Application Security This Week for December 16

The House oversight report on Equifax is out, and it is a doosy.  Ouch.

https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/

Here's a good Twitter thread on it, unrolled

https://threadreaderapp.com/thread/1072319618352627714.html

 

XXE was added to the OWASP Top 10 and some scoffed.  Read this before you blow it off.

https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/

 

OAuth is a thing, and deserves more research.  If Twitter can screw it up, anyone can.

https://shkspr.mobi/blog/2018/12/twitter-bug-bounty/

 

Wordpress 5 got a security release.  Get your hax in while you can.

https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/

 

So SMS based two factor auth is better than NOTHING, but not much.

https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/

 

That's the news, folks.

 

Application Security This Week for December 9

The big news this week was the first significant flaw in Kubernetes:

https://groups.google.com/forum/m/#!topic/kubernetes-announce/GVllWCg6L88

https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/

 

Good research on a PHP RCE flaw

https://lab.wallarm.com/rce-in-php-or-how-to-bypass-disable-functions-in-php-installations-6ccdbf4f52bb

 

More good research on hijacking smart contracts.

https://www.palkeo.com/en/projets/ethereum/stealing_ether.html

 

And that's the news!

 

Insecure Binary Deserialization

The OWASP Top 10 was updated last year, and there are a couple of new items.  One of them is Insecure Binary Deserialization.  Many of us use serialization in our applications, weather we know it or not, and through it sounds obscure it is a significant vulnerability. I talked about the bug on the Application Security Podcast earlier this year.   In 2017, Paypal was hit by a serialization bug in their JBoss middleware because of an unpatched system.  Several .NET projects were found to use the insecure BinarySerializer class in 2016 as well.  It's a very real problem.

Let's take a quick tour of serialization, look at the ways it can be attacked, and what you should do about it, here as part of the C# Advent.

What the heck is serialization anyway?

 Serialization is just saving the state of an object to a storable format.  Encoding and character sets aside, it is usually the conversion of an object in a system to text, so that it can be written to disk in one way or another.  Consider the ASP.NET Session object.  To the developer, it is just a Collection of items, but once stored and sent, it becomes part of the ViewState hidden field.

Back in the day, if we canted to move an object over the wire we had to use a binary transfer protocol, like DCOM or CORBA.  They stunk - they were hard to use and suffered from vendor lock-in.  XML, and later JSON, were eventually made the standard for data serialization, but it still didn't give us a way to move good old objects around.  

Serialization of objects had been around for a while (that's what CORBA does under the covers) but it wasn't really part of the languages we were using back in the 90s, but frameworks like the JDK and .NET changed all of that.  Serialization became commonplace for transfer and storage of the state of an application, identity information, even just a generic object we wanted to persist for some reason.

In .NET, there are a number of serialization options.  After marking an object [Serializable] one can use a member of the System.Runtime.Serialization namespace to render the object to a stable format.

For instance, here is a bit of demo code that serialized a simple class with two properties, and saves it to disk.  Keep in mind, this is vulnerable code and should not be used in production!

SerializableClass sc = new SerializableClass();
sc.StringProperty = "Hello World!";
sc.IntegerProperty = 42;
BinaryFormatter fmt = new BinaryFormatter();
using (FileStream stm = File.OpenWrite(@"c:\temp\output.stm"))
{
    fmt.Serialize(stm, sc);
}

If we take a look at output.stm in a text editor, we will see that it is, well, binary, as one would imagine.

However, this is just an encoding issue.  If we load it up in UTF-8 we see that things get a lot more interesting.

How can something like that be insecure?

It's an injection vector, just like a querystring variable or a INPUT in a web form.  An attacker can modify those values and submit them to the server.

"Wait," you are probably thinking, "doesn't the framework make sure it hasn't changed?"

Well, no.  It doesn't, and therein lies the rub.  The issue, in the case of C# and the .NET Framework, with the BinaryFormatter.  When one deserializes the object, no checks at all take place - it is left in the hands of the developer.  Since most folks don't know there is a problem, most folks don't confirm that the object is as they expect.

If the developer is depending on data in that object, then we have a real consideration.  Bypassing some controls, an attacker might be able to discover SQL Injection, Directory Injection, or even Remote Code Execution commands on the operating system.  But that's just where it starts.  With no signature confirming that the object is as we left it, nothing is stopping an attacker from reverse engineering the object, writing their own application to deserialize it, and even change its functionality.

How does one fix this?

There are two main solutions to insecure deserialization.  The first is to know your framework.  BinarySerializer, the class I used in the example, is the only serialization class that remains vulnerable to this kinds of thing.  As such, if you have to use it, don't store anything that is important in the class being serialized.  Just like a cookie, right? You know the cookie is plain text on the user's computer, so you don't put anything sensitive in it.  Right?

And I know this is a C# article, but other languages have this problem as well.In Java, the ObjectInputScream is vulnerable and it is the most commonly used serializer in the language, so watch for that.  PHP doesn't have a secure serialization route at all - the unserialize method is the only way (so far as I know) to process a serialized object.  The Ruby Marshal.load() method is designed insecure, and they even warn you of it in the documentation.  This is not unlike the BinarySerializer - it lets you run with scissors so that you can solve certain hard-to-solve problems.

So what do you do if you have to use a vulnerable serializer?  Panic.  Not not really.  Start to think in terms of a positive security model.  If you are allowing something that has been outside the boundary of your system back into your system, you should only allow expected values and reject all others.  This starts with type checking, of course, but can extend further than that.  If you are expecting a ZipCode parameter to contain five digits, then anything other than that should set off alarm bells. Input validation is your friend here. 

Alright, what if I ignore this whole thing and hope it goes away?

 In C#land, the BinarySerializer can only be used to store properties, not methods.  Therefore, actual code injection is practically impossible.  If the data is such that you don't care if the user edits it (say, a local only game state file) then ignoring the problem might not cause you any really large scale problems.

However, if you are storing anything that is used in the running of the program, especially in network connected or web applications, then you have to be very careful of possible side effects.  Just like any other input, if you allow the user to change it outside the bounds of your user interface to are begging for problems.  Say you store the contents of the shopping cart in a serialized object.  Can the user change the quantity ordered to a -1?  Would that give them a discount?

At the very least testing of any serialized objects should be part of your vulnerability assessment plan.  Any time data crosses the boundary of your application, check it!

Application Security This Week for December 2

A vulnerability was discovered in CSS (!) that will crash your browser.  Please don't do this at work.

https://cras.sh/

 

There is a new fuzzing list out there that I like a lot for searching for hidden files and directories.

https://github.com/Bo0oM/fuzz.txt

 

The security incident of the week: Marriott lost half a billion customer records, including passport numbers.

https://answers.kroll.com/

 

And that's the news!

Application Security This Week for November 25

A new open source project that generated an Android Studio project from an APK

https://maxkersten.nl/2018/11/21/androidprojectcreator-the-how-and-why/

 

Robert Graham has some thoughts on HTTP/3

https://blog.erratasec.com/2018/11/some-notes-about-http3.html?m=0

 

NEWS FLASH!  There is a security hole in Adobe Flash.

https://www.theregister.co.uk/2018/11/20/adobe_flash_bug/

 

Remember when I said there would never be a reliable exploit for the Rowhammer vulnerability?  I was wrong.

https://www.wired.com/story/rowhammer-ecc-memory-data-hack

 

Mr. Krebs was alerted to a vulnerability at USPS that an exasperated researcher had been trying to get them to fix for a year.

https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/

 

Late addition: PortSwigger posted the Top 10 Web Application Security research for the last couple of years.

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017

 

And that's the news!!

 

Application Security This Week for November 18

Here's a new set of training wheels for MetaSploit.  It's a little bumpy, but it is pretty decent as an intro to using scripting tools for exploitative pentesting.

https://github.com/M4cs/BabySploit/blob/master/README.md

 

A really good analysis of some PHP malware.  Beneficial reading for red and blue teams. As usual, please be careful playing with malware on your corporate network (or any other network).

https://blog.manchestergreyhats.co.uk/2018/11/07/php-malware-examination/

 

A new XSS detection tool with some nice hand-written parsers.

https://github.com/s0md3v/XSStrike

 

And that's the news!

Application Security This Week for November 11

Happy Veterans Day. Please make sure that this isn't the only day of the year that you take the time to do something for a veteran in your life.

 

The OWASP Top 10 project has added the Serverless Application Top 10 to the collection.

https://github.com/OWASP/Serverless-Top-10-Project/

 

Here's a good analysis of a live example of an Android banking trojan.

https://lukasstefanko.com/2018/11/video-analysis-of-android-banking-trojan-found-on-google-play.html

 

A malicious FaceTime caller can cause a kernal panic in some devices.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1641

 

Squally is a purposefully vulnerable video game to teach hacking of games.  Neat idea.

https://squallygame.com/

 

Struts has yet another RCE bug.

https://www.theregister.co.uk/2018/11/07/flaw_in_apache_struts/

 

There is a XSS bug in Evernote!

https://securityaffairs.co/wordpress/77789/hacking/evernote-xss-flaw.html

 

And that's the news.

Application Security This Week for November 4

A new-to-me file upload vulnerability scanner got an update recently - worth a look.

https://github.com/almandin/fuxploider

 

Not a very USEFUL vulnerability, but someone figured out how to bypass Chrome's security model for cookies.

https://mango.pdf.zone/stealing-chrome-cookies-without-a-password

 

Telerik (a developer tools company) has a good post on XSS and Content Security Policy.

https://www.telerik.com/blogs/on-cross-site-scripting-and-content-security-policy

 

And that's the news!

Application Security This Week for October 28

A flaw in X.Org is exploitable with a tweet sized attack.

https://lists.x.org/archives/xorg-announce/2018-October/002927.html

https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh

 

A malformed IPv6 packet can take over a Linux box. Thanks, SystemD.

https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

 

Twelve malicious Python libraries were found and removed from PyPi.

https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

 

And that's the news!

 

Application Security this week for October 21

The "Man that was a hell of a flu bug" edition. Stay healthy, everyone.

 

SSH bypass by ... wait for it ... telling the server your request is granted.  These are not the vulnerabilities you are looking for.  They can go on their way.

https://www.libssh.org/security/advisories/CVE-2018-10933.txt

 

PHP 5.6 support is ending.  That's a whole lot of websites.

https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

 

RCE in URL handling in Edge.  Positive security model, people.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8495

 

Oracle released 300 patches, most of them critical or high.  Not sure if this is good or bad.

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

 

jQuery File Upload has a serious bug that has been being exploited for three years.  Go update those old applications.

https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/

 

Here's a new SSL testing contender.  I haven't tried it yet but I will tomorrow.  Let me know what you think if you use it.

https://testssl.sh/

 

And that's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList