Tag fuzzing

InfoSec Week 7, 2019

Ubiquiti network devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.
https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/

Researchers demonstrated that Intel SGX trusted enclave poses a security thread, when they implemented proof malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".
https://arxiv.org/abs/1902.03256

Looks like the diffusion layer of Russian symmetric ciphers Kuznyechik and hash function Streebog, have mathematical properties required for the backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.
https://mailarchive.ietf.org/arch/msg/cfrg/4PmssKzCBsxTmLCieDgqD7Nynwg

Google engineers have designed a new encryption mode for ChaCha stream cipher called Adiantum. The new encryption mode should be used on cheap ARM processors that does not have hardware support for AES, and it is almost 5x faster than AES-256-XTS.
https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html

Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.
https://www.exploit-db.com/exploits/46362

Phones running Android OS can be compromised remotely by viewing malicious PNG image.
https://source.android.com/security/bulletin/2019-02-01.html

A new vulnerability in the runc, container runtime used by Docker, Kubernetes and others. allows container escape just by running a malicious image.
https://www.openwall.com/lists/oss-security/2019/02/11/2

NCC Group published an interesting blog about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS Libraries which they found last year.
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/

Researcher Scott Gayou published a step by step guide on how to jailbreak Subaru Crosstrek 2018 head unit leveraging USB port and update mechanism.
https://github.com/sgayou/subaru-starlink-research/tree/master/doc

According to the Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.
https://www.reddit.com/r/typescript/comments/aofcik/38_of_bugs_at_airbnb_could_have_been_prevented_by/

You can try to find bugs in the Swiss eVoting System, as they opened a bug bounty program. There is also a source code available for registered bug hunters.
https://onlinevote-pit.ch/details/

Google open sourced ClusterFuzz, an infrastructure used for fuzzing Chrome and OSS-Fuzz, continuous fuzzing pipeline of open source software.
https://opensource.googleblog.com/2019/02/open-sourcing-clusterfuzz.html

InfoSec Week 1, 2019

Let's Encrypt recapitulated the last year in the operation of their ACME based certification authority, and summarized the challenges that they will work on in 2019.
They intend to deploy multi-perspective validation, checking multiple distinct Autonomous Systems for domain validation, preventing potential BGP hijacks. They also plan to run own Certificate Transparency (CT) log.
https://letsencrypt.org/2018/12/31/looking-forward-to-2019.html

According to the consultant Nathan Ziehnert, "CenturyLink 50 hour outage at 15 datacenters across the US — impacting cloud, DSL, and 911 services was caused by a single network card sending bad packets."
https://twitter.com/GossiTheDog/status/1079144491238469638

Great blog by Artem Dinaburg, where he is resurrecting 30 years old fuzzing techniques from the famous research papers to run them on on the current Linux distro. Successfully.
https://blog.trailofbits.com/2018/12/31/fuzzing-like-its-1989/

An article by Wired about the fake murder for hire services on dark web and a freelance security researcher that took them down. As it turned out, some clients killed their targets themselves.
https://www.wired.co.uk/article/kill-list-dark-web-hitmen

Multiple newspaper publishers in the US were hit by a ransomware attack, delaying their operations.
https://www.latimes.com/business/technology/la-fi-tn-ryuk-hack-20190101-story.html

The European Union starts running bug bounties on Free and Open Source Software.
https://juliareda.eu/2018/12/eu-fossa-bug-bounties/

Foxit Readers' proof of concept exploit for the Use-After-Free vulnerability (CVE-2018-14442) was published on Github.
https://github.com/payatu/CVE-2018-14442

Attacker launched multiple servers that return an error message to the connected Electrum clients, which then turn them into a fake update prompt linking to a malware.
https://github.com/spesmilo/electrum/issues/4968

Adam Langley published blog about the zero-knowledge attestation when using FIDO based authentication. It could prevent a single-vendor policy some sites started to require.
https://www.imperialviolet.org/2019/01/01/zkattestation.html

Interesting blog post by Wouter Castryck on "CSIDH: post-quantum key exchange using isogeny-based group actions".
https://www.esat.kuleuven.be/cosic/csidh-post-quantum-key-exchange-using-isogeny-based-group-actions/

The security researcher Bruno Keith published a a proof of concept for a remote code execution vulnerability in Microsoft Edge browser (CVE-2018-8629).
https://securityaffairs.co/wordpress/79264/hacking/microsoft-edge-poc-exploit.html

If you are interested in older car hacking/tuning, check this article about overcoming the speed limitation on an old Japanese Subaru Impreza STi.
https://p1kachu.pluggi.fr/project/automotive/2018/12/28/subaru-ssm1/

Jonathan “smuggler” Logan published study on the future of black markets and cryptoanarchy named "Dropgangs, or the future of darknet markets".
https://opaque.link/post/dropgang/

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
https://electronjs.org/blog/protocol-handler-fix

Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html

It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/

It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
https://www.checkmarx.com/2018/01/23/tinder-someone-may-watching-swipe-2/

Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
https://www.techrepublic.com/article/10-new-vm-escape-vulnerabilities-discovered-in-virtualbox/

The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
https://www.qubes-os.org/news/2018/01/22/qubes-air/

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
https://eprint.iacr.org/2018/080

Nice introduction on how to fuzz TCP servers by Robert Swiecki.
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

InfoSec Week 39, 2017

Security researcher Gal Beniamini from Google has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and published working exploit after notifying affected parties.
https://googleprojectzero.blogspot.sk/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html

Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package - Dnsmasq. The patches are now committed to the project’s git repository. Make sure to upgrade to v2.78.
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Arbor Networks researchers attributed Flusihoc DDoS botnet to the Chinese origins. More than 154 different command and control servers were used during the years, with over 48 still active right now.
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

HP Enterprise shared ArcSight source code with the Russians.
https://www.schneier.com/blog/archives/2017/10/hp_shared_arcsi.html

The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.
https://ics-cert.us-cert.gov/advisories/ICSA-17-271-01

Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Support them!
https://puri.sm/shop/librem-5/

Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.
https://blogs.microsoft.com/ai/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/

Super-Stealthy Droppers - Linux "Diskless" binary execution by example.
https://0x00sec.org/t/super-stealthy-droppers/3715

InfoSec Week 38, 2017

The ZNIU Android malware is exploiting Linux kernel "Dirty COW" vulnerability to install itself on a device and collect money through the SMS-enabled payment service.
http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/

Good introduction blog into the art of binary fuzzing and crash analysis demonstrated by fuzzing famous open-source Mimikatz software.
https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html

Security researcher Inti De Ceukelaire has gained access to company team pages by exploiting faulty business logic in popular third-party on-line helpdesks.
https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Server part of the Wire end-to-end encrypted instant messenger application is now open-source, but there are lots of external dependencies and no documentation yet.
https://medium.com/@wireapp/wire-server-code-now-100-open-source-the-journey-continues-88e24164309c

A brief description behind the technology of a private contact discovery used in Signal messenger.
https://signal.org/blog/private-contact-discovery/

X41 IT Security company has released an in-depth analysis of the three leading enterprise web browsers Google Chrome, Microsoft Edge, and Internet Explorer.
https://github.com/x41sec/browser-security-whitepaper-2017

A nice list of a various open-source honeypot projects available on-line.
https://www.smokescreen.io/practical-honeypots-a-list-of-open-source-deception-tools-that-detect-threats-for-free/

SigThief - The script that will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. It's not a valid signature BUT it's enough for some anti-viruses to flag the executable as trustworthy.
https://github.com/secretsquirrel/SigThief

InfoSec Week 19, 2017

You have probably heard about the WannaCry/WannaCrypt/WannaWhatever worm spreading ransomware, because of the sensation created by parties profiting from the scare tactics. But also because it is using really good spreading technique - exploiting MS17-010 SMB vulnerability leaked from the NSA.
Some post-mortem analysis of the first version (with the killswich) and TheShadowBrokers blog are listed below. Crypto is working, so no trivial decrypter is probable, except if the keys are published.
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

Nice analysis of a P2P botnet. The researchers determined the botnet size by injecting fake nodes to the network, as well as using crawling. http://securityaffairs.co/wordpress/58931/malware/p2p-transient-rakos-botnet.html

Fatboy Ransomware-as-a-Service is using The Economist’s Big Mac Index to calculate the ransom amount.
https://www.recordedfuture.com/fatboy-ransomware-analysis/

Tor hidden service operator is analysing bots used to enumerates and attack hidden services.
http://www.hackerfactor.com/blog/index.php?/archives/763-The-Continuing-Tor-Attack.html

Google Project Zero post about the process of discovering CVE-2017-7308 vulnerability. Found by fuzzing, with the later exploitation to escalate privileges.
https://googleprojectzero.blogspot.ch/2017/05/exploiting-linux-kernel-via-packet.html https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308

Wikileakes released "AfterMidnight" and "Assassin " malware frameworks designed, two CIA malware frameworks for the Microsoft Windows platform. Those services allow operators to dynamically load and execute malware payloads on a target machine & exfiltrate the data.
https://wikileaks.org/vault7/#AfterMidnight

A Security researcher Thorsten Schroeder discovered that an audio driver shipped on dozens HP laptops and tablet PCs logs keystrokes. It's actually a badly written application outputting pressed keystrokes to the debug output, so everyone is able to list them using MapViewOfFile function.
https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html

malwaresearch - A command line tool to find malware samples on the openmalware.org. It's possible to use the various hashes or common name.
https://github.com/MalwareReverseBrasil/malwaresearch