This Week In Security: Ransomware Decryption, OpenSSL, And USBGadget Spoofing

We’ve covered a lot of ransomware here, but we haven’t spent much time looking at the decryption tools available to victims. When ransomware groups give up or rebrand, some of them release a decryption tool for victims who haven’t paid. It’s not a good idea to run one of those decryptors as-is: after all, ransomware authors don’t have a great track record of taking care of your data. Once a released decryptor has been verified to work, security researchers reverse engineer the tool and publish a known-good decryption program.

The good folks at No More Ransom collect, build and host a library of such tools. They also offer Crypto Sheriff, a tool for identifying which ransomware family has encrypted your files. Upload a few encrypted files and it will tell you exactly what you’re dealing with and whether a decryptor is available. The site is a collaboration between the Dutch police, Interpol, Kaspersky and McAfee. You may be surprised to learn that they recommend reporting any ransomware infection to the authorities. I can confirm that at least the FBI in the United States is very interested in tracking the various ransomware attacks – I got a surprise call from an agent tracking an infection.


The OpenSSL project has fixed a couple of vulnerabilities, CVE-2021-3711 and CVE-2021-3712, with release 1.1.1l. The first is a possible buffer overflow caused by a naive length-calculating function. The “fixed” length header is actually dynamic, so carefully crafted plaintext can overflow the allocated buffer.

The second vulnerability is less severe but more interesting. It is a discrepancy between the official specification of the ASN1_STRING structure and how that structure is used in practice inside OpenSSL. The structure contains, among other things, a byte array and a length. The question is whether that array is NUL-terminated. Throughout the OpenSSL code it is treated as a standard C string, but nowhere does the documentation require a NUL terminator. The real problem comes when a program that uses the OpenSSL library constructs an ASN1_STRING locally. Strict adherence to the documentation would produce an unterminated array. When OpenSSL acts on that value, it prints it to the log using printf() and a %s specifier, which keeps reading and printing bytes until the next zero byte is hit. This can leak unintended information.
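To make the ASN1_STRING issue concrete, here is an added example that is not OpenSSL’s code: a toy struct with the same shape (data pointer plus explicit length), a constructed memory layout where the declared bytes are immediately followed by unrelated data with no NUL in between, and the two ways of rendering it. The struct and function names are this example’s own. The overread stays inside one array so it is deterministic here; in real code the bytes after the array are whatever the heap holds.

```c
/*
 * Added example (not OpenSSL's code): why a length-delimited byte array must
 * never be handed to "%s". The struct only mimics the shape of ASN1_STRING;
 * the names are this example's own.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy stand-in for ASN1_STRING: a byte array plus an explicit length.
 * Nothing in the contract says data[length] is a NUL byte. */
struct asn1_like_string {
    const unsigned char *data;
    int length;
};

/* Constructed layout: the value "CN=example" is directly followed by
 * unrelated bytes ("SECRET") with no terminator between them. Both live in
 * a single array, so the overread below is deterministic (no UB), unlike a
 * real heap overread where the leaked bytes are whatever happens to follow. */
static const char backing[] = "CN=exampleSECRET";

struct asn1_like_string make_unterminated(void)
{
    struct asn1_like_string s;
    s.data = (const unsigned char *)backing;
    s.length = 10;   /* strlen("CN=example"): the caller's declared length */
    return s;
}

/* Unsafe rendering: "%s" ignores the declared length and runs to the next
 * NUL byte, leaking whatever sits after the value. This is the pattern
 * behind CVE-2021-3712. Returns the number of bytes the output needed. */
int render_unsafe(char *out, size_t outsz, const struct asn1_like_string *s)
{
    return snprintf(out, outsz, "%s", (const char *)s->data);
}

/* Safe rendering: "%.*s" caps the read at the declared length, so only the
 * bytes that belong to the structure are ever touched. */
int render_safe(char *out, size_t outsz, const struct asn1_like_string *s)
{
    return snprintf(out, outsz, "%.*s", s->length, (const char *)s->data);
}

/* Helpers exposing the results as return values. */
int demo_unsafe_length(void)
{
    char buf[64];
    struct asn1_like_string s = make_unterminated();
    return render_unsafe(buf, sizeof buf, &s);   /* 16: the leak is visible */
}

int demo_safe_length(void)
{
    char buf[64];
    struct asn1_like_string s = make_unterminated();
    return render_safe(buf, sizeof buf, &s);     /* 10: exactly the value */
}

int demo_safe_text_ok(void)
{
    char buf[64];
    struct asn1_like_string s = make_unterminated();
    render_safe(buf, sizeof buf, &s);
    return strcmp(buf, "CN=example") == 0;
}

int main(void)
{
    char buf[64];
    struct asn1_like_string s = make_unterminated();
    render_unsafe(buf, sizeof buf, &s);
    printf("unsafe: %s\n", buf);   /* CN=exampleSECRET */
    render_safe(buf, sizeof buf, &s);
    printf("safe:   %s\n", buf);   /* CN=example */
    return 0;
}
```

The fix OpenSSL shipped is the same idea as `render_safe`: treat the length field as authoritative instead of trusting a terminator the API never promised. When auditing code that consumes such structures, any `%s`, `strlen()` or `strcpy()` applied to the data pointer is the thing to look for.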

Atlassian Confluence Vulnerable

Confluence is a knowledge management platform, essentially a fancy business wiki. Atlassian just patched a vulnerability present in the last four major versions. CVE-2021-26084 is an OGNL injection problem rated 9.8. An attacker can abuse the flaw to execute code on the hosting server, in some cases even without authentication.

OGNL is the Object-Graph Navigation Language, described as an expression language for Java. The injection problem is quite similar to a SQL injection attack, where user-supplied data can contain expressions. An OGNL injection often looks like this: ${(#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc.exe"))}.

Clever Girl^H^H^H^HHacker

Remember the trivial escalation to SYSTEM privileges from plugging in a Razer mouse? The hardest part of that attack was that you had to physically bring a Razer or SteelSeries device to the computer you wanted to compromise. Well, not anymore. If you have root on your Android phone, you can now use usbgadget-tool to spoof the right kind of hardware. The drivers used by these two specific devices will likely be fixed very soon, but there are surely plenty of similar cases out there ripe for abuse.

This is a particularly simple trick to pull off, and you may be tempted to try it on a work computer or in a similar situation. This is your periodic reminder that plugging in a Razer mouse is a crime – if you do it to gain SYSTEM on a machine without permission. In the immortal words of Bosnian Bill, “beware and be lawful.”

Hacking Honda Keyfobs

Rolling codes have been used in key fobs since 1995. An incrementing counter is used as part of the encryption key and is kept synchronized between the vehicle and the fob. This arrangement makes replay attacks much harder, as it lets the vehicle ignore messages signed with a previously used counter value. There are many clever attacks devised against this system, such as capturing a message while jamming it so the vehicle never receives it. This is not one of those clever hacks. It really looks like a broken system deployed in the wild.

[Blake Berry] worked on a simple script to highlight the differing bits in two strings, and tested it on a pair of key fob messages sent to a Honda vehicle. The two strings were alarmingly similar. After further work, it was found that a captured lock command could be replayed with a few specific bits flipped, and would unlock the vehicle. The attack was confirmed on a 2009 vehicle as well as a 2020 model. It seems that Honda/Acura simply doesn’t do any effective cryptography in its key fob system. The issue has been assigned CVE-2019-20626, which makes the presence of the flaw in the 2020 model particularly telling.
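The two paragraphs above describe what a rolling-code receiver is supposed to do and the bit comparison that showed the Honda frames failing it. The following added example, which is neither Honda’s firmware nor [Blake Berry]’s script, shows both: the receiver-side counter check that makes a replayed frame worthless, and a Hamming-distance comparison of two constructed frames. The counter is carried in the clear here purely so the logic is readable; a real scheme binds it to the command with encryption or a MAC. The window size, struct names and sample frames are this example’s own choices.

```c
/*
 * Added example (not Honda's or Blake Berry's code): the replay check a
 * rolling-code receiver relies on, plus a bit-diff of two captured frames.
 * Window size, names and sample data are assumptions for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RESYNC_WINDOW 16   /* how far ahead the fob may drift (assumed) */

struct receiver {
    uint32_t last_counter;   /* highest counter accepted so far */
};

/* Constructed message: counter in the clear for readability only. */
struct fob_msg {
    uint32_t counter;
    uint8_t command;         /* 0 = lock, 1 = unlock */
};

enum verdict { ACCEPT = 0, REJECT_REPLAY = 1, REJECT_OUT_OF_SYNC = 2 };

/* Core check: a counter at or below the last accepted value is a replay
 * (or a tampered copy of one); a counter too far ahead is ignored rather
 * than blindly trusted. Only an accepted message advances the state. */
enum verdict receive(struct receiver *rx, const struct fob_msg *m)
{
    if (m->counter <= rx->last_counter)
        return REJECT_REPLAY;
    if (m->counter - rx->last_counter > RESYNC_WINDOW)
        return REJECT_OUT_OF_SYNC;
    rx->last_counter = m->counter;
    return ACCEPT;
}

/* Hamming distance between two frames: the comparison that flagged the
 * Honda messages as "alarmingly similar". A healthy rolling code changes
 * many bits between presses; a near-identical pair is the red flag. */
unsigned bit_diff(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned d = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t x = (uint8_t)(a[i] ^ b[i]);
        while (x) { d += x & 1u; x >>= 1; }
    }
    return d;
}

/* Walk a constructed capture through the receiver and return how many
 * messages were accepted. The replayed counter 100 (with its command bit
 * flipped to "unlock") and the far-out-of-window counter are rejected. */
int run_scenario(void)
{
    struct receiver rx = { 99 };
    struct fob_msg seq[] = {
        {100, 0},    /* fresh lock               -> ACCEPT */
        {101, 1},    /* fresh unlock             -> ACCEPT */
        {100, 1},    /* replay of 100, bit flipped -> REJECT_REPLAY */
        {105, 0},    /* fob pressed out of range, within window -> ACCEPT */
        {5000, 1},   /* far outside window       -> REJECT_OUT_OF_SYNC */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (receive(&rx, &seq[i]) == ACCEPT)
            accepted++;
    return accepted;   /* 3 */
}

/* Two constructed 4-byte frames that differ in a single bit, standing in
 * for a lock and an unlock command from a fob with no real rolling code. */
unsigned sample_bit_diff(void)
{
    static const uint8_t lock_frame[4]   = { 0xDE, 0xAD, 0xBE, 0x10 };
    static const uint8_t unlock_frame[4] = { 0xDE, 0xAD, 0xBE, 0x11 };
    return bit_diff(lock_frame, unlock_frame, 4);   /* 1 */
}

int main(void)
{
    printf("accepted messages: %d\n", run_scenario());
    printf("bits differing between lock and unlock frames: %u\n",
           sample_bit_diff());
    return 0;
}
```

With a correctly implemented counter the tampered replay on line three of the scenario is dropped before the command byte is even looked at; the Honda finding is essentially that this gate is missing, so a one-bit edit of a recorded frame is enough.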

(Editor’s note: We were initially skeptical about this because it’s simply too obvious. We will note here that the CVE is “undergoing re-analysis” at the moment. If we had a Honda, we would test it before noon. Can you? Let us know.)

Subdomain Takeover via DNS

A subdomain takeover is when an unauthorized party can run arbitrary services at an IP address that a subdomain points to. There are several ways this can happen, such as deleting a GitHub Pages site but leaving the DNS record in place. Someone else can come along and claim the same name, then host their own content on that subdomain. There is another way this happens, through hosted DNS, and there is a new tool for finding vulnerable domains. DNSTake lets you specify a domain, and it walks the DNS chain to find the name servers, looking for odd DNS status answers.

The goal is to find a domain that uses a hosted DNS provider, where the domain has been deleted from that provider’s interface but the NS records still exist. With many such providers, anyone can add a DNS record for the unclaimed domain. All sorts of mischief is possible once an attacker has control of the subdomain.
