retsl commented on Xubuntu.org Might Be Compromised   old.reddit.com/r/Ubuntu/c... · Posted by u/kekqqq
like_any_other · 2 months ago
Do browsers still let websites read the clipboard?
retsl · 2 months ago
Not without approval, see https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_A... or https://web.dev/articles/async-clipboard#security_and_permis.... But that is not relevant here.

Instead of the .torrent files, the compromised website served a .zip file, which contained a .exe. When opened, it shows a GUI to select a Xubuntu version and a button to generate the link. When that button was clicked, the malware showed a download link to the user and, in the background, deployed a second stage to %APPDATA%\osn10963\elzvcf.exe and executed it.

The second stage monitors the clipboard for cryptocurrency addresses which it will replace with attacker-controlled ones. The second stage is also added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure it is run whenever the user logs in.

Both stages have some limited anti-debugging and anti-VM functionality.

retsl commented on Xubuntu.org Might Be Compromised   old.reddit.com/r/Ubuntu/c... · Posted by u/kekqqq
retsl · 2 months ago
The malware's main function seems to be to check the clipboard for crypto wallet addresses and then replace them with attacker addresses:

  Bitcoin (bc1): bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v
  Litecoin (ltc1/L/M): LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH
  Ethereum (0x): 0x10A8B2e2790879FFCdE514DdE615b4732312252D
  Dogecoin (D): DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D
  Tron (T): TW93HYbyptRYsXj1rkHWyVUpps2anK12hg
  Ripple (r): r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU
  Cardano (addr1): addr1q9atfml5cew4hx0z09xu7mj7fazv445z4xyr5gtqh6c9p4r6knhlf3jatwv7y72deah9un6yettg92vg8gskp04s2r2qren6tw
Can't guarantee it doesn't do anything else.
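An added example for the two comments above (not code from the thread, the commenter or any published analysis of this sample): it turns the indicators listed there into a small defender-side check. The addresses, the second-stage path and the Run key are the ones quoted in the comments; the per-family address regexes, the "executable directly under %APPDATA%" heuristic, the registry-export parser and the sample clipboard history and registry export are assumptions constructed for the example.

```python
"""Defender-side checks built from the indicators in the comments above.
Values marked "from the page" are quoted from the comments; the address
regexes, the heuristic and the sample inputs are assumptions/constructed."""
from __future__ import annotations

import re
from typing import Optional

# Attacker-controlled addresses from the page, keyed address -> family.
ATTACKER_ADDRESSES = {
    "bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v": "Bitcoin",
    "LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH": "Litecoin",
    "0x10A8B2e2790879FFCdE514DdE615b4732312252D": "Ethereum",
    "DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D": "Dogecoin",
    "TW93HYbyptRYsXj1rkHWyVUpps2anK12hg": "Tron",
    "r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU": "Ripple",
    "addr1q9atfml5cew4hx0z09xu7mj7fazv445z4xyr5gtqh6c9p4r6knhlf3jatwv7y72deah9un6yettg92vg8gskp04s2r2qren6tw": "Cardano",
}

# Persistence from the page: %APPDATA%\osn10963\elzvcf.exe registered under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (HKCU spelled out here).
SECOND_STAGE_SUFFIX = r"\osn10963\elzvcf.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed matchers for the families the comment lists, keyed on its prefixes
# (addr1, bc1, ltc1/L/M, 0x, D, T, r). Base58 excludes 0, O, I and l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
FAMILY_PATTERNS = [
    ("Cardano", re.compile(r"^addr1[0-9a-z]{50,}$")),
    ("Bitcoin", re.compile(r"^bc1[0-9a-z]{20,}$")),
    ("Litecoin", re.compile(rf"^(ltc1[0-9a-z]{{20,}}|[LM]{B58}{{26,34}})$")),
    ("Ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("Dogecoin", re.compile(rf"^D{B58}{{25,34}}$")),
    ("Tron", re.compile(rf"^T{B58}{{33}}$")),
    ("Ripple", re.compile(rf"^r{B58}{{24,34}}$")),
]

# One "name"="data" line of a .reg export (assumed, simplified format).
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
APPDATA_EXE = re.compile(r'\\AppData\\Roaming\\[^\\]+\\[^\\\s"]+\.exe$', re.IGNORECASE)


def address_family(text: str) -> Optional[str]:
    """Return which wallet family a string looks like, or None."""
    for family, pattern in FAMILY_PATTERNS:
        if pattern.match(text.strip()):
            return family
    return None


def find_attacker_addresses(text: str) -> list[tuple[str, str]]:
    """(family, address) for every attacker address from the page found in text."""
    return [(fam, addr) for addr, fam in ATTACKER_ADDRESSES.items() if addr in text]


def detect_clipboard_swap(before: str, after: str) -> Optional[str]:
    """Clipper signature: two reads of the clipboard, with no user copy in
    between, hold *different* addresses of the *same* family. Returns the
    family when that happens, else None."""
    fam_before, fam_after = address_family(before), address_family(after)
    if fam_before and fam_before == fam_after and before.strip() != after.strip():
        return fam_before
    return None


def scan_clipboard_history(entries: list[str]) -> list[tuple[int, str]]:
    """Flag known attacker addresses and same-family replacements between
    consecutive entries (the latter is a heuristic: users do copy two
    addresses in a row, so treat it as a prompt to look, not a verdict)."""
    findings = []
    for i, entry in enumerate(entries):
        for fam, _ in find_attacker_addresses(entry):
            findings.append((i, f"known attacker {fam} address"))
        if i and detect_clipboard_swap(entries[i - 1], entry):
            findings.append((i, f"{address_family(entry)} address replaced by a different one"))
    return findings


def suspicious_run_values(reg_export: str) -> list[tuple[str, str]]:
    """(value name, reason) for Run entries worth a look: the exact second-stage
    path from the page, or (assumed, noisier) a bare .exe directly under a
    folder in %APPDATA%\\Roaming."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = RUN_VALUE.match(line)
        if not in_run_key or not m:
            continue
        data = m.group("data").replace("\\\\", "\\")  # undo .reg escaping
        if data.lower().endswith(SECOND_STAGE_SUFFIX.lower()):
            hits.append((m.group("name"), "matches second-stage path from the comment"))
        elif APPDATA_EXE.search(data):
            hits.append((m.group("name"), "heuristic: executable directly under %APPDATA%\\<dir>"))
    return hits


# Constructed sample inputs (not real captures). USER_BTC is the BIP173
# example address, standing in for the user's own wallet.
USER_BTC = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
SAMPLE_CLIPBOARD_HISTORY = ["invoice-2024.pdf", USER_BTC,
                            "bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v"]
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"elzvcf"="C:\\Users\\alice\\AppData\\Roaming\\osn10963\\elzvcf.exe"
'''

if __name__ == "__main__":
    print(scan_clipboard_history(SAMPLE_CLIPBOARD_HISTORY))
    print(detect_clipboard_swap(USER_BTC, SAMPLE_CLIPBOARD_HISTORY[2]))
    print(suspicious_run_values(SAMPLE_REG_EXPORT))
```

The exact-match checks are the reliable part; the same-family swap and the %APPDATA% heuristic are there to show what a clipboard watcher or autoruns review would key on, and both need a human to confirm.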

retsl commented on Neovim tee.exe binary dependency exhibiting illegitimate / unauthorized behavior   github.com/neovim/neovim/... · Posted by u/patadune
doix · 10 months ago
Yeah, I'm inclined to agree. The binaries were probably built by mingw and I've seen "hello world" get flagged by virus total when built by mingw.

If it is the binary itself making those calls (and not the OS), then anyone with a little bit of reverse engineering experience should be able to prove it and post the assembly.

Edit: I was wrong about the build toolchain, they were built by visual studio, see comment below.

retsl · 10 months ago
The VirusTotal report shows the output from DetectItEasy in "Details" -> "Basic properties":

  DetectItEasy PE64
  Compiler: Microsoft Visual C/C++ (19.14.26715) [C++]
  Linker: Microsoft Linker (14.00.24241)
  Tool: Visual Studio (2015)

This is not meant to imply anything about whether the binary is malicious or not.

retsl commented on VSCode’s SSH agent is bananas   fly.io/blog/vscode-ssh-wt... · Posted by u/zdyxry
dunham · 10 months ago
I see. I was intending to use a container to sandbox npm/yarn, it sounds like that is pointless.

npm scares me - if there is a way to sandbox it on a mac, I'd like to know.

retsl · 10 months ago
Containers on macOS are run inside a Linux VM. If you ensure that the Linux VM doesn't have access to anything besides the required files/networks, that should be pretty secure.

Best case you go through the settings of Docker, Podman or whatever you use to limit integrations. Then, from within the VM and container see what networks, files, etc. you can reach to be sure.

retsl commented on VSCode’s SSH agent is bananas   fly.io/blog/vscode-ssh-wt... · Posted by u/zdyxry
shipp02 · 10 months ago
That's an issue with any plugin system, right? AFAIK no IDE has a plugin system with capabilities or a sandboxed interpreter.

VSCode does have a thing where it's like do you trust the authors of this project. Not sure what it does because I've never had to use it. From StackOverflow[1]:

>If you select No, I don't trust the authors, Visual Studio Code will open the workspace in 'restricted mode'. This is the default for all new workspaces. It lets you safely browse through code but disables some editor features, including debugging, tasks, and many extensions. However, keep in mind that 'restricted mode' is all you need for many use cases.

Actually if restricted mode[2] is any good, vscode might be better at security than most other editors/IDEs.

[1]: https://stackoverflow.com/a/67914669/11422647
[2]: https://code.visualstudio.com/docs/editor/workspaces/workspa...

retsl · 10 months ago
There's a feature request from 2018 to add a proper permission model for plugins in VSCode: https://github.com/microsoft/vscode/issues/52116

Sadly it doesn't seem to make any progress.

retsl commented on VSCode’s SSH agent is bananas   fly.io/blog/vscode-ssh-wt... · Posted by u/zdyxry
KTibow · 10 months ago
Is that to say that the server can do things on the client connecting to the server? That doesn't make much sense.

retsl · 10 months ago
"For VS Code remote, the VS Code server is in the same trust boundary as the VS Code client. [...]

For Remote SSH: [...] A compromised remote could use the VS Code Remote connection to execute code on your local machine."

https://github.com/microsoft/vscode-remote-release/issues/66...

I wrote about it in a bit more detail a month ago because it seems to be a common misunderstanding: "VS Code Remote Dev and Dev Containers are not security boundaries" https://lets.re/blog/vscode-remote-dev/

retsl commented on Multiple new macOS sandbox escape vulnerabilities   jhftss.github.io/A-New-Er... · Posted by u/transpute
fsflover · a year ago
If you set it up, users can run anything themselves. Just use the start menu and the apps will automatically run in the corresponding VMs (shown as windows with colored borders).

retsl · a year ago
I set up Qubes OS for and with technical, less-technical and non-technical people and I very much disagree. It only works well for those who are prepared and motivated to learn, and even then, it sometimes can be frustrating.

The copy-pasting between VMs, mentioned in a sibling, requires four steps: (1) copying to the source VM's clipboard, (2) copying to the global clipboard, (3) copying to the destination VM's clipboard, and (4) pasting to the destination. The shortcuts become part of your muscle memory after some use, but until they are, that is just one way in which Qubes gets in the way of productivity.

There are a bunch of minor quirks, often specific to the hardware, which the user needs to learn about and find workarounds for. But if they do, Qubes is probably the most seamless way to work with tons of (well-isolated) VMs. For example, SecureDrop [0] is based on Qubes and does seem to work well for journalists for securely receiving and working with documents from anonymous sources.

[0]: https://securedrop.org/

u/retsl · Karma: 94 · Cake day: November 3, 2024 · About: https://lets.re