Apart from the IETF hackathons, the cyberstorm.mu team also focused on internal hackathon either remotely or on-site participation. Another remote hackathon was already in progress since Saturday the 16th of June 2018. It was named Operation JASK – Just a Single Keystroke. Announced publicly on Sunday the 17th of June 2018 after noticing that several Cryptocurrency mining tools were vulnerable to CVE-2018-12356. By the time, many members of the team were already mobilized even if it was a public holiday in Mauritius. The operation was named JASK – Just a Single Keystroke as the security issues are concerned with the hardening of a regular expression, in particular requiring
[GNUPG:] to be at the beginning of a line (
^\[GNUPG:\]). We had to fire a single keystroke at the right place to fix a single vulnerability.
Marcus Brinkmann, who is a free software activist explained “An issue was discovered in password-store.sh in the pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extensions scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.”
However, simply the patch is, the attack aimed GnuPG signature verification process which is specific to pass the Simple Password Store. It can give the attacker access to passwords and remote code execution. On theRegister.co.uk – Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug, Loganaden Velvindron core member of the cyberstorm.mu explained, “It’s hard to identify just how many downstream projects inherit a vulnerability as the one Brinkmann spotted, but the number of problem projects will likely be non-trivial because the GnuPG cryptography suite has applications beyond e-mail protection.”
The cyberstorm.mu usual suspects during Operation JASK hackathon are Kifah Meeran, Loganaden Velvindron, Rahul Golam, Nigel Yong and myself (Nitin J Mutkawoa) all members from the cyberstorm.mu. Some of the projects are Bitcoin, Litecoin, Dash, Bitcoin Gold, Monacoin, Binarium, Terracoin, SmartCash, and many other cryptocurrency projects.
cyberstorm.mu is now looking forward to other hackathons. We are also inviting everyone to meet us at Flying Dodo Bagatelle conference room for the Security Disclosure Process event. Feel free to RSVP on meetup.com and Facebook before attending.