Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The never ending problems of local ASLR holes in Linux- 153

blazeinfosec    Reference →Posted 6 Years Ago
  • Address Space Layout Randomization (ASLR) is a defense-in-depth security mechanism that randomizes the memory locations of the stack, heap and other data regions (not the code itself, though). It was built into the kernel of most OSes to raise the bar for exploitation. If a memory leak cannot be found, exploitation is almost impossible (unless you're Google).
  • Although ASLR has mitigated a ton of remote attacks, locally it has been a recurring problem.
  • Several exploits have been written that allow for the leaking of pointers and other sensitive pieces of information by viewing the process information. This article chronologically goes over these exploits.

Shopping for an admin account via path traversal- 152

Gitlab    Reference →Posted 6 Years Ago
  • Path traversal is a way to move up a directory by using the common ../ sequence. I usually think of this as a vulnerability associated with handling files.
  • This vulnerability occurs because two REST API calls talk to each other. The first request has a parameter for some ID value. If that ID is set to ../something, the next REST call moves up a directory in the URL before making the call!
  • Finally, to make this exploitable, the API handler for the second REST call allows for ?parameter=some_value. So, the directory traversal can be used to hit internal APIs (that should not be accessible) with parameters!
  • The example in the post can be used to promote any account to admin! The request some_api/(../users/?admin=true), where the ID is the item in parentheses, gets translated to api/v4/users/?admin=true. This almost acts like an interesting SSRF attack.
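To make the traversal concrete, here is an added Python sketch (not GitLab's code) of the pattern described above: an ID taken from one API request is spliced into the URL of an internal request, beside the allow-list and percent-encoding that stop it. The internal base URL, the numeric-ID rule and the function names are assumptions.

```python
"""Path traversal through a second REST call (constructed example)."""
import posixpath
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Hypothetical internal API prefix; the real service layout is not on the page.
INTERNAL_BASE = "http://internal/api/v4/projects/"
ID_PATTERN = re.compile(r"[0-9]{1,20}")   # assumption: resource IDs are numeric


def normalize(url: str) -> str:
    """Collapse '..' segments the way the receiving HTTP stack will before
    routing, so we see the request the internal API actually handles."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path)
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"                         # normpath drops trailing slashes
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def vulnerable_url(resource_id: str) -> str:
    """Naive concatenation: the caller-supplied ID controls both the path
    (via '../') and the query string (via '?')."""
    return normalize(INTERNAL_BASE + resource_id)


def is_safe_id(resource_id: str) -> bool:
    """Allow-list check: anything that is not a plain numeric ID is rejected."""
    return ID_PATTERN.fullmatch(resource_id) is not None


def hardened_url(resource_id: str) -> str:
    """Validate, percent-encode the ID so it can only ever be a single path
    segment, then confirm the resolved URL never left the prefix."""
    if not is_safe_id(resource_id):
        raise ValueError("invalid resource id")
    url = normalize(INTERNAL_BASE + quote(resource_id, safe=""))
    if not url.startswith(INTERNAL_BASE):
        raise ValueError("resolved URL escaped the API prefix")
    return url


def encoded_only_url(resource_id: str) -> str:
    """Second layer on its own: even without the allow-list, encoding '/' and
    '?' keeps the whole ID inside one segment under the prefix."""
    return normalize(INTERNAL_BASE + quote(resource_id, safe=""))


if __name__ == "__main__":
    evil = "../users/?admin=true"           # the traversal from the write-up
    print("vulnerable:", vulnerable_url(evil))
    print("encoded:   ", encoded_only_url(evil))
    print("allow-list:", is_safe_id(evil))
```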

Buffer Overflow in Sudo - 151

Dylan Katz    Reference →Posted 6 Years Ago
  • There is a buffer overflow in Sudo! For it to occur, the pwfeedback feature needs to be turned on.
  • The bug occurs because of bad parsing in certain situations where characters cannot be written back to the terminal. In order to exploit this, create a pty (pseudo terminal) and set this to READ ONLY.
  • The bad parsing occurs when a pointer (cp, the current pointer) does not get reset to its original value when the write error occurs.
  • The exploitation was actually really straightforward! The overflowed buffer lived in .bss, and there are no canaries in .bss. So, there is no way to detect at the binary level whether the bug has been triggered or not.
  • Quite a ways down into the .bss section is a variable called User Details. By overwriting the uid field in this struct with 0's, we get a privilege escalation to root (uid 0).
  • Another fantastic write-up for the exploit: iamalsaher
  • I thought of this while using Zoom... But, I then assumed that it was too simple to test... Just iterate through IDs and join meetings!
  • Sometimes, the simple things are what works! So, make sure to try even the simplest of things on a site!

Top 5 Favorite Bugs Reported at Dropbox- 149

Dropbox    Reference →Posted 6 Years Ago
  • The first two vulnerabilities (private link password bypass and HTML injection) seemed to occur because a single enforcement point was not being used for actions. If the link was viewed through a particular API, then the document could still be viewed (without a password)! Additionally, HTML injection into the username was only possible when uploading via a CSV file.
  • The second to last bug is very interesting! Dropbox wants to load the document 'byte for byte' while keeping it safe for other users. Obviously, XSS could be devastating in this context. So, the domain dropboxusercontents.com is used so that any XSS executes in a throwaway origin, protecting unsuspecting victims from potential compromise. Seems like a good thought, right?
  • Somebody found a crazy bypass to this with a little known browser feature called App Cache Manifest (ACM). The ACM is used to tell the browser which files to cache locally. Using the App Cache Manifest allowed pages to be loaded within the normal Dropbox domain, making XSS very impactful. They abused the ACM's fallback mechanism, which allows a page to be served when something else fails to load.
  • I found Dropbox including the mitigations to be really interesting too. They have an insane amount of defense-in-depth in order to limit the impact of vulnerabilities before they even happen. For instance, they have extensive jailing in place that restricts how long connections can stay open and which syscalls can be used.

Type Juggling- 148

Chris Smith    Reference →Posted 6 Years Ago
  • PHP has two operators for comparisons: == and ===. The triple equals sign is a strict operator, while the double equals sign is a loose operator. The loose operator brings PHP's type juggling into the mix, which can cause major security issues.
  • This presentation goes over how integer type juggling can lead to weird logic, bypassing security constraints.

Looking Back at the Zero Day Initiative in 2019- 147

ZDI    Reference →Posted 6 Years Ago
  • The Zero Day Initiative (ZDI) purchases bugs from security researchers and sells them back to the companies (Microsoft and so on). They give a year in review that has some interesting statistics about vulnerability hunting and exploitation. This will be a list of things that I found interesting from the article.
  • Most of the Microsoft bugs being purchased in the past have been Browser related. This year, however, there was a large increase in bugs in the Windows OS itself.
  • Most common vulnerabilities:
    1. Out of Bounds Read (205)
    2. Use After Free (160)
    3. All others (158)
    4. Out of Bounds Write (95)
    5. Stack Based Buffer Overflow (73)
    6. Expression Language Injection
    7. Untrusted Pointer Dereference (61)
    8. Heap Based Buffer Overflow (36)
    There are also a few other notable problems that are still prevalent but becoming less problematic:
    • Integer Overflow or Underflow (17)
    • Cleartext Storage of Sensitive Information (18)
    • Double Free (7)
    To me, it is really odd that stack overflows are more common than heap overflows. Considering how many more security mechanisms are in place for the stack, this surprised me.
  • Additionally, UAFs are all the rage! It is crazy how dangerous these can be! In the same class as UAFs, double frees are not as common as I expected.
  • Finally, Expression Language Injection was extremely common (at #6). This is something that we should be looking for much more often in 2020!
  • Overall, it is awesome to see into the minds of the world's best bug hunters and how they are exploiting the world's most popular software. Thanks for doing this ZDI!

How I was able to take over any users account with host header injection- 146

Ajay Gautam    Reference →Posted 6 Years Ago
  • Host header injection is a vulnerability where a remote attacker supplies a forged HTTP Host header in place of the real one, and the application trusts it.
  • "When creating URI for links in web applications, developers often use the HTTP Host header in order to poison the web-cache or password reset emails." - Tenable
  • In this application, there was a form that was used to reset passwords. However, the domain name (for the link) could be set arbitrarily by changing the Host header of the request.
  • Therefore, an attacker could easily set this Host Header to something they controlled. Then, when a user clicked on the link in their email, the attacker would have the password reset token!
  • In conclusion, do not trust input set on the client side :)
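The reset-link bug above, as an added Python illustration (not the affected application's code): one version builds the link's hostname from the Host header, the other checks the header against a server-side allow-list and builds the link from configuration. The hostnames, token and function names are assumptions.

```python
"""Password-reset links: Host header vs. server-side configuration
(constructed example, not the affected application's code)."""
from urllib.parse import urlencode

# Assumed deployment values; configured on the server, never taken from requests.
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST, "www.example.com"}


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Vulnerable: the hostname in the e-mailed link is whatever the request
    carried, so the reset token is delivered to a host the requester chose."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?{urlencode({'token': token})}"


def is_trusted_host(headers: dict) -> bool:
    """Compare the Host header (minus any :port) against the allow-list."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened: fail closed on an unknown Host, and build the link from the
    configured canonical host so the header is checked but never echoed."""
    if not is_trusted_host(headers):
        raise ValueError("untrusted Host header; reset e-mail not sent")
    return f"https://{CANONICAL_HOST}/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    forged = {"Host": "forged.example"}        # constructed request header
    print("vulnerable link:", reset_link_from_host_header(forged, "t0k3n"))
    print("trusted host?  ", is_trusted_host(forged))
    print("hardened link: ", reset_link_hardened({"Host": CANONICAL_HOST}, "t0k3n"))
```

A mismatch between the Host header and the allow-list is also worth logging, since a burst of such requests against the reset endpoint is a cheap detection signal.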

OK Google: bypass the authentication!- 145

Mattia Vinci    Reference →Posted 6 Years Ago
  • A target application was built for the Google Assistant, which used voice controls.
  • There are two main vulnerabilities here: failing open and exception handling.
  • First, by saying the words "A capo" (Italian for newline), the Google input device interpreted this as a literal newline ('\n'). The application assumed that the form had to have data inside of it.
  • The default intent was not the authentication page but the main page of the application. Therefore, once the crash happened (from the newline) then the app would reopen in the default intent!
  • Main things to take away: special characters, such as newlines and tabs, can cause major issues. Additionally, make sure everything fails closed, so that even a crash does not bypass the check.

XSS to XXE in Prince v10 and below- 144

Corben Leo    Reference →Posted 6 Years Ago
  • Prince is software that converts HTML, XHTML and several other formats to PDFs.
  • The XML parsing library allows External Entities to be loaded. Because of this, it is vulnerable to XXE.
  • The XXE vulnerability can be used for SSRF and/or to read files from the host OS.