Disobey – The Nordic Security Event

Disobey, the annual Nordic security event, was held on 11th-12th of January 2019 at Kaapelitehdas, Helsinki. A group of JYVSECTEC staff members participated in the event to hear the latest news from the field, meet their colleagues, increase their knowledge and, of course, have fun! The group also wanted to gather valuable information and contacts that could be used in the development work of the CinCan project and to increase the project’s visibility.

Development of the event

In the past four years Disobey has become one of the most significant security events in Finland and the Nordic countries. The growth of the event can partly be explained by its atmosphere: regardless of background, experienced hackers, curious beginners, and organisations and their representatives are all welcome. The other reason for the event’s growth is its comprehensive program. This year, the two-day program included several talks from different specialists, the Disobey Challenge, and various Capture the Flag competitions and workshops. Whatever you are interested in, Disobey definitely has something to offer you for just a small fee. In this blog post I will present one of the talks that I found interesting.

The (In)Secure Copy

In his talk “Weaponizing the SCP Vulnerability”, F-Secure’s Senior Security Consultant Harry Sintonen explained how he found several vulnerabilities in programs that implement the SCP network protocol. In a nutshell, Secure Copy is a network protocol for transferring data between hosts, and it is a secure version of its predecessor, RCP. SCP programs are normally command-line tools; in Linux distros, for example, the scp program (yeah, the program name is the same as the protocol) is commonly used.

Sintonen found that when the scp program is used, the server side can change directory permissions on the client side (CVE-2018-20685) and control which files are sent to the client while the data transfer is in progress (CVE-2019-6111). In fact, scp does not check transferred files for duplicates, so if the server side decides to send files with the same names as files already at the destination, the destination files are overwritten without any confirmation. Sintonen showed that this can be used for malicious activities, for example when the client’s .bash_profile file is overwritten with a file that contains malicious commands. Normally the client should be able to see which files were transferred from scp’s progress output and take appropriate action before any malicious activity happens. However, Sintonen also found a vulnerability (CVE-2019-6109) that lets the server side manipulate the progress output on the client side, making any malicious activity harder for the user to detect.
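As an added illustration (not code from the talk, the advisories or OpenSSH), the sketch below shows the kind of client-side checks whose absence the paragraph above describes, for a non-recursive download of one requested name. The record layout (`C<mode> <size> <name>` for files, `D<mode> 0 <name>` for directories) is the SCP/RCP wire format; the function names and the sample records are constructed for this example.

```python
import fnmatch
import re

# Sender-side SCP control records: "C<mode> <size> <name>" (file)
# and "D<mode> 0 <name>" (directory).
RECORD = re.compile(r"([CD])([0-7]{4}) (\d+) (.*)")


def check_record(line, requested):
    """Return reasons to refuse a server-sent record; an empty list means accept."""
    m = RECORD.fullmatch(line.rstrip("\n"))
    if m is None:
        return ["malformed record"]
    name = m.group(4)
    reasons = []
    # Refuse names that refer to the target directory itself or leave it
    # (the directory-permission issue, CVE-2018-20685).
    if name in ("", ".", "..") or "/" in name:
        reasons.append("unsafe name")
    # Refuse characters that could rewrite the terminal's progress display
    # (CVE-2019-6109).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control character in name")
    # Refuse anything the user did not ask for (CVE-2019-6111).
    if not fnmatch.fnmatchcase(name, requested):
        reasons.append("name was not requested")
    return reasons


def audit(records, requested):
    """Check every record of one transfer; keys are repr() of the raw record."""
    return {repr(r): check_record(r, requested) for r in records}


if __name__ == "__main__":
    # Constructed records for a download where the user asked for "report.txt".
    sample = [
        "C0644 120 report.txt\n",
        "C0644 57 .bash_profile\n",
        "D0755 0 .\n",
        "C0644 10 report.txt\x1b[2K\n",
    ]
    for rec, why in audit(sample, "report.txt").items():
        print(rec, "->", why or "accept")
```

Only the first sample record is accepted; the other three are refused for an unrequested name, a directory name of ".", and an embedded escape sequence respectively.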

Link to Sintonen’s presentation:

https://www.youtube.com/watch?v=Yv6mD5vOVI0&t=1026s

Link to the vulnerability descriptions:

https://sintonen.fi/advisories/

The CinCan project

CinCan is a two-year INEA/CEF-funded project which started in 2018 as a collaboration between three different facilities: Traficom, Oulu University Secure Programming Group (OUSPG) and JAMK University of Applied Sciences.

“The purpose of the CinCan project is to establish continuous analysis of incident data as a part of CERT or CIRT functionalities, using tools and interfaces to rapidly create, augment, correlate and share analysis and threat intelligence in collaboration.”

More information about the project can be found at the following links:

https://cincan.io/

https://gitlab.com/CinCan

Joni Ahonen

Technical Specialist at JYVSECTEC
Institute of Information Technology, JAMK University of Applied Sciences
