Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
- Chess.com is the most popular chess website that has cool features like analysis of games, puzzles and online playing modes. Finding vulnerabilities in this could hurt the reputation of big time players if used in targeted attacks.
- At first, the author found a reflected XSS. Using this, an attacker could use the Connect to Google feature to add a backdoor into their account. Even though this is an impactful bug, it does require user interaction.
- Using Burp interceptor, the author decided to look at the traffic being sent over from chess.com. From just viewing the traffic, he realized that a substantial amount of data was being sent over in requests about other users (while searching) for them. Initially, he only realized that an email was being sent over.
- The requests were being signed though. So, tampering with the requests was not trivial to do. Because this was being done client-side, altering this was possible, but would be tedious to figure out.
- Besides an email, the session id was being sent in the request! This session id was the same value as the PHPSessId value... this meant a simple query for a user would allow you to take over the account.
- And that is game over folks! The author decided to take over the account of a known administrator on the site, just for the fun of it though.
Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi Module
Uriya Yavniely - Vdoo Reference →Posted 5 Years Ago- This WiFi chip supports several WiFi protocols, such as WEP and WPA, WPA2 and so on. Being able to compromise a device by simply having a WiFi interface is a big deal. The first two issues do not require knowledge of the PSK in order to exploit.
- One of the connection types does a
memcpywith a user controlled size and buffer. Because the buffer is static, this leads to a classic buffer overflow on the stack! Using this vulnerability, RIP can be overwritten, resulting in complete compromise of the device. - At first, I thought "what about DEP and ASLR!? You would need to get incredibly lucky to guess these!" Well, it turns out, that the WiFi chip has zero binary protections, making compromise trivial.
- Besides this major bug, there is an OOB read via sending a maliciously size in one of the packets. The data is copied from a static buffer of size 512, while the size can be anything. This could have been used to bypass ASLR even if the binary protections were in place with the original vulnerability.
- Several other buffer overflow vulnerabilities exist but they are a little more involved to do and require knowledge of the PSK. The bad design pattern for these is a user controlled buffer size being used on a static buffer. This is done both by memcpys and iterating too far in arrays.
- There is still low-hanging fruit everywhere. We just need to know where to look at! Sometimes, the setup process for harder to understand/setup attack surfaces is the best place to hit. The easier stuff to test has already been hit hard!
- Containerization has gotten extremely popular in the last 5 years. But, how do containers really work? At the core, they use a few built in OS mechanics.
- The first part of a container is the file system. Contains just take a stripped down version of an OS, put it into a compressed file, then open up the file to get the file system. Nothing to interesting or crazy but good to know.
- The second tool is a syscall named chroot. This restricts the process to a specific directory to treat it as the
/directory. - Chroot restricts access to the rest of the file system but nothing else. Using a command, such as top, still shows all of the process information. The solution for this is using namespaces.
- The unshare syscall allows for easy creation of namespaces by creating a restricted view, in terms of processes, network interfaces and mounts.
- The setns syscall allows for some customization of namespaces. For instance, two namespaces may want to share network interfaces but not process information.
- cgroups (short for control groups) allow for isolation on computer resources, such as memory and CPU. This allows for containers to not be able to hog resources from the computer.
- The final main discussion point is Linux Capabilities. In short, capabilities are a collection of powers that make up root permissions, such as using chown or setting the system clock.
- Besides this functionality, several pieces of functionality have been added, such as Seccomp and Security Enhanced Linux (SELinux).
Exploiting mmap() with MAP_SHARE and PROT_WRITE to get root on SerenityOS
Andreas Kling Reference →Posted 5 Years Ago- The
mmapsyscall is used in order to load code in prior to executing a file. When loading a binary withMMAP_SHARED(which is common so that memory can be shared), the memory is writable, if loaded. - So, by opening up the mmaped file as writable, we can edit the memory across processes. Using this, we can edit the root shell process in order to escalate to root! Modifying an arbitrary process inline is a powerful primitive.
- In order to exploit this, the author wrote some assembly, mmaped a region of a running process, then overwrite the code in this process. Once the code is triggered, a setuid root shell is created that pops a root shell.
- The actual trick for making this consistent was interesting. The author found a line of code that only occurred upon sending the process a signal. This allowed for the write to occur, then for the code to execute, removing the need to win a race condition.
- The bug stems from the issue that there is no verification on a previous file mappings permissions. If validation was done to to check the permissions (writable, readable, executable, etc.), then this would not have been possible. So, the fix is to verify these mapping permissions in the
mmapsyscall.
- Nespresso is a popular coffee machine that has custom smart cards in an office setting. These smart cards are using the known vulnerable mifare classic brand.
- The author, knowing the cards were by default vulnerable, made an assumption that data was being stored on the smart card (and not on a server). Once the author made this assumption, they attempted to crack the keys of the smart card using known software.
- However, this software had some issues. So, the author posted a few pull requests to get the key extraction process to work. Now, the encryption keys for the cards were cracked.
- If the money is stored on the card, how do we know where? Simple: view, make a transaction then see what values change. By knowing how much money was on the card, purchasing something, then checking the value again, the binary dump showed where to alter.
- Using some of the already available tools, the author set the money value to a ridiculously high number that was not even possible to display on the coffee machine (lolz). Pwnage complete!
- The mitigations for this issue would be to use newer smart cards or store the data server-side. When the author disclosed to Nespresso they already offered by in newer products.
Docker Patched the Most Severe Copy Vulnerability to Date With CVE-2019-14271
Yuval Avrahami - paloaltonetworks Reference →Posted 5 Years Ago- Docker is a wildly used containerization solution. It allows for the build once, run everywhere by building it in the same env every time. Although Docker is not considered a safe sandbox, finding container escapes within Docker are usually a big deal.
cp(yes, like in Unix terminals) is command to copy files. This same command can be used to transfer files between host and containers. In recent years, lots of issues have came up in containers because of this command.- In this example, the cp command was subject to a race condition on symbolic links. The validation and the usage were done at different points, creating a TOCTOU issue.
- The main bug of the article posted results from the
docker cploading libraries at runtime for this command. By usingchrootto go into the container directory for the copy, it prevents symbolic links. But, the dynamically loaded libraries are loaded within the container! - So, a malicious actor who has compromised the container could add a set of malicious libraries for docker to load. Now, we can execute code on the host when it leaves the container.
- This issue was discovered completely by accident at here for functionality reasons with the library loading. The fix for this was loading the libraries prior to chrooting into the container.
- The Ptrace API is how debuggers do what they do! Using this API, we can ask the kernel about information on another process. This API is very complicated and not the most well-documented. So, I wanted to add some personal notes on Ptrace while I have been dealing with it.
- Using this API, you can read/write registers and memory, pause execution, set breakpoints (kind of), send/view signals and set a bunch of flags for the connection. Usage of these functions is none trivial though; for instance, you have to get ALL registers, not just one.
- Using this functionality, functions like backtrace, disassembly and other things are easy to implement. Adding in DWARF (debugging symbols) and ELF parsing, we can have source code level debugging too.
- Breakpoints are complicated though... What we consider a breakpoint would be considered a watchpoint by the hardware. Linux x86 does not allow for setting the actual breakpoint hardware; instead, we have to modify the code (in the debuggee) to interrupt once it hits the line of code we are debugging.
- To handle breakpoints (in the debugger), the function waitpid is used. This function stops once the process has changed state (crashed, breakpoint, start, etc.).
- Ptrace on Linux is super buggy though. Here are a few things to consider:
- Can only handle one threat at a time. I have no idea how GDB handles multi-threaded processes.
- Does not have direct support for memory information about the process. Instead,
/procmust be used. This is extremely annoying and tedious to work with. - I could never get the signal display working for waitpid. I have no idea why.
- Clearly, being able to read from the memory of another process would cause a major security issue. Because of this, a few special security precautions have been added to this:
- You cannot ptrace setuid binaries.
- A special configuration file was created in order to specify WHO can attach to processes:
ptrace_scope.
- Prior to ptrace_scope malware was used to inject code into processes! Because of this, special permissions were added to who can and cannot use ptrace_scope.
- 0 - classic ptrace permissions allow attaching to ANY process with the same UID
- 1 - A process must have a predefined relationship, usually a parent-child relationship.
- 2 - Admin only attaching. The user must have the
CAP_SYS_PTRACEcapability. - 3 - No attaching for debugging at all. Once set, this value CANNNOT be changed.
- Besides the ptrace_scope, setuid processes cannot be debugged with ptrace to prevent easy privilege escalation. You can even ptrace your parent in some cases!
- Next time you use GDB just think about how vastly complicated it actually is! I have a new-found appreciation of GDB after trying to make my own debugger.
- Facebook Gameroom is a Desktop application for gaming. I had never heard of this before!
- The first vulnerability was the configuration file was just one large serailized payload. Using this, editing a configuration file led to the compromise of the application. However, because this does not result in any privilege escalation, Facebook denied it as a finding.
- The second finding was an issue with the custom URI scheme made by the application:
fbgames://. By design, this could be used to load an arbitrary exe on the system, but was stopped by a dialog for the user to click. - The author did find a validation issue on the link going to a Facebook games URL. Using this poor validation, an attacker could send a user to several different and unintended Facebook domains. This normally would not be a big deal but the Chrome version was 3 years outdated. But loading an arbitrary site, the embedded Chrome browser could be compromised.
- C# native apps are very easy to reverse too. Using tools like DotNetSpy and others make this part easy. The author mentions that the attack surface for Desktop applications is much different; to me, this is because browsers protect us from so much and we take this for granted.
- WebOS is a Linux based distro that was built by Palm back in the day. In recent times, LG uses it on a large amount of their smart devices.
- WebOS's application are all called web apps, which was essentially JavaScript applications running. webOS also implements an API that allows for communication with the underlying system called Luna.
- One of these APIs allows for the downloading of files onto the system. Only privileged users can specify the download location. What if we could convince the service that we should be able to hit this endpoint?
- The service validates that a specify string is in the package name prior to running it (
com.palm, com.webos and com.lge.). To me, this looks extra permissive. From researching the setuid binaries, one of the CLI tools had a prefix with this package name! - Because of this, the CLI tools could be used in order to hit this endpoint and specify the location to download the file AS root.
- For exploitation, a binary cannot simply be overwritten because the file will not have the executable bit turned on (this is a good thing for security). So, the author choose to overwrite a configuration file that pointed to a shell script, which runs at booting time. Just restart the box and we have root :)
Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform
Sivathmican Sivakumaran - ZDI Reference →Posted 5 Years Ago- The Solarwinds breach affected the bulk of Fortune 500 companies across the United States. For obvious reasons, people started looking at this widely used software's security.
- The most impactful bug was an authorization bypass by containing one of the following keys: Skipi18n, i18n.ashx and others. The idea was that the JavaScript and CSS files needed to be gathered without authorization. So, these keyed strings were checked for. However, simply adding these to the request (unsure if this is just the path or query parameters too) skipped authorization.
- With the authorization bypass in place, it is time to take over the device. A non-administrative user is able to specify a running VBS script to execute upon some alert happening. But, the path for the interpreter is included, allowing an attacker to set this to
cmd.exeThe final bug is just the ability to run arbitrary SQL from a request, by design. I personally feel this is an intended feature and not a vulnerability though. The threat model assumes that only authenticated users can access this functionality anyway.
