Bruce has some thoughts on a well-circulated article suggesting that application security isn't that important after all.
https://www.schneier.com/blog/archives/2019/03/an_argument_tha.html
Solid analysis of SimBad, a rogue malware campaign that infiltrated the Google Play store.
https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/
Terrifying tool that creates a spoofed cert for any website and signs an executable for AV Evasion.
https://github.com/paranoidninja/CarbonCopy
More awesome research from Rapid7, on deserialization bugs. A topic, as regular readers know, that is near and dear to my heart.
https://www.rapid7.com/research/report/exploiting-jsos/
And that's the news!
Android malware had almost 150 MILLION Googe Play Store downloads before it is was discovered and pulled.
https://www.theverge.com/2019/3/13/18263739/android-adware-simbad-google-play-store
Awesome User Access Control bypass that never saves anything to disk. As always PLEASE be careful playing with malware.
https://www.activecyber.us/activelabs/windows-uac-bypass
I wrote something similar for FALE a LOOOONG time ago but the ActiveLabs tool is better.
https://github.com/lockfale/DotNetAVBypass-Master
It's old home week. Subdomain brute forcing tool in VISUAL BASIC 6!! If anyone gets this up and running let me know, I would, but it triggers my PTSD.
https://github.com/visualbasic6/subdomain-bruteforce
Thanks to Jim Holmes to tuning me into this list - collected exploits for web attacks.
https://github.com/swisskyrepo/PayloadsAllTheThings
And that's the news!!
The NSA has open sourced their internal reverse engineering tool. It's so good, many consultants I know and trust have moved to it from IDA.
https://ghidra-sre.org/
This is a great story from the Verge that reminds us all to occasionally look at the ANSI alphabet for attacks ... and passwords.
https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned
Remember that guy, who might or might not write this blog, who said that SPECTRE isn't a real vulnerability and it will never be exploitable? Well, he was wrong. Again.
https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/
In the department of Standing On The Shoulders of Giants, we have a ring of GitHub accounts that are promoting forked and backdoored versions of popular software.
https://www.zdnet.com/article/researchers-uncover-ring-of-github-accounts-promoting-300-backdoored-apps/
And that's the news!
As the network boundary becomes more ephemeral, and attackers don't have obvious kickoff points for attacks as often, they are resorting more and more to the human angle. This is not news to any reader of this blog, I am certain. Physical attacks notwithstanding, the best place to stage an attack against the humans that run the systems is via phishing - using email, SMS, forum comments, customer service requests, or other communication to trick the people that have the keys to applications into giving them up.
Phishing increased 250% in 2018, according to Microsoft.
Vulnerabilities in applications are a key vector in phishing - not the most common vector, but a key vector. Nonetheless, we are testing for them more and more rarely. For instance, unvalidated requests and forwards dropped from the OWASP Top 10 in 2017, as was Cross Site REquest Forgery, even though they are used in a significant portion of phishing attacks. I get it, SQL Injection is more damaging and Cross Site Scripting is sexier, but these identity attacks are what the attackers are doing these days.
Bottom line, you have to be checking for these vulnerabilities. Here is an incomplete list:
- Unvalidated Requests and Forwards
- Cross Site Request Forgery
- Cross Site Scripting
- Host Header Poisoning
- Lack of Two Factor Authentication
- CORS Policy Violations
- Improper Handling of HTTP Verbs
- Out of Date or Insecure Third Party Components
I'll do a little more research on this topic and see if I can't get together a testing guide on this, but in the meantime I think you will find guidance in the new OWASP ASVS v4.0.
A new tool for finding malicious JavaScript and securely using external libraries.
https://blog.focal-point.com/a-new-tool-for-finding-malicious-javascript-and-securely-using-external-libraries
Acunetix has it's annual report out. Gotta give them your dox though, sorry.
https://www.acunetix.com/acunetix-web-application-vulnerability-report/?utm_source=hacktools&utm_campaign=security&utm_medium=content
Portswigger has their annual report out too. You do NOT need to give them your dox. Just sayin.
https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018
Really cool video that shows the non-FUD dangers of digital exploitation, without using a single website, computer, or black hoodie.
https://www.grahamcluley.com/cybersecurity-video-no-computers/
New Google Translate exploit. Funny, because I used Google Translate as a counter-example in my REST security talk.
https://github.com/ljmf00/google-translate-exploit
Universal RCE with Ruby YAML.load()
https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/
And that's the news!
Cool PoC of the Mac vulnerability CVE-2018-4193, an RCE in WindowServer.
https://www.synacktiv.com/ressources/OffensiveCon_2019_macOS_how_to_gain_root_with_CVE-2018-4193_in_10s.pdf
Terrifying vulnerability in an underlying component of Docker, Kubernates, and other virtuilazation software leads to hypervisor breakdown.
https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
An Oracle DCMA takedown of a Docker container leads to some interesting build awareness. Good Reddit thread.
https://www.reddit.com/r/oracle/comments/arqhjc/our_builds_are_failing_because_oracle_has_dmca/
A fourteen year old flaw was discovered in the encryption facility of WinRAR. Whoops. So much for the thousand eyes on open source theory.
https://arstechnica.com/information-technology/2019/02/nasty-code-execution-bug-in-winrar-threatened-millions-of-users-for-14-years/
Microsoft turbocharges GitHub's bug bounty program.
https://www.zdnet.com/article/github-bug-bounty-microsoft-ramps-up-payouts-to-30000-plus/
And that's the news!
A maintainer of the underlying runtime for Docker and Kubernetes) reported a vulnerability.
https://seclists.org/oss-sec/2019/q1/119
Here is a PoC codebase for the above. Well written too.
https://github.com/Frichetten/CVE-2019-5736-PoC
Hashcat can now crack any eight chatacter Windows password in two hours.
https://www.theregister.co.uk/2019/02/14/password_length/
Interested in Bug Bounties? Think they are all taken? Facebook CSRF finding nets $25,000.
https://ysamm.com/?p=185
And that's the news.
Ullaakut on Reddit posted this toolset: Gorsair, a tool to remotely access the exposed Docker API of vulnerable Docker containers. Works, too.
https://github.com/Ullaakut/Gorsair
Someone already pwned TLS 1.3, for crying out loud.
https://eprint.iacr.org/2018/1173
Cool attack on CORS configuration in mobile devices
https://research.digitalinterruption.com/2019/01/31/multiple-vulnerabilities-found-in-mobile-device-management-software/
RCE in Libreoffice. Not so free NOW areya?
https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html
And that's the news. Stay warm.
Here's a thread by Michael Stanek about how bad 7-zip's encryption algorithm is. I use this all the time and had no idea.
https://threadreaderapp.com/thread/1087848040583626753.html
An exploit POC that Mark Haase wrote for the new SCP vulnerability.
https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2
Hadoop is the new target for a lot of malware. Please stop leaving your clusters vulnerable.
https://www.theregister.co.uk/2019/01/24/hadoop_malware_attack/
Chrome is turning off the API that UBlock Origin uses. Makes sense - Chrome is free, Google is an ad company. Whatcha gonna do?
https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/
While you're here, the Central Ohio Infosec Summit has their annual Call For Papers open. Submit!
https://www.infosecsummit.com/eSites/2019cbusinfosec/Homepage
And that's the news.