Feed aggregator

Targeted hacker attack hits Amnesty International Canada's systems

2 years 8 months ago

Amnesty International's Canadian organization has disclosed that in early October it detected a data breach on its systems which, according to the investigation so far, can be linked to a hacker group sponsored by the Chinese state.

The post Targeted hacker attack hits Amnesty International Canada's systems first appeared on Nemzeti Kibervédelmi Intézet.

NKI

Matthew Garrett: Making an Orbic Speed RC400L autoboot when USB power is attached

2 years 8 months ago
As I mentioned a couple of weeks ago, I've been trying to hack an Orbic Speed RC400L mobile hotspot so it'll automatically boot when power is attached. When plugged in it would flash a "Welcome" screen and then switch to a display showing the battery charging - it wouldn't show up on USB, and didn't turn on any networking. So, my initial assumption was that the bootloader was making a policy decision not to boot Linux. After getting root (as described in the previous post), I was able to cat /proc/mtd and see that partition 7 was titled "aboot". Aboot is a commonly used Android bootloader, based on Little Kernel - LK provides the hardware interface, aboot is simply an app that runs on top of it. I was able to find the source code for Quectel's aboot, which is intended to run on the same SoC that's in this hotspot, so it was relatively easy to line up a bunch of the Ghidra decompilation with actual source (top tip: find interesting strings in your decompilation and paste them into github search, and see whether you get a repo back).

Unfortunately looking through this showed various cases where bootloader policy decisions were made, but all of them seemed to result in Linux booting. Patching them and flashing the patched loader back to the hotspot didn't change the behaviour. So now I was confused: it seemed like Linux was loading, but there wasn't an obvious point in the boot scripts where it then decided not to do stuff. No boot logs were retained between boots, which made things even more annoying. But then I realised that, well, I have root - I can just do my own logging. I hacked in an additional init script to dump dmesg to /var, powered it down, and then plugged in a USB cable. It booted to the charging screen. I hit the power button and it booted fully, appearing on USB. I adb shelled in, checked the logs, and saw that it had booted twice. So, we were definitely entering Linux before showing the charging screen. But what was the difference?

Diffing the dmesg showed that there was a major distinction on the kernel command line. The kernel command line is data populated by the bootloader and then passed to the kernel - it's how you provide arguments that alter kernel behaviour without having to recompile it, but it's also exposed to userland by the running kernel so it also serves as a way for the bootloader to pass information to the running userland. The boot that resulted in the charging screen had a androidboot.poweronreason=USB argument, the one that booted fully had androidboot.poweronreason=PWRKEY. Searching the filesystem for androidboot.poweronreason showed that the script that configures USB did not enable USB if poweronreason was USB, and the same string also showed up in a bunch of other applications. The bootloader was always booting Linux, but it was telling Linux why it had booted, and if that reason was "USB" then Linux was choosing not to enable USB and not starting the networking stack.

One approach would be to modify every application that parsed this data and make it work even if the power on reason was "USB". That would have been tedious. It seemed easier to modify the bootloader. Looking for that string in Ghidra showed that it was reading a register from the power management controller and then interpreting that to determine the reason it had booted. In effect, it was doing something like:

    boot_reason = read_pmic_boot_reason();
    switch(boot_reason) {
    case 0x10:
        bootparam = strdup("androidboot.poweronreason=PWRKEY");
        break;
    case 0x20:
        bootparam = strdup("androidboot.poweronreason=USB");
        break;
    default:
        bootparam = strdup("androidboot.poweronreason=Hard_Reset");
    }

Changing the 0x20 to 0xff meant that the USB case would never be detected, and it would fall through to the default. All the userland code was happy to accept "Hard_Reset" as a legitimate reason to boot, and now plugging in USB results in the modem booting to a functional state. Woo.

If you want to do this yourself, dump the aboot partition from your device, and search for the hex sequence "03 02 00 0a 20". Change the final 0x20 to 0xff, copy it back to the device, and write it to mtdblock7. If it doesn't work, feel free to curse me, but I'm almost certainly going to be no use to you whatsoever. Also, please, do not just attempt to mechanically apply this to other hotspots. It's not going to end well.
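
The patch step described above, as an added example that is not part of the original post: a Python sketch that applies the one-byte change to a dumped aboot image only when the quoted hex sequence occurs exactly once, and then confirms that a single byte changed. The sample image and the command-line file names are constructed assumptions.

```python
import hashlib
import sys

# Byte sequence quoted in the post; its last byte (0x20) is the USB case value.
PATTERN = bytes.fromhex("03 02 00 0a 20")
NEW_LAST_BYTE = 0xFF


def find_all(image: bytes, pattern: bytes) -> list:
    """Return every offset at which pattern occurs (overlaps included)."""
    offsets, start = [], 0
    while (hit := image.find(pattern, start)) != -1:
        offsets.append(hit)
        start = hit + 1
    return offsets


def patch_aboot(image: bytes) -> tuple:
    """Patch the single occurrence of PATTERN; refuse on zero or multiple hits."""
    hits = find_all(image, PATTERN)
    if len(hits) != 1:
        raise ValueError(f"expected exactly 1 match, found {len(hits)}: {hits}")
    offset = hits[0] + len(PATTERN) - 1
    patched = bytearray(image)
    patched[offset] = NEW_LAST_BYTE
    # Post-condition: same size, exactly one byte differs from the dump.
    diff = [i for i, (a, b) in enumerate(zip(image, patched)) if a != b]
    if len(patched) != len(image) or diff != [offset]:
        raise RuntimeError("patch touched more than the intended byte")
    return bytes(patched), offset


def sample_image() -> bytes:
    """Constructed stand-in for a dump (not real aboot contents)."""
    return b"\x00" * 64 + PATTERN + b"\xaa" * 32


if __name__ == "__main__":
    # Usage: patch.py aboot.bin aboot-patched.bin (file names are assumptions)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        original = f.read()
    patched, offset = patch_aboot(original)
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched offset {offset:#x}")
    print("before", hashlib.sha256(original).hexdigest())
    print("after ", hashlib.sha256(patched).hexdigest())
```

Refusing to patch on zero or several matches is the guard against applying the change to an image that is not the one the post describes.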


KernelCI now testing Linux Rust code (Collabora blog)

2 years 8 months ago
Over on the Collabora blog, Adrian Ratiu writes about the addition of the kernel's Rust code to the KernelCI automated kernel testing project. The blog post looks at what it took to add the support and at some plans for future additions, as well.

An interesting challenge for the rustc docker builds was the fact that the standard Rust method of installing toolchains is via curl https://sh.rustup.rs | sh which might be ok-ish for individual local development, but is a particularly bad idea in an automated CI system. Rustup itself does not (yet) do any signature verifications for its downloads.

Distros like Debian do not ship the version required by the kernel (v1.62), nor even rustup in some cases, and it's unlikely the distro maintainers will keep the versions in sync with the mainline kernel which likely will become a moving target. Thankfully the Rust project provides standalone installers together with GPG signatures which are very useful for CI.

jake

[$] Checking page-cache status with cachestat()

2 years 8 months ago
The kernel's page cache holds pages from files in RAM, allowing those pages to be accessed without expensive trips to persistent storage. Applications are normally entirely unaware of the page cache's operation; it speeds things up and that is all that matters. Some applications, though, can benefit from knowledge about how much of a given file is present in the page cache at any given time; the proposed cachestat() system call from Nhat Pham is the latest in a long series of attempts to make that information available.
corbet

Can Russian cyberattacks be expected all winter?

2 years 8 months ago

Microsoft is warning of an intensification of Russian state-sponsored cyberattacks, which are expected to be directed against Ukrainian infrastructure and NATO allies throughout the winter as well. Microsoft's report, published at the weekend, points out that the cyberattacks launched by the Sandworm APT group, which is linked to Russian military intelligence, are coordinated with the Russian army's kinetic operations. The attacks […]

The post Can Russian cyberattacks be expected all winter? first appeared on Nemzeti Kibervédelmi Intézet.

NKI

A 10-minute guide to the Linux ABI (opensource.com)

2 years 8 months ago
Alison Chaiken provides an overview of Linux ABI concerns on opensource.com.

Understanding the stable ABI is a bit subtle. Consider that, while most of sysfs is stable ABI, the debug interfaces are guaranteed to be unstable since they expose kernel internals to userspace. In general, Linus Torvalds has pronounced that by "don't break userspace," he means to protect ordinary users who "just want it to work" rather than system programmers and kernel engineers, who should be able to read the kernel documentation and source code to figure out what has changed between releases.

corbet

lladdr-tied interface config support has been committed

2 years 8 months ago

Support for lladdr-tied configuration of (network) interfaces [on which we reported earlier] has been committed. Andrew Fresh (afresh1@) made the commit:

CVSROOT: /cvs
Module name: src
Changes by: afresh1@cvs.openbsd.org 2022/12/05 13:12:00

Modified files:
    etc : netstart
    distrib/miniroot: install.sub
    share/man/man5 : hostname.if.5

Log message:
Add support configuring hostname.if(5) by lladdr

Original implementation by martijn@
Feedback and suggestions from kn@, sthen@, claudio@, florian@, and deraadt@.

ok deraadt

As explained in the change to the hostname.if(5) man page, only one of hostname.if and hostname.lladdr should exist (but priority is given to the former).

Updated: 2022-12-16
A commit from Andrew Fresh (afresh1@) has reversed the prioritisation: priority is now given to hostname.lladdr.

[$] Losing the magic

2 years 8 months ago
The kernel project is now more than three decades old; over that time, a number of development practices have come and gone. Once upon a time, the use of "magic numbers" to identify kernel data structures was seen as a good way to help detect and debug problems. Over the years, though, the use of magic numbers has gone into decline; this patch set from Ahelenia Ziemiańska may be an indication that the reign of magic numbers may be reaching its end.
corbet

Security updates for Monday

2 years 8 months ago
Security updates have been issued by Debian (awstats, chromium, clamav, g810-led, giflib, http-parser, jhead, libpgjava, node-cached-path-relative, node-fetch, and vlc), Fedora (fastnetmon, kernel, librime, qpress, rr, thunderbird, and wireshark), Red Hat (kernel, kernel-rt, and kpatch-patch), Slackware (mozilla), SUSE (cherrytree and chromium), and Ubuntu (libbpf, libxml2, linux-gcp-5.15, linux-gke, linux-gke-5.15, and linux-gke).
jake

Critical code execution flaws discovered in some Android remote keyboard applications

2 years 8 months ago

Critical vulnerabilities have been discovered in three Android applications that allow users to use their devices as a remote keyboard for their computers.

The post Critical code execution flaws discovered in some Android remote keyboard applications first appeared on Nemzeti Kibervédelmi Intézet.

NKI

Linux Plumbers Conference: That’s a wrap! Thanks everyone for Linux Plumbers 2022

2 years 8 months ago

Thank you to everyone that attended Linux Plumbers 2022 both in person or virtually. After two years of being 100% virtual due to the pandemic, we were able to have a very successful hybrid conference, with 418 people registering in-person where 401 attended (96%), and 361 registered virtually and 320 who actually participated online (89%), not counting all those that used the free YouTube service. After two years of being 100% remote, we decided to keep this year’s in-person count lower than normal due to the unknowns caused by the pandemic. To compensate for the smaller venue, we tried something new, and created a virtual attendance as well. We took a different approach than other hybrid conferences, and treated this one as a virtual event with an in-person component, where the in room attendees were simply participants of the virtual event. This required all presentations to be uploaded to Big Blue Button, and the presenters presented through the virtual platform even though they were doing so on stage. This allowed the virtual attendees to be treated as first class citizens of the conference. Although we found this format a success, it wasn’t without technical difficulties, like problems with having no sound in the beginning of the first day, but that’s expected when attempting to do something for the first time. Overall, we found it to be a better experience and will continue to do so in future conferences.

We had a total of 18 microconferences (where patches are already going out on the mailing lists that are results of discussions that happened there), 16 Refereed talks, 8 Kernel Summit talks, 29 Networking and BPF Summit track talks, and 9 Toolchain track talks. There were also 17 birds-of-a-feather talks, where several were added at the last minute to solve issues that have just arrived. Most of these presentations can still be seen on video.

Stay tuned for the feedback report of our attendees.

Next year Linux Plumbers will take place in North America (but not necessarily in the United States). We are still locking down on locations. As it is custom for Linux Plumbers to change chairs every year, next year will be chaired by Christian Brauner. It seems we like to have the chair live in another continent than where the conference takes place. We are hoping to find a venue that can hold at least 600 people, where we will be able to increase the number of in-person attendees.

Finally, I want to thank all those that were involved in making Linux Plumbers the best technical conference there is. This would not have happened without the hard work from the planning committee (Alice Ferrazzi, Christian Brauner, David Woodhouse, Guy Lunardi, James Bottomley, Kate Stewart, Mike Rapoport, and Paul E. McKenney), the runners of the Networking and BPF Summit track, the Toolchain track, Kernel Summit, and those that put together the very productive microconferences. I would also like to thank all those that presented as well as those who attended both in-person and virtually. I want to thank our sponsors for their continued support, and hope that this year’s conference was well worth it for them. I want to give special thanks to the Linux Foundation and their staff, who went above and beyond to make this conference run smoothly. They do a lot of work behind the scenes and the planning committee greatly appreciates it.

Before signing off from 2022, I would like to ask if anyone would be interested in volunteering with helping out at next year’s conference? We are especially looking for those that could help on a technical level, as we found running a virtual component along with a live event requires a bit more people than what we currently have. If you are interested, please send an email to contact@linuxplumbersconf.org.

Sincerely,

Steven Rostedt
Linux Plumbers 2022 Conference chair

[$] Juggling software interrupts and realtime tasks

2 years 8 months ago
The software-interrupt mechanism is one of the oldest parts in the kernel; arguably, the basic design behind it predates Linux itself. Software interrupts can get in the way of other work so, for almost as long as they have existed, developers have wished that they could be made to go away. That has never happened, though, and doesn't look imminent. Instead, Android systems have long carried a patch that tries to minimize the impact of software interrupts, at least in some situations. John Stultz is now posting that work, which contains contributions from a number of authors, in the hope of getting it into the mainline kernel.
corbet

Security updates for Friday

2 years 8 months ago
Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff).
jake

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

2 years 8 months ago
Bleeping Computer reports that the Android platform signing certificates for several manufacturers have leaked and been used to sign malware.

However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.

corbet