
[tl;dr sec] #133 - Hunting Evasive Vulnerabilities, eBPF, Fuzzing

James Kettle on finding subtle bugs and bug classes, eBPF-related tools and backdoors, fuzzing Golang, malware, and getting higher coverage.

Hey there,

I hope you’ve been doing well!

Pura Vida

This week I’m in Costa Rica at an offsite with r2c’s Security Research team + friends!

It’s actually the first time we’ve ever all met in person, with people flying in from all over the U.S., France, Belgium, and Russia.

We’ve been having a blast: getting to know each other better, having meetings at the pool, going ziplining, and fending off more biodiversity than most of us are accustomed to.

Staying at a large Airbnb basically surrounded by jungle is humbling: you realize that it is in fact ants* that own this territory; you’re just a visitor.

Wait, so you wrote an issue of tl;dr sec in Costa Rica while your colleagues were having fun?

Yes 😅

*As well as the 5 inch spider we found in the common area, the bat that flew into the house, and countless other inch+ insects.

Sponsor

📢 Cloud SIEM Best Practices Guide: Learn how to apply Datadog Cloud SIEM best practices

Datadog Cloud SIEM, a part of the Datadog Cloud Security Platform, provides robust threat detection for dynamic, cloud-scale environments.

With Cloud SIEM, you can analyze operational and security logs in real time—regardless of their volume—while utilizing curated, out-of-the-box integrations and rules to detect threats.

In this guide, learn how to collect and leverage logs from popular technologies to monitor and secure your systems. Additionally, explore how to use authentication logs to detect common security threats.

Read Datadog's Cloud SIEM best practices guide to learn more.

📜 In this newsletter...

  • AppSec: Tool to probe for Java deserialization gadgets blind, the power of customizable, open source static analysis

  • Mobile Security: Flutter reverse engineering framework

  • Web Security: Hunting evasive vulnerabilities, mitmproxy to OpenAPI 3.0 specs

  • Cloud Security: Building a data perimeter on AWS, security reference architecture for a serverless app, complete AWS security maturity model

  • eBPF: Chinese eBPF backdoor, nmap for pids, tool to build, run and distribute eBPF programs using OCI images, Linux eBPF backdoor over TCP, flow-based IDS, using machine learning in eBPF

  • Supply Chain: Keyless git signing using Sigstore, how to sign Lambda function code built with GitHub Actions

  • Fuzzing: Getting higher observed fuzzing coverage, fuzzing ClamAV with real malware samples, fuzzing Golang

  • Politics / Privacy: How to disable ad ID tracking on iOS and Android, ICE uses data brokers to bypass surveillance restrictions

  • Misc: Avril Lavigne parody about Bitcoin

  • Productivity tools Katie Paxton-Fear uses every day: List of some useful tools

AppSec

BishopFox/GadgetProbe
Tool by Bishop Fox’s Jake Miller that helps you exploit Java deserialization bugs when none of the ysoserial payloads worked, and you need to debug or build a gadget chain totally blind. Probes endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

RE #3: I am not sure what the CodeQL target is? Security engineers?

The only way to scale is to have a dedicated rules team. With Semgrep I can talk to devs about writing their own rules.

Mobile Security

Impact-I/reFlutter
Flutter reverse engineering framework by @Impact_I that uses the patched version of the Flutter library which is already compiled and ready for app repacking. This library has a snapshot deserialization process modified to allow you to perform dynamic analysis in a convenient way.

Web Security

Hunting evasive vulnerabilities
Nullcon Berlin keynote by Portswigger’s James Kettle picks out evasive vulnerabilities found across a decade of web security research, exploring what factors hid both individual bugs and entire attack classes - and what gave them away. He extracts both specific techniques and broad principles that you can apply to find other overlooked flaws, as well as what doesn’t work, as he’s learnt quite a bit about that too.

See also James’ excellent post, So you want to be a web security researcher?

alufers/mitmproxy2swagger
Automatically convert mitmproxy captures to OpenAPI 3.0 specifications. Basically you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.
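To make the idea concrete, here is an added example (mine, not mitmproxy2swagger’s code) of the core inference step: fold a list of captured requests into an OpenAPI 3.0 document, turning id-looking path segments into path parameters and recording query parameters and the status codes actually observed. The capture format is a constructed, simplified list of flows, not mitmproxy’s real flow-dump format, and the host, paths and IDs are made up.

```python
"""Infer an OpenAPI 3.0 skeleton from captured HTTP traffic (added example)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: the requests an intercepting proxy would have recorded.
SAMPLE_FLOWS = [
    {"method": "GET", "url": "https://api.example.test/v1/users?page=2&limit=50",
     "status": 200, "response_type": "application/json"},
    {"method": "GET", "url": "https://api.example.test/v1/users/42",
     "status": 200, "response_type": "application/json"},
    {"method": "GET", "url": "https://api.example.test/v1/users/1337",
     "status": 404, "response_type": "application/json"},
    {"method": "DELETE", "url": "https://api.example.test/v1/users/42",
     "status": 204, "response_type": None},
    {"method": "POST", "url": "https://api.example.test/v1/users", "status": 201,
     "request_type": "application/json", "response_type": "application/json"},
    {"method": "GET", "url": "https://api.example.test/v1/orders/6f1d2c3b-4a5e-4f60-8b9a-0c1d2e3f4a5b/items",
     "status": 200, "response_type": "application/json"},
]

# Path segments that look like identifiers rather than resource names.
_ID_PATTERNS = (
    re.compile(r"^\d+$"),                                                # numeric id
    re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),    # UUID
    re.compile(r"^[0-9a-f]{16,}$", re.I),                                # long hex token
)


def templatize_path(path):
    """Replace id-like segments with {param} placeholders, naming them after the preceding resource.

    '/v1/users/42/orders/7' -> ('/v1/users/{userId}/orders/{orderId}', ['userId', 'orderId'])
    """
    template, params, prev = [], [], "item"
    for seg in (s for s in path.split("/") if s):
        if any(p.match(seg) for p in _ID_PATTERNS):
            name = prev.rstrip("s") + "Id"
            while name in params:            # keep parameter names unique within one path
                name += "_"
            params.append(name)
            template.append("{" + name + "}")
        else:
            prev = seg
            template.append(seg)
    return "/" + "/".join(template), params


def build_openapi(flows, title="Reverse-engineered API"):
    """Fold captured flows into an OpenAPI 3.0 document (returned as a dict)."""
    paths, servers = {}, []
    for flow in flows:
        parts = urlsplit(flow["url"])
        server = f"{parts.scheme}://{parts.netloc}"
        if server not in servers:
            servers.append(server)
        template, path_params = templatize_path(parts.path)
        op = paths.setdefault(template, {}).setdefault(flow["method"].lower(), {
            "parameters": [{"name": p, "in": "path", "required": True, "schema": {"type": "string"}}
                           for p in path_params],
            "responses": {},
        })
        # Query parameters seen in any capture of this operation are recorded as optional.
        seen = {(p["name"], p["in"]) for p in op["parameters"]}
        for name in parse_qs(parts.query):
            if (name, "query") not in seen:
                op["parameters"].append({"name": name, "in": "query", "required": False,
                                         "schema": {"type": "string"}})
                seen.add((name, "query"))
        if flow.get("request_type"):
            op["requestBody"] = {"content": {flow["request_type"]: {"schema": {"type": "object"}}}}
        resp = op["responses"].setdefault(str(flow["status"]),
                                          {"description": f"Observed HTTP {flow['status']}"})
        if flow.get("response_type"):
            resp.setdefault("content", {})[flow["response_type"]] = {"schema": {}}
    return {
        "openapi": "3.0.3",
        "info": {"title": title, "version": "0.0.1"},
        "servers": [{"url": s} for s in servers],
        "paths": paths,
    }


if __name__ == "__main__":
    print(json.dumps(build_openapi(SAMPLE_FLOWS), indent=2))
```

The usual caveat applies to any traffic-derived spec: it only covers the endpoints you actually exercised, and parameter types are guesses until you look at real payloads, so treat the output as a starting point for manual testing rather than as the API’s contract.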

Cloud Security

Building a Data Perimeter on AWS
An AWS whitepaper on best practices and available services for creating a perimeter around your identities, resources, and networks in AWS. See also this blog post by Ilya Epshteyn.
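The perimeter itself is enforced with Deny statements keyed on aws:PrincipalOrgID (identity) and aws:SourceVpce (network). As an added example (mine, not from the whitepaper or Ilya’s post), the script below models just enough of IAM condition evaluation to run two such statements against constructed request contexts, showing why they are written with ...IfExists operators and aws:PrincipalIsAWSService / aws:ViaAWSService carve-outs, and what a plain StringNotEquals lets through. The org ID, VPC endpoint ID and bucket are made up; the evaluator covers only the String and Bool operators used here and ignores Allow statements and cross-policy interactions.

```python
"""Evaluate AWS data-perimeter Deny statements against sample request contexts (added example)."""

ORG_ID = "o-example123"                       # constructed
VPCE_ID = "vpce-0123456789abcdef0"            # constructed
BUCKET_ARNS = ["arn:aws:s3:::perimeter-demo", "arn:aws:s3:::perimeter-demo/*"]

# Resource-policy statements in the shape AWS uses for a data perimeter on S3.
PERIMETER_STATEMENTS = [
    {   # Identity perimeter: only principals from our organization, or AWS service principals.
        "Sid": "IdentityPerimeter", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": BUCKET_ARNS,
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
        },
    },
    {   # Network perimeter: only via our VPC endpoint, unless an AWS service makes the call.
        "Sid": "NetworkPerimeter", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": BUCKET_ARNS,
        "Condition": {
            "StringNotEqualsIfExists": {"aws:SourceVpce": [VPCE_ID]},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
        },
    },
]

# Constructed request contexts, with the keys IAM would (or would not) populate.
SCENARIOS = {
    "org user via VPC endpoint": {"aws:PrincipalOrgID": ORG_ID, "aws:SourceVpce": VPCE_ID,
                                  "aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
    "org user from the internet": {"aws:PrincipalOrgID": ORG_ID,
                                   "aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
    "outside principal via VPC endpoint": {"aws:PrincipalOrgID": "o-attacker", "aws:SourceVpce": VPCE_ID,
                                           "aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
    "anonymous from the internet": {"aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
    "AWS service delivering logs": {"aws:PrincipalIsAWSService": "true"},   # no org, no VPC endpoint
    "org user through a service": {"aws:PrincipalOrgID": ORG_ID,
                                   "aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "true"},
}


def _condition_matches(operator, key, allowed, ctx):
    """One condition key under one operator, following IAM's rule for missing keys:
    a plain operator is false when the key is absent, an ...IfExists operator is true."""
    allowed = [str(v).lower() for v in (allowed if isinstance(allowed, list) else [allowed])]
    if key.lower() not in ctx:
        return operator.endswith("IfExists")
    actual = str(ctx[key.lower()]).lower()
    return (actual not in allowed) if "Not" in operator else (actual in allowed)


def statement_applies(statement, ctx):
    """Every operator and every key in the Condition block must match (values of one key are OR-ed)."""
    return all(
        _condition_matches(operator, key, allowed, ctx)
        for operator, keys in statement.get("Condition", {}).items()
        for key, allowed in keys.items()
    )


def matching_denies(statements, ctx):
    """Sids of the Deny statements that would block a request carrying this context."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    return [s["Sid"] for s in statements if s["Effect"] == "Deny" and statement_applies(s, ctx)]


def without_if_exists(statement):
    """The same statement with plain operators: a common mistake that lets key-less principals through."""
    weak = dict(statement, Sid=statement["Sid"] + "Weak", Condition={})
    for operator, keys in statement["Condition"].items():
        weak["Condition"][operator.replace("IfExists", "")] = keys
    return weak


if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        print(f"{name:36} denied by {matching_denies(PERIMETER_STATEMENTS, ctx) or 'nothing'}")
    weak = [without_if_exists(PERIMETER_STATEMENTS[0])]
    print("anonymous vs plain StringNotEquals:", matching_denies(weak, SCENARIOS["anonymous from the internet"]))
```

The last line is the point to remember: anonymous and service principals carry no aws:PrincipalOrgID at all, so a Deny built on plain StringNotEquals never fires for them, while the ...IfExists form does, and the aws:PrincipalIsAWSService check is what keeps log delivery and similar service-to-service traffic working.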

Security reference architecture for a serverless application
Salesforce’s Anunay Bhatt walks through the security controls you can apply to a demo serverless application, including authentication, authorization, infra least privilege, network security, code security, data protection, and logging.

Complete AWS Security Maturity Model
Great resource by AWS’ Dario Goldfarb et al breaking things down into the following phases: quick wins, foundational, efficient, and optimized.

eBPF

BPFDoor is interesting. It allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules. For example, if a webapp exists on port 443, it can listen and react on the existing port 443, and the implant can be reached over the webapp port (even with the webapp running). This is because it uses a BPF packet filter.

I swept the internet for BPFDoor throughout 2021, and discovered it is installed at organisations across the globe, in particular the US, South Korea, Hong Kong, Turkey, India, Viet Nam and Myanmar, and is highly evasive. These organisations include government systems, postal and logistic systems, education systems and more.
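To see why a BPF filter lets an implant share a port, here is an added example (mine, not BPFDoor’s code) of the mechanism: a classic BPF program for a raw AF_PACKET socket that accepts only TCP frames to port 443 whose payload begins with a magic value, a small pure-Python interpreter so you can run it offline, and the encoding the kernel expects for SO_ATTACH_FILTER. A raw socket receives a copy of every frame regardless of who is bound to the port, and the in-kernel filter throws away everything but the trigger, so nothing new appears in the TCP listen table. The magic value, ports and frames are constructed; the attach helper is Linux/root only and is not exercised here.

```python
"""Classic BPF socket filter that plucks "magic" packets off a port another process owns."""
import struct

# Classic BPF opcodes from <linux/filter.h>: class | size | mode (loads), class | op | source (ALU, jumps).
LDH_ABS, LDB_ABS, LDH_IND, LDB_IND, LD_IND = 0x28, 0x30, 0x48, 0x50, 0x40
LDX_MSH = 0xB1                                # X = 4 * (pkt[k] & 0xf): IPv4 header length
AND_K, RSH_K, ADD_K, ADD_X, TAX = 0x54, 0x74, 0x04, 0x0C, 0x07
JEQ_K, JSET_K, RET_K = 0x15, 0x45, 0x06

MAGIC = 0x5EA1C0DE                            # constructed trigger: first 4 payload bytes
PORT = 443
ACCEPT, DROP = 0xFFFF, 0                      # return value = bytes to deliver; 0 drops the frame


def magic_filter(port=PORT, magic=MAGIC):
    """(code, jt, jf, k) tuples: IPv4, TCP, unfragmented, dst port == port, payload starts with magic.
    Jump offsets are relative to the next instruction; every failing check jumps to the DROP exit."""
    return [
        (LDH_ABS, 0, 0, 12),      # 0  A = EtherType
        (JEQ_K, 0, 16, 0x0800),   # 1  not IPv4      -> DROP
        (LDB_ABS, 0, 0, 23),      # 2  A = IP protocol
        (JEQ_K, 0, 14, 6),        # 3  not TCP       -> DROP
        (LDH_ABS, 0, 0, 20),      # 4  A = IP flags + fragment offset
        (JSET_K, 12, 0, 0x1FFF),  # 5  fragment      -> DROP (TCP header not in this frame)
        (LDX_MSH, 0, 0, 14),      # 6  X = IPv4 header length
        (LDH_IND, 0, 0, 16),      # 7  A = TCP dst port (14 + X + 2)
        (JEQ_K, 0, 9, port),      # 8  other port    -> DROP
        (LDB_IND, 0, 0, 26),      # 9  A = TCP data-offset byte (14 + X + 12)
        (AND_K, 0, 0, 0xF0),      # 10
        (RSH_K, 0, 0, 2),         # 11 A = TCP header length in bytes
        (ADD_X, 0, 0, 0),         # 12 + IPv4 header length
        (ADD_K, 0, 0, 14),        # 13 + Ethernet header = payload offset
        (TAX, 0, 0, 0),           # 14 X = payload offset
        (LD_IND, 0, 0, 0),        # 15 A = first 4 payload bytes (out of bounds -> drop)
        (JEQ_K, 0, 1, magic),     # 16 no magic      -> DROP
        (RET_K, 0, 0, ACCEPT),    # 17
        (RET_K, 0, 0, DROP),      # 18
    ]


def encode(program):
    """Pack into the struct sock_filter[] layout SO_ATTACH_FILTER takes: u16 code, u8 jt, u8 jf, u32 k."""
    return b"".join(struct.pack("HBBI", *insn) for insn in program)


def run_filter(program, frame):
    """Pure-Python interpreter for the opcodes above; the kernel does the same per received frame."""
    a = x = pc = 0

    def load(off, size):
        if off < 0 or off + size > len(frame):
            raise IndexError                  # kernel semantics: an out-of-bounds load drops the frame
        return int.from_bytes(frame[off:off + size], "big")

    try:
        while pc < len(program):
            code, jt, jf, k = program[pc]
            pc += 1
            if code == LDH_ABS:   a = load(k, 2)
            elif code == LDB_ABS: a = load(k, 1)
            elif code == LDH_IND: a = load(x + k, 2)
            elif code == LDB_IND: a = load(x + k, 1)
            elif code == LD_IND:  a = load(x + k, 4)
            elif code == LDX_MSH: x = 4 * (load(k, 1) & 0x0F)
            elif code == AND_K:   a &= k
            elif code == RSH_K:   a >>= k
            elif code == ADD_K:   a = (a + k) & 0xFFFFFFFF
            elif code == ADD_X:   a = (a + x) & 0xFFFFFFFF
            elif code == TAX:     x = a
            elif code == JEQ_K:   pc += jt if a == k else jf
            elif code == JSET_K:  pc += jt if a & k else jf
            elif code == RET_K:   return k
            else: raise ValueError(f"opcode {code:#x} not modelled")
    except IndexError:
        return DROP
    return DROP                               # fell off the end; the kernel rejects such programs at load


def tcp_frame(dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame with minimal headers; checksums are left zero."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def attach_on_linux(program):
    """Linux/root only: open a raw packet socket and install the filter in the kernel."""
    import ctypes, socket
    SO_ATTACH_FILTER = 26                                             # <asm-generic/socket.h>
    code = ctypes.create_string_buffer(encode(program))               # must stay alive during setsockopt
    fprog = struct.pack("HL", len(program), ctypes.addressof(code))   # struct sock_fprog {len, *filter}
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    return sock


if __name__ == "__main__":
    prog, trigger = magic_filter(), struct.pack("!I", MAGIC) + b"hello"
    for name, frame in (("magic on 443", tcp_frame(443, trigger)),
                        ("TLS on 443", tcp_frame(443, b"\x16\x03\x01\x00\xc8\x01")),
                        ("magic on 80", tcp_frame(80, trigger))):
        print(f"{name:14} -> {'ACCEPT' if run_filter(prog, frame) else 'DROP'}")
    print(f"{len(encode(prog))} bytes of filter bytecode")
```

For defenders, the useful corollary is that the stealth is only against the TCP listen table: the raw AF_PACKET socket still shows up in /proc/net/packet (and `ss -0`), so an unexpected process holding a packet socket on a server is worth a look.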

kris-nova/xpid
By Kris Nóva: Like nmap but for pids. xpid gives a user the ability to “investigate” for process details on a Linux system, for example: investigate a specific pid, find all container processes on a system, find all processes in the same namespace as a given pid, find all processes running with eBPF programs, etc.

solo-io/bumblebee
By solo.io: Get eBPF programs running from the cloud to the kernel in 1 line of Bash. BumbleBee helps to build, run and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code, while taking care of the user space components - automatically exposing your data as metrics or logs.

kris-nova/boopkit
Linux eBPF backdoor over TCP by Kris Nóva. Remote code execution over TCP (SSH, Nginx, Kubernetes, etc), network gateway bypass (bad checksums, TCP reset), self obfuscation at runtime (eBPF process hiding).

A flow-based IDS using Machine Learning in eBPF
Academic paper: “We show that it is possible to develop a flow based network intrusion detection system based on machine learning entirely in eBPF.”

Supply Chain

sigstore/gitsign
Keyless Git signing using Sigstore: sign Git commits with your own GitHub / OIDC identity instead of a long-lived GPG key.

GitHub Actions signing Lambda code
LaunchDarkly’s Alex Smolen describes how to sign AWS Lambda function code built with GitHub Actions.

Fuzzing

This ICSE’22 paper brings up a very important point in fuzzer evaluation — the observation that spending more time in the more destructive, “havoc” mutation stage, can lead to higher observed coverage 1/n

Fuzzing ClamAV with real malware samples
“tl;dr: Fuzzing ClamAV using real malware samples results in 10 bugs discovered including one buffer overflow and three DoS vulnerabilities.” See also their multiple posts on fuzzing game map parsers and network fuzzing with AFL.

Go Fuzz Testing - The Basics
Fuzzbuzz’s Everest Munro-Zeisberger walks through fuzzing a simple Golang function, and in Advanced Go Fuzzing Techniques discusses fuzzing with assertions, round-trip fuzzing, and differential fuzzing.

Politics / Privacy

How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now
Walkthrough by the EFF on revoking tracker access to your ad ID on Android and iOS as well as the history of ad identifiers and why they matter.

According to details in American Dragnet: Data-Driven Deportation in the 21st Century, ICE has used a combination of public records and privately acquired information to build a surveillance system that can investigate the majority of US adults with little oversight. The agency now has access to the driver’s license data of three-quarters of US adults (74 percent) and has already run facial recognition scans on the license photographs of 1 in 3 adults (32 percent). And when three out of four adults hooked up utilities like gas, water, and electricity in a new home, ICE was able to automatically update their new address.

“ICE consistently paints itself as an agency whose efforts are really focused or targeted, but we’re not really seeing that at all. Instead, what we’re seeing is that ICE has built up a sweeping surveillance infrastructure that’s capable of tracking almost anyone seemingly at any time. These initiatives were conducted in near-complete secrecy and impunity, sidestepping limitations and flying under the radar of most state officials.”

Sponsor

📢 6 Best Practices for Kubernetes Audit Logging

Running Kubernetes is challenging and complex. Learn how to set up Kubernetes audit logging to troubleshoot your deployment in this guide from Teleport.

Misc

Lil Bubble - Liquidated
This week on “Things I Didn’t Expect to See but I Suppose are not Surprising” (TIDEtSbISanS), is this “Complicated” by Avril Lavigne parody about Bitcoin 🤣

Chill out, whatcha selling for?

10k? We’ve been here before.

and if you would only let it climb

we’d be fine.

Productivity tools Katie Paxton-Fear uses every day

  • Plan - The best organization app - a planner + multiple TODO lists.

  • Obsidian - For note-taking.

  • Notion - For dashboard-style setups.

  • XMind - For mind maps.

  • GoodNotes - iPad note-taking.

  • LiquidText - Where she stores all PDFs and notes on books/whitepapers/blogs.

  • Speechify - Reads PDFs to you.

  • Feedly - RSS reader.

  • Fantastical - Best Calendar app that integrates with many different calendars, handles natural language event descriptions (“Sunday 4pm at…”).

  • Calendly - For scheduling.

  • Discord - Social.

  • OneDrive - Storage.

  • DarkReader - Makes websites dark mode.

  • Grammarly - Writing and grammar help.

  • Dragon - Dictation (speech -> text).

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint