This Week In Security: Unicode Strikes, NPM Again, And First Steps To PS5 Crack

Maybe we really were better off with ASCII. Back in my day, we had space for 256 characters, didn’t even use 128 of them, and we took what we got. Unicode opened up computers to the languages of the world, but also opened an invisible backdoor. This is a similar technique to last week’s Trojan Source story. While Trojan Source used right-to-left encoding to manipulate benign-looking code, this hack from Certitude uses Unicode characters that appear to be whitespace, but are recognized as valid variable names.

const { timeout,ㅤ} = req.query;
Is actually:
const { timeout,\u3164} = req.query;

The extra comma might give you a clue that something is up, but unless you’re very familiar with a language, you might dismiss it as a syntax quirk and move on. Using the same trick again allows the hidden malicious code to be included on a list of commands to run, making a hard-to-spot backdoor.

The second trick is to use “confusable” characters like ǃ, U+01C3. It looks like a normal exclamation mark, so you wouldn’t bat an eye at if(environmentǃ=ENV_PROD){, but in this case, environmentǃ is a new variable. Anything in this development-only block of code is actually always enabled — imagine the chaos that could cause.

Neither of these are ground-breaking vulnerabilities, but they are definitely techniques to be wary of. The authors suggest that a project could mitigate these Unicode techniques by simply restricting their source code to containing only ASCII characters. It’s not a good solution, but it’s a solution.

More REvil Arrests

Apparently making yourself an enemy of the whole Western world is a good way to get arrested, as REvil members are continuing to learn. Operation GoldDust has netted seven arrests this year, the most recent in Romania. This is the same law enforcement effort that has resulted in the No More Ransom project.

Breaking the PS5

We haven’t heard anything from Fail0verflow for a while, but they’re back with new work targeting the PS5. They’ve found the root encryption keys for the system. This isn’t quite as big a deal as it originally seemed, as the signing key would still be needed to run custom software on the device. What this should allow is decrypting the device firmware, and then looking for bugs in the bootloader and firmware, potentially leading to a PS5 jailbreak in the future. If you’ve been hoping for a homebrew scene for the PS5, your time may be coming.

Translation: We got all (symmetric) ps5 root keys. They can all be obtained from software – including per-console root key, if you look hard enough! https://t.co/ulbq4LOWW0

— fail0verflow (@fail0verflow) November 8, 2021

NPM Again

Last week, the coa and rc packages temporarily updated to versions containing malicious code. The timing, and nearly identical added code, indicates that it was the same individual or group behind both packages. While the malware seemed to be non-functional on some systems, it should be assumed that anywhere these malicious versions were deployed is compromised. At a combined 20 million weekly downloads for these two packages, there are sure to be many compromises, even given the short time the malicious packages were available on the 4th. NPM was hosting the malicious version of coa for one hour and twelve minutes. The rc package pushed the malicious update a couple hours later, and it’s unclear how long that version was available.

The malicious code was run using a preinstall script, which seems to be the common vector for these hacks. There have been suggestions that install scripts should be disabled by default. While that would prevent these very simple attacks, it wouldn’t actually protect against the underlying problem. Supply chain attacks are a growing problem, but they seem to be particularly problematic in the world of full-stack JavaScript. If the popularity of node.js and npm are to continue, we will need a better solution to this pernicious problem.

Palo Alto and Disclosure

Researchers at Randori have discovered a pair of vulnerabilities in Palo Alto firewalls, which chained together can result in full device compromise with no prior authorization required. The attacks are an HTTP-request-smuggling vulnerability that leads to a buffer overflow. The overflow is normally not exploitable, but the request-smuggling allows an attacker to reach the vulnerable code. The flaws were fixed in version 8.1.17, and versions 9.0+ were never vulnerable. An in-depth analysis is due in December, but there’s another interesting angle to this story. Randori’s researchers found the bugs in November 2020, and didn’t disclose them until September 2021 — nearly a year later.

What did they do during that time? Apparently they used this and other 0-day vulnerabilities to perform red-team penetration tests for their clients. The motivation seems to be that a real attack is likely to use 0-days, and to really test a company’s defense-in-depth, unknown attacks have to be part of the equation. What do you think? Good idea or unethical?