Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Getting Code Execution on Apache Druid - 443

zdi | Posted 5 Years Ago
  • Apache Druid is a real-time analytics database, used where data must be visible quickly under high concurrency. It ingests streaming data from sources such as Kafka and AWS Kinesis, and exposes a rich set of HTTP and JDBC APIs for loading, managing and querying data.
  • Druid offers the ability to execute JavaScript on the server without restrictions. For obvious security reasons, this is disabled by default. However, what if this functionality could be tricked into being used?
  • Druid uses Jackson to parse JSON. A Jackson annotation on a constructor tells Jackson to call that constructor when deserializing a JavaScriptDimFilter object. Most of the constructor's parameters are marked with the JsonProperty annotation, which gives each of them a com.fasterxml.jackson.databind.deser.CreatorProperty carrying the parameter's name.
  • However, not all of the parameters have this annotation. Whenever a parameter is created without it, its com.fasterxml.jackson.databind.deser.CreatorProperty is named "" (the empty string). Because an attacker can supply a property named "", we can control the settings.
  • When the JavaScript type is parsed, the parameter whose name resolves to "" (the empty string) is the object's config. By supplying our own empty-string property, we can inject our own configuration! With the injected configuration, we can turn on JavaScript for this call. Boom, popping a shell!

Zero-click Takeover in Apple's macOS Mail - 442

Mikko Kenttala | Posted 5 Years Ago
  • Apple Mail has a feature that automatically uncompresses attachments sent from another user. This is driven by custom SMTP headers specific to Apple Mail.
  • The author discovered that the path/directory information is NOT validated or sanitized by the receiving client. This is the crux of the vulnerability.
  • The first zip file contains a symlink named Mail that points to the $HOME/Library/Mail directory. Because it is a symlink, the temporary folder for the mail is not cleaned up properly.
  • When the second zip file is uncompressed, files are extracted to the location of this symlink! Because of this, an arbitrary file write vulnerability has been created. Luckily, Apple does keep the application sandboxed.
  • Using this file write, the configuration of the Mail app can be altered. With that, it was possible to set up mail auto-forwarding to a malicious mail inbox. There is the potential for RCE from this, though.
  • Overall, this is an awesome bug with huge impact. Symlinks are an important attack vector to consider!
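The two-archive trick above is a generic archive-extraction failure, so here is an added defender-side example (not code from the write-up or from Apple): it builds the two constructed archives in memory, flags the entries a safe extractor must refuse, and shows an extractor that resolves each target with realpath() so a symlink already on disk cannot redirect the second archive's writes. The link target and file names are placeholders.

```python
import io
import os
import stat
import zipfile
from pathlib import PurePosixPath

def build_symlink_zip() -> bytes:
    # Constructed archive 1: a symlink entry named "Mail" with a placeholder target.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("Mail")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # unix mode lives in the high 16 bits
        zf.writestr(link, "/Users/victim/Library/Mail")     # a symlink's "content" is its target
    return buf.getvalue()

def build_payload_zip() -> bytes:
    # Constructed archive 2: writes a file underneath the name planted by archive 1.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Mail/evil.plist", "<plist/>")
    return buf.getvalue()

def unsafe_entries(zip_bytes: bytes) -> list:
    """Static pass: entries a safe extractor must refuse before touching the disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                findings.append((info.filename, "symlink"))
            if info.filename.startswith("/") or ".." in PurePosixPath(info.filename).parts:
                findings.append((info.filename, "path traversal"))
    return findings

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract regular entries only, refusing symlinks and anything whose resolved
    path leaves dest; realpath() follows links already on disk (see archive 1)."""
    refused, root = [], os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if stat.S_ISLNK(info.external_attr >> 16) or os.path.commonpath([root, target]) != root:
                refused.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
    return refused
```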

Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow - 441

Youssef Sammouda | Posted 5 Years Ago
  • OAuth is a protocol used for third-party sign-ons all over the place. Facebook has its own OAuth provider that can be used to log in to many things.
  • The OAuth flow is quite complicated. In the context of OAuth, an arbitrary redirect is an automatic game over because of how the flow works: the arbitrary redirect can capture the user's code that logs them into a site via OAuth.
  • Facebook's OAuth has a preformatted response when requesting an access token or authorization code via postMessage. When specifying the target origin on the request, a fallback measure could be triggered if no opener window was found.
  • This fallback URI did NOT have strict validation on it; it only validated that the path is ON facebook.com. By using a previously discovered open redirect on Instagram, we had a bypass for the redirect_uri check.
  • Using two chained redirects, the access token a user gained by logging in could be stolen. Facebook paid the author 30K for the finding and an additional 12K after a bypass of the fix was found.
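To make the "is it on our domain?" failure concrete, here is an added example (not Facebook's code) that puts the weak check next to an exact-match allow-list; the hostnames and the registered callback are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registration for a hypothetical client: the *exact* URIs it may use.
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}

def weak_redirect_check(candidate: str) -> bool:
    """The shape of check the write-up describes: only asks whether the
    destination is somewhere on our own domain. Any open redirect on that
    domain then becomes a second hop to wherever the caller likes."""
    host = urlsplit(candidate).hostname or ""
    return host == "example.com" or host.endswith(".example.com")

def strict_redirect_check(candidate: str) -> bool:
    """Exact match against the registered set after lower-casing only the
    scheme and host: no prefix or suffix matching, no extra path segments,
    no query or fragment the client did not register, no userinfo tricks."""
    parts = urlsplit(candidate)
    if parts.scheme.lower() != "https" or parts.fragment or "@" in parts.netloc:
        return False
    canonical = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                            parts.path, parts.query, ""))
    return canonical in REGISTERED_REDIRECTS
```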

Analysis of Critical QSEE Vulnerabilities - 440

Raelize | Posted 5 Years Ago
  • This article uses a router to get at an SoC that runs Qualcomm's Secure Execution Environment (QSEE). This Trusted Execution Environment (TEE) is found on many Qualcomm-based devices, such as Linksys routers, mobile phones and others.
  • The first issue was getting as much access to the device as possible. The device had a nicely documented serial interface, with supporting docs from OpenWRT, but this only yielded the boot log.
  • The boot log mentioned U-Boot. So, by pressing a key, they were able to enter the U-Boot console, which has a plethora of useful commands.
  • In ARM TrustZone there are two worlds: the secure world (TEE) and the non-secure world, also known as the Rich Execution Environment (REE). Which one is active is denoted by a special bit called the Non-Secure bit. The primary and secondary bootloaders load the rest of the system (including the QSEE binary) and run at the highest privilege.
  • To extract the QSEE binary from the system, they set the serverip U-Boot environment variable to point at a server they control. They load the binary into Flash and then send it off to their server. All of this can be done from the U-Boot console!
  • The QSEE binary is a completely flat binary with no metadata about its structure or symbols, so it took some time to reverse.
  • When serving requests from the REE, range checks must be done to ensure that ONLY TEE addresses are written to. However, this check needs to happen on every read/write that occurs within the TEE.
  • The authors identified FOUR places where output addresses were not properly sanitized. Because of this, an attacker could write to arbitrary locations in the QSEE and compromise the TEE.
  • To reach this, an attacker would need to be able to load a kernel module or get access via U-Boot. Still, vulnerabilities here have wide-reaching effects.

Template injection in a GitHub workflow of koriwi/freedeck-configurator - 439

Jaroslav Lobacevski | Posted 5 Years Ago
  • This vulnerability was found in a GitHub workflow template used for integration with Discord. GitHub Workflows allow automated actions to run when certain events (such as a PR) happen.
  • When a PR went through, a workflow posted it to a particular Discord channel. However, the commit field (which is clearly controllable) was not sanitized at all.
  • Because of the lack of sanitization, it was possible to inject arbitrary Markdown into a Discord message. But, this can get much worse!
  • The Discord API supports STRING interpolation syntax for environment arguments. The interpolation even allows the execution of arbitrary JavaScript! Using this, it is possible to write to the repository and steal other secrets from the GitHub Runner instance.
  • Overall, this is an integration issue between two powerful technologies; neither of them (although executing JavaScript seems like a little much) has a direct issue on its own. Interesting finding!
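As an added detection example (not from the write-up or the project), the scanner below walks a constructed workflow file and flags any `${{ }}` expression that splices a commit- or PR-controlled context straight into a `run:` or `script:` block, with the fixed pattern (pass the value through an environment variable) shown alongside; the context names are real GitHub Actions contexts, the workflow itself is made up.

```python
import re

# GitHub Actions contexts whose value is chosen by whoever opens the PR or pushes
# the commit. Real context names; the list is illustrative, not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.event.head_commit.message",
    "github.event.commits",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
SCRIPT_KEY = re.compile(r"(?:-\s+)?(run|script):")

# Constructed workflow: the first step splices the commit message into the shell
# script, the second passes it through an env var, which the shell never parses.
SAMPLE_WORKFLOW = """\
name: discord-notify
on: [push]
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          curl -X POST "$WEBHOOK" -d "New commit: ${{ github.event.head_commit.message }}"
      - name: fixed
        env:
          MSG: ${{ github.event.head_commit.message }}
        run: |
          curl -X POST "$WEBHOOK" -d "New commit: $MSG"
"""

def find_script_injections(workflow_yaml: str) -> list:
    """Return (line, expression) for every ${{ }} that drops an untrusted context
    into a `run:` shell script or a `script:` block. Line based rather than a YAML
    parse: a block ends at the next line not indented deeper than its key."""
    findings, in_script, key_col = [], False, 0
    for lineno, line in enumerate(workflow_yaml.splitlines(), 1):
        stripped = line.lstrip()
        col = len(line) - len(stripped)
        if in_script and stripped and col <= key_col:
            in_script = False
        m = SCRIPT_KEY.match(stripped)
        if m:
            in_script, key_col = True, col + m.start(1)  # column of the key itself
        if in_script:
            for expr in EXPR.findall(line):
                if expr.startswith(UNTRUSTED_CONTEXTS):
                    findings.append((lineno, expr))
    return findings
```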

Indexing of URLs with Sensitive Information - 438

Gal Nagil | Posted 5 Years Ago
  • HackerOne shows a warning page when a user is going to an external site; in particular, this happens on all redirects. These redirect URLs commonly contain sensitive information, such as keys or exploit proofs of concept (POCs).
  • When a third-party site had indexed these HackerOne links, the sensitive information in the links was exposed. Through these links, unlisted YouTube videos with POCs were found and other information was leaked.
  • I had never considered search engines as a way to leak information! It is quite common for sites to have this redirect page like HackerOne does. So, this bug is probably out there in other places as well.

Internal/External IP Parsing Bug - 437

Sick Codes | Posted 5 Years Ago
  • A while back, a major library whose whole purpose was to decide whether an IP was internal or external was found to be broken. It turns out that parsing IP addresses is MUCH more complicated than one would think! Besides the usual 127.0.0.1, the loopback address can be written as 127.1, 0177.0000.0000.0001, 2130706433 and many other forms I am missing.
  • This discrepancy was caused by a parsing mistake that treated octal (base 8) as decimal (base 10). The first fix then accidentally created a vulnerability that parsed hexadecimal (base 16) integers as octal!
  • An additional issue was that parseInt in JavaScript strips whitespace characters. With that parsing behaviour, it could have been possible to bypass the filtering in some way.
  • Although improper parsing of IP addresses does not seem like a big deal, it really is. Protections for attacks such as server-side request forgery (SSRF) and local file inclusion (LFI) rely on some library to filter internal endpoints. Being able to circumvent this is a huge deal. I have a feeling we have not seen the end of this bug!
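To show why the alternate spellings above all resolve to loopback, here is an added example (not the library's code) that implements the classic lenient inet_aton rules in general form, then the check a defender should use instead: accept only the canonical dotted quad and refuse anything the two parsers read differently. The public address used in the test is a well-known resolver, chosen only as a non-internal sample.

```python
import ipaddress
from typing import Optional

def lenient_inet_aton(text: str) -> Optional[int]:
    """Classic BSD inet_aton rules, still what many C libraries (and the kind of
    JS/Python code the write-up describes) accept: 1 to 4 dot-separated parts,
    each decimal, octal ("0" prefix) or hex ("0x" prefix), with the last part
    filling every remaining byte. Returns the 32-bit value or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not p or p != p.strip():   # no empty parts, no whitespace slack
            return None
        try:
            if p[:2].lower() == "0x":
                values.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))
            else:
                values.append(int(p, 10))
        except ValueError:
            return None
    *lead, last = values
    width = 5 - len(values)           # bytes the final part has to cover
    if any(not 0 <= v <= 255 for v in lead) or not 0 <= last < 256 ** width:
        return None
    packed = 0
    for v in lead:
        packed = (packed << 8) | v
    return (packed << 8 * width) | last

def must_block(text: str) -> bool:
    """Defender's decision for an SSRF allow-list: accept only the canonical
    dotted quad (ipaddress rejects shorthand, octal, hex and integer forms),
    refuse anything a lenient parser would read differently, and refuse every
    loopback, private, link-local, multicast and reserved address."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return True                   # not canonical: refuse rather than guess
    if lenient_inet_aton(text) != int(addr):
        return True
    return addr.is_private or addr.is_multicast or addr.is_reserved or addr.is_loopback
```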

GTFOBins - Bypass local security restrictions in misconfigured systems - 436

Emilio Pinna & Andrea Cardaci | Posted 5 Years Ago
  • Linux is secure by default. But, what happens if you change the default settings? Well, some changes have MAJOR security consequences. This article has a large collection of privilege escalation techniques that rely on such misconfigurations.
  • Another similar repo can be found here for Windows.

Fuzzing: FastStone Image Viewer - 435

voidsec | Posted 5 Years Ago
  • The author of this article decided to fuzz a file viewer. They chose this target because not many people had fuzzed it, and they chose the CUR format because none of the existing CVEs covered it. In general, fuzz things that people have not looked at in order to find bugs.
  • Peach Fuzzer is an older fuzzer that does not apply binary instrumentation to the program. It takes an input, mutates it, then feeds it to the program to see what happens. With Peach Fuzzer, you can ask for random mutations or have it mutate according to a defined file format.
  • Peach Fuzzer's smart fuzzing can be used to specify the structure of the data, the flow of data, test blocks and a bunch more. Although tools like AFL are much better when the target can be instrumented, Peach still has its place.
  • Using Peach Fuzzer, the author found a buffer overflow by setting the BitCount field to a very large value. This triggers an integer overflow that leads to a stack-based buffer overflow.
  • To actually exploit this, the author overwrites the SEH chain on the stack to control the flow of execution. Because the Windows program does not enable ASLR or DEP, popping a shell is quite easy. However, the author made POCs that bypass both of these protections just for the fun of it.
  • Overall, this was a good article on fuzzing! The art of fuzzing looks a little less scary after reading this article.

Ability To Delete User(s) Account Without User Interaction - 434

Hx01 | Posted 5 Years Ago
  • GitLab allows users to delete their account. In order to do this, you need to send an email to somebody.
  • The issue is that the email verification and the deletion are done by humans. Because the sending address can be spoofed, it is trivial to delete any user's account.
  • Bugs are not always technical! Sometimes, it is just a lapse in the attack surface.