning Inside Zips
[Andrew Brandt] discovered something odd as part of his security research. He uses Microsoft SharePoint to share live malware samples, always password-protected with the password “infected”. Recently, those files have started being flagged as containing malware by SharePoint.
For a regular user, finding malware inside zip files is a nice feature. For a security researcher, it’s a real problem. But how does SharePoint look inside encrypted zip files? Simple: Microsoft automatically tries the most common passwords, and also scrapes users’ emails for obvious patterns such as “the password is $password”. The default zip encryption in Windows is known to be weak anyway. Still, it is a bit unsettling that a cloud vendor automatically decrypts files this way.
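To show what such a scanner is actually doing, and why a password sent in the same message offers no real protection, here is an added, self-contained Python example. It is not SharePoint’s or Microsoft’s code and makes no claim about their implementation: it hand-builds a one-entry archive protected with ZipCrypto (the legacy PKWARE scheme the standard library can read but not write), harvests candidate passwords from a constructed email body, adds a tiny stand-in for a common-password list, and lets `zipfile` try each candidate. The message text, the entry contents and the three-word wordlist are all constructed for the demonstration.

```python
"""Added example: how a scanner can see inside a ZipCrypto-protected archive when the
password travels in the same message. Constructed sample; not SharePoint's own logic."""
import io
import re
import struct
import zipfile
import zlib

# Standard CRC-32 table, used by the ZipCrypto key schedule.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _update_keys(keys, byte):
    """One step of the PKWARE 'traditional' encryption (ZipCrypto) key update."""
    keys[0] = (keys[0] >> 8) ^ _CRC_TABLE[(keys[0] ^ byte) & 0xFF]
    keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
    keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = (keys[2] >> 8) ^ _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]


def zipcrypto_encrypt(plaintext, password, crc, filler=b"\x00" * 11):
    """ZipCrypto: a 12-byte header (11 filler bytes + a CRC check byte) followed by the data.
    A fixed filler keeps the example deterministic; real writers use random bytes."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    for b in password:
        _update_keys(keys, b)
    out = bytearray()
    for p in filler[:11] + bytes([(crc >> 24) & 0xFF]) + plaintext:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        _update_keys(keys, p)  # the key schedule advances on the plaintext byte
    return bytes(out)


def build_encrypted_zip(name, plaintext, password):
    """Hand-build a one-entry, stored, ZipCrypto-flagged archive
    (the stdlib reads these but cannot write them)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = zipcrypto_encrypt(plaintext, password, crc)
    fname = name.encode()
    flags, method, dostime, dosdate = 1, 0, 0, (1 << 5) | 1  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime, dosdate,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dostime,
                          dosdate, crc, len(body), len(plaintext), len(fname), 0, 0, 0, 0,
                          0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


# A tiny stand-in for the "most common passwords" list a real scanner would carry.
COMMON_PASSWORDS = ["infected", "password", "123456"]


def harvest_passwords(message):
    """Pull likely passwords out of the message that carries the attachment."""
    return re.findall(r"password(?:\s+is)?\W+(\w+)", message, re.IGNORECASE)


def scan_archive(zip_bytes, message):
    """Try harvested and common passwords; return (password, {name: bytes}) or (None, {})."""
    candidates = list(dict.fromkeys(harvest_passwords(message) + COMMON_PASSWORDS))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pw in candidates:
            try:
                return pw, {n: zf.read(n, pwd=pw.encode()) for n in zf.namelist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong check byte, or CRC mismatch after a lucky check byte
    return None, {}


# Constructed sample: a researcher shares a harmless placeholder, password in the same mail.
SAMPLE_MESSAGE = "Hi, the sample is attached as sample.zip, password “infected” as usual."
SAMPLE_ZIP = build_encrypted_zip("sample.bin", b"placeholder bytes, not malware", b"infected")

if __name__ == "__main__":
    pw, files = scan_archive(SAMPLE_ZIP, SAMPLE_MESSAGE)
    print("recovered password:", pw, "entries:", list(files))
```

The harvested word is tried first, so the archive opens on the very first attempt. A password that is not in the message and not in the wordlist simply yields `(None, {})`, which is the point: only the channel the password travels in, not ZipCrypto itself, decides whether this kind of scanner gets in.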
Vulnerable Plugins
There are a few high-priority vulnerabilities in web plugins this week. The first is in Elementor’s core plugins, which have a flaw that allows an unauthenticated user to take over any user’s account. It’s a by-product of a new password reset function, which simply fails to verify the password reset key. Considering that this WordPress plugin is installed on over a million websites, this is a big deal. The bug is only present between 5.4.0 and 5.7.2, with the latter containing the fix. Be sure to update immediately: the bug is trivial to trigger, and it has now been fully disclosed to the public.
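The failure mode described here, a reset handler that accepts a key parameter but never checks it, is easy to see side by side with a correct one. The following is an added illustration written in Python rather than the plugin’s PHP, and it is not the plugin’s code: the in-memory `USERS` and `RESET_KEYS` tables stand in for a database, and the “hash:” prefix stands in for real password hashing. The hardened version requires an issued key, compares it in constant time, enforces an expiry, and consumes the key so it cannot be replayed.

```python
"""Added example: a password-reset handler that ignores its reset key, beside one that
verifies it. Generic Python illustration, not the plugin's own code."""
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database (hypothetical).
USERS = {"alice": "hash:old", "bob": "hash:old"}
RESET_KEYS = {}  # username -> (key, expiry timestamp)


def issue_reset_key(user, ttl_seconds=900, now=None):
    """Create a single-use, time-limited reset key for an existing user."""
    if user not in USERS:
        return None
    key = secrets.token_urlsafe(32)
    issued_at = time.time() if now is None else now
    RESET_KEYS[user] = (key, issued_at + ttl_seconds)
    return key


def reset_password_vulnerable(user, supplied_key, new_password):
    """Broken pattern: the key is accepted as a parameter but never compared with the
    issued key, so knowing a username is enough to change that user's password."""
    if user not in USERS:
        return False
    USERS[user] = "hash:" + new_password  # stand-in for hashing the new password
    return True


def reset_password_fixed(user, supplied_key, new_password, now=None):
    """Hardened pattern: the key must have been issued, must match in constant time,
    must not be expired, and is consumed so it cannot be used twice."""
    record = RESET_KEYS.get(user)
    if record is None or user not in USERS:
        return False
    expected, expiry = record
    current = time.time() if now is None else now
    if current > expiry:
        RESET_KEYS.pop(user, None)  # expired keys are discarded, not left to be retried
        return False
    if not hmac.compare_digest(expected.encode(), str(supplied_key).encode()):
        return False
    RESET_KEYS.pop(user, None)  # one-time use
    USERS[user] = "hash:" + new_password
    return True


if __name__ == "__main__":
    print("vulnerable accepts garbage key:", reset_password_vulnerable("alice", "anything", "pwned"))
    key = issue_reset_key("bob")
    print("fixed rejects garbage key:", not reset_password_fixed("bob", "anything", "pwned"))
    print("fixed accepts real key once:", reset_password_fixed("bob", key, "fresh"),
          "and rejects replay:", not reset_password_fixed("bob", key, "again"))
```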
Next, in PrestaShop, there is a really bad issue with a module called possearchproducts. An HTTP request can trigger a SQL injection, resulting in full administrative access to the site. The worst part is that this vulnerability is reachable even when the module is installed but not active on the site. It is being actively exploited to steal credit card information. It seems the module’s author has abandoned development and does not respond to contact attempts, so it looks like this module needs to be uninstalled immediately.
BlackLotus Fallout
Secure Boot on Windows is broken by BlackLotus. This bootkit has been found in the wild, and was announced just two weeks ago. Since then, a patch, and a way around that patch, have been found, allowing BlackLotus to continue to bypass Secure Boot and start running malware very early in the boot chain.
The latter bypass takes advantage of existing signed Secure Boot binaries, which themselves contain bugs, to gain persistence in the boot process. The solution is to add these binaries to the list of disallowed EFI binaries. The only problem is that these binaries are key to booting Windows installation media and a few other tools. So the fix is being rolled out very slowly.
You can get the update now, but it’s a hassle, and that’s intentional. In July, a second update will make the process simpler, but still won’t revoke the binary signatures by default. And finally in 2024, the revocation update will roll out to everyone. If you’re not using Secure Boot, this doesn’t really apply to you, but anyone relying on Secure Boot for system integrity should take a good look at this.
Bits and Bytes
IPv6 is the relatively new kid on the Internet Protocol block, and as such, there are a host of code paths that aren’t as well-tested as those of its older cousin, IPv4. This is true in the Linux kernel as well, as evidenced by the remote kernel panic that a single IPv6 packet can cause.
There is another vm2 escape this week. This sounds like a case of catching one bug leading to another being found, as we covered vm2 escapes about a month ago as well. This library is intended to allow untrusted JavaScript code to run safely, and quite a few large vendors use it. The escape itself is very simple: mishandled errors give access to the real implementation.
The Wemo Mini Smart Plug V2 has a FriendlyName issue. Namely, the bounds checking on that name happens in the browser, so sending a malformed name causes a buffer overflow on the device. The overflow can be leveraged for remote code execution, and it can be triggered via the Wemo cloud service. The device is end-of-life, so no fix is coming. On the plus side, these devices run an old fork of OpenWRT, so it seems like a great opportunity to jailbreak one and update it to a recent version. Happy hacking!