Application Security Weekly for June 10

Firstly, I have had a MASSIVE chest cold that has kept me down for the count, so I have been reading a lot of news.  Thus, long newsletter.

 

Microsoft bought GitHub.  This might seem to not be a security issue, but 'tis.  Why did they buy them? GitHub doesn't make money.  However: 1) Microsoft wants devs on their platform and 2) they are really into machine learning.  So, let's get all of the devs and all of their code and ... profit?

https://www.linuxfoundation.org/blog/microsoft-buys-github-the-linux-foundations-reaction/

 

This is a little older but was new to me - Bruce Schneier writing for Lawfare (recommended reading by the way) about the implications of Efail.

https://www.lawfareblog.com/what-efail-tells-us-about-email-vulnerabilities-and-disclosure

 

A cartoon intro to DNS over HTTPS.  We need more of these.

https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

 

Building malicious zip files.  The Snyk repo linked below holds sample archives for Zip Slip, the path-traversal bug where an archive entry named something like ../../evil.sh gets written outside the directory you are extracting into.  Remember, mess with malware in a virtual machine, and NOT on your company network please.

https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/README.md
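To show what the bug actually is, here is an added example of mine (not code from the Snyk repository): it builds a constructed Zip Slip archive in memory, shows the path a naive extractor would write to, and then extracts with a check that every entry must resolve inside the destination directory. The names build_archive, is_safe_member, safe_extract and run_demo are mine.

```python
import io
import os
import tempfile
import zipfile


def build_archive(entries):
    """Build a zip archive in memory from {entry_name: content}.
    Constructed test data, not a sample from the Snyk repository."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed Zip Slip archive: one benign entry and one entry whose name
# climbs out of the extraction directory.
ZIP_SLIP_ARCHIVE = build_archive({
    "docs/readme.txt": "harmless\n",
    "../../evil.sh": "#!/bin/sh\necho pwned\n",
})


def naive_target_path(dest_dir, member_name):
    """What vulnerable extractors do: trust the entry name as a relative path.
    With '../../evil.sh' this lands two levels above dest_dir."""
    return os.path.join(dest_dir, member_name)


def is_safe_member(dest_dir, member_name):
    """True only if the entry resolves to a location inside dest_dir.
    realpath collapses '..' segments; an absolute entry name makes
    os.path.join discard dest_dir entirely, which the prefix test also
    catches. The trailing os.sep stops '/srv/out2' passing as '/srv/out'."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    return target == dest_root or target.startswith(dest_root + os.sep)


def safe_extract(archive_bytes, dest_dir):
    """Extract, refusing the whole archive if any entry would escape dest_dir.
    Every name is validated before anything is written, so a rejected archive
    leaves nothing behind. Returns the file paths written."""
    dest_root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = zf.infolist()
        escaping = [m.filename for m in members
                    if not is_safe_member(dest_root, m.filename)]
        if escaping:
            raise ValueError("refusing archive, Zip Slip entries: %r" % escaping)
        for m in members:
            target = os.path.realpath(os.path.join(dest_root, m.filename))
            if m.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_demo():
    """Run both archives against a scratch directory and report what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as out:
        real_out = os.path.realpath(out)
        result["naive_path"] = naive_target_path(out, "../../evil.sh")
        try:
            safe_extract(ZIP_SLIP_ARCHIVE, out)
            result["zip_slip_blocked"] = False
        except ValueError:
            result["zip_slip_blocked"] = True
        result["leftover_after_block"] = os.listdir(out)
        benign = build_archive({"docs/readme.txt": "harmless\n"})
        paths = safe_extract(benign, out)
        result["benign_written"] = [os.path.relpath(p, real_out) for p in paths]
        with open(paths[0]) as fh:
            result["benign_content"] = fh.read()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Python's own ZipFile.extractall already strips traversal components, but plenty of hand-rolled extractors (and the Java, .NET and Go libraries Snyk catalogued) do the naive join, which is the whole point of the archives in that repo.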

 

Didier Stevens is oft referenced in these missives, and he had a really productive May.  I'll just link to his own overview.  Lots of great appsec content.

https://blog.didierstevens.com/2018/06/05/overview-of-content-published-in-may-3/

 

XSS on ESPN's site.  Stuff is just everywhere:

http://seclists.org/fulldisclosure/2018/Jun/22

 

Oh man, I forgot about this one.  Remote code execution on a voice-based AI, Mycroft, the open-source one.  You know, one of those smart speakers?  Incredible stuff.  Now I wanna go test my Echo.

https://github.com/Nhoya/MycroftAI-RCE

 

And we'll finish up with a breakdown by El Reg of all of the week's data breaches.

https://www.theregister.co.uk/AMP/2018/06/09/what_got_breached_this_week_ticket_portals_dna_sites_and_atlantas_police_cameras/

 

Have a good week, everyone. I'm going back to bed. Oh, and that's the news.

Application Security Weekly for June 3

My good friends at AppSec Consulting tipped me off to this really neat finding.  It's a SAML authentication bypass: an XML comment dropped into the NameID survives signature validation (canonicalization strips comments) but truncates the username the service provider reads.  They didn't discover it, but they have been using it in tests and it works well.

https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability
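Here is the mechanism in miniature, as an added example of mine rather than anything from the Okta or Duo write-ups. It uses Python's standard library only: the Subject fragments are constructed, there is no real XML signature, and ET.canonicalize stands in for the canonicalization step a signature verifier performs before hashing. The names ORIGINAL_SUBJECT, TAMPERED_SUBJECT and the extract_nameid_* functions are mine.

```python
from xml.dom import minidom
import xml.etree.ElementTree as ET

# Constructed assertion fragments. The attacker owns the IdP account
# user@example.com.evil.com; the tampered copy has an empty XML comment
# spliced into the NameID text after the victim's address.
ORIGINAL_SUBJECT = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<NameID>user@example.com.evil.com</NameID>'
    '</Subject>'
)
TAMPERED_SUBJECT = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<NameID>user@example.com<!---->.evil.com</NameID>'
    '</Subject>'
)


def canonical_form(xml_text):
    """C14N without comments, the form XML-DSig signatures in SAML are
    normally computed over. Comments vanish and the two text runs merge,
    so a signature made over the original also verifies over the copy."""
    return ET.canonicalize(xml_text, with_comments=False)


def extract_nameid_buggy(xml_text):
    """The pattern that bit several SAML libraries: take the first text node
    under NameID and stop. The comment splits the text into two nodes, so
    only 'user@example.com' comes back and the attacker logs in as the victim."""
    node = minidom.parseString(xml_text).getElementsByTagName("NameID")[0]
    return node.firstChild.data


def extract_nameid_fixed(xml_text):
    """Concatenate every text child (matching what C14N signed) and refuse
    child elements, which have no business inside a NameID."""
    node = minidom.parseString(xml_text).getElementsByTagName("NameID")[0]
    parts = []
    for child in node.childNodes:
        if child.nodeType == child.TEXT_NODE:
            parts.append(child.data)
        elif child.nodeType == child.COMMENT_NODE:
            continue
        else:
            raise ValueError("unexpected node inside NameID: %r" % child.nodeName)
    return "".join(parts)


if __name__ == "__main__":
    print("signature input identical:",
          canonical_form(ORIGINAL_SUBJECT) == canonical_form(TAMPERED_SUBJECT))
    print("buggy SP sees:", extract_nameid_buggy(TAMPERED_SUBJECT))
    print("fixed SP sees:", extract_nameid_fixed(TAMPERED_SUBJECT))
```

The practical check for a tester is the one in the main block: if the canonical form does not change and the extracted identity does, the service provider is using the buggy pattern.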

 

Remember JScript, that attempt by Microsoft to take over ECMAScript?  Yeah, neither does anyone else, but it is still in Windows and it has an RCE vulnerability.

https://securityaffairs.co/wordpress/73076/hacking/jscript-component-0day.html

 

Apparently it's the theme today, so I'll point out that an RCE vulnerability was found in the Steam client, and it has a good writeup.

https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client

 

In a previous post I mentioned the sheer mass of Redis servers left open on the Internet.  Someone has now written a worm for them, and 75% are infected.

https://www.incapsula.com/blog/report-75-of-open-redis-servers-are-infected.html

 

And that's the news.

S


Update git. It has an RCE vulnerability

There is a new version of git (2.17.1 and the matching maintenance releases), including Git for Windows and the copy bundled with VSTS, that you should move to immediately.

https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/

Turns out there is a remote code execution vulnerability in git, CVE-2018-11235: a malicious repository can carry a crafted .gitmodules file whose submodule name traverses out of the .git/modules directory, which lets the repository plant a hook that runs during git clone --recurse-submodules.  So a malicious repo can really cause a mess.  Update right away.

This news brief brought to you by Application Security Weekly.  Now back to your regularly scheduled cat video.

 

He's so proud of his catch until he realizes...it's all a lie from r/aww

Application Security Weekly for May 27

Portswigger (who builds Burp Suite) has a great article about finding vulnerabilities in bug bounty programs.  Must read.

https://portswigger.net/blog/so-you-want-to-be-a-web-security-researcher

 

SANS has a great article about Antivirus evasion.  Don't try this at home.

https://isc.sans.edu/diary.html

 

Oh hey I almost forgot about this one.  Remember that Electron bug that was patched?  It didn't work.  Patch again.

(Maybe we shouldn't write Windows apps in JavaScript.  Hmm.)

https://www.theregister.co.uk/2018/05/25/electron_patches_blacklist_error/

 

REALLY cool use of HTML5 to attack iOS.  Neat stuff, good writeup.

https://blogthemediatrust.wordpress.com/2018/05/25/html5-safe-haven-malware/

 

And that's the news.

S

Application Security Weekly for May 20

Pretty big encryption news this week.  A well known flaw in HTML emails that are encrypted with S/MIME or PGP was "discovered" by some researchers, and given the full name, website, and logo treatment.  Even the EFF chimed in and astonishingly suggested people uninstall their encryption tools. The risk was largely overblown; take a look at the #efail tag on Twitter.  Here are a few links that give part of the story.

https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

https://efail.de/

https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

 

Have you updated your Electron app?  Hope so - there was a pretty bad code-injection flaw.

https://www.theregister.co.uk/2018/05/14/electron_xss_vulnerability_cve_2018_1000136/

 

Pro tip: Don't hardcode passwords into your devices.  Full stop.

https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-enterprise-software-again/

 

A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations

https://www.zdnet.com/article/cell-phone-tracking-firm-exposed-millions-of-americans-real-time-locations/

 

And that's the news.

S

Application Security Weekly for May 13

Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax

http://fortune.com/2018/05/07/security-equifax-vulnerability-download/

 

Another fun iOS bug - The Black Dot of Death

https://www.cultofmac.com/546951/black-dot-of-death-bug/

 

The Ring doorbell doesn't invalidate existing OAuth refresh tokens when the password is changed, so whoever already held a token keeps watching.  How could they miss that?

https://www.theinformation.com/articles/how-amazons-latest-security-device-let-people-spy-on-you
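What "invalidate on password change" looks like in code, as an added example of mine (not Ring's or Amazon's code, and not any particular OAuth library). The AccountService class, its cred_generation field and the in-memory tables are assumptions standing in for real account and token stores; the idea is that every refresh token is bound to the credential generation it was issued under, so a password change kills all of them at once without scanning the token table.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt):
    # PBKDF2 is the stdlib option; any slow, salted password hash works here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hash_token(token):
    # Refresh tokens are stored hashed so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountService:
    """In-memory stand-in for the account and refresh-token tables. The field
    that matters is cred_generation: every refresh token records the
    generation it was issued under, and a password change bumps it."""

    def __init__(self, refresh_ttl_seconds=30 * 24 * 3600):
        self.users = {}           # username -> {pw_salt, pw_hash, cred_generation}
        self.refresh_tokens = {}  # sha256(token) -> {sub, generation, expires}
        self.refresh_ttl = refresh_ttl_seconds

    def create_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"pw_salt": salt,
                                "pw_hash": hash_password(password, salt),
                                "cred_generation": 1}

    def issue_refresh_token(self, username):
        user = self.users[username]
        token = secrets.token_urlsafe(32)   # opaque; the client sees no structure
        self.refresh_tokens[hash_token(token)] = {
            "sub": username,
            "generation": user["cred_generation"],
            "expires": time.time() + self.refresh_ttl,
        }
        return token

    def redeem_refresh_token(self, token):
        """Username the token belongs to, or None. A token issued before the
        latest password change fails the generation check even though it has
        not expired and its row was never explicitly deleted."""
        record = self.refresh_tokens.get(hash_token(token))
        if record is None or record["expires"] < time.time():
            return None
        user = self.users.get(record["sub"])
        if user is None or record["generation"] != user["cred_generation"]:
            return None
        return record["sub"]

    def change_password(self, username, old_password, new_password):
        user = self.users[username]
        if not hmac.compare_digest(user["pw_hash"],
                                   hash_password(old_password, user["pw_salt"])):
            raise PermissionError("current password did not match")
        salt = secrets.token_bytes(16)
        user["pw_salt"] = salt
        user["pw_hash"] = hash_password(new_password, salt)
        # The step the doorbell skipped: everything issued under the old
        # generation is dead from here on, no token scan required.
        user["cred_generation"] += 1

    def purge_stale_tokens(self):
        """Housekeeping only: drop rows whose generation is behind the user's
        current one. Correctness does not depend on it; redeem already checks."""
        before = len(self.refresh_tokens)
        self.refresh_tokens = {
            h: r for h, r in self.refresh_tokens.items()
            if r["sub"] in self.users
            and r["generation"] == self.users[r["sub"]]["cred_generation"]
        }
        return before - len(self.refresh_tokens)


if __name__ == "__main__":
    svc = AccountService()
    svc.create_user("alice", "hunter2")
    old = svc.issue_refresh_token("alice")
    svc.change_password("alice", "hunter2", "correct horse battery staple")
    print("old token after password change:", svc.redeem_refresh_token(old))
```

The same generation counter should also be checked when validating any access tokens or sessions you hand out, and bumped on other credential events (recovery, admin reset, MFA change), otherwise you have only closed one door.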

 

Introducing Throwhammer - Rowhammer over the network

https://thehackernews.com/2018/05/rowhammer-attack-exploit.html

 

And that's the news.

S

Telling Developers About Vulnerabilities Isn't Enough

To many security firms, a web application vulnerability assessment is a list of confirmed exploitable findings in a web application.  They index the site, run scans, manually test, do research, and write them all down.  The report will get you through a PCI audit.

That's not enough.  You must tell the developer how to fix the problem, and "apply patches" isn't enough.  If you find cross-site request forgery and can't explain to the developer how to fix the problem on their platform, you aren't doing enough.  "Add a token" isn't enough.  "Apply fix as appropriate for your language" isn't enough.  If you don't know, that's fine, but learn.  

We are, as an industry, doing a tremendous disservice to companies by selling them 68 pages of non-actionable fluff for $10,000.  If you, as a tester, aren't sure how to fix it, look it up, ask someone, or work directly with the developer to find a solution.

Application Security Weekly for May 6

Good intro to fingerprinting web servers.  This has been codified in the past but the tools are all old.  Need to resurrect an open source project.

https://isc.sans.edu/forums/diary/Another+approach+to+webapplication+fingerprinting/23605/

 

I mentioned CVE-2018-2628 and my Nikto test for it in an earlier newsletter.  Well, apparently the patch doesn't work.  

https://securityaffairs.co/wordpress/71951/hacking/oracle-botches-cve-2018-2628-patch.html

 

Nice video of finding and exploiting another hole in the PDF format.  Apparently they are so common now we just livestream them.

https://www.youtube.com/watch?v=8VLNPIIgKbQ

 

I am fond of saying that the government can outlaw as much encryption as they want; if the bad guys have two coins and a pencil, they can make as much unbreakable encryption as they want with a one-time pad.  (Not my line, and I don't remember the source, sorry.)  Here is another nice new pencil-and-paper cipher.

https://www.schneier.com/blog/archives/2018/05/lc4_another_pen.html

 

Finally.  PHP has a security flaw.  WHAT YEAR IS IT??

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-046/

 

And that's the news.

Base64 is not encryption

I posted a silly tweet after finding a vulnerability in an Android app the other day.  It grew legs and is making its way around.

 

 

I've gotten a few funny replies, but not as good as the QA tweet - mostly "Well duh" or "It isn't" or "People think that?" So I wanted to write a short explainer.

Base64 looks like encryption.  The nice readable text gets all scrambled up.  For instance the text of the tweet turns into this:

QmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLg==

See, not even spaces!  Wild stuff!  But it is not encrypted.  Base64 is an encoding, not a cipher: it turns arbitrary bytes (a binary file, a serialized object, whatever) into a string made of 64 printable ASCII characters so the data can pass through places that only tolerate plain text, like a cookie, a URL, a form field, or an email body.  If you serialize an object and save it, you'll have unreadable bytes in there; base64 encode it and you can stuff it in a cookie.  It's super handy, but it is not protected: there is no key, so anyone holding the string can turn it back into the original bytes.  The page I used to encode the example above is here:

https://www.base64encode.org/

So to give a concrete example, if you use Apache MyFaces or ASP.NET Web Forms with view state protection switched off (older versions let you do that; ASP.NET 4.5.2 and later refuse to turn the MAC off), then your viewstate is just Base64 encoded.  Don't believe me?  View source, find the viewstate, and paste it into the site above.  It will probably decode for you.  Note that a MAC stops an attacker from changing the data, not from reading it, so even a MAC-protected viewstate decodes to readable content.  If there is no MAC, an attacker can change that data and resubmit, so take care!
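To make the point concrete, here is an added example (mine, not the tweet's and not ASP.NET's or MyFaces' code) that shows both halves: "just Base64" state that anyone can decode, edit and re-encode, next to the same state with an HMAC over it, which still decodes but can no longer be modified. The format mimics the idea behind a view state MAC rather than any real framework's wire format; STATE_KEY is assumed to come from configuration, and the encode_state, protect_state and verify_state names are mine.

```python
import base64
import hashlib
import hmac
import json
import secrets


def encode_state(data):
    """'Just Base64' state: JSON bytes run through base64. There is no key,
    so anyone holding the string can reverse it."""
    return base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_state(blob):
    return json.loads(base64.b64decode(blob))


def forge_unprotected(blob, changes):
    """The attacker's move against unprotected state: decode, edit, re-encode.
    The server has no way to tell the result from something it produced."""
    data = decode_state(blob)
    data.update(changes)
    return encode_state(data)


# Assumption: a real app loads this from configuration and shares it across
# every server in the farm (the ASP.NET analogue is the machineKey).
STATE_KEY = secrets.token_bytes(32)


def protect_state(data, key=STATE_KEY):
    """Base64 plus an HMAC-SHA256 tag over the encoded payload. The client can
    still read the payload (no confidentiality), but cannot change it without
    producing a new tag, which needs the key."""
    payload = encode_state(data)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + base64.b64encode(tag).decode()


def verify_state(blob, key=STATE_KEY):
    """Returns the decoded state, or None for a missing, malformed or
    mismatching tag. compare_digest keeps the comparison constant-time."""
    try:
        payload, tag_b64 = blob.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(tag_b64)):
            return None
        return decode_state(payload)
    except ValueError:          # bad base64, bad JSON, or no '.' separator
        return None


if __name__ == "__main__":
    state = {"user": "bob", "role": "viewer"}
    unprotected = encode_state(state)
    print("decodes with no key:", decode_state(unprotected))
    forged = forge_unprotected(unprotected, {"role": "admin"})
    print("forged role the server would accept:", decode_state(forged)["role"])
    protected = protect_state(state)
    print("protected state is still readable:", decode_state(protected.split(".")[0]))
    forged_protected = encode_state({"user": "bob", "role": "admin"}) + "." + protected.split(".")[1]
    print("forged protected state verifies as:", verify_state(forged_protected))
```

If the state also needs to be unreadable (a user id is fine to expose, a price or an internal flag often is not), the MAC alone does not help; that is where actual encryption with a separate key comes in, which is what the cheat sheet below covers.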

To learn even more, check out the OWASP Cryptographic Storage Cheat Sheet.

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 
