SQL injection to skip the airport queue

Last week, researchers Sam Curry and Ian Carroll reported a serious vulnerability in one of the services used to ensure security at U.S. airports. In the U.S., security screening at all airports is handled by a single federal agency, the Transportation Security Administration (TSA). The TSA also runs special programs such as TSA PreCheck, which speeds up screening for regular passengers. Pilots and crew members usually have a separate line. As Curry and Carroll found out, there is a separate system for registering as “crew members,” open to a number of third-party organizations. And one of these third-party services had a rather trivial vulnerability.

The study isn't just about getting through airport security fast. In addition to this system, known as Known Crewmember, there is also a database called the Cockpit Access Security System. It allows access to the cockpit of an airplane. For example, if an airline pilot is flying as a passenger, he or she can use an empty seat in the flight deck. Both systems are administered by a commercial company called Collins Aerospace, but it essentially provides an API, while the actual “passes” are managed by individual airlines. That's where the authors of the study came across the FlyCASS service. While major airlines have their own proprietary access control systems, FlyCASS provides services to smaller operators. Each of them has a separate personal account on the FlyCASS.com website.

The FlyCASS access control system turned out to be easy to bypass: the web service was susceptible to a textbook SQL injection vulnerability. Using the “login” `' or '1'='1` and the “password” `') OR MD5('1')=MD5('1`, the researchers were able to gain access to the admin panel of one of the airlines using the service. There, it was possible both to display the list of pilots and crew members already registered in the system and to add new users, without any additional checks. Through the vulnerable service, potential attackers could add anyone to the list of authorized persons, both for quickly passing security at airports and for access to the cockpit.
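To make clear why those two strings were enough, here is an added example (not FlyCASS code, whose source is not public) that reconstructs the query shape the payloads imply: a login query that concatenates the username into a string comparison and wraps the password in `MD5('...')`. The users table, its rows and the `MD5` helper registered on SQLite (which, unlike MySQL, has no built-in `MD5`) are all constructed for the demonstration. The vulnerable function shows the bypass; the parameterized version treats the same input as data and rejects it.

```python
import hashlib
import sqlite3

# Constructed sample data for the demonstration; hypothetical schema, not FlyCASS's.
SAMPLE_USERS = [
    ("airline_admin", hashlib.md5(b"correct horse").hexdigest(), 1),
    ("dispatcher", hashlib.md5(b"battery staple").hexdigest(), 0),
]


def make_db():
    """In-memory SQLite database with a MySQL-style MD5() function registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_md5 TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_md5, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input becomes part of the SQL itself (assumed shape)."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_md5 = MD5('" + password + "')"
    )
    # With the payloads from the article this becomes:
    #   ... WHERE username = '' or '1'='1' AND password_md5 = MD5('') OR MD5('1')=MD5('1')
    # The trailing OR is always true, so the first row (the admin) is returned.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Fixed version: placeholders keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_md5 = MD5(?)",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    login_payload = "' or '1'='1"
    password_payload = "') OR MD5('1')=MD5('1"
    print("vulnerable   :", login_vulnerable(db, login_payload, password_payload))
    print("parameterized:", login_parameterized(db, login_payload, password_payload))
```

The parameterized query is the actual fix; input filtering of quotes is not a substitute, because the second payload also relies on closing the `MD5(` call rather than only on a quote. The example also shows, as a side effect, that the application compared unsalted MD5 hashes of passwords, which is a weakness in its own right even once the injection is closed.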

After the researchers reported the discovery to the authorities in April of this year, FlyCASS's access to general airport security systems was temporarily disabled. The vulnerability was then successfully closed. This incident once again demonstrates that even the most serious security systems often have weak points. In response to the report by Sam Curry and Ian Carroll, the US Department of Homeland Security initially tried to present the incident as insignificant, insisting that all persons registered in the “simplified access” databases undergo additional checks. However, the researchers claim that these additional measures do not always work.

What else happened?

Researchers at Kaspersky Lab have dissected macOS malware targeting users of the Chinese messenger WeChat.

A vulnerability in surveillance cameras from the Taiwanese company AVTECH has earned a special warning from the US cybersecurity agency CISA. A number of cameras from this manufacturer have had a vulnerability since 2019 that allows full control over the device. The affected cameras are no longer supported by the manufacturer but, according to CISA, are still actively used by organizations. Since March of this year, the vulnerability has been actively exploited by the Corona Mirai botnet.

Researcher Marcus Hutchins (the same one who in 2017 stopped the epidemic of the WannaCry Internet worm) published a detailed analysis of a recently patched serious vulnerability in the tcpip.sys driver for Windows. Hutchins did not manage to achieve arbitrary code execution, but another researcher did (at least partially).

On August 16th, a malicious plugin for the Pidgin messenger, ss-otr, was discovered to contain a keylogger. And according to ESET, exactly the same malicious code was used by the little-known messenger Cradle, which was advertised as a “secure” fork of Signal.

The tenth zero-day vulnerability this year has been discovered and closed in the Google Chrome browser. In total, according to the website zero-day.cz, 57 zero-day vulnerabilities (actively exploited at the time of discovery) in various software have been publicly reported this year.

A malicious campaign uses Google Sheets spreadsheets as its command-and-control server.
