Category Archives: Application Development

CVE-2020-7711- Pure Go repositories (goxmidsig) vulnerability – 23-08-2020

Preface: SAML 2.0 implementation for Service Providers based on etree and goxmldsig, a pure Go implementation of XML digital signatures.

Background: “nil” in Go that represents zero values for pointers, interfaces, channels, maps, slices and function types.

Vulnerability Details: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Reference: When “Go” initializes the pointer, it assigns the value of pointer i to nil, but the value of i represents the address of *i. If nil, the system has not assigned an address to *i. So at this time, * i assignment will have problem occur.

Remedy: Official announcement not announce yet. See whether it can apply the similar syntax to do a short term remediation of this design weakness? The gosmal2 package has encountered the similar technical matter (nil point dereference) on Aug 14, 2019 . For more details, please refer to diagram.

Do you worry your camera on your iphone manipulate by hacker. 6th Apr 2020

Preface: Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bug is never ending. Perhaps next round will be yours.

Background: If you let your friend access your phone for 5–7 minutes, they could have downloaded spyware. Perhaps this action only for joking. As a matter of fact, hacker can implant malicious code into a web page to conduct the similar function. Most recently, Apple paid $75,000 to the hacker for reporting the camera hijacking bugs.

Observation: Referring to the attached picture, a simple html file can easily trigger the iphone camera function. Because the control effect of apple is very good. Therefore, it will trigger the control and then let you know. In fact, a hacker hijacked your iPhone camera through a software application or website. However, the iPhone owner can know which application can access your camera. Therefore, it is recommended to check the phone settings in a timely manner. Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bug is never ending. Perhaps next round will be yours.

Chrome and Safari on iOS can access your lens without special markup and can perform both AJAX POST and synchronous form POST operations just like a desktop browser. So, please be careful to use your phone doing web browsing.

Monthly news focus – Mar 2020

Preface: Do you have doubt for the road map of application penetration test? I believe that it is a logical step. Sometimes, you will concerning the limit time windows for remediation for different of vulnerability result. The penetration tester will narrow down the work scope especially the high risk rating vulnerability item. Since this is the highest priority job which requires customer to do the remedy.

How do you deal with application vulnerabilities? I also encountered this error because the high-risk level vulnerability made me nervous. Believe it or not, whether an application system can do a good vulnerability management sometimes depends on how hard the penetration tester analyzes the collected information. Below example can let you know my statement is true.

Get for POST (Risk: informational) – A request that was originally observed as a POST was also accepted a a GET. This issue does not represent a securit weakness into itself. However it may facilities simplification of other attacks. For example if the original is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

Hey Guys, don’t be worry too much. But you should be careful when you do the application penetration test report next time. Be remember that ask your consultant once you got a question.

Can it be remedied or is it a enigma? – JAN 2020

Preface: User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.

Synopsis: UAC Bypass Using eventvwr.exe was exploited by malware in 2017. Microsoft fixes Eventvwr.exe UAC Bypass Exploit in Windows 10 Creators Update. In Windows 10 Creators Update preview build 15007, Microsoft seems to have fixed the UAC bypass method involving eventvwr.exe. But the investigator still discovered similar of UAC bypass exploit technique was used by ransomware.
In April of 2019, expert found a new type of ransomware named Sodinokibi. Their design utilize a module loaded into memory functions as a loader on phase 1. Meanwhile it will try to conduct UAC bypass if the processes privileges are insufficient.

The mechanism of UAC bypass technique not limit to use eventvwr.exe. The attacker can writes itself to the registry key (Software\Classes\mscfile\shell\open\command) and launches a new instance of explorer.exe to execute compmgmtlauncher.exe. Whereby it executes anything configured in the registry key Software\Classes\mscfile\shell\open\command\ then execute a script (see above diagram).

So, we have a basic concept that if we only following vendor announcement conduct a patch management will not be a efficient technique to protect your machine avoid ransomware attack.

Objectives and definitions for establishing light weapons: In order to avoid the detection of the anti-malware mechanism, quite a lot of notorious APT malware will be relied on design weakness of UAC. As a result, it can bypass the access control, meanwhile it can significant increase the successful rate of the phase one of cyber attack because it bring the difficulties to the defense mechanism. The fact is that only detect a simple script or code not easy to predict what the intention was. When Wannacry ransomware was born, perhaps the design goal is SMB vulnerability. But it lack of competence of the attack strategy. Whereby, when ransomware take the action to deleting the shadow copies of the system requires local administrator rights the User Account Control will prompt the user for allowing elevated privileges in order to execute the operation (see below diagram). So it alert the end user something will be happened when it click. Therefore the new generation of ransomware try to management this design weakness.

Ransomware author leverage UAC Bypass technique: A novel technique, Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll. Perhaps you might say, this vulnerability has been fixed by Microsoft. But the market feedback is as follow:

Microsoft doesn’t consider UAC a security barrier, and thus they often don’t fix UAC bypasses. These bypasses are common and easy. The following figure shows another scenario of UAC bypass.
Let’s open our eyes and see what happens in the evolving world of cybersecurity?

……………………………………………..END

Additional topic: I am wishing that the Coronavirus will be gone in next morning. Perhaps it was not possible but such punishment to man kind that has been enough!

NewsOne design weakness – Arbitrary File Upload (18th Jan 2020)

Preface: Arbitrary File Upload but require regular user sign in. Perhaps it lose the access control!

Product description: NewsOne is a web based application and fully responsive news & magazine script. Anyone can start your own media/press website with just few clicks without any codding knowledge.

Vulnerability details: Auth as a regular user. Go to specify URL (see attached diagram) and upload any file you want via <input type=”file” name=”user_image”> field. From security point of view, An attacker can use this vulnerability to perform a variety of malicious activities, including defacement, disclosure, and malware infection.

Remedy : Waiting for vendor announcement

Do not ignore integer overflow attack. His power equivalent with torpedo.

Preface: Malware detection, SIEM and predictive technology enhance the detective and preventive control in cyber security world. However the hacker still have solutions to conduct infiltration thus compromise the system. Attacker exploit integer overflow do the evasion. From technical point of view. It is difficult to detect.

Historical records of cyber attack who exploit integer overflow vulnerability:

Total 329 ethereum tokens vulnerable for integer overflow – 9th Jul 2018 – http://www.antihackingonline.com/potential-risk-of-cve/9th-jul-2018-total-329-ethereum-tokens-vulnerable-for-integer-overflow/

CVE-2018-6983 VMware Workstation and Fusion updates address an integer overflow issue – 22nd Nov 2018 – http://www.antihackingonline.com/potential-risk-of-cve/cve-2018-6983-vmware-workstation-and-fusion-updates-address-an-integer-overflow-issue-22nd-nov-2018/

CVE-2018-20181 rdesktop seamless_process() Heap-Based Buffer Overflow Memory Corruption Vulnerability – https://cxsecurity.com/cveshow/CVE-2018-20181

Observation: According to my observations, there are technical limitation on software engineering, most likely the cyber criminal keen to develop a technique sound like F117. That is invisible to radar (IDS) and infrared (SIEM). Perhaps online web application shall require user input function. Even though software developer introduce pull down menu function. However it is not able to lack of name and password input. So this is the objective we highlight today. Integer overflow technique exact can provides silent attack. As a result it form a bridge let attacker execute the 2nd phase of attack. For instance in C environment, The range of unsigned char is (0 – 255). So if the input password length is 260, it will cause integer overflow . So passwd_len actually has a length of 4, so you can bypass the length limit. If buf parameter has design limitation, stuffed 260 length of data into it, it will cause stack overflow.

Software tool can deep look into malware and design weakness – Ghidra

Preface: Ghidra is one such well-known software reverse engineering toolkit that the NSA agency has been using for a long time.

Synopsis: He ensured the audience that there’s no backdoor in Ghidra, said Rob Joyce, the cybersecurity adviser to the NSA director.

About installation: Quick and simple way

Prerequisite: Since “Ghidra” relies on JDK 11+ and therefore your Linux OS might require to update. For example: I am using Fedora system. In order to avoid any technical problem occurs during installation. My Fedora upgrade to Fedora 28.

1. Before kick start do the installation, please confirm your current OS whether compatibility with JDK 11+.

2. If you don’t have any technical concerns about item 1, you can download the software by going to the url below.

https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

3. Copy file (ghidra_9.0_PUBLIC_20190228.zip) to your decide location (/home/xxxx/ghidra).

Remark: xxxx is your user name in Linux

4. Permission setting

chmod 755 ghidra_9.0_PUBLIC_20190228.zip

5. unzip the download file

unzip ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

Now do the JDK 11+ installation:

6. As said, I am working on Fedora 28.So download the require JDK 11+ source file in the following location:

curl -O https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz

7. After the download, extract the archive

tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz

8. Move the resulting folder to /usr/local/

sudo mv jdk-11* /usr/local/

9. Set environment variables (create or edit existing jdk11.sh file)

sudo vi /etc/profile.d/jdk11.sh

Add:

export JAVA_HOME=/usr/local/jdk-11.0.1

export PATH=$PATH:$JAVA_HOME/bin

10. Source your profile file and check java command

$ source /etc/profile.d/jdk11.sh

$ java -version

openjdk version “11.0.1” 2018-10-16

OpenJDK Runtime Environment 18.9 (build 11.0.1+13)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

11. $ which java

/usr/local/jdk-11.0.1/bin/java

12. Installation has been done.

13. You can go to Ghidra now. Go the location which Ghidra in place. Then execute ./ghidraRun .

For users instruction, please refer below url:

https://ghidra-sre.org/InstallationGuide.html

End.


Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Preface: Some organizations that use MySQL include GitHub, US Navy, NASA, Tesla, Netflix, WeChat, Facebook, Zendesk, Twitter, Zappos, YouTube,…etc

Background: Technology writer Ionut Ilascu alert that there is command in MySQL server could be use for steal the personal and web server data without a high level evasion technique.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access.

Security Issues with LOAD DATA LOCAL on web server side:
In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.

Sounds scary. Should you have interest of this topic, please refer below url: https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html

Facebook 6.8 million users’ private photos leaked – Suspected it was happened in developers environment.

Facebook looks bad luck this year. It is better to invite Chinese Feng Shui master provides suggestion. Yes, it is kidding.

Perhaps Facebook intend to improve their image. It immediately let’s public know what is happening in the moment. It is talking about 6.8 million users’ private photos leakage. But suspected that the loophole was happened in developers environment.
My comment is that may be vulnerability happens in call to action function. A design limitation keep the CTA access token. And therefore it provides unauthorize access.

Headline News: https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed

Something 101 – Are you aware Docker containers safety?

Preface: Docker’s introduction of the standardized image format has fueled of interest in the use of containers in the enterprise recently. A Docker container look likes a Virtual machine.

It is without antivirus or malware detector facilities install to Docker container platform. Is that secure?

On the market, there is no such product available in the market. However if you would like to find out something 101 about preventive control. It can find on this short discussion.

Hints: When a container accesses a database or service it will require a secret, like an API key or username and password. An attacker that gains access to the secret will also have access to the service. For more details, please refer to attached diagram.

Recommendation:

  1. Ensure that processes in containers do not run as root, so when attacker try to exploiting privileges command, it will be restricted by role base control.
  2. Cut down on the kernel calls that a container can make to reduce the potential attack surface.

So called “something 101” as usual technical details not suitable describe in long format. See whether we have chance to discuss more in future.