Category Archives: Application Development

Application Development, Potential Risk of CVE

About vulnerabilities of PHP – Aug 2018

Leave a comment

PHP is a popular open source general-purpose scripting language. It capable for web development and can be embedded into HTML. Perhaps a fundamental weakness of PHP and therefore we seen common problem especially SQL Injection and Trusting user input to execute code happens in frequent.

Below details are the php vulnerabilities found on Aug 2018.

(CVE-2018-14883) An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c

https://bugs.php.net/bug.php?id=76423

(CVE-2018-14851) Allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

https://bugs.php.net/bug.php?id=76557

(CVE-2018-14884) Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

https://bugs.php.net/bug.php?id=75535

Reference: Vulnerability found on Jul 2018

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

Application Development, System, Under our observation

Aug 2018 – Similar to establish new challenge in IT world, mingw-w64 design limitation!

Leave a comment

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. ASLR function like the last line of defense of the system against cyber attack. Recently, security expert comment that the software application developer might not following guideline issue by CPU vendor. The fact is that an error occur on their software application when apply ASLR or SGX ( Software Guard Extensions – Intel). As a result, the non compliance application products will be available in the cyber world.

The actual scenario is that several tools that check for ASLR compatibility assume that the presence of the “Dynamic base” PE header is sufficient for ASLR compatibility. Because Process Explorer does not check that a relocation table is present, its indication of “ASLR” for a running process may be incorrect, and it may provides room for malware alive. I forseen that it may create the impact to the docker environment.

 

MinGW is an implementation of most of the GNU building utilities, like gcc and make on windows, while gcc is only the compiler. It looks that it has more Linux operating system includes in ASLR non compatible checklist announced by MinGW. The CPU vendor on the way to address the CPU design flaw (Meltdown and Spectre). It looks that a new form of challenge is going to join into the mistaken task force.

Should you have interest. Below hyperlink can provides the detail.

Vulnerability Note VU#307144 : mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144

Application Development, Cell Phone (iPhone, Android, windows mobile), System, Under our observation

Synopsis- NIST plan to retire SMS function deployed for two Factor Authentication

Leave a comment

As of today, we are enjoying the security protection of 2 factor authentication with SMS-based one-time passwords (OTP). This protection mechanism was distributed widely. For instance, online banking, Visa,Master credit card online payment system and mobile application payment system. However NIST plan to retire SMS base 2 factor authentication. This decision has similar a open topic for public discussion in related industry since end of 2016. Some of the people queries of the technical standpoint of this decision.

Background – NIST-800-63-3 equivalent a bible for CSO (chief security officer) in the world. Even though you business not focusing US market.  The documentation structure of NIST SP 800-63A is the subset of 800-63-3. This subset of guidelines was specify address digital identity guidelines. Item 4.4.1.6 indicate the address confirmation including SMS. (below hyperlink for official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors of below namely, “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS messages system design limitation (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone user. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords
  2. SMS Messages Can Be Intercepted in Many Ways (problem in SS7)
  3. ASN.1 design flaw

Should you have interest of item 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil

 

 

Application Development, Potential Risk of CVE, Under our observation

Node.js hits arbitrary command injection (CVE-2018-13797)

1 Comment

Node.js framework become popular today. Node.js can build the application on ethereum (cryptocurrency). Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world.

Meanwhile, npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. Software developers must stay alert on CVE-2018-13797. Should you have interested, please refer below:

Fixes arbitrary command injection by using execFile instead of exec:

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

https://github.com/scravy/node-macaddress/pull/20/

Application Development, Blockchain

Integer overflow weakness similar kill the Ethereum. But SafeMath to protect from overflows.

Leave a comment

Integer overflow weakness similar kill the Ethereum – for more details, please see below (url):

Jul 2018 – Integer overflow may killed Ethereum!

But SafeMath to protect from overflows.

c >= a causes integer overflow happen

arithmetic: c=a+b-M (where M = 2**256 is the max unit256 plus one)

If c >=a replace to get a + b -M >=a

Cancelling and recording terms and get b >= M

Result: b is a uint256 and thus b < M

write an algebraic expression in a certain order. We start with the terms that have the largest exponents and work our way down to the constants. Using the commutative property of addition, we can rearrange the terms and put this expression in correct order, like this.

Reference:
Before you evaluate an algebraic expression, you need to simplify it. This will make all your calculations much easier. Here are the basic steps to follow to simplify an algebraic expression:

remove parentheses by multiplying factors
use exponent rules to remove parentheses in terms with exponents
combine like terms by adding coefficients
combine the constants

http://www.math.com/school/subject2/lessons/S2U2L5DP.html

How does the SafeMath library of OpenZeppelin protect your code from integer overflow?

https://ethereum.stackexchange.com/questions/38525/how-does-the-safemath-library-of-openzeppelin-protect-your-code-from-integer-ove?rq=1

Application Development, Potential Risk of CVE

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

1 Comment

CVE-2018-12882 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

Use-After-Free vulnerabilities are a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code. Refer to statistic, PHP Version 5 is used by 82.0% of all the websites who use PHP. How about this vulnerable version? It  is 17.3 %. Both statistic informaiton seems up to date. PHP programming language have following advantage.

  1. Cross-Platform. PHP is, an application can be run on various platforms.
  2. Ease of use. Any individuals who are new to programming can easily learn to use them within a short duration of time.
  3. Open source and Powerful library support.

Hey, but do the remediation first! If you are using version 7.x.

CVE details shown as below: https://www.securityfocus.com/bid/104551/info

Application Development, Blockchain

See whether Bitcoin signatures do not comply with RFC 6979

Leave a comment

Have you heard a song by Dinah Washington ? The song title is what a difference a day made? In crypto currency world, bitcoin is the big brother. However technology world still concerns Bitcore signatures is able to comply with RFC 6979 specification?

Bitcoin owner must protect the private key. The conceptal idea is that generating random number k in elliptic curve is crucial and in any transactions signature in Bitcoin, random number k is required to compute a point k*G. If this k is chosen not randomly, it instantly leaks the private key.

Do you think attached diagram can provide the resolution to you in this regard?

What A Diff’rence A Day Makes Lyrics: What a difference a day made? Twenty-four little hours. Brought the sun and the flowers.Where there used to be rain……..

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA):

https://tools.ietf.org/html/rfc6979

Application Development, Public safety, Under our observation

Attention: Stay Alert – Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

2 Comments

Preface:

PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Security concern by security experts

The security issues are typically exposed when PHP code makes use of system-level calls.

Found critical security problem today! – Original release date: April 27, 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review MS-ISAC Advisory 2018-046 and the PHP Downloads page and apply the necessary updates.

See whether any short term remediation can take before upgrade?

1.Restrict PHP Information Leakage

expose_php=Off

2.Disable Remote Code Execution

Allow_url_fopen=Off

allow_url_include=Off

3.Not show errors to the visitors

(/etc/php.d/security.ini file)

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

4.Disable Dangerous PHP Functions (php.ini)

disable_functions =exec,passthru,

shell_exec,system,proc_open,popen,curl_exec,

curl_multi_exec,parse_ini_file,show_source

5.Upload Files (/etc/php.d/ directory)

file_uploads=Off

6.Control File System Access

always keep the open_basedir directive set to the /var/www/html directory.

open_basedir=”/var/www/html/”

7.Control the POST Size (/etc/php.d/security.ini)

post_max_size=1k

— End —

Application Development, Cell Phone (iPhone, Android, windows mobile), Under our observation

Realistic threats exists in NFC. Are they all secure?

Leave a comment

The mobile payment is aggressive in some sort of area. As seen, it fully utilized in China market. From the economey point of view, this new payment design driven the retail business in parallel. The traditional banknote concept convert to digitalization silently.Is this a prelude of digital currency? The people doubt of the NFC (near field communcation) technology embedded in Visa payment earlier. As times goes by, it is popular today. The new smartphone market similar pushing the NFC techonology into next phase. The new form of payment method integrated both smartphone (iPhone and Android) and payment card with near field communication. How Secure Are NFC Payments? NFC technology comes with a range of security features that help protect financial data from stolen. But are they capable to avoid modern cyber attack? Perhaps if the computer product contains Java programming element. It is hard to avoid vulnerability. As a matter of fact, Java bytecode Verification is a key element in Java world. If this feature applied in the overalll design. It will significant reduce the malware infection because it is not easy to execute the malicious code. Do you have doubt after this discussion?

Application Development

Why REST (API) is so popular? But how to hardening the API security features?

1 Comment

REST (API) is key component to building powerful, scalable web-based applications today. So how to enhance the security feature, since it is working with HTTP communication method. Thence:

1. We should ensure that the HTTP method is valid for the API key/session token and linked collection of resources, record, and action.

2. Authentication – It is better to deploy multi-factor authentication and token-based authentication.

3. Token validation errors should also be logged for audit purpose.

4. Input sanitization.

5. If the classification label of data is private or confidential. A symmetric cryptography will be used to encrypt the data transmitted.

6. Hardrening REST API status return codes instead of 404 (errors) and 200 (success).

Perhaps above items of enhancement not easy to fulfill. However the system developers should be fulfilled the standard requirements. Following the web server security best practice. Apart from that it compliance with HTTP security (RFC7230 – section 9).

Should you have interested of RFC7230 – section 9 standard. Please refer to below url for reference.

https://tools.ietf.org/html/rfc7230#section-9.1