
[tl;dr sec] #55 - Detection as Code, Vault Authentication Bugs, Fingerprinting Exploit Developers

Why we should embrace Detection as Code, write-up of two complex AuthN bugs in Vault, tracking exploit developers by their work.

Hey there,

I hope you’ve been doing well!

Whoa! tl;dr sec is sponsored all the way through the rest of 2020, and even a bit into 2021!

I’m incredibly honored and humbled by this. A big thank you to all of the sponsors, and an even bigger thank you to you, dear reader 🙏

Hearing from people that they find tl;dr sec useful or that they’ve put some of the tools and ideas to good use makes all the work worth it, and puts a spring in my step. Or maybe that’s me limping. Either way, it feels good 😀

The Social Dilemma

Like everyone and their cousin (who works in tech), I watched The Social Dilemma (trailer).

In a nutshell, it’s a set of interviews with a bunch of OG senior tech people from popular social media platforms (Facebook, YouTube, Twitter, Instagram, etc.) who created many of the now common UX tricks to maximize engagement and user growth, woven in with an overarching narrative and reflections.

I thought the movie did a surprisingly good job at explaining technical topics to a non-technical audience, and somehow making interviews with a bunch of nerds engaging 🤓

(paraphrased) On one side of the screen there’s you, a human whose brain largely hasn’t changed in thousands of years. On the other side, there’s an advanced AI composed of thousands of servers constantly learning and improving their model of you, by watching your every scroll, click, and behavior. Who do you think is going to win in that fight?

It’s been interesting to see so many representations of the tech industry in media: The Social Network, Silicon Valley, Steve Jobs movies, Theranos, etc.

I hope that one day I can burn enough bridges and make enough powerful enemies that my life also gets made into a trendy movie (Netflix, you know how to reach me 📞).

Sponsor

📢 Jobs @ Praetorian

If you are modest about your extraordinary brilliance, Praetorian is hiring. Their team is comprised of some of the world’s brightest cybersecurity minds, who humbly put customers first and have fortitude towards making the world a safer and more secure place. A default-to-open, take-the-initiative work culture has earned them Inc’s Best Places to Work, and they've been on Inc's Fastest Growing Companies for 7 years running. Praetorian is hiring for a range of positions from security engineers to director level.

📜 In this newsletter...

🔗 Links:

  • AppSec: Finding C-type bugs in memory safe languages, find bugs by looking for dangerous words in source code, code scanning on GitHub

  • Web Security: HTTP desync attacks in the wild and how to defend against them, sending arbitrary MDM commands via HTTP request smuggling, tool to test for HTTP request smuggling/desync vulnerabilities, Cloudflare's write-up on a massive DDoS attempt, JWT security anti-patterns and best practices, updated RFC on OAuth 2.0 security

  • Cloud Security: Write-up of some complex authentication bugs in Vault

  • Blue Team: Autodeploy a Windows Domain RDP honeypot, Salesforce policy deviation checker, fingerprinting exploit developers by their work, detection as code

  • Hardware: List of hardware and IoT security tools

  • Red Team: An overview of the various Metasploit components

  • Politics / Privacy: Academic study of the manipulative tactics used in campaign emails requesting donations

  • Misc: "Smart" bluetooth male chastity belt is totally secure, Grocery Store Argument: The Musical

AppSec

Now you C me, now you don’t: An introduction to the hidden attack surface of interpreted languages
Just because you’re using an interpreted language doesn’t mean you’re safe from memory safety issues. Bas Alberts describes the attack surface of targeting interpreters and gives 3 case studies: Perl format strings, deserialization in PHP, and Python’s socket.recvfrom_into.

How to Find Vulnerabilities in Code: Bad Words
Will Butler describes an underrated technique for finding serious security vulnerabilities in code: searching for words that “sound dangerous.” Other security consultants and I have found this surprisingly effective. Examples include: raw, eval, permission, insecure, and more.
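As an added example (not code from Will Butler's post), here is a small scanner that applies the idea mechanically: it tokenizes each source line, splits camelCase and snake_case identifiers, and ranks files by how many dangerous-sounding words they contain, so a reviewer knows where to start reading. The word list and the sample files are constructed for the demo and should be tuned per codebase.

```python
"""Rank source files by occurrences of 'dangerous-sounding' words.

Added example for the 'Bad Words' code-review technique. The word list and
the sample files below are constructed here, not taken from the article.
"""
import re
from collections import Counter

# Words that tend to sit next to security-relevant decisions. Extend per codebase.
BAD_WORDS = [
    "raw", "eval", "exec", "permission", "insecure", "unsafe", "unverified",
    "bypass", "disable", "skip", "todo", "hack", "trust", "secret", "password",
    "deserialize", "pickle", "shell", "system", "sudo", "admin",
]

# Runs of letters only: underscores and punctuation act as token boundaries,
# so 'raw_query' yields 'raw' and 'query' while 'drawing' stays one token.
_WORD_RE = re.compile(r"[A-Za-z]+")


def find_bad_words(text, words=BAD_WORDS):
    """Return [(line_no, word, stripped_line)] for every hit in text."""
    wanted = {w.lower() for w in words}
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Insert a space at each lower->upper boundary so 'RawSQL' -> 'Raw SQL'.
        tokens = _WORD_RE.findall(re.sub(r"([a-z])([A-Z])", r"\1 \2", line))
        for tok in tokens:
            if tok.lower() in wanted:
                hits.append((line_no, tok.lower(), line.strip()))
    return hits


def rank_files(files, words=BAD_WORDS):
    """Given {path: source}, return [(path, hit_count, Counter)] with the
    noisiest files first: the order in which to start the manual review."""
    ranked = []
    for path, text in files.items():
        hits = find_bad_words(text, words)
        if hits:
            ranked.append((path, len(hits), Counter(w for _, w, _ in hits)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample files standing in for a real checkout.
SAMPLE_FILES = {
    "app/db.py": (
        "def lookup(user_input):\n"
        "    # TODO: parameterise this\n"
        "    return RawSQL('SELECT * FROM users WHERE name = ' + user_input)\n"
    ),
    "app/auth.py": (
        "def check(request):\n"
        "    if request.headers.get('X-Skip-Auth') == '1':  # insecure debug bypass\n"
        "        return True\n"
        "    return verify_permission(request.user)\n"
    ),
    "app/util.py": (
        "def add(a, b):\n"
        "    return a + b\n"
    ),
}

if __name__ == "__main__":
    for path, count, words in rank_files(SAMPLE_FILES):
        print(f"{count:3d}  {path}  {dict(words)}")
        for line_no, word, line in find_bad_words(SAMPLE_FILES[path]):
            print(f"       {line_no}: [{word}] {line}")
```

In a real review the ranking only chooses the starting point; each hit still has to be read in context, and the word list should grow with whatever vocabulary the particular codebase uses for its trust decisions.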

GitHub: Code scanning is now available!
CodeQL / Semmle is now in general availability on GitHub. In another blog post, GitHub also announced a number of third-party static analysis and developer security training GitHub Actions and Apps available on the GitHub Marketplace. It’ll be interesting to see how GitHub handles third-party SAST tools, given that they compete with CodeQL, and if they’ll have to pay an Apple App Store-esque extortion market fee.

Web Security

HTTP Desync Attacks in the Wild and How to Defend Against Them
Imperva describes several types of HTTP desync attacks they’ve observed in practice and the defenses they’ve implemented to protect against them.

The Powerful HTTP Request Smuggling
Detailed write-up of how Ricardo Iramar dos Santos exploited HTTP Request Smuggling in some Mobile Device Management (MDM) servers, as part of a private bug bounty program, to send any MDM command to any device enrolled on them.

defparam/smuggler
An HTTP Request Smuggling / Desync testing tool written in Python 3 by Evan Custodio.

Rather than attacking our (Cloudflare) customers directly, they started going after the network providers CloudFlare uses for bandwidth.

Anycast means that if the attacker attacked the last step in the traceroute then their attack would be spread across CloudFlare’s worldwide network, so instead they attacked the second to last step which concentrated the attack on one single point. This wouldn’t cause a network-wide outage, but it could potentially cause regional problems.

JWT (in)security
Great overview of common JWT issues and how to use JWTs safely, by Michał Sajdak.
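As an added example (not from Michał Sajdak's article), here is a minimal HS256 verifier that avoids the most common JWT anti-patterns: the verifier pins the algorithm instead of trusting the token's own alg header, so alg none or an unexpected asymmetric algorithm is refused outright; the signature is compared in constant time; and a missing or past exp fails closed. It uses only the standard library, and the key and claims are constructed for the demo.

```python
"""Hardened HS256 JWT verification with a verifier-pinned algorithm.

Added example for the JWT pitfalls discussed above (trusting the token's own
'alg' header, accepting alg 'none', skipping expiry). Standard library only;
the key and claims used below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    # JWTs drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_hs256_token(claims: dict, key: bytes, alg_header: str = "HS256") -> str:
    """Issue an HMAC-SHA256 signed token.

    alg_header is only overridable so tests can build tokens whose header
    disagrees with how they were actually signed.
    """
    header = {"alg": alg_header, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is valid, else raise ValueError.

    The verifier decides the algorithm (HS256); it is never taken from the
    token, so a header announcing 'none' or an asymmetric algorithm is
    rejected before any key material is touched.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison: a plain '==' would leak timing on the signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims:
        raise ValueError("missing exp")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, key: bytes, now=None):
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_hs256_token(token, key, now)
        return None
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors too
        return str(exc)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; use a random key of >= 32 bytes in practice
    good = make_hs256_token({"sub": "alice", "exp": int(time.time()) + 300}, KEY)
    print("valid token:", rejection_reason(good, KEY))
    none_hdr = make_hs256_token({"sub": "alice", "exp": 2_000_000_000}, KEY, "none")
    print("alg none:   ", rejection_reason(none_hdr, KEY))
    print("wrong key:  ", rejection_reason(good, b"another-key"))
```

The design point is that every decision (algorithm, key, clock) belongs to the verifier; the token contributes only claims, and those are read only after the signature has been checked.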

OAuth 2.0 Security Best Current Practice
Updated working document from the Internet Engineering Task Force (IETF) describing security best practices for OAuth 2.0. “It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.”

Cloud Security

Enter the Vault: Authentication Issues in HashiCorp Vault
Two serious bugs in Vault’s aws and gcp authentication methods, by Project Zero’s Felix Wilhelm.

In my experience, tricky vulnerabilities like this often exist where developers have to interact with external systems and services. A strong developer might be able to reason about all security boundaries, requirements and pitfalls of their own software, but it becomes very difficult once a complex external service comes into play. Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity. As more and more companies move to the big cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be a lot of similar issues in the next few years.

Blue Team

tothi/ad-honeypot-autodeploy
By @an0n_r0: Deploy a small, intentionally insecure, vulnerable Windows Domain as an RDP Honeypot fully automatically.

nccgroup/SFPolDevChk
Salesforce policy deviation checker by NCC Group’s Jerome Smith. The tool reveals which Profiles have become desynchronised from Organization level policies, and reviews each one’s password policies and session settings to highlight any deviations from those set at the Organization level.

Graphology of an Exploit - Hunting for exploits by looking for the author’s fingerprints
Fascinating blog post by Check Point’s Itay Cohen and Eyal Itkin in which they differentiate between the people writing malware and those developing the exploits malware uses, and fingerprint two exploit developers. The post analyzes the exploit authors’ clientele, how they improve technically over time, and more.

The set of exploit-related artifacts that they looked for

There is also much to learn by looking at these exploit authors’ clientele. The list of Volodya’s clients is diverse and includes banker trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap (which started from cyber-crime and later shifted to cyber-espionage). Interestingly, we can see that Volodya’s 0-days are more likely to be sold to APT groups while 1-days are purchased by multiple crimeware groups. Without further intel, we can only assume that once a 0-day is detected by the security industry, the exploit is then recycled and sold at a lower price as a non-exclusive 1-day.

The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house. This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.

While the earlier Volodya exploits were sold as source code to be embedded in the malware, the later exploits were sold as an external utility that accepts a certain API. This change can suggest that Volodya is taking more precautions.

Moreover, the code of the exploits became more modular, as large functions were split into smaller sub-routines. Also, their technique to search and access specific offsets in various structs was also improved and in recent implementations it became more dynamic and safe, as it better-handled changes in minor versions of Windows.

Our research methodology was to fingerprint an exploit writer’s characteristics and later on use these properties as a unique hunting signature. We deployed this technique twice when tracking down Volodya’s exploits and those of PlayBit. Having these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers.

Can We Have “Detection as Code”?
Anton Chuvakin argues that detection logic should be automated, systematic, repeatable, predictable, and shareable.

  • Detection content versioning: understand what specific rule or model triggered an alert, even in the past.

  • Proper “QA” for detection content: test for broken alerts (e.g. those that never fire, false positives/negatives) and gaps in detection overall.

  • Content (code) reuse and modularity of detection content: rules, signatures, analytics, algorithms, etc.

  • Cross-vendor content: e.g. Sigma, YARA, YARA-L

  • Cross-tool detection content: e.g. looking for a hash in EDR data and also in NDR; and in logs as well.

  • Metrics and improvement: Get better over time

  • Goal: build a full CI/CD pipeline for detections to continuously build, refine, deploy and run detection logic in various product(s).
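As an added example of several of the points above (versioning, QA for detection content, reuse across log sources), and not code from Anton Chuvakin's post, here is a tiny detection engine whose rules are plain data. Each rule carries an id and version that travel with every alert, and a qa_rules step flags rules that never fire on their own true-positive samples as well as rules that fire on known-benign traffic. The rule format is a deliberately minimal Sigma-like subset constructed for the demo (not the Sigma specification), and the log lines are constructed samples.

```python
"""Detection-as-code: rules as versioned data, with a QA step.

Added example for the points listed above; it is not from Anton Chuvakin's post.
The rule format is a deliberately minimal Sigma-like subset constructed here
(not the Sigma specification), and the log lines are constructed samples.
"""
import json

# Every rule carries id + version so an alert can always be traced back to the
# exact content that produced it. 'selection' maps field -> expected value
# (or list of values); a '|contains' modifier does substring matching.
RULES = [
    {
        "id": "proc-001", "version": 2,
        "title": "Encoded PowerShell command line",
        "logsource": "process_creation",
        "selection": {"image": "powershell.exe", "cmdline|contains": "-EncodedCommand"},
    },
    {
        "id": "auth-007", "version": 1,
        "title": "RDP logon from outside corporate ranges",
        "logsource": "windows_logon",
        "selection": {"logon_type": 10, "src_internal": False},
    },
    {
        "id": "broken-042", "version": 3,
        "title": "Mistyped image name: this rule can never fire",
        "logsource": "process_creation",
        "selection": {"image": "powershel.exe"},
    },
]


def _field_matches(event, key, expected):
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "contains":
        return str(expected).lower() in str(actual).lower()
    if isinstance(expected, list):
        return actual in expected
    return actual == expected


def rule_matches(rule, event):
    if event.get("logsource") != rule["logsource"]:
        return False
    return all(_field_matches(event, k, v) for k, v in rule["selection"].items())


def run_detections(rules, events):
    """Return alerts tagged with the exact rule id and version that fired."""
    return [
        {"rule": f"{r['id']}@v{r['version']}", "title": r["title"], "event": e}
        for e in events for r in rules if rule_matches(r, e)
    ]


def qa_rules(rules, true_positives, known_benign):
    """QA for detection content.

    broken: rules that do not fire on any of their own true-positive samples
            (typos, schema drift, rules that can never match).
    noisy:  rules that fire on known-benign samples (false positives).
    """
    broken = [r["id"] for r in rules
              if not any(rule_matches(r, e) for e in true_positives.get(r["id"], []))]
    noisy = sorted({r["id"] for r in rules for e in known_benign if rule_matches(r, e)})
    return {"broken": broken, "noisy": noisy}


# Constructed sample log lines, one JSON event per line.
SAMPLE_LOG_LINES = [
    '{"logsource":"process_creation","image":"powershell.exe","cmdline":"powershell.exe -NoP -EncodedCommand BASE64PLACEHOLDER"}',
    '{"logsource":"process_creation","image":"powershell.exe","cmdline":"powershell.exe -File nightly_backup.ps1"}',
    '{"logsource":"windows_logon","logon_type":10,"src_internal":false,"user":"jdoe"}',
    '{"logsource":"windows_logon","logon_type":10,"src_internal":true,"user":"jdoe"}',
    '{"logsource":"windows_logon","logon_type":2,"src_internal":false,"user":"svc_backup"}',
]
EVENTS = [json.loads(line) for line in SAMPLE_LOG_LINES]

# Per-rule true positives and a shared benign corpus: the fixtures a detection
# CI pipeline would run on every commit before deploying rule changes.
TRUE_POSITIVE_SAMPLES = {"proc-001": [EVENTS[0]], "auth-007": [EVENTS[2]], "broken-042": [EVENTS[0]]}
KNOWN_BENIGN_SAMPLES = [EVENTS[1], EVENTS[3], EVENTS[4]]

if __name__ == "__main__":
    for alert in run_detections(RULES, EVENTS):
        print(alert["rule"], "-", alert["title"])
    print(qa_rules(RULES, TRUE_POSITIVE_SAMPLES, KNOWN_BENIGN_SAMPLES))
```

Because the rules and their fixtures are plain files, they can live in version control, be reviewed in pull requests, and be gated by the same QA step in CI, which is the pipeline the last bullet describes.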

Hardware

IoT-PTv/List-of-Tools: List of the tools and usage
A list of various hardware and IoT security tools: firmware reverse engineering, dynamic analysis, bluetooth, radio assessment, etc.

Red Team

Metasploit — A Walkthrough Of The Powerful Exploitation Framework
Nice overview by Manish Shivanandhan of the various components in Metasploit.

Politics / Privacy

At Princeton CITP, we were concerned by media reports that political candidates use psychological tricks in their emails to get supporters to donate. So we collected 250,000 emails from 3,000 senders from the 2020 U.S. election cycle. Here’s what we found. https://electionemails2020.org

Misc

Smart male chastity lock cock-up
A smart Bluetooth male chastity lock - what could go wrong? In a twist that should surprise precisely no one, the API had flaws allowing anyone to remotely lock all devices and prevent users from releasing themselves (removal then requires an angle grinder or similar), and the API also leaks precise user location data, personal info, and private chats. Also, TIL internetofdon.gs exists, a project dedicated to testing the security and privacy of… adult IoT devices.

Grocery Store Argument: The Musical
Twitter thread: A guy records himself dramatically singing in a grocery store, and then a bunch of other users add themselves to his base video with various harmonizing parts. Pretty impressive and fun.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint