Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
- In a very specific scenario, the authentication for this Asus router could be bypassed. All of these things had to be done:
- The submitted
asus_tokenstarts with a Null (0x0) - The request User-Agent matches an internal service UA (asusrouter--)
- The device has not been configured with an
ifttt_token(default state)
- The submitted
- The reason for passing in
Nullis because the validation of theifttt_tokenreturns NULL if the functionality is not in use. If theifttt_tokenis the same as theasus_tokenthis returns Null. - The author does not explain the
asusrouter--user agent. However, it is common for a header or UA to be used to denote if an internal service is being used. In this case, it is not a security issue but rather something to hit the service at all. - Interesting bypass that would ONLY be found by manually reviewing source code. I will likely add
\0to my input fuzzer list after reading this article.
- Azure functions is a way to run code in the context of Microsoft's Azure cloud platform. This is a nice feature to have because it allows quick code functions to run upon some trigger. This is similar to AWS Lambda functions.
- This is remote code execution by design! So, restricting the environment abilities in a multi-tenant world is important. Otherwise, other users can see or alter the ENVs around them.
- By inserting a remote shell in an Azure function, the author noticed an odd environment variable:
SCM_RUN_FROM_PACKAGE. The code downloaded for the Azure function package had the r+w flag on the SAS token. By altering this package, an attacker could secretly plant a backdoor on the code package for the functions using this box. - Within an encrypted configuration blob were more SAS tokens. One of the SAS tokens was not scoped properly, which allowed the author to pull arbitrary configurations from other users. Although, these were encrypted.
- The
x-ms-site-restricted-tokenheader used for authorization was extremely verbose on its error messages. Because of this verbosity the attacker was attempting to launch a padding oracle attack against this endpoint. - A padding oracle attack abuses the outputted error messages from the padding in order to byte by byte deduce the key. This is an extremely powerful vulnerability if it is discovered. This is not an issue with the algorithm itself; it is an issue with how the algorithm is being used.
- Sadly, this attack did not work because the padding algorithm did not work properly. Encryption may not always be 100% necessary, but it made this cross-account configuration issue way less impactful. Adding encryption for a defense-in-depth measure can be a good idea.
- Overall, interesting findings on Azure not restricting SAS tokens properly. This is likely seen in other places within Azure and other cloud platforms as well.
Synology DSM AppArmor synosearchagent misconfiguration vulnerability
Talos Reference →Posted 4 Years Ago- Synology DiskStation Manager is the Linux-based operating system for every Synology NAS.
AppArmoris a Linux kernel security module that allows the system to restrict the capabilities on a per-profile basis. - The vulnerability is a simple misconfiguration of
AppArmor. The profile for the synosearchagent profile did not restrict access to loading kernel modules. Now, by using theinsmodcommand it is trivial to run code inside of the kernel.
- Dell is a brand of computer used across the world. The author audited the Dell firmware update driver (
dbutil_2_3.sys) and found several vulnerabilities in it. - The first (and most obvious) issue is that the driver accepts IOCTL (input/output control) requests without any ACL requirements. This means that the driver can be hit by any user on the system to call the functionality of the driver. By calling a driver that takes in pointers for a call to
memmovean arbitrary read/write vulnerability has been given to the user. Damn! - An additional vulnerability is direct access to IN/OUT calls in kernel mode. Using these instructions, it is possible to interact with the HDD and GPU with DMA operations. Direct Memory Access (DMA) operations from userspace is 100% game over, as it can be used to bypasses all security mechanisms the OS has put in place.
- The main issue is that the driver does not require any permissions to run, allows any user to kernel instantly. However, these other issues could be exploited by an administrator to get kernel access, which is still a valid concern.
- These bugs sat around for 12+ years without anybody discovering them. Sometimes, the best research is just finding the right target. Good research here!
Buffer Overflow in Super Mario Maker level decompression
mrnbayoh - hackerone Reference →Posted 4 Years Ago- The Nintendo 3DS is a handheld gaming platform several generations after the GameBoy. Streetpass is a functionality that allows passive communication between Nintendo 3DS systems held by users in close proximity, commonly used to share information such as Miis.
- When a Streetpass sends a level of Super Mario Maker, the data is compressed. The buffer size is 0x18000 bytes (which is the maximum that is will receive). Because of this, the developers did not consider a bounds check for the size to be necessary. They thought wrong!
- The decompressed section sits directly AFTER the compressed section. The parser will continue parsing until it finds no more data to be parsed! Because of this, the parser will attempt to decompress already decompressed data, causing a buffer overflow on the heap.
- The 3DS does not have ASLR enabled and there appear to be function pointers on the heap. So, it is trivial to take this buffer overflow to code execution via a specially crafted packet.
- This can be done in a drive-by fashion, sort of like Bluetooth level attacks. Although, what is there to gain from compromising a kids 3Ds!? Interesting find that reminded me of the Pokewalker hack as well.
Remote code execution in Homebrew by compromising the official Cask repository
ryotak Reference →Posted 4 Years Ago- Homebrew is a package manager for MacOS that is ran from the terminal. I personally use Homebrew all of the time. So, hearing about vulnerabilities is quite interesting.
- The vulnerability exists in a Homebrew Github actions automation. A Github Action is something that is performed when something happens to the repository, such as a pull request. One of the actions is that if a pull request is simple enough, then it auto merges the PR.
- The author could not find a vulnerability in the logic directly. So, instead, they went to the
git_diffrepository to see how the merge functionality worked. - The diff functionality is quite complex and has many interesting primitives for remote attackers. In particular, the
git_diffadded file information for where to write the file to directly into the file! With this in mind, it was possible to make a 0 line change PR that could overwrite a Ruby file in Homebrew itself. - The root cause was not in a vulnerability in the parsing library for
git_diff. Instead, it was using the code in an unattended way; the authors ofgit_diffnever expected an attacker to be able to control the file information when writing the tool. Overall, interesting finding where the issue is with the integration of technology.
Password reset code brute-force vulnerability in AWS Cognito
Pentagrid AG Reference →Posted 4 Years Ago- Cognito is an SSO solution from Amazon. Somebody can log into the site and this has password reset functionality. This is implemented by sending a 6 digit code to the users email.
- While testing the rate limiting, the researchers realized that something was off. Although the documentation said 5-20 failed attempts will result in a
limit exceedederror, this limit could be bypassed using concurrent request via Burp Turbo. - An additional issue was found that the code had a cool down time. Once the limit exceeded had been introduced, some time later attempts could be made again because the counter would be reset.
- The maximum they got to work was 1587 which is 0.16% of the space. This means that 1/625 times. With the cool down bug, the odds went down to 1/312. Because this attack could be repeated by requesting a new password reset token and this could be performed on multiple users at a time, this could eventually lead to user compromise.
- Reset token functionality is incredibly hard to implement! Even with rate limiting, the limitations may not be enough. On engagements, I will make sure to validate that the rate limiting works with concurrent requests.
Dependency Confusion Vulnerabilities in Unity Game Development
Jason Kielpinski - Include Security Reference →Posted 4 Years Ago- Unity package registries, referred to as UPM, work using the same protocol as the Node package manager (NPM). Unity allows for private registries to be used in this environment.
- So, what would happen if a outside user created a Unity package with the same name as a private repo? Whatever has the higher version will be used during the installation process. This means that a malicious attacker who knows the name of an internal repo can hijack it.
- The ability to hijack repositories has been a vulnerability as of recent. It may be worth taking the time to look at other packages managers to see if the public takes precedent over the private in some way. Overall, great find though!
- Oxide is designing a computer from the ground up. With this in mind, nothing goes undocumented. While reverse engineering the
NXP LPC55S69 ROMthey found an interesting piece of undocumented functionality that allowed them to update the ROM. Sadly (or good for attackers), this code is accessible by non-secure, unprivileged user code thus allowing attackers to make runtime modifications to purportedly trusted APIs. - The purpose of a secure boot process rooted in a hardware root of trust is to provide some level of assurance that the firmware and software booted on a server is unmodified and was produced by a trusted supplier. By using a hardware root of trust, we can 100% know if the firmware has been modified or not.
- The chip has a set of privileged APIs for directly accessing Flash, putting the chip into programming mode and so on. The issue is that the undocumented API is not considered 'privileged' which allows for the altering of the ROM itself. Luckily, although the ROM can be modified, it does not persistent across boots. So, this does not corrupt the root of trust.
- With access to this API that allows for the editing of this ROM, we can give ourselves access to patch part of the privileged APIs. Then, when a secure-mode application calls this API, we control the execution from this point onward. This issue could be pre-mitigated if the memory protection unit (MPU) is turne, which restricts access to specified address ranges.
- The rest of the article talks about how to call this API, the reversing process and so on. All of this is interesting but not ground-breaking. The one thing of note is that only 32 bytes can be written via this API, restricting the impact of the bug.
- To fully mitigate this issue, new chips without this feature have to be designed. According to the manufactures current chips do not have this functionality. Besides this, choosing to use the MPU fixes this problem from a user standpoint as well.
- A DEFCON talk that dives into the details of TrustZone-M can be seen here as well.
- Originally, there were two types of users in Linux: privileged and non-privileged. However, this binary change was not enough for handing out permissions. So, Linux released capabilities, which allows for fine-grained control of the administrative permissions.
- When creating a namespace and mounting to a file system, having all of the permissions is totally fine. During the execution on these files though, the capabilities permissions are not checked! This was because a wrapper function with permissions check was not used.
- Because of the lack of permission checks on the capabilities on the outer namespaces, the author writes over the user process information to become root. So, they just win at this point with an LPE on Ubuntu.
- The remediate of the bug was done in a better than expected way. Instead of waiting for more OSes to make the mistake of not calling the wrapper function, the permission checks were made inside of the regular function. Centralizing security always helps.
