Category Archives: Application Development

Application Development, Data privacy

Do you worry your camera on your iphone manipulate by hacker. 6th Apr 2020

Leave a comment

Preface: Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bug is never ending. Perhaps next round will be yours.

Background: If you let your friend access your phone for 5–7 minutes, they could have downloaded spyware. Perhaps this action only for joking. As a matter of fact, hacker can implant malicious code into a web page to conduct the similar function. Most recently, Apple paid $75,000 to the hacker for reporting the camera hijacking bugs.

Observation: Referring to the attached picture, a simple html file can easily trigger the iphone camera function. Because the control effect of apple is very good. Therefore, it will trigger the control and then let you know. In fact, a hacker hijacked your iPhone camera through a software application or website. However, the iPhone owner can know which application can access your camera. Therefore, it is recommended to check the phone settings in a timely manner. Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bug is never ending. Perhaps next round will be yours.

Chrome and Safari on iOS can access your lens without special markup and can perform both AJAX POST and synchronous form POST operations just like a desktop browser. So, please be careful to use your phone doing web browsing.

Application Development, Under our observation

Monthly news focus – Mar 2020

Preface: Do you have doubt for the road map of application penetration test? I believe that it is a logical step. Sometimes, you will concerning the limit time windows for remediation for different of vulnerability result. The penetration tester will narrow down the work scope especially the high risk rating vulnerability item. Since this is the highest priority job which requires customer to do the remedy.

How do you deal with application vulnerabilities? I also encountered this error because the high-risk level vulnerability made me nervous. Believe it or not, whether an application system can do a good vulnerability management sometimes depends on how hard the penetration tester analyzes the collected information. Below example can let you know my statement is true.

Get for POST (Risk: informational) – A request that was originally observed as a POST was also accepted a a GET. This issue does not represent a securit weakness into itself. However it may facilities simplification of other attacks. For example if the original is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

Hey Guys, don’t be worry too much. But you should be careful when you do the application penetration test report next time. Be remember that ask your consultant once you got a question.

Application Development, Under our observation

Can it be remedied or is it a enigma? – JAN 2020

Preface: User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.

Synopsis: UAC Bypass Using eventvwr.exe was exploited by malware in 2017. Microsoft fixes Eventvwr.exe UAC Bypass Exploit in Windows 10 Creators Update. In Windows 10 Creators Update preview build 15007, Microsoft seems to have fixed the UAC bypass method involving eventvwr.exe. But the investigator still discovered similar of UAC bypass exploit technique was used by ransomware.
In April of 2019, expert found a new type of ransomware named Sodinokibi. Their design utilize a module loaded into memory functions as a loader on phase 1. Meanwhile it will try to conduct UAC bypass if the processes privileges are insufficient.

The mechanism of UAC bypass technique not limit to use eventvwr.exe. The attacker can writes itself to the registry key (Software\Classes\mscfile\shell\open\command) and launches a new instance of explorer.exe to execute compmgmtlauncher.exe. Whereby it executes anything configured in the registry key Software\Classes\mscfile\shell\open\command\ then execute a script (see above diagram).

So, we have a basic concept that if we only following vendor announcement conduct a patch management will not be a efficient technique to protect your machine avoid ransomware attack.

Objectives and definitions for establishing light weapons: In order to avoid the detection of the anti-malware mechanism, quite a lot of notorious APT malware will be relied on design weakness of UAC. As a result, it can bypass the access control, meanwhile it can significant increase the successful rate of the phase one of cyber attack because it bring the difficulties to the defense mechanism. The fact is that only detect a simple script or code not easy to predict what the intention was. When Wannacry ransomware was born, perhaps the design goal is SMB vulnerability. But it lack of competence of the attack strategy. Whereby, when ransomware take the action to deleting the shadow copies of the system requires local administrator rights the User Account Control will prompt the user for allowing elevated privileges in order to execute the operation (see below diagram). So it alert the end user something will be happened when it click. Therefore the new generation of ransomware try to management this design weakness.

Ransomware author leverage UAC Bypass technique: A novel technique, Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll. Perhaps you might say, this vulnerability has been fixed by Microsoft. But the market feedback is as follow:

Microsoft doesn’t consider UAC a security barrier, and thus they often don’t fix UAC bypasses. These bypasses are common and easy. The following figure shows another scenario of UAC bypass.
Let’s open our eyes and see what happens in the evolving world of cybersecurity?

……………………………………………..END

Additional topic: I am wishing that the Coronavirus will be gone in next morning. Perhaps it was not possible but such punishment to man kind that has been enough!

Application Development

NewsOne design weakness – Arbitrary File Upload (18th Jan 2020)

Preface: Arbitrary File Upload but require regular user sign in. Perhaps it lose the access control!

Product description: NewsOne is a web based application and fully responsive news & magazine script. Anyone can start your own media/press website with just few clicks without any codding knowledge.

Vulnerability details: Auth as a regular user. Go to specify URL (see attached diagram) and upload any file you want via <input type=”file” name=”user_image”> field. From security point of view, An attacker can use this vulnerability to perform a variety of malicious activities, including defacement, disclosure, and malware infection.

Remedy : Waiting for vendor announcement

Application Development

Do not ignore integer overflow attack. His power equivalent with torpedo.

Preface: Malware detection, SIEM and predictive technology enhance the detective and preventive control in cyber security world. However the hacker still have solutions to conduct infiltration thus compromise the system. Attacker exploit integer overflow do the evasion. From technical point of view. It is difficult to detect.

Historical records of cyber attack who exploit integer overflow vulnerability:

Total 329 ethereum tokens vulnerable for integer overflow – 9th Jul 2018 – http://www.antihackingonline.com/potential-risk-of-cve/9th-jul-2018-total-329-ethereum-tokens-vulnerable-for-integer-overflow/

CVE-2018-6983 VMware Workstation and Fusion updates address an integer overflow issue – 22nd Nov 2018 – http://www.antihackingonline.com/potential-risk-of-cve/cve-2018-6983-vmware-workstation-and-fusion-updates-address-an-integer-overflow-issue-22nd-nov-2018/

CVE-2018-20181 rdesktop seamless_process() Heap-Based Buffer Overflow Memory Corruption Vulnerability – https://cxsecurity.com/cveshow/CVE-2018-20181

Observation: According to my observations, there are technical limitation on software engineering, most likely the cyber criminal keen to develop a technique sound like F117. That is invisible to radar (IDS) and infrared (SIEM). Perhaps online web application shall require user input function. Even though software developer introduce pull down menu function. However it is not able to lack of name and password input. So this is the objective we highlight today. Integer overflow technique exact can provides silent attack. As a result it form a bridge let attacker execute the 2nd phase of attack. For instance in C environment, The range of unsigned char is (0 – 255). So if the input password length is 260, it will cause integer overflow . So passwd_len actually has a length of 4, so you can bypass the length limit. If buf parameter has design limitation, stuffed 260 length of data into it, it will cause stack overflow.

Application Development

Software tool can deep look into malware and design weakness – Ghidra

Preface: Ghidra is one such well-known software reverse engineering toolkit that the NSA agency has been using for a long time.

Synopsis: He ensured the audience that there’s no backdoor in Ghidra, said Rob Joyce, the cybersecurity adviser to the NSA director.

About installation: Quick and simple way

Prerequisite: Since “Ghidra” relies on JDK 11+ and therefore your Linux OS might require to update. For example: I am using Fedora system. In order to avoid any technical problem occurs during installation. My Fedora upgrade to Fedora 28.

1. Before kick start do the installation, please confirm your current OS whether compatibility with JDK 11+.

2. If you don’t have any technical concerns about item 1, you can download the software by going to the url below.

https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

3. Copy file (ghidra_9.0_PUBLIC_20190228.zip) to your decide location (/home/xxxx/ghidra).

Remark: xxxx is your user name in Linux

4. Permission setting

chmod 755 ghidra_9.0_PUBLIC_20190228.zip

5. unzip the download file

unzip ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

Now do the JDK 11+ installation:

6. As said, I am working on Fedora 28.So download the require JDK 11+ source file in the following location:

curl -O https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz

7. After the download, extract the archive

tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz

8. Move the resulting folder to /usr/local/

sudo mv jdk-11* /usr/local/

9. Set environment variables (create or edit existing jdk11.sh file)

sudo vi /etc/profile.d/jdk11.sh

Add:

export JAVA_HOME=/usr/local/jdk-11.0.1

export PATH=$PATH:$JAVA_HOME/bin

10. Source your profile file and check java command

$ source /etc/profile.d/jdk11.sh

$ java -version

openjdk version “11.0.1” 2018-10-16

OpenJDK Runtime Environment 18.9 (build 11.0.1+13)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

11. $ which java

/usr/local/jdk-11.0.1/bin/java

12. Installation has been done.

13. You can go to Ghidra now. Go the location which Ghidra in place. Then execute ./ghidraRun .

For users instruction, please refer below url:

https://ghidra-sre.org/InstallationGuide.html

End.


Application Development, Under our observation

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Preface: Some organizations that use MySQL include GitHub, US Navy, NASA, Tesla, Netflix, WeChat, Facebook, Zendesk, Twitter, Zappos, YouTube,…etc

Background: Technology writer Ionut Ilascu alert that there is command in MySQL server could be use for steal the personal and web server data without a high level evasion technique.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access.

Security Issues with LOAD DATA LOCAL on web server side:
In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.

Sounds scary. Should you have interest of this topic, please refer below url: https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html

2018, Application Development, cyber security incident news highlight

Facebook 6.8 million users’ private photos leaked – Suspected it was happened in developers environment.

Facebook looks bad luck this year. It is better to invite Chinese Feng Shui master provides suggestion. Yes, it is kidding.

Perhaps Facebook intend to improve their image. It immediately let’s public know what is happening in the moment. It is talking about 6.8 million users’ private photos leakage. But suspected that the loophole was happened in developers environment.
My comment is that may be vulnerability happens in call to action function. A design limitation keep the CTA access token. And therefore it provides unauthorize access.

Headline News: https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed

Application Development

Something 101 – Are you aware Docker containers safety?

Preface: Docker’s introduction of the standardized image format has fueled of interest in the use of containers in the enterprise recently. A Docker container look likes a Virtual machine.

It is without antivirus or malware detector facilities install to Docker container platform. Is that secure?

On the market, there is no such product available in the market. However if you would like to find out something 101 about preventive control. It can find on this short discussion.

Hints: When a container accesses a database or service it will require a secret, like an API key or username and password. An attacker that gains access to the secret will also have access to the service. For more details, please refer to attached diagram.

Recommendation:

  1. Ensure that processes in containers do not run as root, so when attacker try to exploiting privileges command, it will be restricted by role base control.
  2. Cut down on the kernel calls that a container can make to reduce the potential attack surface.

So called “something 101” as usual technical details not suitable describe in long format. See whether we have chance to discuss more in future.

Application Development, System

He is a bird – Taiwan supercomputer (Nov 2018)

Preface: There are many reasons for wanting to combine the two parallel programming approaches of MPI and CUDA. A common reason is to enable solving problems with a data size too large to fit into the memory of a single GPU, or that would require an unreasonably long compute time on a single node. The message passing interface (MPI) architecture successful exchanging messages between multiple computers running a parallel program across distributed memory. Thereby single system can group together form a big power.

Synopsis:
The open source refers to any program whose source code is made available for public use. Open MPI is a Message Passing Interface library project combining technologies and resources from several other projects. Meanwhile it is a potential power driving the technology world in this century. It is hard to imagine that Xeon processor type computer machine will go to supercomputers world. With assist of QuantaGrid D52G-4U GPU. The dream come true now. Tesla V100 can deliver up to 896 tensor Tflops to training deep learning model with 8 NVIDIA Tesla V100 (dual-width 10.5″). Taiwania 2 supercomputer take the role to handle big data , AI and scientific research functions.

Ref: https://www.taiwannews.com.tw/en/news/3575187