vlc.zip

You are very likely visiting this site because you typed vlc.zip somewhere. Similar to setup.zip, I registered the domain to prevent harm to users.

In the ever-evolving landscape of the internet, staying ahead of malicious actors and protecting users from potential threats is of paramount importance. To counter the risk of malicious content being hosted under the name of the VLC media player, I registered VLC.zip, a domain whose only purpose is to keep users from landing on a malicious site. With the recent introduction of .zip as a new top-level domain (TLD), this risk became real.

Preventing Malicious Intent and Impersonation

The introduction of VLC.zip not only serves as a protective measure against malicious hosting but also acts as a deterrent for impersonation attempts. Cybercriminals often exploit well-known software names to deceive users into downloading harmful files or falling victim to phishing attacks. Redirecting VLC.zip to this blog post also raises awareness.

What can you do? Talk to your sysadmin and consider blocking the .zip top-level domain. Install AV software and keep all your software up to date.
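As an added example (not code from the original post), here is a small Python filter that a mail gateway or chat bot could use to flag text which a client would turn into a link to a host under .zip (or .mov, the other 2023 TLD that doubles as a file extension); the TLD set, the helper names and the sample strings are assumptions.

```python
from urllib.parse import urlsplit

# New TLDs that collide with common file extensions (assumed set for this example).
RISKY_TLDS = {"zip", "mov"}

def hostname_of(text):
    """Return the host a browser would navigate to for a typed or pasted string.
    A bare word like 'vlc.zip' has no scheme, so it is treated as a host name,
    which is exactly how a file name silently becomes a domain name."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        return urlsplit(candidate).hostname
    except ValueError:
        return None

def risky_tld(text):
    """Return the risky TLD if the string resolves to a host under one, else None."""
    host = hostname_of(text)
    if not host:
        return None
    tld = host.rsplit(".", 1)[-1].lower()
    return tld if tld in RISKY_TLDS else None

def flag_links(text):
    """Scan free text (e.g. an e-mail body) and return the tokens that would be
    auto-linked to a .zip/.mov host. A real file served from another domain,
    such as https://example.com/files/vlc.zip, is not flagged."""
    found = []
    for token in text.split():
        token = token.strip("().,;:'\"<>")
        if "." in token and risky_tld(token):
            found.append(token)
    return found

if __name__ == "__main__":
    # Constructed sample input.
    print(flag_links("Please install setup.zip from https://example.com/setup.zip today."))
```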

setup.zip

The internet has seen a lot of changes in recent years, and one of the most significant changes has been the introduction of new top-level domains (TLDs). These new TLDs have opened up a whole new world of possibilities for website owners, but they have also created new challenges, particularly in terms of protecting users from malicious actors. One of the newest TLDs is .zip, and in this blog post, we’ll discuss how to register a .zip domain and set it up to protect users from malicious actors.

First, it’s important to understand what a TLD is. A top-level domain is the part of a domain name that comes after the final dot, such as „.com“ or „.org“. Traditionally, there have been a limited number of TLDs available, but in recent years, ICANN (the organization responsible for managing the internet’s domain name system) has been introducing new TLDs to increase choice and competition.

The .zip TLD is one of the newest TLDs, and it’s designed specifically for websites that deal with compressed files. The idea is that by using a .zip domain, website owners can signal to users that their site is a trustworthy source of compressed files.

In May 2023, Google wrote a blog post about the newest top-level domains:

  • .dad
  • .esq
  • .prof
  • .phd
  • .nexus
  • .foo
  • .zip
  • .mov

The .zip TLD in particular can cause problems. That is why I went ahead and registered „setup.zip“, assuming it appears in many typos and pages. This blog will be the redirect destination for everyone attempting to access „setup.zip“. If you have other good research ideas for what to do with the domain, reach out via Twitter at @alexanderjaeger.

CVE-2018-5559 my first CVE

TLDR

CVE-2018-5559 is an information disclosure vulnerability in Komand Security Orchestrator (v0.40.2) that was responsibly disclosed to Rapid7 and was mitigated and patched within days (fixed in version 0.42.0 and later). The vulnerability itself is not worth a logo.

Introduction

As a security professional I hear a lot of people complaining about companies that handle responsible disclosure in a way that is appreciated neither by customers (by sitting on patches too long) nor by the discloser (by not reacting, etc.). The following blog post reports on a very positive case that I experienced while disclosing my very first security vulnerability. I really hope this one gets shared and that companies adopt some of the positive aspects. At the very end of the post I will also point to further material where researchers or companies can read more about the topic.

The stage

Being interested in various APIs that are useful to security people (eventually turning into a dedicated list of APIs on GitHub), I stumbled across Komand Security Orchestrator. As there was no documentation available (heads up Rapid7, that fact needs some love!), I spent some time reverse engineering and discovering APIs with Google Chrome developer tools and Python, actively sharing my results on GitHub.

One of the API endpoints was /connections:

https://komandurl/v2/connections 

Connections

Komand Security Orchestrator is made to interact with various (security-related) tools and to combine them into so-called workflows. To achieve that goal, Komand needs credentials for those tools. Every set of credentials is stored in a central keychain that is accessible to workflows. Most connections store some kind of URL, username and password.

Given this nature, the credentials stored in this keychain either have higher privileges to accomplish tasks or are able to see more than a regular user.

Every plugin can have its own set of credentials; so, say you have the LDAP plugin to connect to Active Directory, there could be dedicated sets of credentials for the prod and the qual Active Directory.

Surprise

After my first GET request to the connections API endpoint something got my attention. While most of the connections have the password field *****ed out, some did not – WTH?
Most look like the following:

"name":"VT Private API","type":"plugin","parameters":{"api_key":"********","url":"https://www.virustotal.com/vtapi/v2/"} 

But OTRS looks like the following:

{"connection_id":36,"plugin_id":75,"name":"OTRS Dev User:komand_test","type":"plugin","parameters":{"server":"https://REDACTED","credentials":{"password":"REDACTED","username":"komand_test"}},"created_at":"2018-08-08T10:56:54Z","updated_at":"2018-08-08T10:56:54Z","deleted_at":null,"deleted_by_id":null}

And LDAP:

{"connection_id":39,"plugin_id":72,"name":"AD","type":"plugin","parameters":{"host":"ldaps://LDAPURL","port":636,"use_ssl":true,"username_password":{"password":"CLEARTEXTPASSWORD","username":"AD\\USER"}},"created_at":"2018-10-05T11:53:47Z","updated_at":"2018-10-05T11:53:47Z","deleted_at":null,"deleted_by_id":null}

Scope – pre-requisite

To get the above-mentioned list of connections you need to be an authenticated admin, so it is not open to everyone.

Scope – affected plugins

As not every password was visible, several plugins were tested (not every plugin!), and two plugins seem to be affected:

the LDAP plugin and the OTRS plugin

Impact

To score the vulnerability, the best way to go is to leverage CVSS; the rating for this vulnerability is an overall CVSS score of 3.1:

CVSS Base Score: 3.4
Impact Subscore: 1.4
Exploitability Subscore: 1.7
CVSS Temporal Score: 3.1
CVSS Environmental Score: 3.1
Modified Impact Subscore: 1.4
Overall CVSS Score: 3.1

Responsible disclosure process

October 25, 2018 14:42 created an issue in the Rapid7 online portal / mail to CIRCL.lu

So I found the issue and wanted to get it fixed as soon as possible and have a CVE assigned. My first reaction was to reach out to my friends from CIRCL.lu to assist and assign a CVE, so I sent them a PGP-encrypted mail to info@circl.lu.

Side note: by accident I had a local mail rule filtering all mails from info@circl.lu into a sub folder and marking them as read. That is a stupid thing to do if you expect an answer from them, and it caused some confusion afterwards. So, for clarification: they were very responsive and their reaction time is in hours. If you do not know whom to disclose to, a third party like CIRCL is a great way to get started, and they have a profound network of contact points.

Then I looked at the Rapid7 web page and found that they have a responsible disclosure statement and procedure in place as well, so I gave it a shot by opening an issue there.

The portal is very well done and requests information that helps engineers assess the impact as fast as possible; it is even possible to propose a CVSS rating (more on that later).

October 26, 2018 First reaction of Rapid7

Rapid7 gave a SYN/ACK that they had received the issue and that Engineering and Support were working on scoping and verifying it.

October 26, 2018 Rapid7 verifies it is an issue

On the same day the designated person made a note in the online portal verifying that it is an issue and that they are working on fixing it.

October 30, 2018 Rapid7 case update

Note on the online portal: the Rapid7 team is working on a fix and provides a rough timeline that a patch should be available the same week; assigning a CVE is in progress as well.

November 1, 2018 Rapid7 case update

Another note that the fix is on the horizon.

November 1, 2018 Komand release notes

On that day a mail was sent out announcing a new version („Komand Release Notes“). In the bug fixes area this was mentioned:

v0.42.0: Certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response. We fixed this issue, and all configurations of connection data are now correctly obscured.

November 1, 2018 Komand Slack

Via Slack, Komand engineers asked for my feedback on whether the patch indeed fixes the issue I reported; after updating I was able to confirm that.

November 2, 2018 pre-assigned CVE

Rapid7 reached out to me and CIRCL (who seem to have reported the issue in parallel; I had no SYN/ACK from them, but I told them that they did not need to disclose further as soon as I discovered the Rapid7 portal).
In this mail I was told the pre-assigned CVE for the issue and the CVSS rating their engineering team came up with. They also asked whether I planned to write a blog post or other coverage (which you are reading at the moment).

Affected?

All versions below 0.42.0 are affected. Afaik only the OTRS and the LDAP plugin are affected.

Mitigation

Patch to Komand version 0.42.0 or later. I would recommend resetting the passwords of all accounts stored for the LDAP and OTRS plugins.

Exploited?

Most people might ask: alright, so how can I find out if someone with bad intentions has used this vulnerability? The only way to tell is to check the web logs of Komand and look for GET requests to /v2/connections from unusual source IPs.
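As an added example (not from the original post), the log check described above in Python: it parses constructed access log lines, keeps successful GETs on /v2/connections and reports those that come from outside the expected admin network. The combined log format, the expected network and the sample lines are assumptions; Komand's real web log format may differ, so adjust LOG_RE accordingly.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx combined log format (not real Komand logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Nov/2018:09:12:01 +0100] "GET /v2/workflows HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [02/Nov/2018:09:12:09 +0100] "GET /v2/connections HTTP/1.1" 200 8844 "-" "Mozilla/5.0"
203.0.113.77 - admin [02/Nov/2018:23:41:53 +0100] "GET /v2/connections HTTP/1.1" 200 8844 "-" "python-requests/2.19.1"
203.0.113.77 - admin [02/Nov/2018:23:42:10 +0100] "GET /v2/connections?page=2 HTTP/1.1" 200 8844 "-" "python-requests/2.19.1"
10.0.0.9 - - [03/Nov/2018:08:03:22 +0100] "POST /v2/login HTTP/1.1" 401 88 "-" "curl/7.61.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Networks from which admins are expected to use the API (assumed value).
EXPECTED_SOURCES = [ip_network("10.0.0.0/24")]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_connections_dump(entry):
    # Only successful GETs on the endpoint that returned cleartext credentials matter;
    # the query string is ignored so that paged requests are caught as well.
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "GET" and path == "/v2/connections" and entry["status"] == "200"

def from_unexpected_source(ip):
    return not any(ip_address(ip) in net for net in EXPECTED_SOURCES)

def find_suspicious(log_text):
    """Return (ip, user, timestamp, user-agent) for every suspicious dump of the endpoint."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_connections_dump(e) and from_unexpected_source(e["ip"]):
            hits.append((e["ip"], e["user"], e["ts"], e["ua"]))
    return hits

if __name__ == "__main__":
    for ip, user, ts, ua in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} user={user} ua={ua!r} dumped /v2/connections")
```

Because the endpoint requires an authenticated admin, the logged user name of each hit tells you which admin account (and session) to review alongside the source address.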

Feedback

The way this issue was handled was straightforward; at every point I had the impression that my issue was treated at the right level, no over-hyping and no „we don’t care“, just the right balance.
It is notable that the online form used by Rapid7 supports this process a lot; I assume it makes it easy to scope issues on the engineering side as well as easy for the researcher who wants to know the current status of the reported issue.

It is also good to see that the work of the FIRST CVSS SIG adds value in such issues, as it helps both sides to rate the vulnerability.

Links

https://nvd.nist.gov/vuln/detail/CVE-2018-5559

https://github.com/CVEProject/cvelist/pull/1303

Further reading

To learn more about best practices in responsible disclosure I would recommend:

https://titanous.com/posts/security-disclosure-policy-best-practices


Security API collection

While working on different things I was searching for a collection of APIs that are related to or useful for security researchers, incident response people or threat intel.

Unable to find a good list of REST APIs, I decided to start one. The collection is hosted as a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows. Security Orchestration is the new buzzword after last year's Threat Intelligence, but they basically contain the same thing: both aim to make use of already available data, with orchestration not storing that much data but enriching the dots collected.

However, the challenge is what to integrate; everyone has their „go to“ tools they use on a daily basis, risking missing some golden nuggets that are handy.

The list is divided (at the moment) into tools that are mostly on-prem, online tools, SIEMs and various. With an increasing number of APIs that ordering might change, of course.

So I really hope the list is useful and people can use it and that it can grow.

9Tageticket again a success

One day to go until the Backfischfest in Worms starts, and we can say the 9TageTicket this year is again a big success. With more than 650 tickets pre-ordered, we are on almost the same level as last year, showing that there is constant interest in the free tickets that show other visitors one's commitment to the Backfischfest.

For the first time we will have flyers for the showmen explaining the idea behind 9TageTicket.

Ahoi

Django 403 CSRF forbidden

The following error message:

Forbidden (403)
CSRF verification failed. Request aborted
More information is available with DEBUG=True

This might occur if your Apache/nginx is running behind another Apache acting as a proxy.
To read more about CSRF, go to Wikipedia. It is basically an attack that exploits the trust a web application places in the user's browser session.

So it is a security feature that is interfered with by the proxy: Django's CSRF check compares the Referer/Origin of the request with the Host header it receives, and the proxy rewrites Host to the backend's name, so the comparison fails.
You most likely have something like:

ProxyPass / https://$yourhost/
ProxyPassReverse / https://$yourhost/

in your Apache config. That needs to be extended to:

ProxyPass / https://$yourhost/
ProxyPassReverse / https://$yourhost/
ProxyPreserveHost On

Quote from the Apache docs:

When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.

This option should normally be turned Off. It is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host header needs to be evaluated by the backend server.

Amazon Fire TV now in Germany

You open Amazon without any suspicion and get a notice:

Dear customers,

we are pleased to introduce the Amazon Fire TV to you today.

Finally.

And even better, until Monday the Amazon Fire TV is available to Amazon Prime customers at a special price of 50 euros instead of 99 euros.

PS: The Fire TV offers new and existing Prime members even more. You can stream thousands of popular movies and TV episodes instantly and without limit with Prime Instant Video, and for the next five days you get the Fire TV for only 49 EUR instead of the regular 99 EUR.

So it is worth grabbing one.

Edit: Golem is now writing about it too