Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Achieving RCE in famous Japanese chat tool with an obsolete Electron feature
RyotaK Reference →Posted 1 Year Ago- Chatwork is a Japanese chat application similar to Slack. It is an Electron desktop app.
- While reviewing JavaSctipt files, they noticed the usage of
shell.openExternal(). In Electron, this is a known bad sink that can open arbitrary URLs. Notably, passing infile://with a user-controlled file can lead to code execution. This was available in the preload context, meaning that it was available before the disabling of the node API in the web browser portion. This isn't code execution yet, but it is a good start. - Digging deeper into the code, they found an instance of
BrowserWindowwithwebviewTagset to true. This is a deprecated feature that has dire security consequences when handled incorrectly. By providing arbitrary tags to thewebviewTag, it's possible to disable security features in that processing window in a preload context. - Again, we have a way to execute arbitrary code within a window but still need a way to add this code ourselves. The opening of the vulnerability code path was done via the function
createNewWindowwith a user-controlled but validated URL. In particular, a list of very specific patterns was used and verified to prevent adding thewebviewtag that the author wanted. - Upon testing this service, they found that the usage and client-side validation were slightly different. The backend server URL decoded the request path but the Electron app did not. This means that we can use a directory traversal on the Chatwork app with something like
https://www.chatwork.com/gateway/download_file.php%2F..%2F..%2Fto circumvent the location of the call. Now, using the OAuth redirect, we can go to an arbitrary page! - Here's the full flow of the attack:
- User clicks on a malicious link.
- The link uses a directory traversal and URL encoding to use a redirect from the OAuth page to an attacker controlled site to be rendered within Electron.
- The malicious site
webviewtag. This loads a file from an SMB share. - The file from the SMB share will then exploit the
openExternalto execute native code on the computer.
- Overall, a great chain of bugs! The progression and timing of each bug was interesting to me. Some folks go from JavaScript control yet others start from the bottom of the exploit chain. To me, it depends on where you see the impact. The ability to load a web page in the context of Electron is a good primitive but not a game-over bug by itself.
- The article begins with a hypothetical. You have a class
Personwith a field calledage. What type should it be? - The first suggestion is a
String. This is obviously wrong but why is it bad? It's bad because validation would need to be performed on any and every operation. An example would be the ageJeff. This could be done with "stringly-typed" data but is super annoying to do. - The next is an
Int. It's easier to write, read and it fails fast. This is better than the String type. This is because we remove the capability for many invalid states! The purpose of the article that the invalid states are now unrepresentable. - There are still many invalid states with an Int though. For instance, -1 and 90210 are technically valid according to the program but invalid ages. The goal is to constrain the type to make these invalid states also unrepresentable.
- In a statically-typed language, runtime assertions can be added. For instance, an assertion that throws an error if the age is less than 0 or greater than 150. This is an integer with constraints.
- The next, and final, value they consider is using age type constraints. One problem with the current approach is that an integer used for an age is the same as an integer used for weight. So, having an explicit type for the age, as opposed to using integers, works well. They use the newtype pattern from Haskell to talk about this.
- They do make a comment that the model needs to be done correctly, which takes time. It's easier to move from more specific than to less specific types. So, prefer specificity over generalization. The restrictions being added should always be carefully thought out.
- Overall, a great post. The core concept of make invalid states unrepresentable is a good development principle that will stick with me for a while!
What Okta Bcrypt incident can teach us about designing better APIs
n0rdy Reference →Posted 1 Year Ago- Okta had an interesting security incident. If the username was above 52 characters, then ANY password would be sufficient for logging in. If the username was 50 characters, then it would be only two. In Okta, the password hash included the concatenation of the userId, username and password.
- Why did this happen? The hashing function BCrypt! In BCrypt, there is a limit to the size of the input to 72 characters. Since the user ID and username were included, it was possible to go above this. In some libraries, this would lead to a silent truncation of the data. With how much data Okta was using besides the password, this led to the entire password being truncated.
- The author was curious about why the library even allowed this in the first place. A simple check on the input length would be sufficient in the library for preventing this from happening. They evaluated several implementations of libraries in different languages, all of which handled this case differently. Some errored out and some silently truncated the data. Why the truncation? They were conforming to the BSD implementation from years ago!
- My personal favorite part of the article is the end. The author goes into Secure API Design. Recently, this has become a bigger concern of mine in my job so it was interesting to see these come out.
- The first point is Don’t let the people use your API incorrectly. It should explicitly reject invalid input in order to prevent errors like this. If the functionality is required, then gate it behind a feature flag or
unsafevariant of the function. - The next point was Be predictable. Good API design should be intuitive and obvious. Of course, this is subjective but we can use some common sense here.
- No ego is the next one. Expecting users to read every bit of documentation or fully understand the implementations is totally unreasonable. Making systems easy to use for novice users should be the goal, with more advanced functionality being added to the more advanced ones. Good input validation goes a long way here.
- The final point of note is Be Brave. To the authors point, be the new solution that is better. It's easy to fallback onto old implementations since it's always been there. Do something to make the world a better place.
- Overall, an interesting read that further evaluates the Okta issue. I enjoyed the parts about secure API design the most that used Okta as a case study.
Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)
Adam Kues Reference →Posted 1 Year Ago- The authors of this post saw two vulnerabilities under active exploitation in Palo Alto firewalls. So, they reverse engineered the exploit to understand what was going on. The architecture is setup to have three separate components for web processing: Nginx -> Apache -> PHP.
- First, it's a reverse proxy that sets a bunch of headers. The most important one is
X-pan-AuthCheck: on, which indicates to check for authentication downstream. After this, Apache will re-normalize the request and re-process the request with a rewrite rule. Finally, if it's a PHP file, then an authentication check is done based on the header mentioned. - Anything you have a protocol that requires parsing complicated data, it's important to consider the differences between the tech stacks. The usage of authentication is set by Nginx and then processed by Apache. If we can trick Nginx to not set this header but have Apache still process it as a PHP request, then we can bypass authentication.
- From reading previous research from Orange and messing around, the authors noticed some odd functionality within a
RewriteRule. In Apache, theRewriteRulemay perform an internal redirect. This is important because extra URL decoding may occur! - In Nginx, one of the paths that did NOT include the authentication header being set was
/unauth. So, the goal is to get Nginx to not set the header yet have Apache use an interesting PHP route. Using the Apache trick from above, URL encoding directory traversal characters can be used to do this. For instance,/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.csswill resolve to/unauth/../php/ztp_gate.php/PAN_help/x.css.gzafter the multiple URL decodings. Of course, Apache will resolve the../now leading to/php/ztp_gate.php/PAN_help/x.css.gz. - Parser differential bugs strike again! Overall, a super interesting blog post against the exploitation of a real and impactful vulnerability.
form-action Content-Security-Policy Bypass And Other Tactics For Dealing With The CSP
ruben - nzrt 48 Reference →Posted 1 Year Ago- The Content Security Policy (CSP) is a browser-based protection to protection against XSS. In many ways, it does kill XSS but this post is about bypassing CSPs using forms.
default-srcworks well for is the fallback directive in the CSP. Unfortunately, it doesn't include several, such asform-action.- By creating a form that does not have an end, it's possible to have this form contain a bunch of sensitive data upon submission. Additionally, the form can be made to take up the entire page using CSS, leading to a single click doing the submission. Although this can't read variables, it can be used for data exfiltration.
- An additional method is abusing
autofillin browsers. By making the form look like a password, it will autofill the inputs for many password managers. If the form is the whole page and the page is clicked on, this will then be submitted to the attacker. - Even with the
form-actiondirective in the CSP being set toself, there are still some issues with it. First, same-site request forgery is possible when using form-based auth. Dangling markup attacks are another option as well. - There's a bunch of good tricks in this article for using forms to get around CSPs. Pretty neat!
- The authors of this post are porting significant amount of networking code in EdgeDB from Python to Rust. While doing this, they have ran into a lot of interesting issues, including this post. While trying the port, they noticed that it always failed on ARM64 CI runners but nothing else.
- The CI runner appeared to hang for a while then stop. Upon logging onto the CI box, they noticed that the program had actually crashed but this was detected by the runner. They noticed a coredump, which indicated something weird had happened.
- They loaded the coredump into GDB and noticed that it was a crash within the Rust
getenv()function. The function is crashing when loading a byte from environment variables. It was attempting to load data from an invalid memory location. Why is Libc crashing!? - One of their co-workers dropped a line: getenv isn't threadsafe. From looking at the crash dump, it was clear that while this process was reading the environment variables, another one had write to them. In all likelihood, the memory safe for the env vars was too small so it was reallocated to be bigger. However, the other code was still reading from this.
- The variables associated with the crash were in OPEN SSL. In their code, they were using
opensslto probe for packets, which was the offending code. Since they are using a combination of Python and Rust, Rust didn't think that an unsafe operation was happening. - To fix the bug, they moved from
rust-native-tlsand used therustlsinstead. By callingtry_init_ssl_cert_env_varsfrom Python, a global lock would prevent this race condition. Looking forward, Rust is marking the environment-setter functions unsafe and glibc has tried makinggetenvmore thread-safe. - Why does this only happen on ARM? The crash occurs in a call to
reallocwithinsetenv. To hit this code path, the environmental variables need to line up just write for thereallocto cause issues ingetenv(). Given this information, they're pretty lucky that they found this at all. - Personally, a really good read. Learning about debugging techniques and interesting bugs is fun!
- Apache maven is a common build tool for Java. Artifacts needed for the code are in an XML file. During the build process, the Maven console will download the deps it needs for local use. When it does this, a call to the Maven Artifact Resolver is made.
- Maven Central is the main place where Java libraries are downloaded from. Thie site is public and has group ids to publish artifacts. For instance,
org.springframework.bootrepos can only be written to by the owner of this group. To host these, they are done by a global portal or through a legacy OSS repository hosting. JFrog, JBoss and many others are used under the hood to resolve these. - There is a proxy mode that allows for private Maven repo usage. Two of the in-house repo hosting software where vulnerability to XSS via rendering a malicious XML file. Since the XML file is controlled by the attacker and renders on the local browser, this leads to executing arbitrary commands as the logged in user for the page.
- When a repo manager makes a request to download artifacts, it provides all of the information in the URL - group id, artifact id, etc. What would happen if this information contained slashes or pounds? It's not escaped at all. So, it would be possible to change the meaning of the URL. Additionally, the values after the artifact are truncated by all of the servers.
- For some reason, JFrog supports semi-colons in the URLs as a deliminator. The semi-colon ends the parsing for JFrog but not other things. So, we can effectively do cache poisoning when proxies are being used! The proxied request will get things after the directory traversal then the next cached request will get the poisoned values.
- Both Nexus and JFrog support URL query parameters for proxy repos. Messing around with these was a good attack surface as a result. The Nexus host was doing authorization checks based upon some route matching. By appending an extra slash in the URL path, this verification was bypassed. This allowed for overwriting unintended files on the server.
- To make exploitation easier, they found that the
contentGeneratortag could be set tovelocity. This is a templating engine! So, by overwriting the file with velocity template, RCE is achieved but with authentication. - Overall, a pretty awesome post. The author has a good insight for how they found many of these bugs: "This [architecture] may introduce a second-order vulnerability when an attacker uploads a specially crafted artifact to the public repository first, and then uses it to attack the in-house manager." Integrators multiple pieces of software is complicated.
Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL injections
Mehdi Elyassa - Synacktiv Reference →Posted 1 Year Ago- Microsoft Configuration Manager (MCM) is a systems management software by Microsoft. It manages computers with remote control, patch management, etc. If you find a bug, it's a really bad day for the administrators that use it!
- The requests to this server are made over HTTP. While reverse engineering
LocationMgr.dll, they found that some of the provided input was not being properly sanitized. In what way? In a SQL query! - The content is XML that is zipped. The input used for exploitation is a user GUID. The author wrote a nice Python script to make exploitation easy with a simple web request.
- Using SQL injection, it's possible to create a new user account and set their role on the database. Deployment information can now be changed to execute arbitrary commands on all linked systems and bash commands via SQL on the server itself.
- They found one more very similar SQL injection vulnerability as well. Somewhere and some way, it's required to put in effort. Sometimes, it's a crazy vulnerability. Other times, it's reverse engineering. You gotta put the work in or the bug you're looking for has already been found.
Decommissioning Prisma Finance - A Turbulent but Ultimately Soft-Landing
wavey Reference →Posted 1 Year Ago- Prisma Finance is a hacked Liquidity fork that has been a ghost ever since. However, there is still some liquidity in it that they needed to get out. They discovered several other bugs in it while trying to decommision it.
- As the TVL dwindled, a subtle account bug came to light. This was discovered after seeing a mismatch in the sum of the user debt and the actual user debt. The culprit is a stale value being used that did not include the interest from a previous call. Over time, a drift between the collateral's asset value and the tracking of debt would occur. If too much was tried to be withdrawn, then an integer underflow would occur, rendering it all useless.
- At first, they thought fixing this was impossible, since it was in a sunset mode. However, they noticed that Governance was still enabled. By setting the oracle contract to return a value of
uint256.max, users could withdraw their collateral again. This manipulated price created a bunch of bad debt in the protocol but users could get their funds back. - The second bug is MUCH worse. A Discord user posted that collateral gains from the ULTRA pool could not be claimed. At the top of the function
claimCollateralGains(), the author noticed_accrueDepositorCollateralGain. This function rests a value that SHOULD have been zeroed out. Effectively, this removes the replay protection. This was exploited for 13ish ETH a while ago. - Prisma needed to reduce the debt ceiling to zero. Because of this, the mkUSD and ULTRA loans were not allowed. When this happened, Prisma's stablecoins deviated from their $1 peg to as high as $1.45. Why? The stablecoins are required for users to close their loans. Since this was the case, the token became more valuable. Traders hoarded the token to drive up the price and got a profit from the sale.
- Because of this bad market dynamic, they added a manual 1 to 1 peg to allow users to close their loans without paying high amounts.
- There are still $80K in debt remaining that needs to be claimed. Overall, a super interesting post on the complexities of shutting down a protocol.
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
Sam Curry Reference →Posted 1 Year Ago- Sam Curry and friends had pwned the auto industry for fun multiple times. This time, they set their eyes on Subaru.
- The initial tests around the main Subaru mobile app didn't lead to anything. It was well secured. After talking with Shubs about this, Shubs discovered a website that Sam hadn't seen before -
subarucs.com. Upon looking at subdomains of this, they found a website that had the titleSTARLINK Admin Portal. - Not the Elon Musk Starlink - it's the name of the Subaru in-vehicle infotainment system for remote functionality. With no login creds, it wasn't very interesting. While reading the JavaScript, they found both
starlinkEnroll.jsandlogin.jsthat included references to a password reset. - The JavaScript used for the password reset functionality had ZERO confirmation token on it. If this functionality worked as it looked in the JS, then a single POST request could reset the password of an internal employee account. Unfortunately, this required a valid email which they didn't have - but it DID work for enumeration.
- This had 2FA - literally just the city you lived in. Luckily for them, the 2FA was client-side enforced only. Now, they could login with this users account with the password that they had set.
- On the website, they were able to track a users exact coordinates for the last year. It contained a vehicle search based on a lot of criteria as well. The panel allowed for attachment to an account without the consent of anyone. So, they used this to attachment their account to a friends car then remotely started executing commands. Wild!
- Two fairly simple bugs. To me, the asset discovery and reverse engineering of the web page are interesting to me. In web3, virtually everything is open source so this process is super fascinating to me.
