Episode 60 - Breaking Lock Screens & The Great Vbox Escape

This transcript is automatically generated, there will be mistakes
Specter
00:00:08
Hello, everyone, welcome to episode 60 of the Day Zero podcast. I'm Specter, with me is zi. Sorry that we couldn't go live this week. Unfortunately, Canadian winter and above-ground power lines do not make for an awesome combination, as I had a bit of a power outage. It was literally like 40 minutes before we were supposed to start today.
zi
00:00:27
So I figured you'd know me better. I like these I
Specter
00:00:32
I know, I slipped up. I just rolled with it, but I should have caught that. I'm sorry. So the videos are up at normal times obviously, but the stream didn't happen this week. Nonetheless, in this episode we have lots of lock screen bypasses, the almost end of an era with Bugtraq, and a write-up about escaping VirtualBox. So zi, I'll pass our first topic over to you, because I know you had some things to say about Slayer
zi
00:00:59
Labs. Yeah, so I've mentioned Slayer Labs before on the podcast. I kind of gave them a brief shout-out back on episode 35 last March, and they kind of fill an interesting gap that I think exists in training. When I've talked about OSCP in the past, to be clear, I have not done OSCP, but when I think about some of the benefits that do come from it, it's not so much that the course, I think, you know, just covers everything or that it's amazing or anything like that. But the lab environment, giving you a place to kind of play around with some of the vulnerabilities and actually get some hands-on practice in an environment that isn't insanely structured or isn't just walking you through everything, I think that has a lot of value. And that's where Slayer Labs kind of tries to fit in that gap of providing that sort of flexible training, that area that you just get to kind of play around with, by providing these open labs that are structured not just like Hack The Box, where you get like a box to play around with, but like a complete lab, you know, several domains to move around through, boxes that you can only hit after compromising other things, chaining things off, pivoting through the network. They kind of provide that at a fairly reasonable price. They've got three labs here. NeoTech is their easiest lab, eleven VMs within it, so kind of on the smaller side, $14 for 14 days of access. Pretty reasonable, I think, for anybody that's kind of in that in-between spot: you kind of know what you're doing and you just want to get a little bit more practice, have kind of that chance to play around with things a little bit more. I haven't actually been through most of these labs, so I can't actually comment on the content too much, except one of the reasons why I was hesitant in the past with recommending Slayer Labs was simply because this is only available to U.S. residents, that's residents in the sense like you're in the U.S.,
not like permanent resident or anything. But they would only open it up to people that are in the US, and it seems like that will be changing. Right now their frequently asked questions still mentions that as a requirement. Fortunately, however, last month they reached out asking if I was interested in giving it a test, being from outside of the US, in Canada. So I'm not sure how they're going to be opening it up; if I get more information about that at all, I'll make that known. But they did give me access to their The Sprawl range, which is, I believe, their largest lab, with 40 VMs, I believe, with Windows Active Directory issues and just web apps. And it was a lot more polished and impressive than I was actually expecting it to be. I was kind of expecting it to have like some decent machines, some decent challenges in there, but they've put a lot of effort in, and it seems kind of small, but the UI was really well done, just in terms of like going around the boxes, all of the applications you had, and just like the interface for reverting the box and stuff. Like, they put a good amount of work into that. As somebody that's done a bit of web design, I know how much of a pain that can be. They did a really good job, and while it's maybe not the most important thing, it's one of those things that really stands out as soon as you kind of see that level of polish on there. But talking about the actual lab, it is, I want to say, $19 for 14 days, $36 for 30 days, which is a pretty reasonable price, especially with 40-plus VMs, I think it's 41, four domains, five subnets to kind of move around between. I did not get as far as I wanted to, just being the Christmas season when I had access; I did not get to spend as much time as I'd have liked, but overall I was quite impressed, and I do like the fact they do this campaign mode.
They kind of give you a little bit of a story to follow along with that kind of provides some natural hints about access, some natural goals for you to go after, rather than just kind of having free roaming. You can just go at it in whatever order you want; it's not locked down to you following this campaign. You can use free roam mode, where you just get to target everything and anything. The issues themselves, generally, they're not CTF style. There, you know, you might find information on one box that you'll use over on another, and the information will kind of be sitting in more or less normal locations where somebody might put it. It's not like, oh, here's, you know, get the next information from like flag.txt. So it's a lot more realistic as to what you might encounter during an actual penetration test. I mean, overall I was really impressed by the polish that kind of exists there. I didn't run into a lot of issues. I didn't get to go as deep as I wanted to, as I already mentioned, partially because of the time, partially because, I mean, I do application security; network security is definitely not my strong suit. But because they did give me access, I did at least want to kind of give them that quick review, because I was really excited when I first saw them and super disappointed when I saw that it was only for Americans. So they're clearly planning to open this up. I believe some of the issues have just been related to like tax issues. You know, how do you
Specter
00:06:56
charge taxes internationally
zi
00:06:58
Some of that? I'm assuming it actually probably started as, I'm assuming, somebody who's played like CTFs and has some experience on that side of things and wanted to get into this, rather than like some large company that's trying to break into the training industry. So I can understand somebody not necessarily knowing about all the taxes, I certainly wouldn't, and just kind of taking the safe route of just keeping it within the US; there's none of the international issues to deal with. Honestly, I think this is really awesome. It fills that gap of getting the realistic environment to play around in, and the price is quite good. I mean, it's cheaper, I believe, than even Hack The Box Pro. I have not done any of the Hack The Box Pro Network, so I can't comment on how similar they are, but that is kind of another option that provides those networks for you to play around
Specter
00:07:53
with. I will say another thing I noticed just looking at their pages: the Windows VMs. And while that may seem trivial to call out, a lot of late, whether it be CTFs or labs or whatever, they mostly focus on like the Linux side of things, because Windows is a bit of a pain to deal with from an infrastructure point of view. So that's another like point of value here, the fact that it's not just Linux but it's both Windows and Linux. I think having access to both those environments is a cool add as well.
zi
00:08:23
Yes, I'm glad you mentioned that, and I recently found out in a discussion with somebody that it's maybe not as bad as I thought to get Windows machines in there. And so with Windows 10, you can actually, within their terms as far as I can tell, use it in like a commercial project without activating Windows 10. Like, you can use the free version of it because it's not actually a trial version; it's just a more restricted version. So that does let you get the Windows operating system in a little bit easier. I just recently kind of had a discussion about this, so I thought I'd call that out, but it might actually mean that we'll see some Windows show up over on zero wax,
Specter
00:09:06
too. Yeah, it's funny. This is a bit of a tangent, but I remember seeing this discussion pop up when it came to like tech reviewers doing benchmarks, because their question was why were they using free versions of Windows? Because the way Windows licensing works is kind of weird. It's kind of tied to your hardware. So if you switch out too many things in your hardware, it'll actually deactivate your Windows license. So tech reviewers will use the unactivated Windows for like benchmarking and stuff, and technically that is a commercial context, right? You're making money off of doing the reviews. So I saw that come up there too.
zi
00:09:42
Yeah, and that's completely allowed, the commercial usage. It's their terms for that VM, the developer VM that has like some things installed, that has more restrictions on how you could use it. But just the operating system itself, the free one, it's not a trial. It is literally just a free version that's more restricted, but it is a free version, which means you are able to use that basically however you want. I spent some time trying to read all of their terms of service to dig into what type of restrictions they had, and I was surprised by
Specter
00:10:12
that. It'd be cool to try to get some challenges on 0x for
zi
00:10:17
that. And that definitely isn't to downplay maybe the effort for a network like this. Running AD, they very well might be running Windows Server, which is not a free thing to run, by far. Yeah, on a whole, like, I was really impressed by it. Like I said, I didn't get as far into it as I would have liked. I very well might go ahead and pay for just flying around in their other labs too for myself, but I really wanted to give them the shout-out here. This is, like I said, I think this fits that really important gap of like bridging that knowledge from, you know, all the little tips and tricks and all the basics, to playing around in an actual environment. I wouldn't recommend at least The Sprawl as somewhere to go learn those things, but it is somewhere to actually get some practice and kind of put it into practice. I'm not sure how NeoTech, NeoTech is their newest lab, which is their easy one, that one maybe is a bit more accessible for like a newcomer, but because of the openness it's not really guided very well in terms of being a training, from what I've seen. NeoTech might be different. Yeah, I mean, I keep repeating that point, but yeah, I'm excited to see where they go from here, especially since they started with just the one lab about a year ago. I don't recall the exact date they started. Now they're up with three, so I mean they're probably going to keep adding more, I imagine, too. So I'm excited to see where they go. I hope they get a lot more
Specter
00:11:49
uptake. Yeah, and on that point, I noticed that actually under their ranges they say that more ranges are in development. So yeah, let's keep a lookout and see what else comes in that area. Oh, Bugtraq shut down. I saw this on Twitter; people were saying it's the end of an era with Bugtraq shutting down, though there are some updates on this, which I'll get into in a minute. So originally the archive was intended to stay up until the 31st of January, but no new messages were going to be sent to the mailing list, and that was coming out of the acquisition of some of SecurityFocus, which owns the Bugtraq mailing list; their assets were being acquired by Accenture. There's a last-minute update on this though: yesterday there was a decision made to continue. They announced the continuation of the list, I guess because of community support and people saying that they really didn't want it to go or whatever. So I'll pull it up on the stream here. But yeah, they said, on second thought, Bugtraq has been a valuable institution for almost 30 years, so based on the feedback we've received from both the community at large and internally, we've decided to keep the list running. So yeah, I guess it's kind of funny. It was originally the end of an era, now it's not; they just decided to walk it back. Yeah, they just walked it
zi
00:13:09
back. To be fair, Bugtraq has kind of lost its relevance. Oh really, like after the Full Disclosure split way back, and probably really around 2010, I think more people moved on to the Full Disclosure mailing list over Bugtraq. It is still, like, I think the era already ended and this was just going to be the final nail. Although with that update, I mean, it's nice that they'll keep it running, but it's not like it was entirely active. But I mean Full Disclosure, I think, is where a lot of the discussion that Bugtraq used to have happens. Yeah, I mean, that split happened, I want to say, it started with grok taking it over, or not taking it over but starting Full Disclosure, like 2002. So like a pretty old split.
Specter
00:14:10
But you can even see in their list archives, they have like the number of messages that were sent per year, by month, and you can see like around 2016 especially it really starts to fall off. So,
zi
00:14:26
I mean, who uses mailing lists anymore? It feels like a lot of the mailing lists that I've been on have really died, actually, right around like, yeah, '15, '16, even unrelated to security; a couple of mailing lists I was on for other stuff have died kind of since then. Nonetheless, I mean Bugtraq, it was really, I think, the start of, or gave birth to, like the whole full disclosure movement. It definitely, like, it existed before, there were even some other mailing lists before, but it feels like, you know, if you were to trace it back to a single event, like this Bugtraq mailing list was kind of where that got its big push. So, I mean, this started nearly 30 years ago, so '93. Nobody was like, so many vendors were ignoring vulnerabilities at that point, and to be clear, I was not part of the scene in '93. I was not doing any of this yet then, or capable of doing anything yet. But I understand that, like, vendors through the '90s really were not great about dealing with vulnerabilities, and through the '80s, of course, before that. We didn't have all the websites; I mean, the web wasn't really a thing until after '93 also; that's why it's a mailing list. It played a pretty big role, and I can't take that away from it, even as I'm talking about maybe its relevance not being quite as strong anymore. It's had a very significant role in the security
Specter
00:16:02
industry. Yeah, but like you said, yeah, it's cool that they're going to keep it running even though it's not really used as much anymore. All that stuff has probably moved to like Slack or Teams and integrations like GitHub and stuff, with GitHub issues and whatnot. So yeah, I think there are so many other better avenues at this point, but still, you haven't
zi
00:16:28
published for yourself too, like, I mean, blogs are a thing now. Blogs were not a thing in 1993. And you're able to kind of self-publish or even share. You've got HackerOne to disclose. You don't need to, like, there are other options for disclosure, and I think you could also have like the full disclosure argument, although the disclosure policies is kind of why the split between Bugtraq and Full Disclosure happened in the first place. But you can have some of that discussion. But yeah, I mean, I'm glad they're keeping it up, but there are, these days, there are so many other ways you can report your vulnerabilities, and I think doing so arguably more responsibly. It depends on how you go about it though, even with the mailing
Specter
00:17:19
list. Yeah, so up next we have a report on the security of the iOS and Android platforms. So there is a full report which you can read; it goes into more detail if you're interested. We're mainly going to cover the highlighted points on the first page, though some of these points will probably sound familiar to those of you who follow mobile security. So they focus on iOS and Android, right? So those are the two major mobile platforms. So with iOS, they note that they have strong mitigations and privacy controls, which is pretty well known, but there is a lack of protection around encryption due to most applications using Available After First Unlock, or AFU I believe it's called, encryption, where the keys are kept in memory even when the phone is in a locked state, although with iOS I believe they are evicted eventually; it's just not right away. They note that iCloud backup is a potential weak point. There's been evidence of compromise in the past of secure enclaves, mainly with GrayKey, and there's some confusion around encryption and end-to-end encryption when it comes to cloud services. From what I believe, iCloud backup is encrypted and not end-to-end, even though Apple cloud services are advertised as end-to-end encrypted. So there's a bit of confusion there on what exactly is end-to-end and what isn't.
zi
00:18:39
When I was reading this, I kind of got the opposite understanding: that with end-to-end, the problem was that even though things were end-to-end encrypted, as soon as you turned on the iCloud backups, those would happen, or the iCloud backup would happen, in the clear, or partially in the clear. I guess it wasn't so much in the clear. I think the issue was that, or no, I guess that was a separate issue, where Apple can basically get the user data to go to another hardware security module that could be compromised, like easily move things around like that. That was a separate issue. But my understanding, when it came to the end-to-end cloud services, was just that you would basically undermine the end-to-end by using the backup service. Maybe I misunderstood that, and those seem to disagree on how that
Specter
00:19:30
worked. So I was a little bit confused with the way it was worded. The way you're talking about it actually makes a lot more sense, so I think you're probably right and I was probably confused here. So okay, yeah, that makes sense, because the way I'm rereading it now, they're saying that, yeah, we find the end-to-end confidentiality of some encrypted services undermined when used in tandem with the iCloud backup service. Okay, so it was a little bit weird how it was worded. But okay,
zi
00:19:58
so, and that's not an entirely surprising conclusion either. And I guess I will mention, like, this whole report, it's coming from looking at what law enforcement, and like looking at the government documents, like out of various legal cases, what their capabilities seem to be. That's where they're finding these weaknesses. It's not so much a survey of the actual vulnerabilities but of what law enforcement and the government seem to actually be
Specter
00:20:28
doing. Yeah, because I think one point that they made pretty strongly near the top was the fact that if they have like a warrant or whatever, you know, the US government, or the US, you know, through the legal system, they could essentially contact Apple and get anything through that iCloud backup that you have there. Whereas with end-to-end encryption, they obviously wouldn't be able to do that, because Apple wouldn't have the plaintext of the data that the authorities would be seeking. So yeah, like you said, there seems to be a strong focus on the law enforcement angle. With Android, they found a lot of the same issues. One thing with end-to-end was they found, I think, end-to-end is opt-in and not opt-out, which they disagree with. Again, it had that same lack of encryption strength with Available After First Unlock, though it's a little bit worse with Android, because Android keys are apparently never evicted from memory, unlike Apple, where after some time has passed they will be evicted.
zi
00:21:31
Is that true for the lockdown mode that some Android phones have now? We're hearing that. I'm not, with the lockdown mode, it's basically, it's usually a key combination of like just holding power and a button you can hit, or some other combination, but it will require that you re-enter your password. So usually when you close it, like if you have something like biometrics, you're able to keep using biometrics to unlock it, except on your first unlock, and lockdown is, I don't think they actually advertise it as taking you back to that first-unlock state, but it's kind of used in that way, where you have to go and enter your PIN again, or enter your password or whatever you're using, right? Okay. I wonder if maybe, if you do that, it still will evict it or if it doesn't at all. I don't know what Apple's or, for certain, what Android's claim on that is either. It just came to mind there, as like I would hope they evict it on that, but there's a pretty good chance they don't.
Specter
00:22:28
Yeah, that's an interesting question. The other point that I wanted to talk on was they talk about large attack surface. I think this point would be more aptly titled fragmentation, which we've talked about in the past. Mainly what they're talking about there with large attack surface is the lack of centralization for development of components and drivers and stuff like that, which leads to issues in coordination for security. And I think this is less about more attack surface, though there is more attack surface too because of that, but I think what's more important is shared code between devices that could all potentially be on different paths because of that fragmentation, an issue which Google is trying to address, to be fair. I can't remember the name of the terminology they use. Yeah,
zi
00:23:14
I forget, we talked about it recently, but they've introduced like their common kernel
Specter
00:23:20
as well as the common kernel.
zi
00:23:22
Yeah, and the common kernel basically is Google kind of centrally providing, or I guess we could probably even bring it up here. Let's see, I know they have a nice page that kind of talks about their architecture before the common kernels. Now, okay, this isn't the page I was thinking of. Nonetheless, basically they've just got a setup to kind of try and centralize a little bit of that, so people aren't just branching right off the AOSP project, doing their own things, then needing to like backport everything. It's working a little bit more structured. Google has been doing good, like a lot of push in the last couple of versions on that security front, on getting security updates out to end users a lot quicker too. I think they now have a policy regarding how long it can be, or how long an OEM can take, to actually get those updates out and stuff. So they are addressing this, but it's definitely an
Specter
00:24:25
issue. Yeah, I mean, if you want to see some of the stuff that can come out of fragmentation, it was like the binder issue in 2019, CVE-2019-2215, the One A Day write-up on the binder issue.
zi
00:24:40
I feel like there's been a lot of binder issues.
Specter
00:24:43
Yeah, I should have been more specific there, although I did say the CVE. Anyway, that was fixed in the mainline kernel for two years, and it's just that devices that were running Android, or I think even Android itself, just didn't pull down those updates. So that's the kind of issue you can have: you can have n-days that are 0-days on devices just because the state of upstream and downstream is so fragmented between the devices. So yeah, like zi said, they're trying to fix that, but nonetheless it is still an issue plaguing Android today, at least. The other thing with Android was the deep Google integration with services, which people have definitely critiqued in the past, and it's been a concern with more than just Android; you know, there's the concern with integration with like YouTube and stuff like that too. But yeah, I mean, some of these points are definitely known about, and people have been worried about them for, you know, a while, but I think it's nice that they have this laid out, and obviously they have more details in the paper, like I said. But I mean, I think it's a good summary, basically, of both devices, and there were definitely some things that I learned. Like, I didn't know about the key not getting evicted in Android; that maybe is a little bit... So there's definitely some things to be learned here as well, at least for me there
zi
00:26:08
was. Yeah, and I mean, you know, when it comes down to it, they looked at all the legal cases to get this information. So, you know, a lot of us pretty much knew they were likely compromising, like, on iOS, going back to that, on iOS, like the Secure Enclave Processor; they likely had some compromise there. We've heard rumors of some of the tools, names of some of them. That's basically just confirmed that, yeah, like they have been able to get around the restrictions imposed by the Secure Enclave Processor, which is
Specter
00:26:39
Do
zi
00:26:39
you think, for this, that's the thing that kind of prevents you from trying the PIN too many times. Like, getting around that so they can brute-force the PINs, things like that. And they basically look at the cases and say, like, yeah, they have definitely been doing this. Yeah, that was, I think, a big takeaway, at least for me. I mean, it sounds like you kind of knew it was happening, but this was just the confirmation.
Specter
00:27:03
So our next topic centers around honeypots for industrial control systems. So this was kind of a fun topic. Specifically, he talks about simulating Siemens PLCs used for valve regulation in nuclear power plants. So to do that, he wrote a listener for honeytrap to interact with anything scanning for devices on the S7comm protocol. So after running that for a bit, he started getting indexed by scanners like Shodan and Censys, and one point they made that was funny was Shodan's honeypot detector detected it as not a honeypot. It's like, yep, not a honeypot, it's a real system, which obviously isn't the case since we're talking about this article. So whatever flags they were looking for weren't found on this fake PLC. While nobody ended up trying to actively exploit the PLC, there were some interesting findings. They looked at the list and filtered out some of the big scanners like Shodan, and they found an interesting list of smaller scanners or individuals that seemed to be interested in it. Among the smaller scanners was like an F-Secure lab server. The two most interesting ones, though, were from a Belgian ISP called Telenet, where the request was actually made using the S7comm protocol, suggesting that it was a targeted send, and the other one was from Opt Asian Optics, which is apparently a weapons store, though this one didn't send targeted requests. I think it just sent like TCP requests. I will say "weaponry" is used pretty loosely here; it's mostly like scopes and stuff, and it's not just for military applications. They have stuff that you can use for marine navigation and nature observation too, but it just seems like something you wouldn't expect requests from.
zi
00:28:49
Yeah, that's what I was going to say. Like, it seems really interesting that they're making the requests. I mean, like the scopes and stuff, you wouldn't necessarily expect a lot of overlap with scanning the internet for PLCs, but what do I know? The Belgian one was interesting, because that does seem to be just an individual trying to connect to it from their own internet, or it could be, you know, somebody compromised, running malware, being used as a proxy effectively. It could go either way on that, but still interesting. I think the results weren't as interesting as I was maybe hoping for, but it's still an interesting honeypot, something different from the usual sort. I'm not terribly surprised that the actual honeypot-or-not check bailed on it.
Specter
00:29:43
But it seems like a check that could be fragile. Yeah.
zi
00:29:46
Yeah, like I wouldn't necessarily rely on that too
Specter
00:29:49
much. Yeah, I do wonder where they got the idea of running honeypots for nuclear power plant industrial PLCs, almost like certain malware attacks used that vector and they were keeping it in mind when they were setting up the honeypot. Well,
zi
00:30:09
they do mention here that one of the concerns stated by a yearly publication by the Dutch government was the lack of insight into the state-sponsored activity towards vital infrastructure. So that, I think, is also where he got the idea to do a honeypot, to see who's actually trying to hit this pretend
Specter
00:30:29
infrastructure. Yeah, for sure. Just the nuclear power plant specifically, you know, was obviously well inspired by the Stuxnet attack.
zi
00:30:40
It's perhaps, or I mean, if you're just thinking what critical infrastructure would be worth hitting or worth doing, like, nuclear just comes to mind as a big option for that.
Specter
00:30:51
I mean, it does kind of suck
zi
00:30:52
not related. That said, I'd wonder about the impact of where it's being hosted and who owns the IP as being why it didn't maybe get more potential interest from actual, from perhaps nation-state actors. Perhaps a month just wasn't long enough. On the other hand, though, it could be kind of obvious if this is sitting on an IP that isn't owned by any sort of government. Then, like, that's very clearly not an actual, I mean, it might be an actual PLC on the internet, but it's probably not what it's
Specter
00:31:31
reporting. Yeah, I was going to say, like, usually script kiddies aren't running around trying to exploit PLCs for nuclear power plants. That's not really in their scope. The only actors that would be looking at something like that would be like a nation-state-type attacker, which is going to have the resources and capability to know that what you're setting up is fake. So I'm not too surprised that it wasn't actively exploited. Well, I'm still, I thought some of the findings were cool. Oh
zi
00:32:01
no, no, that's fair, although he kind of has this issue of they weren't worried about pretending not to be a fake thing. They wanted to see who was making first contact with it, outside of the scanning, which doesn't really tell you a lot. I think they actually show one of the scanners. What do we have here? Yeah, they show the Censys one, which just shows like the plant ID, serial number, and like some information about what it actually is, or what it seems to be, I guess I should say. They only wanted to see who would see this and then try and make a request against it. They weren't worried about trying to prevent anybody from knowing it was fake and actually trying to compromise it, just who was actually going to try and make any request whatsoever and actually look at it. They were only worried about that first look at it, basically.
Specter
00:33:00
Yeah, but like somebody like a nation-state attacker probably wouldn't even bother going that far if they saw this, right? So yeah, that's where I was just seeing
zi
00:33:09
where it's, that would have been enough to know that it probably wasn't interesting, just because of the whole IP. That would be my guess, at least. I've never operated at that level; I have no idea what their actual processes are, so I'm just speculating, but it does seem like it would be obvious to be able to filter out some of
Specter
00:33:30
these. Yeah, so a bit of a fun article, but yeah, still only a few interesting findings. So we'll get into some exploits. So it's another day, another Windows exploit by Jonas. This one's a BitLocker lockscreen bypass. So this is the first of many, of course, in the lockscreen bypass area. It's via the Ease of Access utility, which, for those that haven't used it, is a feature that allows you to do things such as the on-screen keyboard, Narrator and some of the other accessibility features. And BitLocker, for those who haven't used it, is the officially supported encryption mechanism that Microsoft provides for Windows. So there are multiple issues here. I believe the main one, for the entry point, being when hitting shift a lot to trigger Sticky Keys. The dialog will show up to turn on Sticky Keys, which contains a link that will launch the Settings dialog, which obviously isn't usually reachable from the lock screen. Now, while that Settings app is hidden, you can force focus it by clicking it a bunch until a focus box in the middle of the screen comes up, and then stop clicking it, and you won't be able to see it. But by abusing the other accessibility feature, being the Narrator, you can interact with the Settings through sound and the
zi
00:34:47
keyboard. The idea there with clicking it a lot, I believe, is just because you're trying to get a click on it while it is actually in focus. So it's not so much that you're clicking on it a lot, it's that you're clicking a lot in the right place so that your click will actually kind of reach it and it is the thing that it's clicking on. Again, you can't, as Specter said, actually see it, so you're doing a bunch of clicks, so hopefully you get that once, and if you get it that once then it will remain kind of focused and under something you can easily interact with.
Specter
00:35:20
Yeah, it's a bit of a race, kind of, because you have to click it.
zi
00:35:22
And yeah, I mean it's not a race condition, but like you are kind of racing before it disappears. So I could actually see maybe a race condition description, but it feels weird to call it that.
Specter
00:35:37
Yeah, so by doing that you can use Settings to launch an executable from a malicious USB key. Now that does get you code execution, but it doesn't give you the code execution as NT SYSTEM or anything like that. But there's another issue to chain with this. This part gets a bit weird, but I assume the issue, like if I were to summarize it into like a CVE or something, is the Narrator doesn't properly verify a driver that it loads when it gets triggered, which is comctl32.dll. Because by abusing a symbolic link on the USB key, you can get BitLocker to create the directory that contains the DLL and give you permissions to it when it goes to create a client recovery password rotation directory, and that's through the System Volume Information. So you can basically use that to write a DLL that you control that gets loaded by the Narrator when you trigger the Narrator. So if that exploit succeeds, an account will get created with the username hacks and the password hacks. So that obviously allows you to get past the login screen and log in.
zi
00:36:43
Yeah, and of course the username and password, that just depends on the DLL that you actually inject there. That's just a payload, you can have whatever payload you want. But what you do when you insert the USB stick, BitLocker will create inside of the System Volume Information, it'll create this client recovery password rotation directory. It'll create that every time. So if you're able to create kind of the, we say symlink, but if we're talking about like the RPC control attack there, that's the James Forshaw link attack, talking about using that to get a symlink. So you would symlink that client recovery password rotation directory, target that over to the narrator.exe.local folder under System32, and then drop your own DLL into
Specter
00:37:42
there. Yeah, classic DLL hijack at the end of things. Now I do wonder what the fix was, because there are multiple issues there, right? For one thing, the Narrator should probably be verifying, like, it should be using a signed driver. It shouldn't just be loading whatever is there. The other thing is the symbolic link issue. Not sure what the fix was. I tried looking and there's like no information on the Microsoft advisory page.
zi
00:38:09
So the patch was that they removed the Sticky Keys prompt. Yeah, I don't think you get that anymore. So that fixes
Specter
00:38:19
that, but I think they would have fixed the other issue too, right? Because that's a pretty serious issue too, the fact that you can get a DLL hijacking, even though you didn't need that first stage. There might be other vectors that could get you that far. So I would think that they would fix the second stage attack too, but I don't know on that, obviously. Yeah, I'm not sure. Possible they didn't
zi
00:38:42
necessarily, what the fix would have been there. Something, so writing to System32 usually is going to be a protected thing. It's just the fact that it happens to be pointing to the narrator.exe.local that kind of helps out there, which is kind of a special folder for .exe. Yeah, it
Specter
00:39:07
just seems like it'd be smart to verify that driver before loading it.
zi
00:39:11
what the fix was.
Specter
00:39:13
Yeah, that's all speculation on my part, but I would think that they would add validation there too. But who knows, maybe it isn't. Maybe somebody can look into that and tell me I'm wrong in the comments or something. All right, so we have more lockscreen bypasses. We have Linux Mint. This one apparently was discovered by children by accident. The issue arose from kids, in this instance, typing on a real keyboard as well as the virtual keyboard at the same time, pressing many keys. But by reading into the thread, it seems the issue isn't really related to pressing a lot of keys, but rather pressing one weird key, which is an accented e on the virtual keyboard which comes up after holding down the regular e. And that character causes a crash in the libcaribou library for assistive technology, which then crashed the screensaver. I looked into it a little bit more because I was curious. Apparently it's a character from the Latvian alphabet and the accent thing is called a macron. That's a bit of a fun fact, I guess. But yeah, so you can just crash the screensaver and just bypass authentication. Although it seems weird, because when I was looking into it, it seems sometimes they did bypass authentication and other times they didn't. So it seems like there's maybe some kind of undefined behavior when the screensaver crashes, and depending on what path is taken you either get authenticated or you just get nothing. I don't know, I thought that was a little bit strange when I saw that in the report. Did you see anything that would clarify that?
zi
00:40:45
I saw nothing that would directly clarify it. My first thought just has to be, they do talk a little bit about how sometimes the on-screen keyboard would be running in a different context, like in one case it's run in the Cinnamon process, and in another case it's loaded elsewhere. So it could be that that's related to it. I didn't really dig into that. I didn't see what you're talking about. So
Specter
00:41:10
Yeah, it was further down in the thread, it wasn't in the original post. So
zi
00:41:16
Still, I mean, it's an issue we've definitely seen before. I don't know if we've talked about something too similar. Well, I guess we've talked about kind of crashing some of the process before to do an auth bypass, but screensavers themselves have kind of, I know I've seen this sort of issue before, just crashing it. So I'm not terribly surprised by it. It is kind of a fun issue. It is also something that apparently was a regression from an issue that should have been fixed in December. And then there was a regression that happened where it was getting backported, and what ended up happening was the backport just missed the fix for the CVE. So I mean, that itself is another issue, but it seemed to be found really quickly after that backport actually missed the fix. It looks like the original CVE was just in late 2020, early
Specter
00:42:21
December. So takeaways of the day here: I think our children are the best fuzzers, and accessibility features can make for some great attack surface. It seems anything that can provide like a virtual keyboard or narration or anything like that is probably worth looking into if you're looking to perform any of those higher level logic issue type attacks. So yeah, that's a free tip, I guess, for anybody that's looking for something. We do have one more lock screen bypass, and then I actually skipped a topic, but we'll get back to that in a minute. I figured we might as well roll through the lock screen bypasses really quick. So this was a Nextcloud one. This is basically the theme of the episode with lock screens. It is in the Nextcloud Android app. This is an interesting one, it consists of two different attacks. The first attack is directly invoking the file browser intent through ADB in order to just get access to the file browser without authenticating, which is a little bit more boring, but
zi
00:43:26
A little bit more boring, but it's also fairly common. That's actually why I wanted to call this one out, or this report out, is I don't recall us actually talking about doing this before, but it's a really common mobile issue, a mobile application issue, to be able to directly invoke some of the intents to either bypass or get access to functionality that you shouldn't have. So it's just something I kind of want to call out, just to be aware of if you are doing an assessment on Android apps. There aren't a lot of attacks that really impact just the application running on an Android device, but this is one of them that, you know, kind of sits at the high level but can be reasonably impactful. It's not just like a user attacking a user type thing, or attacking themselves. Sorry.
Specter
00:44:21
Yeah, using, like, considering ADB is something that I can see easily being forgotten by an app developer. It's not something you think your user is going to use, so I can see it very easily
zi
00:44:32
slipping through the cracks. You can make these same intents, you can do this without ADB by installing an app onto the phone too. Yeah, but if this bug is the
Specter
00:44:43
case, I mean, ADB.
zi
00:44:44
Yeah, and this, well, that's usually how you test it too. And in this case, I mean by bypass, like in theory, this would probably be somebody who's bypassing their own authentication, which isn't all that useful. Like, a remote attacker probably isn't going to be able to attach an ADB shell without further exploitation, at least, or even somebody who just gets your phone. But nonetheless, like, I just thought it was something more to be aware of in terms of being able to directly invoke some of the activities, because that can be used in more sensitive
Specter
00:45:26
ways. Yeah, so the second issue was a little bit more interesting to me. Basically, they allow this grace period from the last time that the app was closed. If you're within five seconds and reopen it, then you don't have to re-authenticate. And the problem with that is they use the system time to determine if they need to prompt for a new unlock. So if you can change the system time to within 5 seconds of after the app being closed, it will grace you with that convenience timeout and let you bypass the lock screen. So the second issue was fixed by using, or the suggested fix anyway, was using the real elapsed time instead of using the system time. The issue of directly invoking the intent, it seemed, wasn't fixed because it's considered outside of the threat model, which I imagine you probably disagree with, zi, because of what you were saying where it could be exploited outside of just ADB.
zi
00:46:23
Well, no, that's why I was kind of saying in this case it is bypassing the authentication, but it's going to be somebody that's able to either install an application onto the device or has ADB, which is a pretty high ask. Like, that is kind of just a user attacking themselves. There are other cases where the same issue, though, can be more sensitive. That's kind of what I was getting at earlier, was this case in particular, it's hard to see an actual attack. But this issue in general, because I hadn't seen any reports involving this issue, I don't recall us talking about it before, that's why I kind of wanted to talk about that issue. But in this case it definitely is hard to exploit, just because like those are really your only two scenarios, and even like a malicious app wouldn't be able to abuse it, because it would start that activity, but the malicious app wouldn't be able to see or read or do anything on that activity. It would just be started, so it needs that user interaction to
Specter
00:47:35
So it is weird to answer
zi
00:47:36
that. I mean, there are the cases where it could be used, if it's like a friend or somebody that you're actually letting on to your phone who then does something, or being used to regain access to your own account, perhaps. But on a whole, you can make the argument, I think, for it to be fixed. If they decide that it's not really part of their threat model, like, that is up to them. They've been informed about the issue. I think that's one of the things that they just decide on, what their threat model is, and if they're not going to be concerned about that sort of attack, I think that's fair, because there are, you know, other things to kind of focus on. Yeah, yeah.
Specter
00:48:26
Before we move on, I thought I would talk a little bit about something I found interesting at the meta level. The Nextcloud staff requested to disclose this report, which already I found kind of interesting. Usually it's the researcher that requests a disclosure, but the researcher in this case cancelled the request to disclose the report. They said, really sorry, I'm not interested in disclosing this report, the same issue occurs in other apps and the fix is pending, I need some time to disclose this report. And then a year later the Nextcloud staff said one year should be enough, so we're disclosing this now. It just seems interesting because it's the reverse of what you expect. Most of the time the researcher wants to disclose and the vendor kind of fights back on it, and in this case it's the opposite, the vendor's trying to disclose it and the researcher was fighting back. And I don't know, I don't know if I'd seen that before. I thought that was kind of funny.
zi
00:49:18
Yeah, I haven't seen that either. I would kind of disagree with the researcher, though, about, you know, not wanting to disclose this one because some other application has the same issue, because this isn't an uncommon issue. It's a little bit like not wanting to disclose cross-site scripting because another website has cross-site
Specter
00:49:36
scripting. Yeah, seems kind of silly.
zi
00:49:39
Like, it's just, it's not some novel issue that like somebody's going to see this and then, oh, I should try that elsewhere. I mean, I guess to be fair, I haven't seen a lot of reports involving it. But like, I don't believe, like, it is not a new issue whatsoever. Like, you know, right from my very first mobile assessment, this was something I'd be looking for, looking at what intents could be directly invoked. So yeah, I mean, I kind of disagree with the researcher. It's a, like, I don't fault the researcher, like it's done with good intentions of just not sharing that. I disagree, but I don't really fault them on that. It is interesting that they kind of pushed for the disclosure and then just decided to disclose it after the
Specter
00:50:27
year. Yeah, I wonder why the vendor was so eager in that instance. It's a little bit
zi
00:50:33
strange. I'm going to assume that Nextcloud just doesn't tend to hold back on their reports.
Specter
00:50:41
Yeah, I never even looked at their history,
zi
00:50:43
but just pulling up their activity now, like they've got a couple that were closed recently that haven't been disclosed. But otherwise it looks like my sister got a scary. Yeah. Which is definitely good to see, for sure.
Specter
00:51:03
So this one's kind of a funny story. It's a story about a researcher that managed to take over a top level domain, .cd, due to the expiry of a domain for three of the authoritative name servers. So zi, I'll let you take this one away, because yeah, I know you're more into the network stuff than me.
zi
00:51:18
Yeah. So this one definitely kind of has a little bit to do with how DNS works. But if you're familiar with it, .io was taken over back in 2017. Same idea, same issue. If you're not super familiar with how DNS works, when you actually do a lookup, there's kind of this recursive process for looking up a domain, and eventually, like, different layers will cache differently, but eventually it kind of hits your authoritative name server. If you register a domain, like, you know, dayzerosec.com, registering that will set a name server on it. But in order to discover that name server, what a recursive DNS resolver will do is it will go ask one of the root servers. That's like, I think it's a through m, might have more characters, .root-server.org, it'll go have one of those. And from there it'll get the name server for the actual .com. And then that name server will give it the name servers for dayzerosec, which then will give the authoritative answer on what the A record is, or quad A. So there's kind of that recursive process. So while those root servers are generally not going to end up expiring, it's just that root-server.org, if that expired, there are going to be some very big problems. But on some of these lesser used, more obscure top-level domains, it has happened, and it's happened multiple times, where they'll have several name servers set up. Ideally these will automatically renew and stuff. But in this case what they ended up having were kind of two primary domains, scpt-network.com and SAIX.net, and then they had some subdomains on those that were actually acting as the name servers, like ns-root-1.scpt blah blah blah was one of the name servers. Three of them were on the scpt domain and three of them were on the SAIX domain. So what the researcher noticed was first that the scpt domain was expiring.
And so they just kind of added it to a list and watched it, and then on December 30th it actually expired, or left the grace period, so they could go and register it. So of course this researcher went ahead and registered it. And that means that when any of those recursive DNS resolvers go and try and look up any .cd domain, they're going to get this list of name servers, they're going to randomly choose one of them, and so roughly 50% of all DNS requests are going to hit a name server that this guy controls now. Which basically gives them access to take over any domain, respond however he wants. He doesn't have to respond appropriately, and usually these name servers are going to respond appropriately of course, but they do not have to do that. And if somebody's able to get control, they basically control the entire domain, like the entire top level domain, which is why it is a very crucial issue. And because .io had this, I will, like, I completely avoid .io, I would never register one, even though it was a few years ago. When the management of a top-level domain forgets to renew their own domains, that's a very significant sign to me of just incompetence. So I mean that's kind of a side topic for .io. And I had no plans to register a .cd, which is, what is that? I think it's Congo
Specter
00:55:11
domain. Yeah, I think it's the Dominican Republic or Congo, but
zi
00:55:15
whatever. This, because it's .cd, I could understand why people would, you know, register that as a vanity domain. Yeah. That said, I mean, it's a bad sign to see it happen. There was a little bit of drama about this researcher because, he was honest, sure, he registered the domain on December 30th, but he didn't reach out to IANA, or, sorry, the contacts listed there for the .cd registry, until January 7th. So there was a week-long period where he just controlled this, and he mentions that basically he just had it, like, return, it's SERVFAIL basically, returned an error, I can't recall exactly what the return value was, which would effectively mean anybody looking up on it will just try another one of the name servers. So it, you know, decreased the quality a little bit, but in theory wouldn't have done any damage. I saw some complaints that, like, you shouldn't have even tried to register it at all. Some companies take advantage of the registration grace period to save a little bit of money by renewing later or something. I'm not sure what their motivation is for that, but it definitely happens. So I don't think necessarily shooting out a warning then would have been, it would have been a little bit premature. Maybe not the worst idea, but I mean, just because of how a lot of companies ignore that for a while, it's not something I'd really fault them on. So then the fact that he did go and register it immediately, again, I mean, if you're a researcher and it's fair game, you don't want to wait for a malicious attacker to grab it and then be like, oh, and here's this issue, didn't you notice? So like, I think that's fair. The week though seems very odd to me. But in fairness, this guy is the co-founder of Detectify Labs. He has a history of research and responsible disclosure.
So I really doubt anything malicious was going on with this. If this were some random researcher, maybe I'd be willing to buy into that, but I'm more than willing to give the benefit of the doubt here that there was like some reasonable explanation for it that really wasn't malicious. But I don't actually know what that
Specter
00:57:44
is. The main argument I saw being thrown around was, even if he isn't a malicious actor, by trying to register it, it was possible that someone could have gotten it before him and done damage. Whereas if you just reported it to the Internet Assigned Numbers Authority, they would have been able to take care of that and it wouldn't have even gone up for registration, even though it might have been a bit pre-emptive like you were saying. I don't know if I totally agree with that argument, because it's one of those, okay, something good happened, something bad could have happened. I mean, it's worth noting, but I don't think that's really worth calling out, for the situation could have ended up a lot worse than it did. So it feels like people are kind of being a little bit unfair, I think.
zi
00:58:31
I think so too. I mean, the pre-emptive bit, that's fair, that is the ideal world. But pre-emptive reporting of issues is just that, it's pre-emptive. It's generally too early. You can do it, but that also runs the risk of just becoming spam. Yeah, you have to kind of triage a little bit. If it were possible to kind of see the history a little bit of like, you know, is this a company that usually lets it fall into that grace period before renewing, versus if they had never done that before, then okay, like maybe there's a reason, there's something different about this time. And I don't know if you can even see that history at all, to be honest. I'm just kind of spitballing the idea, like if there was something like that, fair. If I were like on an assessment and looking at this, then I might say like, hey, I observed that this is going into your grace period, it's going to run out, so make sure you've got somebody on it. Like, again, that's fair. But when you're an external actor, it's a little bit different, I think, on what you end up reporting or what you should end up reporting. Like, there are real issues that you can report, but like, as an external actor, you don't know the internal policies, and trying to just err on the safe side usually just comes off as spamming other results. Like, in this case, it would have been probably okay, like, it's a fairly serious thing, but as a general rule, doing that, like, every time that your domain enters that grace period is probably just going to end up as somewhat
Specter
01:00:12
spam. Exactly. I think a lot of people are leaving out or ignoring that aspect of internal versus external and how things get treated between the two different settings. So yeah. All right, so we can move on to Laravel. So this is a pen testing company that, when doing an audit on a client, found a Laravel based application that was running in debug mode, and they ended up finding an RCE via the debug functionality through Ignition. One of the things Laravel's debug functionality allows you to do is use something called solutions to try to automatically fix code, such as undefined variable usages. And the endpoint that is responsible for doing that requires a file path and a variable name to get replaced, and the file path is used in a really strange way. When they stripped it down to like what it was essentially doing in the code, it seemed to be a no-operation. It gets the file contents and then it writes the contents back to itself, which is strange, but that ability to control the path gives some interesting exploit potential. I'm sorry, go ahead.
zi
01:01:22
Sorry. Yeah, it only did that because if it didn't find the variable name that it needed to replace, it wouldn't make any modifications to the page. Or if the result ended up looking wrong, if it was something you didn't want to actually write out because it thought it was breaking the page, it wouldn't write out. So it wasn't really a no-op, it was their particular case that resulted in it just doing the read and then the write immediately.
Specter
01:01:53
It was an edge case. Yeah, so that ability to control that file path gives some interesting exploit potential, and they ended up finding two ways to abuse the bug. One was abusing PHP file wrappers, which we've talked about before. I can't remember exactly when we talked about it, I think it was probably before we went on the break. But yeah, they basically use the filter to change the contents of the file before it's returned, and then they use that filter capability to build up a payload in the log file and convert it to a valid PHAR, and then use it to deserialize it and get code execution. The second way was a little bit more boring. It was just abusing the FTP capability to send arbitrary PHP packets to PHP-FPM. So yeah, I mean, it just kind of highlights how powerful the ability is to give an attacker control over a file path, because those wrappers just offer so much capability.
zi
01:02:52
Until I learned that you can have separate wrappers, or you can have separate filters for reading and writing. I may have been aware of that at some point, so I should learn more PHP. But it seemed a little bit like, it's a filter, but I don't think I'd have recognized that it was there unless I went and read the docs. So that's just like setting your filter and then read= and convert.base64-decode, and kind of doing your normal thing there. But just setting that read= means you can set it to only do the base64 encoding on reading, or decoding, or only doing it on the write, which in this case is pretty useful. I wasn't aware of that feature, like I said, or I may have just forgotten about it. But yeah, I learned something out of that at least. Yeah.
Specter
01:03:46
So this is another one of those issues where it's definitely not unique to this application. This is probably something you want to be on the lookout for if you're doing any auditing of web apps or anything like that. It's probably something you want to keep in your toolkit.
zi
01:04:00
Yeah. I mean, any time you're able to control that full path to a file, there are some interesting vectors that you might be able to take advantage of that all come back to using these filters. If you can't control the full path, though, you're not able to have that filter at the front, then it's not an issue. But yeah, I mean, this actually also comes down to don't run debug mode in production. Just don't, it's never a good idea. Even if you don't see what the issue is, and it's really useful to debug an issue, just don't do it for anything. Debug modes usually have features that are intentionally insecure,
Specter
01:04:43
especially in those big frameworks like Laravel. Yeah.
zi
01:04:47
Yeah, like I don't fault Ignition for having like this sort of error page like that. I think that's a really cool feature.
Specter
01:04:55
I did too. I didn't know about it. I thought it was neat.
zi
01:04:58
Yeah, it's neat. It does feel like it's doing too much. Like, I don't know if I'd, well, I wouldn't trust ever having that in production just because it can modify code. So it's like, it's not something, but it takes, and as you're hearing us talk about, it makes some fixes. It does make some effort to make sure it doesn't just break your pages, and it makes a lot more sense when we're talking about, like, PHP, where the pages are very dynamic and just kind of keep working no matter what, versus like a compiled
Specter
01:05:30
language. Yeah. So zi, I know you found a rather unique and cool attack that was posted by Mozilla, which is like a side channel type issue. Yeah, so I'll let you take this one away, because yeah, this is a cool attack.
zi
01:05:46
Yeah, I thought this is a cool bug. Not terribly useful, but still kind of a fun idea. It's a side channel here. The title is Leaking Silhouettes of Cross-Origin Images. So usually if you include an image from a remote origin, or if you try and draw that image from a remote origin onto a canvas on your page, you can't read that canvas. You can't read the information that was actually written to the canvas anymore, because that's a violation of same-origin policy. That's what this timing attack takes advantage of. It's kind of a side channel on how long it takes to actually draw some pixels. So you can kind of answer the question of, if this is a transparent pixel, like there's nothing actually there, it'll basically be instant because it's transparent. Like, there's nothing to actually read, or sorry, nothing to actually write to the canvas in that case. And the other case is if you have a semi-transparent pixel, it'll take a little while because it has to figure out what's already there and then draw based on some calculation based off that. And the timing on actually drawing just an opaque pixel, it would be quickly drawn. And that's something that you kind of notice, you can look at the timing of all these. So what they did for this attack was you would take how long it would take to draw just one of the single pixels from one image, and you would try and draw that onto a canvas, in this case 1024 by 1024. That way all these minute timing differences keep adding up. How long it takes to draw that single pixel, blowing it up to 1024 by 1024, and using that timing information you can determine is that pixel transparent, or is that pixel opaque or semi-transparent. You can ask that question and figure out and redraw the image yourself basically, and get a little bit of information about it. So I thought that was just a really neat attack. It's a way of reading the information cross-origin. Not terribly useful in most cases.
Like, there aren't a lot of cases where you're necessarily leaking too much sensitive information through an image like that. It's not like you're usually storing your password as an image like that. Maybe a 2FA code, I've seen a couple implementations that do that, you can leak that cross-origin, but I'm not sure how useful that one would be. But I just thought it was kind of a neat attack regardless. And if you use GPU rendering, like Chrome I believe by default will do this, then you don't have the same timing. It seems like they take roughly the same amount of time regardless, so limited use, but I thought it was still a really cool
Specter
01:08:45
issue. Yeah, it's like a new application of classic timing attacks you see in like crypto, where you try to time how long an operation takes to try to figure out what's going on. This is not an area where I ever would have guessed you would have seen that kind of attack, which is why it's cool.
zi
01:09:03
Yeah. I mean we definitely have seen this with other cross-site leaks before, taking advantage of timing. Yeah, that's more used, like I've seen that used I think for figuring out if something, like an image, is cached or not.
Specter
01:09:16
Of how
zi
01:09:17
quickly you get a response when you try and load that image. That's kind of a common one. And that kind of led to the separation of caches now in Chrome.
Specter
01:09:31
So the reason why this one works is when you're doing the semi-transparent pixels, like obviously transparent and opaque pixels are going to be really quick because it's just a single color. When you're doing semi-transparent you have to do the calculations, like the blending and stuff, and that's where you get that additional computation time. And because of how that works and the fact that you can only get the semi-transparent pixels, the information you get back is obviously going to be distorted, but you can get like clouds around text, for example, where it doesn't want to have sharp edges on the background, so it has the alpha blending, and that's where you kind of get that leak. But yeah, kind of along the same lines, I thought it was a cool attack, but I can't really see how this can be practically used too much outside of this kind of test dummy case,
zi
01:10:24
although, you know, there probably is some random website out there that does something that you can use this on, but I don't know it.
Specter
01:10:35
Yeah, so we have another Secret Club post. This one is a write-up from Real World CTF exploiting VirtualBox. So Real World CTF is kind of a, it's a unique and interesting CTF in the fact that it tries to employ bugs that are found in the real world, as the name would suggest; it's less contrived issues. So it has a high regard, I think, in the community. I think people really like that aspect of it. Now the vulnerability in this case was in the SCSI driver's read string function. Basically, it has some bugged
zi
01:11:12
buffer tracking. That is scuzzy.
Specter
01:11:15
You read it as scuzzy.
zi
01:11:16
I'm pretty sure that's how it's supposed to be said, actually.
Specter
01:11:20
Oh, okay. I don't know. It's a little bit before my time because it's the Small Computer System Interface. So I'm a Zoomer, so, you know, I didn't really use that kind of interface. But yeah, basically they have some bugged buffer tracking, incorrect validation when reading in data to an internal buffer. It tries to ensure that a single read is less than 40 bytes, which is the size of the buffer. Then it copies the data in and advances the buffer pointer. Problem is it doesn't ensure the read is less than or equal to the size that's left in the buffer after the advance, just that it's less than the size of the initial buffer. So when a calculation happens later that takes the size of the input, there's an underflow that can occur, which can lead to some out-of-bounds accesses. And because you can specify the direction of the operation, you can get both an out-of-bounds read and an out-of-bounds write, which is extremely powerful. It's generally not hard, especially when you're talking about like virtualization or kernel or anything at that like monolithic level, it's not hard to go from a relative out-of-bounds read/write to something like arbitrary read/write or code execution. It's generally just a matter of time basically. So they talk about how they use that vulnerability to both leak heap addresses and text addresses of the VBox DLL. That's because they wanted to get gadgets to work with for when they got code execution, and they talk about trying to find a candidate object and heap spraying it into the out-of-bounds range in order to leak it. What they ended up settling on was using the HGCM message call object, which is used to store callback information for messages sent through the Host-Guest Communication Manager. So they use that object twice.
They use it for the leak to get gadgets, and then they use it again to get code execution by corrupting that object's callback to get RIP control. But like these write-ups are really cool because virtualization is one of those areas that's a little bit less explored in exploitation than like, let's say, kernel or browser. Those are like the two big ones that are explored a lot. But when you get to like VirtualBox and VMware and Hyper-V, those areas get much more complex and there's less known about them. VirtualBox is open source, but a lot of virtualization stuff is closed source, and you have to do a lot of reversing, which is part of why there's that big barrier of entry before you get to the exploitation level. But yeah, I think there's a lot of like really cool insights in here that can be learned for exploiting in virtualization-based environments
zi
01:13:59
and I always just appreciate getting the exploit strategy here. Yeah, it doesn't just stop at we got RIP control or we got a read/write, right? It's, you know, going beyond that. I think that is always information I appreciate
Specter
01:14:15
seeing. For sure. Another thing I'll call out is this is only part one. There is a part two blog post planned for this. This blog post talks about the issue and exploiting it. I believe the second blog post is supposed to be about trying to mitigate the issue and how you would, like, achieve that. That's another post that can give you insights on the other side of the fence, on the defensive side. So
zi
01:14:46
yeah, no, I really want to call out one other feature of this. I don't read a lot of CTF write-ups anymore, kind of stopped following a lot of CTFs, but this is not the first write-up, I think, that I've seen talking about JOP in a really kind of well-done way. I think kind of towards the end of the article they talk about their JOP payload, jump-oriented programming. So, you know, you're probably familiar with ROP. We've talked about JOP a little bit on the podcast before, where ROP basically, you have all your gadgets ending with return. JOP, the gadgets end with jump. Then you've also got call-oriented, where they end with call. The thing with JOP is it's a little bit different from ROP. Usually you're kind of using JOP to get to like a stack pivot, or you can then do a ROP chain, a ROP-based thing, from it. But they have this kind of cool interactive thing that you can just kind of step through the relevant instructions, see how different registers are being modified. They show their jump table over on the left that they're using. And I think it just kind of explains the mental concept, kind of like that JOP weird machine idea. So I think it's even worth just taking a look at for that, to kind of get an idea for JOP. That, well, it's used pretty frequently; I don't see a ton of, I don't know if a lot of good resources actually talk about it.
Specter
01:16:16
It's hard to wrap your head around when you're first learning. Like even ROP can be pretty tricky when you're first getting into stuff; JOP just complicates it even more. So yeah, and I, yeah, I mean, this is a really neat little thing.
zi
01:16:28
You know, ROP is something like it does take a bit to wrap your head around it, but there are some good resources out there, like ROP Emporium, Jonathan Karp. I feel like there's less to go on for those besides just seeing it used and wrapping your head around it by trying to do it yourself. At least kind of my
Specter
01:16:51
experience. Yeah, I mean when you start talking about things like dispatch tables and stuff, it's just so easy for people to get lost because, like, wait, what? So yeah, I mean this is a really awesome resource. I didn't even think about that. But yeah, this does do a really good job of highlighting how JOP works. So good, good show. With that said, I think we can move to shout-outs. So zi, I know you have two of them, so I'll let you go ahead with yours.
zi
01:17:16
Yeah, two, well, one, just because Project Zero put out, well, seven posts this week; six of them are all part of one kind of series. And this first one here, Hunting for Bugs in Windows Mini-Filter Drivers. We actually talked about a bug James Forshaw reported, I should have looked up what episode it was on, but we talked about one of his issues that he found in the mini-filter, and there are a lot of things I just didn't know and had to do code diving for yet. So this post is talking about, like, giving a lot of that information that I didn't know. It's just a lot of background information for somebody, if you want to get into that, you want to start taking a look at exploiting those mini-filter drivers. This gives you all the background and stuff that you kind of need to know to start doing vulnerability research in that area. So I think it's a really valuable thing. It's very dense, and it's not something we're going to cover on the podcast. Like it's not actually covering a vulnerability. It's just all this information about how these things actually work, like how these file system filters and all do what they do basically, and getting that on Windows, a lot of reverse engineering involved. So just a really valuable resource I want to call out. And the second thing that I have there is Project Zero also put out this In the Wild series, which is taking a look at issues that have been detected by Google's Threat Analysis Group in the wild. And so they have several blog posts looking at in the wild Chrome bugs, Android, Windows, and even Android post-exploitation, just looking at both vulnerabilities and the techniques being used. There's a lot of interesting stuff there. I haven't read all of the posts yet. Looks like there's, it's a lot of posts; there, it makes it six posts, but a lot of really interesting information in what I have read, because I have gone into the Android ones. And I think that first one, the Infinity bug in Chrome.
Yeah, doing like the root cause analysis of the 0-days that they were seeing. Some of them are n-days. They cover like a couple that are from 2014 or 2015, and then the post-exploitation, just a lot of really interesting stuff. I mean as usual, Project Zero, like if they put out a post, odds are we're at least going to want to mention it on the podcast, because it's one of the few really solid, like always good, blogs out
Specter
01:19:58
there. Yeah, I was going to mention with the Android one, there seemed to be, there was more n-days in there than I thought. Like I thought they were mostly focusing on 0-days, but they have some other information in there too that they don't cover a ton on their blog. Mostly they focus on vulnerabilities and exploits for those vulnerabilities. But like in the Android post-exploitation one, I think they cover some like obfuscation techniques and stuff too that they've seen, which is cool. You don't really get that insight a lot because usually, you know, if somebody's doing a root cause on something they find in the wild, they're just going to reverse the exploitation and get to the core issue. They're not really going to talk through that process of getting there. So yeah, I thought that was kind of cool and something I don't really see too often. So there's something there even if you're not fully interested in the bugs and exploitation.
zi
01:20:50
Yeah, like they said this was working with the Threat Analysis Group also, which gives kind of some interesting insight. It's one of those things why I like getting anti to jump on with us, because it's related to a lot of the vulnerability research that we do, but it's also separate from it, but definitely an overlap in terms of the interest.