Top ten “long-lived” vulnerabilities hidden deep in the code

In 2021, a vulnerability was disclosed in a system that underlies modern computing. An attacker can force the system to execute arbitrary code. Surprisingly, the vulnerability has a 54-year history, no patch is available, and there will never be one.

The system in question, however, is the universal Turing machine Marvin Minsky described in 1967: although of major theoretical significance to computer science, it was never built into a practical computer, so the absence of a patch seems harmless. Yet within ten years of Minsky designing this machine, early versions of UNIX and DOS were born, and the descendants of those two operating systems are still with us today. Some of their vulnerabilities have been hidden deep in the code for decades.

Below, we present the major long-lived vulnerabilities of recent years.

Vulnerability list

Nissan vehicle telematics control unit baseband vulnerability
Sudo heap overflow vulnerability Baron Samedit
Linux GRUB2 Secure Boot vulnerability
LionWiki local file inclusion vulnerability
Domain Time II man-on-the-side attack
Linux SCSI subsystem vulnerabilities
Windows DNS Server remote code execution vulnerability SigRed
PuTTY heap overflow vulnerability
Win32k.sys vulnerabilities
PrintDemon local privilege escalation vulnerability

Nissan vehicle telematics control unit baseband vulnerability

Age: 7 years old

Introduction date: 2010

Fix Date: 2017

As early as 2011, security researcher Ralf-Philipp Weinmann found a hidden vulnerability that had recently been introduced into mobile phone baseband processors: an attacker sets up a fake cell tower, the phone is spoofed into connecting to it, and the attacker hijacks its network connection. Phone manufacturers were not slow to patch it, and the patched phones were retired just as quickly.

That left a question: phones are not the only devices using such chips. Jesse Michael, principal researcher at the network security company Eclypsium, said: “Basically the same cellular baseband chipset is also used in the Nissan Leaf and other models.” Several researchers experimented on units salvaged from scrapped cars and found the same vulnerability.

Michael said: “This vulnerability has been well known in many different markets for a long time. It took more than seven years before we found it in the automotive market. Because it exists across so many market segments and the supply chain is so complex, no one before had considered that a car would run into the same kind of vulnerability as a phone.” The industry’s silo problem deserves real attention.

Sudo heap overflow vulnerability Baron Samedit

Age: 9 years and 6 months

Introduction date: July 2011

Fix Date: January 2021

The sudo command is an essential tool in the UNIX administrator’s toolbox: it gives the caller superuser privileges. But “with great power comes great responsibility”, so the command needs limits that stop a user from running straight through the system. For example, sudo can be invoked in shell mode, and the series of shell commands that follows the parameter is then executed with superuser privileges. This mode, however, is susceptible to a buffer overflow: inserting special characters into those commands induces the program to write outside the allocated memory buffer, which can let an attacker obtain root privileges.

Normally sudo recognizes such special characters before execution and so resists this kind of attack. In 2011, however, a change to sudo made the buffer overflow attack possible, and the vulnerability then lay in plain sight for ten years. The flaw is not in the sudo command itself but in the companion command sudoedit, which lets a user access and edit files with superuser permissions without granting the editor program itself full superuser privileges. As the Qualys blog pointed out in January 2021, the vulnerability enables serious privilege-escalation attacks, and patching is urgent. Almost all UNIX-based operating systems are affected, including Linux, Solaris and macOS.

Linux GRUB2 Secure Boot vulnerability

Age: 10 years old

Introduction date: 2010

Fix Date: July 2020

As the successor to the BIOS, UEFI is considered to have fairly advanced security features, able to counter software-level attacks on the operating system’s boot process. The key is a mechanism called Secure Boot, in which the legitimacy of each bootloader is verified with a cryptographic signing certificate. The UEFI root certificate is signed by Microsoft, and Linux distributions sit downstream of it in the chain.

However, the widely used Linux bootloader GRUB2, while carrying a UEFI-ready certificate, also contains a buffer overflow vulnerability that allows malicious code to be injected through its configuration file. (Although GRUB2 itself is signed, the configuration file is not, and it can be edited by a local administrator.) The security company Eclypsium discovered this vulnerability. Although an attacker needs a degree of local control over the target machine to carry out the attack, once it succeeds they can retain control of the computer every time it boots, and they are hard to expel from the system.

LionWiki local file inclusion vulnerability

Age: 11 years and 11 months

Introduction date: November 2008

Fix Date: October 2020

LionWiki is a minimalist wiki engine written in PHP. Unlike many popular wiki engines, such as the one underlying Wikipedia, LionWiki does not use a database but is entirely file-based. Since its goal is simplicity, being file-based is LionWiki’s advantage, but it also led to the introduction of a major vulnerability.

In essence, users access the various files under a given LionWiki instance through file and path names in the page URL. This means that with a correctly constructed URL an attacker can traverse the file system of the server hosting the LionWiki instance. File system traversal attempts can be blocked by configuring URL filtering, but as June Werner, a cyber range engineer, found, such URL filtering is easy to bypass.

Werner pointed out that despite multiple attempted fixes, the vulnerability persisted for a long time. “Some mitigations were first put in place in July 2009, and broader mitigations followed in January 2012. However, even with those mitigations in place, the code still could not withstand the same type of attack. By the time a way of bypassing these mitigations was worked out in 2020, the vulnerability had been in the code for eight years.”

After it was officially reported, the developer fixed the vulnerability.
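A constructed illustration of the point made above, added here and not LionWiki’s own code: a substring filter of the kind the entry calls easy to bypass, beside a check that confines the resolved path to the page directory. The temporary page store and the `....//` request are assumptions.

```python
import os
import tempfile
from typing import Optional

# Constructed stand-in for a wiki that maps the page name in the URL to a file.
# Not LionWiki's code: it only reproduces the two approaches the entry contrasts.

def naive_filter(page: str) -> str:
    """Mitigation of the kind the entry calls easy to bypass: strip '../' once."""
    return page.replace("../", "")

def confined_path(base_dir: str, page: str) -> Optional[str]:
    """Map a page name to a file strictly inside base_dir, or None if it escapes.

    The check runs on the fully resolved path, so '..', absolute names and
    symlinks are handled by the filesystem rather than by string matching.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo() -> dict:
    """Run both approaches against a constructed page store and return the outcomes."""
    with tempfile.TemporaryDirectory() as pages:
        with open(os.path.join(pages, "Main.txt"), "w") as fh:
            fh.write("= Main page =\n")
        # Each '....//' loses one '../' to the filter and leaves a real '../' behind.
        filtered = naive_filter("....//....//etc/passwd")
        expected_main = os.path.join(os.path.realpath(pages), "Main.txt")
        return {
            "after_filter": filtered,                                 # '../../etc/passwd'
            "filtered_request": confined_path(pages, filtered),       # None: rejected
            "absolute_request": confined_path(pages, "/etc/passwd"),  # None: rejected
            "normal_request": confined_path(pages, "Main.txt") == expected_main,
        }

if __name__ == "__main__":
    print(demo())
```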

Domain Time II man-on-the-side attack

Age: 14 years old

Introduction date: 2007

Fix Date: April 2021

If two computers on the same network cannot agree on the time, the consequences range from minor annoyance to a mess that cannot be cleaned up. Time synchronization is a perennial problem in the field. The most mature commercial solution is Domain Time II, a closed-source application widely deployed on Windows, Linux and Solaris.

Domain Time II has had a very serious vulnerability since the day it was born. Periodically, or under conditions the user can set, the software sends a UDP query to the update server of its vendor, Greyware Automation Products. If the server replies with a URL, Domain Time II runs a program with administrator privileges that downloads and installs the update from that URL.

What is the problem? If a malicious hacker can get a reply in before Greyware’s update server does, he or she can send a crafted reply that prompts Domain Time II to download and install whatever malware the attacker wants. In a true man-in-the-middle attack the attacker intercepts traffic in both directions; in a man-on-the-side attack, by contrast, the attacker does not intercept the responses to the target but races the legitimate reply with a crafted one. In practice this means an attacker needs control of a computer on the target’s local network; but such an attack lets an attacker escalate an intrusion to other, more valuable and better-protected machines on that network. GRIMM, the security company that found the vulnerability, noted that it has been present in various versions of the software since at least 2007.
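To make the man-on-the-side race concrete, an added model (not Greyware’s code or protocol) of an update check in which the client acts on the first UDP reply it receives, beside a client that only accepts a reply bound to its own query nonce by a keyed MAC. The nonce/MAC scheme, the key and the constructed replies are assumptions standing in for an authenticated update channel, not the vendor’s actual fix.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed replies to a single update query. 'arrival_ms' is the order in
# which the client would see them on the wire; the injected one comes from an
# on-path observer who saw the query and answered before the real server did.
KEY = b"constructed-update-signing-key"      # assumption: pre-shared verification key
NONCE = b"a1b2c3d4e5f60718"                  # assumption: fresh nonce sent with the query

def tag(url: str, nonce: bytes, key: bytes) -> str:
    """Keyed MAC binding a reply URL to the query it answers."""
    return hmac.new(key, nonce + url.encode(), hashlib.sha256).hexdigest()

LEGIT_URL = "https://updates.vendor.example/dt2-update.msi"
REPLIES: List[Dict] = [
    {"arrival_ms": 41, "url": LEGIT_URL, "mac": tag(LEGIT_URL, NONCE, KEY)},
    {"arrival_ms": 9, "url": "https://injected.example/payload.msi", "mac": "00" * 32},
]

def first_reply_wins(replies: List[Dict]) -> Optional[str]:
    """Client behaviour the entry describes: whichever reply arrives first is used."""
    if not replies:
        return None
    return min(replies, key=lambda r: r["arrival_ms"])["url"]

def authenticated_reply(replies: List[Dict], nonce: bytes, key: bytes) -> Optional[str]:
    """Client that ignores any reply not bound to its own nonce, whatever its timing."""
    for reply in sorted(replies, key=lambda r: r["arrival_ms"]):
        if hmac.compare_digest(tag(reply["url"], nonce, key), reply.get("mac", "")):
            return reply["url"]
    return None

if __name__ == "__main__":
    print("unauthenticated client installs from:", first_reply_wins(REPLIES))
    print("authenticated client installs from:  ", authenticated_reply(REPLIES, NONCE, KEY))
```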

Linux SCSI subsystem vulnerabilities

Age: 15 years old

Introduction date: 2006

Fix Date: March 2021

If you are nostalgic, you may still remember SCSI, a data transfer standard from the 1980s. Perhaps your first hard disk used it to connect to your IBM PC or classic Mac. SCSI is still in use in some environments today, and Linux carries a set of extended SCSI subsystem modules for systems that need them. These modules can be pulled in by the automatic module loading feature, in which the operating system fetches and installs the required system code on demand. That is genuinely convenient when you want to mount a SCSI hard drive on a Linux machine and do not want to hunt down all the necessary support code, but it also helps attackers exploit vulnerabilities in that code.

In March 2021, the security consultancy GRIMM released a series of vulnerabilities found in the Linux SCSI code. One buffer overflow allows an ordinary user to obtain root privileges; others leak information from the kernel into user space; and all of them can be used to obtain confidential information or to mount denial-of-service attacks against the affected machine. GRIMM said the vulnerabilities can be traced back to 2006 and noted coolly, “These vulnerabilities are the result of a lack of security consideration in programming practice, and that kind of practice was very common when this code was written.”

Windows DNS Server remote code execution vulnerability SigRed

Age: 17 years old

Introduction date: 2003

Fix Date: 2020

DNS is an underappreciated backbone of the Internet: it lets a computer find the IP address associated with a given URL. DNS is hierarchical, and a domain name resolution request travels up and down the DNS pyramid until it finds the DNS server that can answer the question “where is this computer?” Consequently, all mainstream operating systems have DNS built in.

In 2020, Microsoft disclosed a critical vulnerability in its DNS, although there was no evidence it had been exploited. The Check Point researchers who found it named it SigRed. It is a Windows DNS Server buffer overflow that can be triggered through a flaw in the handling of DNS packet signatures. A malicious name server can respond to a domain name resolution request, bypass most security protections and gain remote access to the Microsoft DNS server. The attack is also wormable, that is, it can propagate automatically without user intervention.

PuTTY heap overflow vulnerability

Age: 20 years and 9 months

Introduction date: January 1999

Fix Date: October 2019

PuTTY is a free open source toolkit that includes a serial console, a terminal emulator and various network file transfer applications, with SSH and other encryption schemes built in. PuTTY was originally developed to bring the UNIX administrator’s own toolset to Windows and classic Mac OS, but its scope has since expanded, and it is used on Unix systems as well. Although PuTTY is designed to protect network connections, its core code harboured a hidden vulnerability: another form of buffer overflow (a heap overflow in this case), which can be triggered by a short SSH key and causes PuTTY to crash or even allows remote code execution.

Under the bug bounty program launched by the EU’s EU-FOSSA project, the vulnerability was submitted to HackerOne and earned the submitter a bounty of 3,645, along with thanks from the PuTTY team. The PuTTY team pointed out that the vulnerability had been present in the PuTTY source code since its early versions in 1999.

Win32k.sys vulnerabilities

Age: 23 years old

Introduction date: 1996

Fix Date: 2019

In 2019, two vulnerabilities were exposed in the Microsoft Windows Win32 API. The first, found in April, was a use-after-free vulnerability: a program could exploit an operating system coding error to access system memory that should have been protected. Security researchers detected it while investigating malicious hackers’ attempts to use it to take control of computers. The second, a privilege escalation vulnerability hidden in the operating system’s window switching functionality, was discovered in December. Like the first, it was also detected during active attacks, in which the attackers simulated keystrokes to create a memory leak.

Both vulnerabilities can be traced back to the early days of the Windows operating system. Kaspersky senior security researcher Boris Larin explained: “The problem stems from Win32k: when it first appeared in Windows NT 4.0, most of the Win32 graphics engine was moved from user mode into the kernel to improve performance.” Although these two specific vulnerabilities have been fixed, Microsoft’s decision to move that code into the kernel has had wide-ranging consequences, and the impact may continue. Over the years, a disproportionate share of the kernel security vulnerabilities found in Windows has been attributable to the Win32k component.

PrintDemon local privilege escalation vulnerability

Age: 24 years old

Introduction date: 1996

Fix Date: May 2020

Printers are a common pain point in IT because there are so many kinds, they are not made by the computer or operating system vendor, and users expect to plug them in and print. Microsoft in particular strove in its early days to make installing printer drivers relatively easy for users. The recent PrintDemon vulnerability, however, shows that Microsoft may have gone a little too far in the 1990s and is still paying the price today.

The core of the vulnerability is three facts: non-administrator users can add printers to a Windows machine; the underlying implementation allows printing to a file rather than to a physical print device; and the critical print service on Windows runs with SYSTEM privileges. Together these mean that with the right construction of a “printer” driver, a file (even an executable) can be created anywhere in the file system, even in privileged locations. Over the years hackers have designed a large number of exploits for these design flaws, Stuxnet among them. But PrintDemon, found in 2020, is special: Microsoft’s fixes over the years have been patches rather than a full refactoring of the whole print subsystem. As Winsider describes it, “With just a small change to the file system, you can achieve file copy/write behaviour that is not attributed to any process, especially after a reboot. With a well-crafted port name, you can have the Spooler process place a [portable executable] file on disk for you.” However you hear it, that is not good news.

This list of “long-lived” vulnerabilities makes you realise that your own computer could be hacked through a vulnerability in a printing subsystem that dates from the Clinton administration. But how old these vulnerabilities are is not necessarily obvious at once. GRIMM chief vulnerability researcher Adam Nichols said: “In independent research work, one thing we do when we find a vulnerability is try to determine how long it has existed. Unfortunately, this is not an industry standard, though some other researchers do it too. Taking this step to find out how long people have been at risk is not part of the job, but I think it is an important part of research work.”

Sandy Clark’s research shows that widespread code reuse has created a huge attack surface of known vulnerabilities, and that long-lived vulnerabilities may eventually evolve into working exploits. This contradicts traditional software engineering dogma, which holds that most vulnerabilities are fixed early, when a code base first meets real problems and attacks. In fact, in the words of the title of Clark’s paper, “familiarity breeds contempt.”