Comments

erna September 20, 2024 12:08 PM

That link just gives me a blank page, and the HTML contains little other than “script src=/_Incapsula_Resource”. Am I supposed to run that script? Seems ironic.

The Wayback Machine can’t even get those hundred-or-so bytes; it spends a couple of minutes trying to save the page, then fails entirely.

Andrew September 20, 2024 12:56 PM

Saw this earlier today on Brian Krebs's blog.

The intuition there was that developers have a good chance to catch and avoid this. Most regular users probably have a very slim chance against an attack like that.

Who? September 20, 2024 4:23 PM

I fail to see why JavaScript has access to the operating system's clipboard. It does not need this feature. We need to rethink the basic concepts of the Internet and write browsers with a small subset of current features (support for basic HTML (1.0, 2.0, 3.2, 4.01 and 5), CSS and perhaps a small subset of JavaScript (why not?) restricted to safe and well-proved features only).

A browser should fit on a floppy disk!

Anything outside this subset (e.g. PDF readers and video players) should be external —and, again, simple— tools, just like it was on an X11 environment in the nineties.

Perhaps it is time to consider dropping support for ancient web features no one uses these days (after all, a long time has passed since the first web pages were removed from anything but archive.org). The W3C requirement of supporting all technologies developed in the last decades, including old bugs, for compatibility is an error that we are paying for on a daily basis.

We need an "updated" Mosaic, simple, fast, auditable and based on modern standards (HTML 5, CSS, and a small and safe subset of JavaScript), not the current Swiss Army knives that have more than one hundred gigabytes of dependencies no one is able to track.

Zerolagtime September 20, 2024 6:41 PM

DISA hardening STIGs block this exact script which tries to write to a temporary folder by not allowing programs to be executed from $Env:TEMP. In Linux, they also try to get /tmp mounted as a dedicated mount point with “noexec” for the same effect.
Following the STIG can be intrusive and time consuming, but there are some very good best practices, especially for Windows.
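One way to check the Linux half of that guidance, as an added example that is not part of any comment above: a POSIX shell function that parses /proc/mounts-style lines (constructed sample listings are embedded so it runs offline) and reports whether /tmp is a dedicated mount carrying "noexec".

```shell
#!/bin/sh
# Added example: report whether /tmp is a dedicated mount with "noexec",
# the setting the STIG guidance above aims for. Input is a /proc/mounts-style
# listing: "device mountpoint fstype options dump pass" per line.

# Constructed sample listings standing in for /proc/mounts.
HARDENED_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

WEAK_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

NO_TMP_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0'

# Usage: tmp_mount_status "<mounts listing>"
# Prints exactly one of: noexec | exec | not-dedicated
tmp_mount_status() {
  printf '%s\n' "$1" | awk '
    $2 == "/tmp" {
      found = 1
      # Options are comma separated; match "noexec" as a whole token,
      # not as a substring of some other option.
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) if (opts[i] == "noexec") { print "noexec"; exit }
      print "exec"; exit
    }
    END { if (!found) print "not-dedicated" }'
}

# Wrapper for a live system: reads the real /proc/mounts (Linux only).
check_live_tmp() {
  tmp_mount_status "$(cat /proc/mounts)"
}

# An /etc/fstab line that gives /tmp its own noexec mount (the hardened form),
# shown beside the weak form that leaves execution allowed.
FSTAB_WEAK='tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0'
FSTAB_HARDENED='tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0'

# Running the three constructed listings prints, in order:
#   noexec
#   exec
#   not-dedicated
for listing in "$HARDENED_MOUNTS" "$WEAK_MOUNTS" "$NO_TMP_MOUNTS"; do
  tmp_mount_status "$listing"
done
```

Note that "noexec" on /tmp only stops direct execution of files placed there; a script can still be fed to an interpreter, so the STIG pairs this with other controls.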

Winter September 21, 2024 1:45 PM

I wonder how many users actually perform the verification steps in the challenge screen. They look quite involved.

I would be very wary to do anything unexpected in a terminal on the suggestion of a website. But maybe others look at this differently?

Dude September 22, 2024 11:20 PM

To me asking people to run a PowerShell command doesn't seem so clever, especially when the target is developers.

lurker September 22, 2024 11:43 PM

@Who?
I see nobody has yet warned you that HTML5 is an instrument of the devil. But no, there are some useful features in it. The problem, as you say, is the browsers that think they must fit Monty Python's Flying Circus into the Palace of Versailles.

My perfect browser would ask the user for permission to open any odd file type in a suitable external application; no setting up humongous lists of mimetypes vs applications. This is another aspect of why IE was never a good browser; it choked on any filetype that wasn't in the secret seven hardwired list of suffixes that could be opened by Office. And note, the present attack is against Windows systems …

Clive Robinson September 23, 2024 9:52 PM

This attack is a half century or so old.

Yup seriously.

Back in the 1970s the old mechanical KSR and ASR Teletypes were being replaced with "Visual Display Units" (VDUs).

With VDUs and the "screen clear" command came the notion of "screens" that gave "menus" and the like.

These menus quickly gave rise to the idea of "function keys" that could be programmed by the software running on the central "main frame".

Because the length of the serial lines could be 1000ft or more, VDUs could be in offices anywhere on a university campus, and frequently were, as they had "status symbol" value.

Around this time Unix was becoming popular and with it came a couple of useful things,

1, “shell scripting”,
2, A program called “write”

(Write was more famously known among admins as “wall” which enabled admin messages to be sent to all logged in users and still is. Write became more structured with “talk”, which was the forerunner of IRC).

It did not take someone too long to work out how to use "write" to put a "shell script" in a function key on another user's VDU and get the user to press it.

Which if you think about it is the same as putting a PowerShell script in the browser clipboard and getting the user to execute it.

As I note from time to time, the ICT Industry appears condemned to never learn from its history… So here we are a half century later falling for the same old attacks.

And so… I will bet that this is not the last time we see some idiot putting in a buffer that can,

1, Hold a command / script / executable.
2, Be easily written to by an attacker for a user to execute.

Heck, I developed such an attack on AT&T Sys V 4 back in the early 90s due to the terminal-mux programme. It had a bug that meant you could log in, switch to another terminal window, type in a command / shell script, but not hit the enter key. Instead you switched back to the original screen and logged out. When the next person logged in, the hanging command you had left got executed under their login ID without them seeing it…

So if your shell script detected they had the user ID of zero (i.e. root), your script could copy /bin/sh or some other program that you could "shell out of" into temp or some other place, change the execute permissions and get yourself the "user rights" when you executed the file in temp…

Oh, and you did not really require even a valid login; in most environments there would always be people who did not log out when they went for a coffee or similar, and cron etc could be your friend. But that, as they say, "Was a hack for another day".

ResearcherZero September 28, 2024 2:08 AM

@Clive

Sharks never fall for these kinds of tricks. They have been around a while.

But crims are not so savvy.

https://www.itnews.com.au/news/afp-modified-software-updates-of-encrypted-platform-to-gain-covert-access-611717

Clive Robinson September 29, 2024 5:53 AM

@ ResearcherZero,

Re : crims are not so savvy

It’s not just criminals, it’s just about everyone.

The underlying reason is, depending on who you ask, one or more of

“Lazy / convenience / speed / ease of use”

Or most of “the seven deadly sins”[1] (just don’t ask how lust and gluttony fit in[2] 😉

But even those that know their lives are very much in danger still don’t get OpSec right.

Two mistakes we all make are,

1, Getting into fight or flight mode mentality.
2, Mistakenly believing mistakes are ephemeral.

A sense of urgency or haste is from the primeval or simian parts of our brain. We want to scuttle under a rock or scoot up a tree when we sense we are being hunted or surprisingly to some when we are hunting.

Thus as humans we tend to do things "half cocked", and all too often when we scrape through, we then and there think we've somehow been clever and got away with it, only to later have it come back to haunt us or hang over us in our minds[3].

The thing is we knew how to communicate in ways that were both private and secure before electronics became more than “glassware with terminals”.

Which brings us to the observation made in 1905 by George Santayana in his book “The Life of Reason, or The Phases of Human Progress”,

“Those who cannot remember the past are condemned to repeat it.”

To which I would add "or choose not to" before "remember" to cover both identified human failings.

[1] Many know the phrase "The Seven Deadly Sins" but few know there is more than one set of "Capital sins", and most cannot name them all,

“Pride, Greed, Wrath, Envy, Lust, Gluttony and Sloth”

[2] Oddly perhaps big time criminals have been caught via communicating with their girlfriends and mistresses, and by making large orders of pizza or other food deliveries for their security / retinue.

[3] There is an academic argument that one of the reasons certain types of people are certain types of criminal is that they lack a sense of guilt or empathy. This view is slowly being replaced with other views that actually, the causes are much further down than the high level guilt or empathy. In part because it’s argued that guilt and empathy are “learnt” social skills during early development.
