
[tl;dr sec] #56 - State of Exploit Development, Hacking Apple, flaws.cloud dataset

Stats on vulnerability discovery, CVE publication, and patches; a lengthy write-up of a 3-month Apple bug bounty hackathon; and flaws.cloud logs published.

Hey there,

I hope you’ve been doing well!

I’m experimenting with two slightly longer sections (vs many short links) this time, feel free to let me know what you think 😀

In a recent example of “things I didn’t expect, but in retrospect, I suppose are inevitable”: apparently AWS made a parody of the song “My Shot” from Hamilton about functions as a service.

Though it might be a stretch to say this version is “enjoyable” to listen to, it actually does a pretty solid job working in technical terms and keeping a similar flow and rhyme scheme to the original.

H/T @datSecuritychic for the link.

Sponsor

📢 Secure Your Business-Critical SaaS with AppOmni

AppOmni is the leading provider of SaaS Security Posture Management (SSPM) solutions. AppOmni provides continuous monitoring, management and security of SaaS solutions, enabling organizations to maintain best practices and secure sensitive data. AppOmni’s technology deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and enable simple remediation. With AppOmni, organizations can establish rules for data access, data sharing, and third-party applications that will be continuously and automatically validated. Get a free AppOmni Risk Assessment today.

📜 In this newsletter...

🔗 Links:

  • AppSec: Tool to search GitLab for secrets, exploiting common Salesforce Lightning misconfigurations, spin up many vulnerable environments with docker-compose

  • Web Security: A Burp extension for finding JWTs signed with publicly exposed secrets, evading defenses using VueJS script gadgets

  • Cloud Security: Slack's evolving cloud networks, public CloudTrail logs from flaws.cloud

  • Politics / Privacy: Expanding the Californian privacy law, a redaction tool for structured data

  • Misc: Zapier/IFTTT alternative using GitHub Actions, FDA-approved devices using AI, a song of 168 AWS services in 2 minutes, solving problems with ML

  • We Hacked Apple for 3 Months: Here’s What We Found: An awesome write-up of some serious vulnerabilities found by five bug bounty researchers, and some brief reflections on bug bounty economics

📚 State of Exploit Development: 80% of Exploits Publish Faster Than CVEs

Some interesting stats by Jay Chen of Palo Alto Networks about vulnerability discovery, CVE publication, and patches.

AppSec

PaperMtn/gitlab-watchman
Tool by Andrew Byford to search GitLab code, commits, wiki pages, issues, MRs, and milestones for AWS keys, GCP or Azure keys and service account files, Google API keys, Slack API tokens & webhooks, private keys (SSH, PGP, …), tokens (bearer tokens, access tokens, client_secret, …), S3 config files, passwords, and more.

Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community
Aaron Costello on exploiting some common misconfigurations in Salesforce Lightning. Includes an overview of the platform, a glossary of useful payloads, and even some bug bounty report templates.

vulhub/vulhub
A ton of pre-built vulnerable environments corresponding to CVEs and other popular applications that you can spin up with docker-compose, by @phithon_xg et al. H/T Ishaq Mohammed

Web Security

Meet JWT heartbreaker, a Burp extension that finds thousands weak secrets automatically
Previously, Wallarm wrote about how they collected 340 JWT secrets that were publicly accessible (wallarm/jwt-secrets on GitHub). They’re now releasing a Burp extension, jwt-heartbreaker, that will passively scan any JWT you encounter for >2,000 JWT secrets that have been exposed.
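The check such an extension performs, written here as an added example for auditing tokens your own services issue (this is not code from the newsletter or from the jwt-heartbreaker project): verify an HS256 JWT's signature against a list of publicly exposed secrets. The four-entry secret list is a constructed stand-in for the real wallarm/jwt-secrets wordlist, and the function names and sample tokens are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a public exposed-secret wordlist such as wallarm/jwt-secrets
# (these four strings are examples, not the real list).
KNOWN_EXPOSED_SECRETS = ["secret", "changeme", "jwt_secret_key", "your-256-bit-secret"]


def _b64url_decode(s: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_token(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to construct sample tokens for the audit."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(parts) + "." + _b64url_encode(sig)


def find_exposed_secret(token: str, wordlist=KNOWN_EXPOSED_SECRETS):
    """Return the wordlist entry that validates this token's HS256 signature, or None.

    A non-None result means the token was signed with a publicly known secret and
    the issuing service's signing key must be rotated.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON (all ValueError subclasses)
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # only HMAC-SHA256 signatures can be checked against a secret list
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for secret in wordlist:
        candidate = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, sig):
            return secret
    return None
```

Run `find_exposed_secret` over tokens captured from your own staging traffic; any hit is a key-rotation finding, not a false positive.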

Evading defences using VueJS script gadgets
Gareth Heyes, Lewis Arden, and @PwnFunction examined VueJS and found a number of script gadgets. These can be useful, for example, for bypassing defences like WAFs and CSP.

Cloud Security

Building the Next Evolution of Cloud Networks at Slack
An overview of the design decisions and tech choices made along the way for Slack’s brand-new network architecture redesign project.

Public dataset of Cloudtrail logs from flaws.cloud
Scott Piper has released anonymized CloudTrail logs from flaws.cloud, his free, hands-on AWS security training challenges. The logs are roughly 240MB of largely attack data, covering a span of over 3.5 years.

Politics / Privacy

The most intriguing part of Proposition 24 is the creation of a California Privacy Protection Agency to enforce privacy law and issue fines to companies for violating the regulations. Currently, enforcement authority is with the state’s Attorney General’s office, and Attorney General Xavier Becerra has said the office’s limited resources would mean actions taken on only a handful of cases each year. If Proposition 24 passes, a well-funded agency—with an annual budget of $10 million and staffed by 40 people—would have the authority to act against more violators.

latacora/wernicke
A redaction tool for structured data by Latacora’s @lvh and Patrick Farwick. Useful if you want to anonymize data but keep its overall structure / semantics. Handles IPs, MAC addresses, timestamps, various AWS identifiers, and a few other types of strings.

Misc

actionsflow/actionsflow
A free and open source Zapier/IFTTT alternative that enables you to automate your workflows using GitHub Actions, by Owen Young.

…we provide an insight into the currently available AI/ML-based medical devices and algorithms that have been approved by the US Food & Drugs Administration (FDA). We aimed to raise awareness of the importance of regulatory bodies, clearly stating whether a medical device is AI/ML based or not.

Fig. 1: An infographic about the 29 FDA-approved, AI/ML-based medical technologies

168 AWS Services in 2 minutes
Forrest Brazeal sings the names of 168 AWS services to a piano tune. I can’t believe he remembered all their names 🤣

We Hacked Apple for 3 Months: Here’s What We Found

Awesome, lengthy write-up of Apple bugs found in a 3-month bug bounty stint by Sam Curry, Brett Buerhaus, @NahamSec, @erbbysam, and Tanner Barnes. They found 55 bugs (11 Critical, 29 High) in various online services, earning $288,500 so far. Some of the bugs included fully compromising both customer and employee applications, retrieving source code for internal Apple projects, and more.

Reflections on Bug Bounty Economics

I find the economics of bug bounty very interesting. Big payouts are often glorified and widely reshared, but how much do people who are really good actually get paid on average?

Let's do some extremely back-of-the-napkin calculations. Since not all of the bugs have been paid out, let's round up to $300,000 to make the math easier, or $100,000 per month.

  • They split it evenly: Each person nets $20K / month, $60K for the 3 months. Annual income if they kept this rate: $240,000.

  • Let's say two of them are doing bug bounty full time and split 60% of the spoils (30% each), and the other three have day jobs and split the remaining 40% between them. This would give each of the two full-timers $30K / month and $90K for the 3 months. Projected annual income: $360,000.

Caveats

There are many unknowns in the above calculations, for example: I don't know how they split the bounties, they may have day jobs, they may have been working on other programs simultaneously, etc. I'd also note that these projected annual incomes do not include health care (if you live in the U.S.), 401K matching, and other benefits you'd get as a full time employee.

One thing I found interesting about the extremely handwavy guesstimates above is that these researchers are quite talented and found many critical bugs, yet ended up netting about what an average senior security engineer at a Bay Area tech company makes, if the payouts were split evenly. And even if some of them received a higher cut, $360K is within senior security talent pay bands (e.g. see levels.fyi), especially at a FAANG company.

Of course, getting to work your own hours, getting to test a wide variety of different systems, and other aspects of being a bug bounty researcher certainly have their own value; compensation is just one part of a job 😀

If you know of other public stats on professional and/or hobbyist bug bounty researcher income, please let me know! I'd love to learn more.

📚 State of Exploit Development: 80% of Exploits Publish Faster Than CVEs

Some interesting stats and figures from Jay Chen of Palo Alto Networks.

tl;dr: there is often a long delay between vulnerability discovery and CVE publication, public exploits are often published before CVEs are public, and 37% of exploits were published before or in the first week of the patch being released. Yikes, that’s fast. 😅

Of the 45,450 public exploits in Exploit Database, there are 11,079 (~26%) exploits in Exploit Database that have mapped CVE numbers.

Among those 11,079 exploits:

14% are zero-day (published before the vendors release the patch), 23% are published within a week after the patch release and 50% are published within a month after the patch release. On average, an exploit is published 37 days after the patch is released. Patch as soon as possible – the risk of a vulnerability being exploited increases quickly after vendors release the patches.

80% of public exploits are published before the CVEs are published. On average, an exploit is published 23 days before the CVE is published. Software and hardware may also have vulnerabilities with public exploits that don’t have CVEs. Check security updates from vendors frequently and apply updates as soon as possible.

We also reviewed the entire CVE list since 1999 and found that, on average, a CVE is published 40 days after its CVE-ID is assigned. Of the 177,043 entries we analyzed at the time of this writing, more than 10,000 CVEs have been in “reserved” status for more than two years. It shows that there is a long delay between vulnerability discovery and CVE publication.

We sampled 500 high-severity exploits since 2015 and manually identified their patch dates from the vendor sites. 14% of the exploits we studied were published before the patches, 23% of the exploits were published in the first week and 50% of the exploits were published in the first month. On average, an exploit is published 37 days after the patch is released.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint