Application Security Weekly for July 15

npm is a dumpster fire.  Yet another malicious package was discovered, and it got automagically pulled into many projects thanks to dependencies.  In other news, I learned about snyk, which is a pretty cool tool.

https://snyk.io/vuln/npm:eslint-scope

 

In dev news, the #1 development GUI of all time is being updated.  Notepad!

https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update

 

Apple wrote some code to appease the Chinese government and it was kind of a mess.

https://objective-see.com/blog/blog_0x34.html

 

Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.

http://seclists.org/fulldisclosure/2018/Jul/44

 

Remember when I said "Spectre is not exploitable"?  Yeah, I was wrong.  Again, and again, and again...

https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/

 

New variation of my favorite Weblogic vuln - CVE-2017-10271.

https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/

I wrote the tests for this vulnerability for Nikto.

https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac

 

And that's the news.

Application Security Weekly for July 8

LTE has a bug.  Who knew? One more strike for IoT devices, methinks.

https://arstechnica.com/information-technology/2018/06/lte-wireless-connections-used-by-billions-arent-as-secure-as-we-thought/

 

Cool XXE Vulnerability in WeChat Pay SDK.

http://seclists.org/fulldisclosure/2018/Jul/16

 

UK's National Health Service had a breach due to a currently unspecified coding flaw.  Keep an eye on the story for more info.

https://www.theregister.co.uk/2018/07/03/confidential_patient_info_nhs_software_share_tpp/

Application Security Weekly for July 1

It's the "Bill accidentally skipped a week" edition.  I didn't even DO anything last Sunday, I just forgot!

 

The IETF calls for formal revocation of the TLS 1.0 and 1.1 standards.  This will effectively cut mobile users on Android 4.4 and earlier off the web.  Guess who this hurts: developing countries. And why?  Because it's possible to decrypt a message BEFORE the heat death of the universe.  We have a priority problem.

https://www.theregister.co.uk/2018/06/19/ietf_calls_for_formal_tls_1_0_1_1_deprecation/

 

Rhino Security put together a good article about privilege escalation on Amazon Web Services, and it is juicy.

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

They have an open source AWS scanning tool too!!

https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools

 

This isn't a security story explicitly, but it is about why security in apps for mobile is so important, and it features Columbus, where I am based.  And it is The Atlantic, one of my favorite papers.

https://www.theatlantic.com/technology/archive/2018/06/shops-arent-for-shopping-anymore/563054/?utm_source=feed

 

There's a 7-month-unpatched vulnerability in Wordpress that allows for unauthorized access.  Considering what Wordpress has grown into, I'm kind of shocked by this.

https://thehackernews.com/2018/06/wordpress-hacking.html

 

A breach bigger than Equifax?  SURE WHY NOT.

https://www.wired.com/story/exactis-database-leak-340-million-records/

 

While I am eating up your Wired soft-paywall allowance, they have another good article on how the Mirai botnet was just some kids trying to cheat at Minecraft.  Great long read.  Don't screw with malware, folks!

https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/?mbid=social_twitter

By the way, Wired has great reporting and is worth the $10 a year.  You should subscribe.

 

And that's the news.  Have a great 4th, if you are in the US.  Otherwise, have a great week!

Veracode partnership

I don't do a lot of advertising on this blog, but this is a pretty important part of my "walk the talk" campaign.  I have for years been espousing a four part analysis pattern, including manual dynamic analysis (vulnerability analysis), manual static analysis (code review), automatic dynamic analysis (scanning the app with something like ZAP), and automatic static analysis (code scanning).  Well, I have added this last one, automatic static analysis, to the list of products that POINT offers, through a partnership with Veracode.  Veracode offers automatic static binary analysis, and is the best product I've found for web applications and mobile applications.  What's more, I can triage the findings for you before delivery. (I'll of course also give you the original test results.)  I spoke on this in my talk from a couple of years ago, Developers: Care and Feeding.

https://www.youtube.com/watch?v=_7jsUACnjjM

I also spoke at length on the topic on the Brakeing Down Security podcast.

http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf

So now, I offer this for real.  It's not free, but it's a great addition to a vulnerability analysis, and I'm pleased to be able to add it to the suite of offerings we have here at POINT.

Application Security Weekly for June 17

The Android Debug Bridge (ADB) feature is even less secure than we thought.  Avoid those "recharge stations".

https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20

 

A tale of the disclosure of WebUSB vulns.

https://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html

 

In the "let's be clear" department, Microsoft explains what it will and will not fix.

https://www.theregister.co.uk/AMP/2018/06/13/microsoft_security_servicing_commitments_for_windows_draft/

 

And that's the news.

Application Security Weekly for June 10

Firstly, I have had a MASSIVE chest cold that has kept me down for the count, so I have been reading a lot of news.  Thus, long newsletter.

 

Microsoft bought Github.  This might seem to not be a security issue, but 'tis.  Why did they buy them? Github doesn't make money.  However: 1) Microsoft wants devs on their platform and 2) they are really into machine learning.  So, let's get all of the devs and all of their code and ... profit?

https://www.linuxfoundation.org/blog/microsoft-buys-github-the-linux-foundations-reaction/

 

This is a little older but was new to me - Bruce Schneier writing for Lawfare (recommended reading by the way) about the implications of Efail.

https://www.lawfareblog.com/what-efail-tells-us-about-email-vulnerabilities-and-disclosure

 

A cartoon intro to DNS over HTTPS.  We need more of these.

https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

 

Building malicious zip files.  Remember, mess with malware in a virtual machine, and NOT on your company network please.

https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/README.md

 

Didier Stevens is oft referenced in these missives, and he had a really productive May.  I'll just link to his own overview.  Lots of great appsec content.

https://blog.didierstevens.com/2018/06/05/overview-of-content-published-in-may-3/

 

XSS on ESPN's site.  Stuff is just everywhere:

http://seclists.org/fulldisclosure/2018/Jun/22

 

Oh man, I forgot about this one.  Remote Code Execution on a voice-based AI.  You know, one of those smart speakers?  Incredible stuff.  Now I wanna go test my Echo.

https://github.com/Nhoya/MycroftAI-RCE

 

And we'll finish up with a breakdown by El Reg of all of the week's data breaches.

https://www.theregister.co.uk/AMP/2018/06/09/what_got_breached_this_week_ticket_portals_dna_sites_and_atlantas_police_cameras/

 

Have a good week, everyone. I'm going back to bed. Oh, and that's the news.

Application Security Weekly for June 3

My good friends at AppSec Consulting tipped me off to this really neat finding.  It's a SAML bypass - they didn't discover it, but they have been using it in tests and it works well.

https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

 

Remember JScript, that attempt by Microsoft to take over ECMAScript?  Yeah, neither does anyone else, but it is still in Windows and it has an RCE vulnerability.

https://securityaffairs.co/wordpress/73076/hacking/jscript-component-0day.html

 

Apparently it's the theme today, so I'll point out that an RCE vulnerability was found in the Steam client, and has a good writeup.

https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client

 

In a previous post I mentioned the sheer mass of Redis servers left open on the Internet.  Someone has now written a worm for them, and 75% are infected.

https://www.incapsula.com/blog/report-75-of-open-redis-servers-are-infected.html

 

And that's the news.

S


Update git. It has an RCE vulnerability

There is a new version of git, including for Windows, including VSTS, that you should move to immediately.

https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/

Turns out there is a remote code execution vuln in git at the "protocol" level and a malicious repo can really cause a mess.  Update right away.

This news brief brought to you by Application Security Weekly.  Now back to your regularly scheduled cat video.

 


Application Security Weekly for May 27

Portswigger (who builds Burp Suite) has a great article about finding vulnerabilities in bug bounty programs.  Must read.

https://portswigger.net/blog/so-you-want-to-be-a-web-security-researcher

 

SANS has a great article about Antivirus evasion.  Don't try this at home.

https://isc.sans.edu/diary.html

 

Oh hey I almost forgot about this one.  Remember that Electron bug that was patched?  It didn't work.  Patch again.

(Maybe we shouldn't write Windows apps in JavaScript.  Hmm.)

https://www.theregister.co.uk/2018/05/25/electron_patches_blacklist_error/

 

REALLY cool use of HTML5 to attack iOS.  Neat stuff, good writeup.

https://blogthemediatrust.wordpress.com/2018/05/25/html5-safe-haven-malware/

 

And that's the news.

S

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 
