Shared posts

20 Jul 14:15

The People Who Fell From The Sky

Lattera

Really great pilot episode!

A commercial airliner is torn apart in mid-air above war-torn eastern Ukraine, killing all 298 people on board. How could this happen and who is responsible? Investigative journalism collective Bellingcat is determined to find out the truth.

30 Mar 19:29

Contributing to FLOSS

Lattera

Doing this interview was fun!

I’ve been using FLOSS (Free/Libre and Open-Source Software) for almost two decades now and from time to time, I’ve been thinking about contributing to “return the favour”.

When I joined Fediverse, it struck me how many interesting projects there were and how much time people dedicated to work on them. Now I would really love to join and get active, but it’s very hard to find the time.

Not long ago I got the idea to ask software engineers who are already active in FLOSS projects about that: how they find the time, organize their work and achieve life-work-FLOSS balance. So I did just that.

I’ve asked Mark Felder (FreeBSD port maintainer and Pleroma developer), Shawn Webb (co-founder of HardenedBSD, maintainer of several security-oriented software projects), lain (main Pleroma developer), Mateusz Piotrowski (also a FreeBSD port maintainer) and Michał Herda (a Common Lisp hacker).

Each of them has provided some interesting insights, so I’d like to take a look at the most interesting ones and some of the recurring topics mentioned by them.

FLOSS at work or as a hobby

I’ve noticed two approaches there: working on FLOSS projects at work if you’re lucky to have an employer who is willing to pay for that, or doing it as a hobby, which I guess happens most of the time and in most of the projects out there, the only exceptions being huge projects backed by entire organizations (e.g. GNU/Linux, Mozilla Firefox).

Convincing one’s boss that FLOSS contributions pay off is not a piece of cake, so we can change perspective a bit here. We can choose employers who are willing to contribute to FLOSS.

There are many ways to contribute

As Shawn Webb points out, contributing to FLOSS is not limited to writing source code.

  1. Advocacy. Talk to people about the cool things you’re doing with the project. Talk to them about how it has solved real-world problems for you.

  2. Donate. This is a huge one. Donate hardware, software, and/or money. A lot of developers work on their projects in their spare time, like me, with spare resources. Donating funds allows them to pay for hosting services, DNS, etc. Donating hardware allows them to test their code in a variety of ways.

  3. Document. Every project’s documentation could be improved in some way. Whether it be through translation or enhancements to any existing documents, help with documentation will always be gladly received.

  4. Development. If you do have time to develop (though this question is about not having the time), do it! If you use the project at work, perhaps you can have your employer slice off some paid time for fixing bugs.

I think this is a very important thing to keep in mind. Not everybody has to write source code. Instead, those who benefit from that code being written could show appreciation with their donations.

Furthermore, supporting those who solve technical problems by adjusting documentation and spreading the word about their achievements might sometimes increase popularity, leading to more donations, more volunteer developers, etc.

Scratch your own itch

When it comes to developing software or documentation, it might be a good idea to start with software that you already use. You’ll probably know the issues and will find it easier than finding a project, learning about it and then supporting it this way or another.

The benefits of contributing

First of all, this is about getting more experience and learning in general. It is much better to learn by solving concrete problems rather than writing a “Hello World” app in your spare time. Hello Worlds rarely show you any useful tricks or complex problems. Bug reports from actual users will be real-life challenges – much more rewarding to solve and growth-provoking.

It’s not only the FLOSS source code we might learn from. Working with other engineers, each of whom has different experience, is a great opportunity to learn as well.

Another point is that FLOSS contributions are often a very good way to provide potential employers with a sample of your work, showing your capabilities and style.

Don’t be afraid

Sometimes software engineers working on all those FLOSS projects seem to be so experienced and have so much knowledge, that it might demotivate one to get in touch and start getting things done. However, my experience proves that they don’t bite! It’s the opposite: each of the engineers I sent my questions to was so open and encouraging that their responses alone made me want to contribute!

Staying motivated

Sometimes there are going to be longer periods of no meaningful results or hard problems to solve that would require a lot of work. It might happen and it’s fine. Having clear goals will help a lot. Also, it’s important to remember why we are doing it – for instance, a common cause is to give back to the community.

Conclusion

Reading all the replies I’ve got was an incredible experience and I’m thankful to all those who replied. Now I’m going to take the advice and start learning by doing.

24 Aug 16:22

HTTP Headers FTW

by CommitStrip
Lattera

Somewhat ironically, I've seen some web developers advocate for always returning 200 on error, to obfuscate whether an error occurred. I'm unsure whether such a practice actually increases security.

16 Aug 14:58

ARM says its next processors will outperform Intel laptop chips

by Jon Fingas
Lattera

I think, or at least hope, arm64 and risc-v are the future.

ARM-based laptops have been pretty pokey to date, but you might have a different impression of them in a year or two. The company has offered a rare peek at the performance expectations for its future processor architectures, and the figures might m...

29 Jun 18:30

Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days

by msmash
Lattera

FreeBSD's gonna get popped left and right.

Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails. From a report: The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement. The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category. The US-based company held a previous drive with increased rewards for Linux zero-days in February, with rewards going as high as $45,000. In another zero-day acquisition drive announced on Twitter this week, the company said it was looking again for Linux zero-days, but also for exploits targeting BSD systems. This time around, rewards can go up to $500,000, for the right exploit.

10 May 13:32

Obituary: The Maximum Pressure Policy

by Sammi Pitz
Lattera

Really good reading prior to the DPRK+US summit.

A family spokesman confirmed today that the maximum pressure policy passed away on April 27, 2018. This was not noticed…

The post Obituary: The Maximum Pressure Policy appeared first on 38 North.

26 Apr 14:09

Why does it take such a long time?

by CommitStrip
Lattera

This is what happens because of agile development: You just end up doing stuff to do stuff. You run around chasing the red dot.

If you had properly architected your project prior to writing even a single line of code, you would have a list of tools and choose from them according to the needs of the project.

Meaning, you end up making toolset decisions on purpose, not just "because that's what people do or what I need right now."

17 Apr 06:38

Russian hackers mass-exploit routers in homes, govs, and infrastructure

by Dan Goodin
Lattera

This is why having state-of-the-art exploit mitigations is crucial, especially on publicly exposed devices. I'm glad my firewall runs OPNsense.

Hackers working on behalf of the Russian government are compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers, US and UK officials warned Monday.

The Russian government-sponsored actors are using the compromised devices to perform man-in-the-middle attacks that extract passwords, intellectual property, and other sensitive information and to lay the groundwork for potential intrusions in the future, the officials continued. The warning was included in a technical alert jointly issued by the US Department of Homeland Security and FBI and the UK's National Cyber Security Center.

"Since 2015, the US government received information from multiple sources—including private- and public-sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide," Monday's technical alert stated. "The US government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation's national security and economic goals."

11 Jan 14:46

Is the US Preparing for Preventive War? Views from North Korea

by Justin Arnold
Lattera

Really good article on why DPRK does not want war with the US.

In mid-November 2017, I spent several days in Pyongyang talking to DPRK foreign ministry officials about the prospects of war…

Is the US Preparing for Preventive War? Views from North Korea is an article from 38 North: Informed Analysis of North Korea, published by the US-Korea Institute at SAIS.

19 Dec 17:54

FLIMP! The GIMP has a security problem

Lattera

The authors chose FreeBSD as their platform to write this exploit due to FreeBSD's lack of exploit mitigations, including ASLR.

It's nice to see that in HardenedBSD, this vulnerability is mitigated by:

1) PaX ASLR
2) PaX NOEXEC
3) PIE
4) RELRO + BIND_NOW

In 2014, when starting the Fuzzing Project, Hanno Böck did some primitive fuzzing on GIMP and reported two bugs. They weren't fixed and were forgotten in the public bug tracker.

Recently Tobias Stöckmann found one of these bugs and figured out that it's easy to exploit.

Uh... that's bad!

We think so, too.

What kind of bug is that?

It's a classic heap buffer overflow in the FLIC parser. FLIC is a file format for animations and was introduced by Autodesk Animator.

How does the exploit work?

Tobias has created a detailed writeup.

Why is the exploit for FreeBSD?

Modern Linux systems use Address Space Layout Randomization (ASLR), which makes exploiting buffer overflows much harder.

FreeBSD doesn't use ASLR by default.

Oh... That sounds bad, too?

We agree.

The exploit doesn't work for me!

We figured out it's unreliable and the memory addresses depend on many circumstances. The exploit ZIP comes with two variations using different memory addresses.

Try both of them. We also noticed putting the files in a subdirectory sometimes made the exploit work.

Anything more to tell about the GIMP?

There's a wide variety of graphics formats. GIMP tries to support many of them, including many legacy formats that nobody is using any more today.

While this has obvious advantages - you can access the old images you may find on a backup CD from 1995 - it comes with risks. Support for many obscure file formats means many parsers that hardly anyone ever looks at.

So... what about the other parsers?

The second bug, which is a simple overread, was in the TGA parser. Furthermore we found buffer overreads in the XCF parser, the Gimp Brush (GBR) parser and the Paint Shop Pro (PSP) parser.

We found another heap buffer overflow in the Paint Shop Pro parser which is probably also exploitable.

In other words: The GIMP import parsers are full of memory safety bugs.

How do you find these bugs?

With some effort it's possible to use american fuzzy lop - a state of the art fuzzing tool - together with Address Sanitizer to fuzz GIMP.

This is not straightforward. GIMP's import plug-ins are separate executables; crashing them doesn't crash the main process.

The fuzzing process is very slow, but we have some ideas on how to improve it.

We wanted to submit a fuzzing tutorial to the GIMP wiki. Unfortunately our attempts to get an account for the GIMP wiki were as successful as our attempts to get these bugs fixed. For now the tutorial lives here, but we still think it'd be better to have that hosted somewhere with the GIMP project.

So what now?

Our attempts to communicate with the GIMP developers have been met with silence. Some of the bugs reported have patches attached, most of them haven't been applied. We also tried contacting the GNOME security team. They tried to help, but weren't successful either.

We get the impression that security is no priority for GIMP. We think this needs to change.

What should happen?

First of all obviously all known memory safety bugs should be fixed.

Furthermore we believe the way GIMP plugins work is not ideal for security testing. The plug-ins are separate executables, however they can't be executed on their own, as they communicate with the main GIMP process.

Ideally either these plug-ins should be changed in a way that allows running them directly from the command line or - even better - they should be turned into libraries. The latter would also have the advantage of making the parser code useable for other software projects.

Finally it might be a good idea to sandbox the import parsers.

Anything else?

GIMP makes use of the exiv2 tagging library, which has its problems, too, and a couple of unfixed security bugs.

We also think GIMP should think about the security of their downloads.

FLIC... FLIC... is it possible I heard this story before?

Gstreamer recently also had a serious bug in the FLIC parser that was discovered by Chris Evans.

Who drew the logo and what's the license?

The original GIMP logo was drawn by Tuomas Kuosmanen. The modified version was created by Ludwig van Boltzmann.

The original logo was released under the GPL 2 or later, the modified version is released under the same license.

Who did this?

This is a project by Hanno Böck and Tobias Stöckmann.

The website design was "stolen" from the DROWN website and slightly adapted; it was created by Sarah Madden. The logo was created by Ludwig van Boltzmann and is a modification of the official original GIMP logo by Tuomas Kuosmanen. It is licensed under the GPLv2 or later. The webpage design is under a CC0 license.

16 Dec 19:30

Jeff Sessions on marijuana enforcement

Lattera

I can't wait for marijuana to be fully legalized for both recreational and medicinal use.

A year ago, when president-elect Donald Trump announced Senator Jeff Sessions would be his attorney general, advocates for marijuana law reform were suddenly seized with panic. The longtime Alabama senator, they knew, had once joked that he considered the Klan to be OK guys until he found out they smoked pot. Only they weren’t quite sure he was kidding.

Sessions’ appearance at his confirmation hearing in early January did little to allay those fears. During testimony best remembered for the attorney general’s commitment to recuse himself from any investigation related to the 2016 election, the nominee was asked about medical marijuana by Vermont Senator Pat Leahy: “Would you use our federal resources to investigate and prosecute sick people who are using marijuana in accordance with their state laws, even though it might violate federal laws?”

“I won’t commit to never enforcing federal law, Senator Leahy,” Sessions replied, suppressing a slight smirk. That double negative tightened the knot in every drug policy reformer’s gut. Exactly how vulnerable were the nascent marijuana industries in the 29 states where it was now legal? Would Sessions, who rarely misses an opportunity to bemoan the scourge of marijuana, sweep aside the paper-thin order imposed by the Obama administration that had stayed the enforcement hand of the Department of Justice? Would SWAT teams arrest wheelchair-bound medical marijuana patients, raid marijuana dispensaries and shut down the high-tech growhouses that supplied them?

The dreaded crackdown never materialized. Sessions, perhaps preoccupied with other priorities like keeping his volatile boss from firing him, remained largely inactive on the subject. Meanwhile, a series of incremental advancements on the pro-marijuana front helped to further enmesh the $9.7 billion industry into the commercial fabric of the nation, 60 percent of whose residents support some form of legal pot. California opened the doors to recreational marijuana and issued regulations for outdoor marijuana festivals; Florida began its implementation of a medical marijuana program; and Denver and Las Vegas are vying to become the first city in America to legalize “marijuana consumption lounges” (think high-end bars with expensive weed choices instead of booze). Sessions, for his part, has spent his time in testy exchanges with DOJ interns and convening meetings with small groups of like-minded anti-pot activists determined to roll back state-level momentum. “I do believe … that the public is not properly educated on some of the issues related to marijuana,” he told one such group on Friday.

But things are suddenly looking rosier for Sessions. Thanks to Congress’ fumbling over the spending bill, the AG’s yearning to battle legal marijuana may get a major boost without him having to lift a finger. That’s because Rohrabacher-Farr, a little-known and even less discussed amendment that protects state-legal medical marijuana programs from federal interference, is close to expiring. If the government shuts down at the expiration of the current continuous resolution on December 22, or if negotiations in an upcoming appropriations conference committee fail to insert it in the final draft of the spending bill—entirely possible given House Republicans’ hostility to marijuana—Sessions would be free to unleash federal drug agents on a drug, which according to federal drug law, is considered the equal of heroin and LSD.

The politics on this issue has shifted so dramatically that reform advocates, instead of quaking in their boots at Sessions’ saber rattling, are actually itching for the fight.

“Part of me just thinks: Let ‘em try. There will such a ferocious backlash,” Rep. Earl Blumenauer of Portland, Oregon, told POLITICO Magazine in response to a question about a potential Sessions-led crackdown. (Blumenauer replaced Sam Farr as the amendment’s Democratic co-sponsor after Farr’s retirement, so in a turn that does not help its branding efforts, Rohrabacher-Farr is now called Rohrabacher-Blumenauer.)

Morgan Fox, communications manager of the Marijuana Policy Project, agreed with Blumenauer: “There’s no way that Sessions can start rolling back medical marijuana policies or attacking patients and providers without looking like the bad guy.”

Still, with the legislative barrier gone, there would be plenty of ways for Sessions to make life difficult for marijuana businesses without creating dramatic footage for the nightly news. Fox worries less about SWAT team raids than the possibility the Department of Justice would quietly send letters to landlords who rented to legal marijuana businesses to threaten them with asset forfeiture.

People would be forgiven for thinking that state-legal medical marijuana was a settled issue, but in fact it is hanging by a thread, and Congress is poised to hand Jeff Sessions the scissors.

***

From the beginning of his tenure, Attorney General Sessions’ public rhetoric seemed to promise that he would waste no time before he undid the protections of the Cole Memo, the four-page memorandum issued in 2013 to all U.S. attorneys that granted them a great degree of prosecutorial discretion as to how to use the federal government’s limited crime-fighting resources.

“I, as you know, am dubious about marijuana,” Sessions told the National Association of Attorneys General in February. “States can pass whatever laws they choose, but I’m not sure we’re going to be a better, healthier nation if we have marijuana being sold at every corner grocery store.” In early April, he announced that the DOJ’s Task Force on Crime Reduction and Public Safety would include a new subcommittee to evaluate marijuana enforcement policy, marking, in the eyes of many marijuana observers, the start of Sessions’ effort to roll back the needle-threading compromises of the Obama administration.

Less publicly, Sessions was going after Rohrabacher-Farr. In May, he wrote a letter to members of Congress asking them to undo the protections provided by the amendment: “I believe it would be unwise for Congress to restrict the discretion of the Department to fund particular prosecutions, particularly in the midst of an historic drug epidemic and potentially long-term uptick in violent crime,” Sessions wrote in the letter, which was first obtained by Tom Angell, an advocacy journalist and founder of the nonprofit Marijuana Majority, and confirmed by the Washington Post.

First introduced in 2001 as Rohrabacher-Hinchey, the amendment was first passed as Rohrabacher-Farr in 2014 after seven tries, and reauthorized with a greater majority in 2015. But after the near-passage of a gay rights-related amendment in June 2016 that embarrassed House leadership, Paul Ryan and Pete Sessions, chairman of the House Rules Committee and no relation to the attorney general, shut down the amendment process, leaving measures like Rohrabacher-Farr unprotected even though it could easily pass given that 66 members of the House signed a letter addressed to House and Senate leadership urging its passage. (Pete Sessions declined multiple requests for comment.)

Sessions isn’t the only one fighting against Rohrabacher-Farr. He has help from Smart Approaches to Marijuana, or SAM, an anti-legalization group run by Kevin Sabet, one of the handful of attendees at Sessions’ meeting December 8 at DOJ. “We’ve been fighting behind the scenes to remove Rohrabacher-Farr because it really ties the hands of law enforcement,” Sabet told POLITICO Magazine. “On the Hill this year, we’ve had really good progress, like what we did in the Rules Committee.”

During the summer, all signs pointed to Jeff Sessions’ imminent action against legal marijuana, but in August, the DOJ’s Task Force on Crime Reduction and Public Safety, which had been at work behind closed doors since April, reported back with no new policy recommendations to curb legal marijuana programs, advice that would have remained secret if the Associated Press hadn’t obtained the documents. It signaled that maybe the federal prohibition on marijuana was practically unenforceable without state and local police doing the feds’ dirty work.

“I will push back on any federal effort to interfere with our laws and not share information if it’s not related to a criminal investigation under our own law or ordered by a court,” Rep. Jared Polis, a Colorado Democrat and fierce advocate of marijuana legalization, said on Monday in a Reddit “Ask Me Anything” thread. “So as long as we don’t cooperate it would be hard, almost impossible, for there to be a major federal-only enforcement action.”

As recently as late November, Sessions signaled that his Justice Department remains committed to re-evaluating the Cole Memo: “In fact, we’re working on that very hard right now. We had meetings yesterday and talked about it at some length,” he said during a press conference meant to highlight the DEA’s new tools in fighting the opioid crisis. Exactly what he plans to do remains a mystery.

With Sessions keeping his cards close to the vest, it’s hard to say what might happen because of the otherwise chaotic nature of this administration. Where is the president on this issue? In February 2016, candidate Donald Trump told FOX News host Bill O’Reilly, “By the way -- medical marijuana, medical? I’m in favor of it a hundred percent.” At CPAC later that month, Trump responded to a question on Colorado’s legalization of marijuana by saying, “I think it’s bad. Medical marijuana is another thing, but I think it’s bad,” seeming to draw a line between medical use and adult recreational use.

In March of this year, President Trump put “solving the opioid crisis” in the basket of responsibilities for his son-in-law and senior advisor, Jared Kushner, who then handed off the opioid crisis to his reported frenemy, Chris Christie, the soon-to-be-former governor of New Jersey, in the form of a task force called the Commission on Combating Drug Addiction and the Opioid Crisis. One of the first acts of Christie’s task force was to seek public comment for suggestions. Its interim report touted “more than 8,000 comments from the public,” of which the ONDCP later admitted to Vice News that more than 7,800 were suggestions to legalize marijuana as a means of combating the opioid crisis. It was a suggestion the task force promptly ignored. In May, Christie said taxes collected on medical marijuana was “blood money,” and that the whole concept of medical marijuana was “beyond stupidity.”

Kevin Sabet is encouraged. “When you have [the task force] agreeing that marijuana legalization is a bad idea and that it would not help the opioid epidemic, the White House hears that. They hear that loud and clear,” Sabet told POLITICO Magazine. Translation: Sabet thinks Trump will do what Sessions wants when it comes to marijuana.

***

With the threat of a government shutdown delayed until December 22, there is now some breathing room, but Rohrabacher-Blumenauer is still at risk of not making it through the conference committee because Paul Ryan and Pete Sessions have bottled up the amendments process in the House.

“I don’t know what went through his head, in terms of preventing us from having a vote on the floor of the House,” Blumenauer said, referring to Pete Sessions. “I think before the year is over that Pete is going to find out that position is not popular in Texas.”

For now, marijuana amendments are out of order. That means that the extension of these protections rests squarely on the shoulders of the Senate, where a companion amendment to Rohrabacher-Blumenauer sponsored by Pat Leahy passed by a voice vote in July without much fanfare or controversy.

Leahy’s office did not respond to multiple requests for comment for this story, but Leahy’s counterpart, Senate Appropriations Chairman Thad Cochran, R-Mississippi, told POLITICO Magazine through a spokesman, “As you know, medical marijuana-related provisions in the Senate bills were approved with bipartisan support,” a statement that is sure to leave House Republican leadership feeling a little frosty with their Senate Republican colleagues seemingly unwilling to back them up on a fight that House leadership has picked.

It’s still unclear how marijuana reform will fare in the conference committee. “It all comes down to how much Leahy cares to fight about this behind closed doors,” Tom Angell told POLITICO Magazine. “That’s what it comes down to.”


At time of writing, Congressional leaders had not yet settled upon top line numbers for military and nonmilitary spending to even begin negotiations that would lead to a conference committee, where smaller issues like marijuana will get sorted out. Still, with a certain amount of confusion in the air, optimism for continued reform was winning the day.

“It’s more trouble than it should be, but I think it will ultimately be protected,” Blumenauer told POLITICO Magazine. “And what’s going on right now is going to accelerate further reform.”

Looking forward to the 2018 midterm elections as Congress continues to hemorrhage incumbents (including House Judiciary Committee Chairman Bob Goodlatte, a powerful anti-marijuana voice), even safe Republican seats are likely to be filled by younger Republicans who tend to support marijuana law reform. “Just by the generational shift, replacing older members with younger members, is going to put us in a better situation whether or not those districts flip parties,” Angell said. “If you look towards next year, there’s like 35 gubernatorial races, and there’s a ton of major party candidates who are on the record in favor of legalization.”

As for Kevin Sabet and his anti-marijuana group SAM, “We have raised more money this year than ever before,” Sabet said, meaning they will be out there fighting against the forces of legalization in 2018. That’s a challenge Blumenauer welcomes.

“The public is behind us. Both chambers of Congress are behind us, and if they choose to make it a partisan issue,” Blumenauer said, “it won’t go well for them.”

No matter what happens, one can guarantee that the status quo won’t hold for long: Congressional leaders will soon tire of the drama surrounding the annual reauthorization of Rohrabacher-Blumenauer, and the Cole Memo is dust in the wind as soon as Jeff Sessions says so. “If I was a betting man, I’d say that the Cole Memo will not be the final word. Everyone knows that,” Sabet said. “It’s like ‘Don’t ask, don’t tell.’”

Of course, we know what happened after that was struck down.

16 Dec 17:03

Netflix may run Watergate series developed by George Clooney

by Jon Fingas

Netflix's ability to reel in big-name stars may have just secured a very topical political drama. Sources for Hollywood Reporter and Variety have learned that George Clooney and Bridge of Spies writer Matt Charman are working on Watergate, an eight-e...

02 Apr 11:47

The Underhanded C Contest Is Back

by Unknown Lamer
Lattera

I might compete this year.

Xcott Craver writes "After several years of inactivity, the Underhanded C contest has returned. The object is to write a short, readable, innocent-looking computer program that nevertheless performs some evil function for reasons that are not obvious under code review. The prize is a $200 gift certificate to ThinkGeek." The deadline is July 4th, so get to hacking.

31 Mar 18:55

PBS shows how hacking is reclaiming its good name after a bad rap (video)

by Jon Fingas
Lattera

Really good video by PBS.

Hacking is still a loaded concept for many, often conjuring negative images of corporate espionage, fraudsters and prank-minded script kiddies. PBS' Off Book wants to remind us that hacking wasn't always seen this way -- and, thanks to modern developments, is mending its reputation. Its latest episode shows that hacking began simply as a desire to advance devices and software beyond their original roles, but was co-opted by a sometimes misunderstanding press that associated the word only with malicious intrusions. Today, hacking has regained more of its original meaning: hackathons, a resurgence of DIY culture and digital protests prove that hacks can improve our gadgets, our security and even our political landscape. We still have a long way to go before we completely escape movie stereotypes, but the mini-documentary may offer food for thought the next time you're installing a custom ROM or building your own VR helmet.

20 Mar 23:32

These Wing Suit Fliers in Rio Will Blow You Away

Lattera

Freaking awesome.

Submitted by: Unknown

14 Mar 21:20

Hackers open up offline play, modding tools for SimCity

by Kyle Orland
Highways... in the middle of a city? Dare to dream, SimCity owners. Youtube / UKAzzer

EA and Maxis' claim that it would take "significant engineering work" to make a workable offline version of SimCity took another hit today. Hackers have released modding tools that disable the game's periodic server checks without breaking the simulation. The tools also unlock other features not in the final game.

reddit is abuzz with news and guides for installing the SimCityPak, a downloadable package of files that lets players edit many elements of the UI and underlying game logic. The tools aren't incredibly user-friendly for the time being, but those with some Javascript experience and patience to learn can do things like disable the online connectivity requirement, fix the "fudged" population display, and even affect how the basic simulation works in some ways.

Hackers are still poring through the code to see what kinds of new features and gameplay can be unlocked (including, potentially, the holy grail of increased city size limits), but one of the most exciting discoveries so far has been a way to easily uncover the developers' debug mode. This mode allows for many features that players have been asking for in the consumer version of the game, including the ability to build highways through city limits and in the regional "dead space" between cities. These changes will apparently stay valid in the wider region after the city is synced to EA's central servers, though other users' cities will not see edits made to the regional landscape.
