Episode 62 - OSED, North Korean hackers, NAT Slipstream 2.0, and PGP (in)security
This transcript is automatically generated, there will be mistakes
Hello everyone. Welcome to another episode of the Day Zero podcast. I'm Specter, with me is zi and anti for today. For a few topics in this episode, we have the advisory with North Korea targeting researchers, a new variant of NAT Slipstreaming, and some bugs in libgcrypt and sudo, and a few other various things mixed in there. Before we jump into topics: tomorrow I will be doing the PS4 stream we were supposed to be doing last Wednesday, and then last Friday, before I got trolled by my own PS4. So yeah, that will be happening tomorrow at 5:30 p.m. Eastern and 3:30 p.m. Pacific, right? I think that's how that works out. But yeah, with that said, let's jump into some news. So first we'll talk about iOS. Apple pushed out an update for iOS. They released iOS 14.4, which includes two critical security fixes, a kernel bug and a WebKit bug. We don't have any details at all really on the technical details, outside of the kernel bug being, I think they said the kernel bug was a race condition, and the WebKit bug was... I forget what they said about the WebKit bug.
Yeah, I wasn't able to find too many details on the actual bugs. I did see that these were being exploited in the wild though. Yeah, so yeah, the WebKit bug was
a logic bug. Sorry, I kind of lost my train of thought there. But yeah, like you said, what's notable here is these may have been exploited in the wild, which isn't actually super surprising. When I saw that there was a WebKit bug and a kernel bug being patched in the same release, it does seem kind of likely that the two bugs probably came from the same source, because that sounds like a chain, right? Which means the kernel bug might even be reachable from the sandbox, which is quite notable because sandboxing is iOS's primary defense against probe asked. So yeah, seems like there could be an interesting chain coming. They have in the footnote, they do say we should get additional details soon. But yeah, very little information here, but we thought we'd bring it up because it's something that could have been discovered in the wild. So it's probably a good idea to update, unless I guess you care about jailbreaking, in which case, if the technical details come out, this chain could be very useful to you, I guess. But otherwise, yeah, it's probably a smart idea to update. Speaking of zero-days though, let's jump into the, I guess, the meat and potatoes topic here, which is the campaign targeting security researchers from North Korea. So yeah. Yeah, so TAG, Google's Threat Analysis Group, or the TAG team, put out a post.
So if you didn't get the notification over Discord or through our Twitter: a few of the write-ups we've covered in the past, as recently as last week's episode, were apparently posts made by North Korean state actors who were not only trying to infiltrate the security community but also target security researchers, which might have gone as far as even using a Chrome zero-day chain to get into the machines of researchers. We ended up finding out about this through Google's link flagging on the podcast. We originally thought it was overzealous automation flagging write-ups because they were write-ups. Then TAG put out this post and it turned out to be a way more serious situation.
In fairness, we have been kind of tagged by Google's AI before. Like, there was a HackerOne post in like episode 5 or something, it was a couple months ago now, but they came out saying, episode 5, your link to HackerOne is malicious and against community guidelines. So we've been hit by some of those guideline issues before, and so when I saw this URL getting hit, I was kind of thinking it was around the same thing. But it does look like, I don't believe anybody has officially captured the 0-day that was in use, but there have been some people on Twitter who believe it was actually one of the exploits that we talked about during last week's episode. We cut ourselves talking about the exploit, but it was a WebAssembly issue that was posted on the attacker blog itself, detailing the exploit that they were launching against people visiting their own website.
Yeah. I put out a tweet on my personal Twitter that was kind of, it was just saying like, using a zero-day to pop the researchers you want to target, then claiming credit for that and doing a write-up on it, and it was this "thonks" image. It's just, it's so weird. I don't think I've ever heard of somebody doing that. But um, yeah, I will quickly shout out before we get into like the details of the topic. We have removed the links from our past videos, but if you visited the provin blog which contained the write-up for the Chrome WebAssembly issue that zi mentioned that we covered last week, the Explicit Always Good post from episode 55 (which wasn't a main topic, but we did briefly mention and cover), with CVE-2020-1034, and the DoS to RCE, a new technique to exploit V8 null pointer dereferences, from episode 49: if you checked out the blog posts from any of those episodes, especially if you visited the site using Chrome, check for the indicators of compromise from the TAG post. If you find an indicator of compromise, or maybe even if you don't, you might want to do a system wipe regardless. I know I did, because even though they have a list of IoCs, it's possible that they missed some or one didn't make it into the list. So I would just do a wipe to be safe. But yeah, it's worth going back and checking on that. So this really shook the security community, and especially zi and I, because it sucks to think that people could have potentially gotten infected through topics we covered. Now, obviously, when there's zero-days involved, I mean, there's not really much you can do there. What are you going to do? Just stop using browsers? I mean, that's not really realistic. There were some people saying that you shouldn't be visiting blogs from your host machine and you should be using a VM. Like, nobody really does that. I mean, let's be honest about behavior, if you will.
Was it Qubes OS, that's the one that does the sandboxing? I believe, I mean, there definitely are workflows that you can do that would be using, you know, a VM for everything. It is more secure to do that. But most of us kind of live in a more practical world, not purely focused on that. With something like this, it's kind of interesting just because it was more limited in
scope. Oftentimes when you see the browser 0-days dropping, you've got, well, either it's very targeted, like targeting specific individuals, and nation-states targeting some particular individual. In this case, you've kind of got, like, targeting a smaller group of individuals, so there would have been a lot less noise coming from there. So I thought that was kind of interesting. I mean, it does sound a little bit weird. So the actual attacks, it seemed like they were also hitting people up on Twitter, talking to them about wanting to collaborate and then providing them with a Visual Studio project that had an actual bug that they were apparently trying to exploit and just hadn't figured out or weren't able to do, and trying to get the other researcher to open and run the Visual Studio project and try and work on that exploit. Also, it seems a little bit weird to me that they would be using this malicious project on the targets that they were actually interested in, like on the people that they were actually trying to target, and then dropping a 0-day on Chrome, which was a lot less targeted, just whoever happens to visit the website. That felt a little bit odd to me.
I guess trying to make sure you hit those, like, priority targets, as it were. And on that note, I am a little bit offended that I wasn't targeted here. I mean, when I looked at my DMs and I didn't see the North Korean hackers, you know, the people that TAG, Google, tagged as North Korean hackers, I was like, well, what did I have to do, man?
Well, probably be involved with Chrome exploitation. And I'm not sure if I was reached by them or not. I had one person, like, the timing seems really weird, he was really pushy to try and collaborate with me, but he also kind of seemed like a little bit of an idiot, so I'm not... and not one of the matching names, so either it was, clearly a different name reached out to me on Discord. But I do know that the timing was a little bit weird for me. I did not receive any Visual Studio project though, either. Though I feel like it's probably unrelated, but like right at the right timing. So Double space telescope mentions, I don't use Chrome. So I'm going to pretend that's why I wasn't hit. I mean, it does seem like they only had a Chrome exploit. I know I've still taken the usual actions of wiping and stuff, basically just in case, because I definitely visited the website. Well, I largely use Firefox. It's still just kind of for good practice, I guess, and I've been thinking to wipe my system for a while anyhow, so it gave me an excuse.
Mr. Linux. No one, no one who's using Linux seems to have been affected, just my stomach with the being a hole. I saw some people legitimately saying, like, if you were using, like, macOS or something, you would have been fine.
Okay. What can you tell us about, or can you tell us anything about this particular APT group? Like, have there been other campaigns from them, who they've targeted? You know, who else has been a target, or like, what else do we know about these guys?
So I think the big part is obviously it's been
attributed to North Korea, and that was, you know, in regards to, I guess, the miners that were dropped. As far as I understand it, the Chrome, like you said, the Chrome exploit, no one has kind of ponied up and showed what it was. So it's hard to know if that was, you know, anything, or if someone's just... that's how it worked. Maybe there was more to it. But the Visual Studio project, it's been analyzed by Microsoft, and that's how I believe they could attribute it. The malware actually, where it goes and runs PowerShell directly, pulls down an actual piece of malware that's called Klackring, I think, but I don't know if it was actually ever 100% associated, that specific malware, with North Korea. I believe it just had to do typically with the methodology, but I don't know if there's really been a distinct... I can double-check. I don't know if anyone actually said this is like APT X, right, like they gave you a specific number, but this is right up North Korea's alley. So if you do some Googling, you'll see that, like, North Korea has been pretty adamant about targeting people through LinkedIn, and I think there was a bunch of cryptocurrency users that a few years back, or I think even last year, were being targeted in a very similar manner, you know, approached on LinkedIn to talk about, you know, some cryptocurrency stuff and then later found out they were compromised. That's kind of how North Korea has been, you know, operating in the past few years, rather than trying to be as crazy as they can, just targeting people in the most simple way. So in terms of attribution, I think it's hard to necessarily give it the exact group because North Korea has multiple groups that do different functions, you know. So I think, though, that, you know, regardless, if Microsoft and Google can both say this is North Korea, then you can probably know that it's North Korea, right? Let's go really, you know, kind of from an analysis standpoint, to back it up though.
I don't actually myself, I haven't analyzed any of the malware. You know, any of the things that you might go and see, like the website, I can't go and analyze myself because it's not available anymore. So it makes it a little hard for that attribution.
What, it hasn't been taken down entirely? I never actually checked. I know Google put a block on it, like saying that it was a malicious link, but I thought you could still go past that if you wanted to go to the site. Because I actually did it, because at the time I didn't know it was malicious. I thought it was just Google being overzealous again, and I clicked through it to go to the page. But are you not able to do that anymore?
Not when I last checked a couple days ago, unless they decided to bring it back up to start targeting people. But I clicked through just to see. Again, I'm, I say what I was saying, but I'm on a different OS than when they targeted, so I wasn't all too concerned. But yeah, I mean, it looks like it's down, okay.
So I think that's the hard part, is, you know, as with anything in the type of, like, threat intelligence world, if you don't have access to it, like maybe the original researchers do, it can be a little difficult because I can't always verify against it. It's fine, but I think what's important as a takeaway, rather than, like, who did it, since it likely is North Korea, I think what's actually more interesting, and that was kind of touched on already, is the people who are supposed to be smarter than this were getting hit pretty good. You know, so I think that's really an interesting point that, you know, everyone kind of assumes like no one's going to bother with me, or I've always assumed that these people are the important people and I figured it was already happening. So I'm surprised at how surprised everyone is. Is that silly? Am I... I don't wanna hear?
No, I so don't think you're wrong, but like, I highly doubt this is the first time security researchers are being targeted. But I think it's one of the first times that we're really kind of getting a call-out and confirmation that that is the case, that security researchers were being targeted, and also just I think a little bit of the methodology here of starting to befriend them a little bit. Somebody mentioned that they had, James0x40, I think it was, somebody else had, or somebody they knew had vouched for them, and kind of getting in on that personal level. Like, I'm not sure how common that necessarily is, but there was a certain personal aspect to a lot of the attacks being launched, like just getting involved with the research community, actually putting out some write-up stuff. It does seem like some of the things that they put out were fake. As far as I can tell their blog posts were using legitimate vulnerabilities, but they did have some tweets involving basically what looked like fake vulnerabilities, I think there was like a fake Defender bypass or something they were calling out. But it does seem like at least some of the blog posts also may have been written by guests on the blog who weren't actually part of the campaign, but were, it's like, hey, let's collaborate here, write a blog for us and we'll post it, or something like that. Yeah, like coerced into it. And I think that is at least a little bit novel in terms of how they've started trying to gain a reputation within the security community.
I mean, you know, that's kind of a thing that, like, security researchers are all pretty collaborative, at least in my experience. But I'm pretty sure the 0-day community, while it tends to be hush-hush, you know, is also collaborative when necessary, right? So if someone that comes up to you looks vouched to a degree and is willing to work with you, you go and say, well, what do I have to lose if they're willing to share information with me? You know what I mean? I assume that was where a lot of people were, because there was one of the Twitters that had 1,200, where's the other, 600 or something like that. So I'm not really surprised. I think it's one of those things that, like you said, is already happening. I wonder though, really, if these niche communities, you know, if this is really just like the tip of the iceberg. I could see why they would drop so many zero-days, by the way, in hopes of, you know, getting more 0-days, because if you invest one or two and get a dozen zero-days, it was a pretty good investment. But yeah, I think that this is probably just something that has already been happening and is gonna continue happening, but probably, you know, it's similar to when regular researchers get busted for doing the criminal stuff, because, like, he was talking to this person all along. I think this is just kind of par for the course, you know. But yeah, specifically for you guys, I'd be curious if you've ever had anyone else where you're like, this person can't be a legit researcher, right? Does that not happen?
I definitely feel like I've definitely had some
people who have approached me that do. Like, I was just mentioning how I think somebody in December wanted to collaborate on Chrome exploits, which I don't do, so I had basically denied it off that front. But talking with them, like, you know, he didn't really seem like a researcher, but it seems like the guys that were involved with this could kind of, you know, walk the walk, had also done some exploitation and weren't just kind of idiots. So that's where I don't think the person who I spoke with in December was actually involved with this at all, but the timing was a little bit weird, and it is something that happens. Like, there absolutely are people that, you know, will try and infect people, but they're usually playing, I guess, a bit of a shorter game in my experience. Or maybe I've just been pwned for so long and don't even know it, right? But just not spending as much time building up that reputation. I think that feels like kind of the bigger difference here, is they did try to build up a reputation, have other people who would vouch for them within the community.
Yeah, the infiltration, deception aspect, I think that really shook people more than just being targeted for exploitation, right? I think it was more of that, because there's a psychological angle to it too. We talked a little bit about this when we were talking about the WikiLeaks versus zero-day talk from CCC. You know, when this type of story comes out, you start to question, oh, I wonder if that glitch I had a couple days ago was related to that. Like, you start to question things that happened over the last little while, and it hits you more than just in a technological sense. Like, even if you weren't attacked, you think you might have been, and that's where, like, you know, people start wiping, which you probably should do anyway, but like there's some interesting fallout from that on the psychological angle too.
Yeah, I think that's a good point. I guess I have to look at it from a different way. And, you know, when it's threat intelligence, like, it's a little bit different than some of the other security communities, like the zero-day development, in that you kind of assume 24/7, especially if you're like some of the folks that publish on, like, e-crime, or if you again do publish on nation-states, you kind of assume there's going to be some level of retribution, like someone's going to either try and do the same stupid crap, come to you and go, hey, I really love your research, do you want to open this file of my research, you know. Nah, thanks.
Well, or, you know, they try and do social engineering. So I think because it's a daily thing, it's just different, you know.
Yeah, I think there was more trust in the zero-day community than maybe some other areas of security, where you kind of have no choice but to just trust everybody, because, you know, the gain of targeting someone who's doing regular cybersecurity research, you know, can be a little higher sometimes, but in the zero-day community it's obviously very high. But I figured, what surprised me was I would never think anyone would bother to target those researchers, because I would just assume they're invulnerable. Like, how are you going to target someone who literally develops exploits, right? So I felt like everyone had, like, a more comfortable air knowing that, who would dare do something like this? Does that kind of make sense? Like, it's like trying to go at the dragon, like there's no way, there's no way, they'd always got a toothpick at this thing. And like that's probably why people got popped too, was they thought, like, people wouldn't target us, or if I was being targeted I would know it, I don't click on links I don't know, or, well, I guess here, I guess you don't know the blog, because that's why people got hit, but like I don't download things I don't know, for example. Like, you could follow pretty hygienic security practices here and still have gotten hit, because there was a zero-day potentially involved, right? I did want to jump back on something you said though, which is the value. There were some people that were really skeptical at first because there's a question like, burning a Chrome and possible Windows 0-day to pop researchers, people were thinking that doesn't really make sense, because if you wanted, like, you're a nation-state, you wanted exploits, why not just buy them? If you can buy them, like, for a nation-state, exploits really aren't that expensive, right?
But I have kind of an interesting angle on this, because if you think about it, and this actually did come from North Korea, I think it makes a lot more sense of having the intent of stealing 0-days than it would for other nation-states. Because for most governments it wouldn't really make sense to launch a campaign to steal 0-days because they could just buy them, but for a country like North Korea, it's going to be sanctioned, and I didn't actually double-check on this, but I imagine they would fall under, like, the Wassenaar Agreement, right? Like, I doubt it's legally possible to sell exploits to North Korea for anybody in that agreement. Yeah,
they, so the way the Wassenaar Arrangement works is that basically the countries within the Wassenaar agreement, you can export to, though they wouldn't really fall under it. This is more nitpicky, but they would fall outside that arrangement.
Yeah, so it's a
lot harder for North Korea to be able to buy those 0-days. You have to find people who are willing to sell them outside of, like, the legal jurisdiction, right? So it's where it's harder for them to obtain them, it makes a lot more sense from a, like, value perspective to potentially burn one to get more. So I thought that was kind of an interesting angle that a lot of people weren't really considering. Maybe that's just because, like, that take is just kind of off base, I don't know.
But I think you're right. You touching on it, I think that's actually a really good point. I think it's like when people kind of generalize North Korea. Like, if you look at the actions of, like, the North Korean hackers, right, what they always focused on is, like, let's say for instance they go and say, well, a lot of people ask, well, because China gives infrastructure and all kinds of things, has trained North Korea through all this, why wouldn't they be giving them zero-days? And it's kind of the logic of, I go and spend ten million dollars for 0-days and I just hand it off to this possibly less skilled teammate of mine, isn't it better for me to just use it? So by default you're not going to be sourcing a lot of zero-days, even from their little team members, the member nations. But the real big part here is North Korea, even as a nation-state, is pretty poor, right? That's why you see a lot of their targeting, at least from one of the few APT groups they do have, is specifically, like, that's why they're targeting exchanges. They don't have a lot of money, so they have to be creative in how they target things, right?
It can't just... the reason I think that they used zero-days in this manner was because the return on investment was likely going to be a lot higher, right? Let something else burn in hopes of getting, you know, X, Y and Z different exploits. I assume that was their logic. So I think that when you kind of go at it, understand that North Korea really is about trying to maximize every compromise they can get. They may have only had that zero-day, but they may have literally had to sit there and go, we've got one or two or three zero-days left that we can really use, which, by the way, they don't leverage a lot of zero-days, at least from what I can tell. So they may have just said, look, what's the way we can actualize it, and that's it, and go after security researchers, and they've done it before, they go through LinkedIn and different measures. So I think it actually is right within what they have been doing, targeting through social media. I think they just took it up a notch. Probably if they had not been so reckless, I genuinely think it's been about, what, a year or two, if they really waited, which, it's North Korea, I think it's different, that kind of, from a watering hole technique, you could probably target so many researchers if you build up that community and that trust. And then now that you've kind of mapped everyone out, you've built up a community, you've gained some trust, I bet you they could have compromised a hell of a lot of people, as opposed to just the kind of scattered approach they took. And they probably actually could have too, we don't know. But the thing I was trying to say is that North Korea, I think you're right, North Korea does not have the same means as every other nation-state. This actually really made sense in terms of leveraging a zero-day to hopefully maximize on what they do have, to gain even more. So that was long-winded.
And on that financial angle, this was kind of interesting, because I had a discussion with a few people about this too, some of the people who
confirmed they were compromised with this because they'd opened the malicious VS project files. They said that shortly after, there were attempted logins to, like, their Coinbase accounts and then to their, like, cryptocurrency wallets to extract crypto. And to me that seemed really strange, like a nation-state doing, like, skiddy, like criminal, like Russian hacker stuff. Like, it just seemed weird to me. But when you throw in that financial angle of, well, they're doing this because they don't have a lot of money to purchase 0-days and they probably want to get money, like you were talking about them targeting exchanges, I mean, going after cryptocurrency as a last-ditch effort, I guess, kind of makes sense in that context. So that is another angle I wanted to throw on there, was they did try, after they were caught, they did try to leverage it past what they'd already had. They were like, okay, well, shit, we got burned, let's try to see if we could steal anything from wallets or, yeah, email details or whatever,
but once they've been burned, I feel like that kind of makes sense. Like, now they just need to utilize this, unlike before, when they have time on their side and they can go and kind of play the long game, wait it out, and kind of distance themselves from the point of compromise to the point of actually using that information. And yeah, once they got burned, once the Google TAG post came out, then it seemed like they pivoted to actually use that information, because at that point people are going to start changing all that information. They've been burned. Like, we were on the same night, we had started wiping things, changing passwords and all that, and we weren't even necessarily compromised through it. So I mean, like, it makes sense that they would immediately pivot to try to do that. I do want to take one question I have from chat, which was from alkies: do we know if they had any luck and got some 0-days? And I'm not sure, I don't know if we've had anything necessarily confirmed that, like, they got exactly this zero-day. We have had some researchers who got owned who mentioned that they didn't have any. I have to imagine those that might have just wouldn't have mentioned it. So I would assume they at least got some out of this, just given kind of the scope of who they were targeting. That said, it does all seem like one of the things they heard was, like, they had a kernel exploit, like the actual code of the Visual Studio project, or maybe this was only, I believe it was, it wasn't rich in Seattle, there's somebody else who was pretty vocal about what had happened on Twitter. I forget their handle right now, but there was a
user on Reddit, and they might be on Twitter, and he said, I'm hearing Andre is one of the individuals who said they got
compromised. Yeah, and I don't know who it was and what they did, but they mentioned that they were running this under a VM, I believe. Which makes sense, like if you're going to look at a kernel exploit, you're probably going to run it under a VM so you can do the debugging. Like, that just seems almost like an oversight, because, like, you're not going to run your kernel exploit on your host, just because you can't debug your host when the kernel crashes.
Well, apart from some more unique setups, I suppose.
But they so much assumed it was a test VM. Anyway, I thought, if I can get access to that... I don't, I could be wrong, but I assumed that was maybe the theory, that if I can't get full access, maybe I'm going to get access to their testing VMware where they run all this stuff, and see at least their crashes and other stupid stuff.
Yeah, that is a good point. You can get some information out of just seeing the VM, even
too big a swing, but, you know, maybe.
Yeah, but no, I actually, I wasn't even thinking about that. I was saying, I tend to use a lot of throwaway VMs. Like, if I am using a VM, it's literally just like create a new snapshot, run whatever, do whatever, and then go back to the original. Like, I don't keep a lot of state, but I could imagine keeping some state, especially if you're working on, like, a single exploit. So I've got this one to just try really quickly from somebody, fair enough. I can see the reuse happening, so they could probably get something off that. I wouldn't be surprised to find out that they did get some 0-days out. That said, I don't think anybody's going to admit that they had zero-days that got compromised. What?
I think a lot of researchers are not going to want to admit that they were compromised, and that's the only thing I wonder with the zero-day. I don't want to be the person to say it fully, but there's been really no discovery of the Chrome thing. Like, it's really just been speculation, as far as I understand. So part of me does wonder, in a bad way, that some people literally just ran the, you know, Visual Studio project and that was literally it, and they're just kind of too ashamed to admit it. Or it just seems, it does seem interesting that no one was able to see that, especially if Microsoft was investigating this for months on end, and to my understanding this was posted on Reddit and that set community, right, the malicious blog post possibly. So
yeah, the DoS to RCE one was posted on Reddit. That's actually where I first found the blog myself and started looking at it, was back when that was posted,
but the amount of victims could be so high and not one person noticed a Chrome zero-day? I'm not saying this is wrong, I'm just... so with the Hyperion
Right. He mentioned, like, that he had a crash. And, or, I'm sorry, since I don't have my notes written on this part, I might have the names wrong. But somebody did say they got a crash, and it was like they had noted what the CVE was. And it does seem like, like that's what I was referring to when I said no official source factually confirmed it. It does seem like both Google and Microsoft, the way they talk about it, is as being: somebody accessed the website and then shortly after that the malware was running. It does seem like some devices were probably compromised that had, like, endpoint protection, and they're able to see the information from that. They were able to see the access to the website, then the compromise from there. I don't think it's just people lying. I'm just guessing, in a way, that both Google and Microsoft have reported on it. It seems to me quite likely that the endpoint protection was able to at least correlate the compromise, the actual running of the actual malware, with the visiting of the website, to kind of say that without actually having a crash to confirm it.
And that's true. Yeah, that was something that Microsoft published on: they said they discovered months ago that their endpoint protection across one of their clients detected that. So yeah, and I wasn't trying to belittle and say like anyone was probably just lying. I just meant more that I think a lot of times it's embarrassing to admit you've been compromised, and you know, they'd just be working and say, yeah, that must've been the way, whereas that was always kind of getting up. Yeah, I do think that there's a validity to it, and I was curious though how many people probably did actually open up just that project alone and got compromised, you know. So it's kind of an awkward situation in any regard, honestly, for all these people, so I just feel bad, but hopefully, honestly, you know, unless there's more to bring up, I really hope for most people that it's kind of like a lesson learned. I mean, I'm not surprised that researchers were targeted, but from myself, since I'm not an active zero-day developer, I was just surprised that zero-day, you know, exploit developers were kind of the target, because we kind of thought that it was just too spooky a thing, you know, who would you go after, not those types of people. So that's kind of my last thought. Yeah, I mean, it's interesting, like this exploit must have been remarkably stable considering how bold their strategy was of hitting the security researchers, like you were saying, and the fact that also, like you were saying, nobody caught it for so long. Like it must have been a really damn stable bug and didn't really cause much noise, and there's also the Windows zero-day angle too, because I think they mentioned this would have had to have gotten past Defender to install the malware the way it did. Um, so like both exploits in the chain must have been pretty damn good exploits for this to have happened the way it did.
So on the exploit, I believe at least the prevailing theory that I've seen is that the exploit being used was that WebAssembly one we were talking about last week and cut from the episode,
which is weird, because I don't remember that one being something that you would think of as super stable. You know, it seems like it would be finicky, but I don't know, I don't really know much about WebAssembly or exploitation in that area. So maybe I'm wrong there, but
Yeah, so maybe I'm just misremembering the specifics. I thought it was an unstable exploit, but maybe I'm thinking of something else we covered. Yeah, we
didn't get into much detail on the actual exploit strategy. They mostly didn't seem to, like, it does seem like it's one of those bugs that actually could be reasonably stable.
Yeah, this is pure speculation. I do have one more thing I wanted to pull out of chat. I'm sorry, I know we have been spending a while on this topic. This is probably going to be the last point for me, but somebody said in chat, if I can find it because it's been a little while, they were saying, that's my point about Chromium being used everywhere. Like nowadays almost everything is Chromium-based. That is one big concern I have with the centralization in software development, man. You have Edge that recently just went to Chromium. It switched from Chakra and now people call it Edgium. There's Chrome, which is obviously going to be using Chromium. Like you have Chrome on Android. I think, does Node.js use Chrome? I think it, or sorry, what am I thinking about, Electron uses Chrome,
it does, so like there's so many things out there that use Chrome under the hood even if people don't realize it, and when you have so many things using the same software, that software becomes such a juicy target to exploit. You can exploit so many devices that are running Chrome nowadays, and that's why Chrome exploits are worth hundreds of thousands of dollars. There's so many things that run Chrome: you have Android, you have the Chrome browsers, you have, like, it is concerning, and I do feel like there needs to be more fragmentation, I guess, coming in when it comes to browsers and usage. And it's sad, because Firefox is kind of spiraling down too. I mean, Mozilla made a post last year saying that they were cutting down the development on Firefox. They killed the Rust fork of Firefox, I believe. So it just seems like everything's moving towards Chrome, and that's kind of a dangerous path, but I don't know if there's anything that can really be done to stop that anyway. But I just wanted to point out that is a growing problem that's happening. I did want to ask you guys if you look at it more in that vein. You know, I think when I talk to people about Chromium, I kind of have the same concern, not even just from a security but a privacy perspective. But past that, you know, when you start getting all these other people that then in turn start kind of using Chromium and submitting things, and it's open source, I believe, you know, would it then over time, you have to worry even more. I think a lot of people go and say, well, it's a Google thing, so you know it's going to be safe, but I don't know if I believe that, and I worry more that now, with all the different browsers and even more using Chromium, I feel like people are just going to keep piling into it and adding their functionality that was maybe lost when they ported over to Chromium, and then they're just going to be bringing in actually more bugs and more vulnerabilities.
Is that stupid, is that far-fetched? It's like the Android problem all over again, honestly.
Yeah, look, there is a little bit of that Android problem, where you've got just a very diverse ecosystem of different deployments, where you've got all the different browsers like Brave and all of them, which will be based on different Chromium versions or slightly different Chromium versions. That said, Chrome has at least, I would say, done some things right when it comes down to how they've done security, in that they try to centralize a lot of the security aspects. They're not just implementing these sort of ad hoc security mechanisms, but they try and centralize, so everything kind of has to go through it, forcing proper development when it comes in, and that's something that Firefox has been a little bit more ad hoc with when it comes to some of the security features. So I mean, I feel like Chrome is at least doing some things right that make it a little bit harder for it to be compromised in that way, for that to really be the root of a lot of vulnerabilities, because even if people are adding more and more functionality, it is creating a larger attack surface, but I think they're taking a lot of the right steps. I mean, with the sandboxing, for example, it doesn't really matter if your code, well, it does matter, if your code's insecure, say it gets people into the sandbox, but they still have to deal with the sandbox then. There's layers of defense that Google has. It's not just like you have to implement the security if you want it, but it's there, and it's hard to disable it if you want to disable it, or impossible to do so.
Well, I think you're right. I just know that from a threat actor's, like the baddies, quote-unquote, you know, when you start limiting, like they don't have to just target, you know, five different browsers or whatever, right. They can go and say, well, if I do focus on this one, it's going to be there, and you're right in that I just think they handle a lot of the security better. I think it's the smaller security stuff that starts bubbling up, where even silly things like malicious plug-ins or, you know, extensions, if it works now on Chromium, it'll work on every browser. You start seeing issues like that crop up, where it doesn't always have to be the biggest and baddest exploit. A lot of threat actors find weird things that they can trigger that now work across the board. So I think that's where I worry, it's just not necessarily the, you know, everything's going to go to hell, just it will kind of allow some people to be a little more advantageous now. They don't have to make something work across the board. But no, it's a very strong point that I do think Chromium does try to at least do the right thing in terms of security posture, whereas, you know, I think we've talked before about how Mozilla and IE have tended to kind of be part of exploit kits pretty frequently because they're not typically as secure. So valid
points. Yeah, and I mean it's going to happen as Chrome is more used. It's a similar thing with Windows. Why don't you see a lot of malware being written to target Linux? Because the user base is on Windows. I mean, you still see plenty of compromises of Linux services, I mean that happens all the time, but you don't see as much malware going for that.
You already see ransomware doing that. Yeah.
I mean, I wouldn't be surprised. Well, I think we have seen some ransomware kind of doing more Linux stuff actually,
but not nearly as much though.
Yeah. Well, not as much, as the user base there does make it a nicer target. Which is why, in some sense, people who are running Firefox against the br0vvnn blog, you know, may not have been hit by it simply because they were using an abnormal setup, and abnormal in this case just being using Firefox instead of
Chrome. Yeah, you got lucky, essentially, that you didn't get hit.
Like there is a certain, it's kind of security by obscurity, and there is a certain degree of security that you do get by running an obscure system, by having some of that obscurity. Like security by obscurity, there is some security there, it's just not something that should be depended upon, but it's not negligible either. It's just you shouldn't rely upon it, and I think that's true in this case,
too. Yeah, so I think we will move on. Anti, I know you probably want to get out of here. We're hitting the 45-minute mark. We've been talking on this topic for quite a while. But yeah, did you have any final thoughts that you wanted to mention on this topic or any other topic before you jump off? I mean, I guess to give kind of my last parting shot, my summary here is really, you know, never assume. It's a really good example that, you know, you're not worth targeting, and that even if you're not the initial target, you know, this is how it kind of pans out sometimes, just by nature of being in those communities, and I think, you know, every person's kind of a target. So I'm hoping, you know, I always hate these things, but in some small ways I'm glad these things happen, or in one small way, so that people kind of remember, like, okay, I can't just go and trust every single thing, because unfortunately this is exactly how it works. So I'm excited to, you know, see further developments and people who maybe get more analysis, but otherwise, thanks, great conversation. I'm going to head out, I enjoyed hopping on. Thanks guys. All right, cool. Thanks for coming on, Anti. We appreciate it, it's been a while. Thanks for joining us. All right, so we'll jump into a new topic. Offensive Security put out their EXP-301 course, which is a Windows user-mode exploit development course, which is one of the courses intended to replace Cracking the Perimeter along with WEB-300, which we covered back in episode 51. In the blog post they posted the course syllabus and registration information. So I figure we'll probably go through the course syllabus first and talk about some of the things the course covers. So prime among them seems to be tool usage, using things like WinDbg, IDA, just being able to debug on Windows essentially, and yeah, there's reverse engineering.
There's definitely like a good segment on WinDbg. IDA seems really limited. In fact, I kind of don't like their use of IDA here. I mean, whatever they use, it doesn't really matter. But like this is their IDA section I just pulled up. Literally it's, you know, basic functionality, search functionality, and they have the static/dynamic analysis synchronization. So literally linking it with your debugger, so you have the information being shared, you know, make a change in one place, see it over in IDA, or make a change in IDA and see it over in WinDbg. It's doing that linking. Like you're not getting very deep into IDA with what's covered in it, you know, like at least stuff you get comfortable with in the first few hours pretty much. Yeah, which is kind of why I feel like they should have chosen something besides IDA Pro, because there's no reason why they couldn't have used Ghidra, which would be free and accessible for users, rather than encouraging the use of IDA Pro. That said, you already know if you've listened to the podcast, we kind of have a chip on our shoulder when it comes to IDA and Ghidra. To
balance that out, IDA's Windows API matching functionality is kind of unmatched, so I can totally see why you'd want to push people to use IDA for doing Windows reversing. Ghidra has been more
whacked. Ghidra can get pretty close to IDA if you add all the symbols and that; it doesn't do that by default, whereas IDA does give you that by default. Like it's batteries included in a sense. For
yeah, which is fair. I mean, it is a Windows course. It's just because they don't get very deep into either, it just feels like, you know, maybe they should have used something free, but that is not really a huge issue. IDA is the industry-standard software that you're probably going to end up using regardless if you get into this professionally. But that leads into another thing: as a certification, I kind of expect it to be something that says, like, you're at a level to professionally do some of this. This is a 32-bit Windows exploitation course. 32-bit is kind of the emphasis there when it comes to actually covering the exploitation. It gets you, you know, roughly to ROP, covers ROP, covers, you know, calling VirtualAlloc, doing stuff to defeat DEP, like basically creating a memory page that has read/write/execute permissions. Pretty standard technique for that, but it's 32-bit. I think that is kind of a big deal breaker to me. I was really excited about this course. I was looking forward to seeing what they'd come out with, and I'm really disappointed by what they actually have in here, because for, yeah, $1,300. They don't have a 30-day option, there's only a 60-day option, a 90-day option though, for $1,300. This is very much a beginner course on exploit development, again, at least stack-based overwrite. So it covers kind of your classic EIP overwrite and an SEH overwrite. That's really all it covers in terms of the actual exploits. It covers like a bit of some shellcoding stuff. It also covers a little bit of reverse engineering, in particular just like hooking an API, you know, hooking functions, being able to modify them at that point. Catherine in chat: no 64-bit? That's correct. This is purely 32-bit x86 Windows. Like it doesn't feel very updated. It's kind of my issue here, because it's not covering, like, yes, you can argue that once you've learned these basics on 32-bit you're going to be able to learn 64-bit. That's it.
There is a pretty big difference when it comes to the calling conventions, and thus when it comes to trying to ROP or something, and it covers the SEH overwrite, which, somebody can correct me if I'm wrong here, but with 32-bit the SEH pointers would be stored as part of the stack frame; on 64-bit they're out of the stack frame now, so you don't get access to the SEH overwrite when you have an overflow anymore. So for an updated course, I would expect it to be more up-to-date, and don't get me wrong, there are things you can learn from this. It's not like you can't learn anything at all from this, but for $1,300, which is, again, in fairness, not a crazy price for such a course, I just would expect it to be more updated, like most beginner exploitation courses now do cover 64-bit. I would have liked to see something, you know, maybe a little bit about having a heap overflow, not necessarily the allocator attacks, just cover like heap spraying, something like that. And in fairness, heap spraying is a little bit more difficult on Windows than it is on Linux, but you'd think it's something you could cover to be an intermediate course, and it feels more like a beginner course to me. If you're going to learn from it, like, great. It does deal with at least DEP and ASLR, which was lacking from OSCE, you know. There's some fair stuff in there. It doesn't cover fuzzing anymore, but the fuzzing that was covered in OSCE was, I want to say it was using SPIKE, might have been Peach, just really basic fuzzing though. I think the RE is definitely a step up, and on the whole the course is a step up. But at the price point, I would go back and recommend the RET2 Systems course that I think we talked about some episodes ago. Yeah, I'm pulling it up now. This course was $1,000 and covers a lot more.
It's Linux-focused. That said, I feel like when you make the change to Windows you learn some of the specifics there, but the fundamental concepts still remain. Like
yeah, I mean, like you said, I think the biggest change is going to be the pool, like the heap stuff, because in Windows it's not really heap, they call it pools, and it's a bit weird how it works. But that's probably the biggest difference when you're going from Linux to Windows, I think.
Yeah, I mean, there's definitely a lot of differences that do come in with Windows and Linux. The thing is, like, you learn your foundational concepts, like you just, you know, learn to understand ROP and kind of really rock that, and then you can learn these differences. You can learn the common techniques, like, you know, they do cover the VirtualAlloc stuff, just calling VirtualAlloc. That's a common technique once you get ROP going, for doing that. That's fair game, but you can kind of learn that once you learn your foundations. I do think starting off on Linux, well, one, it's a bit easier, like Linux exploitation is easier; Windows definitely has a lot more little mitigations to learn, but there's things that kind of add on to your knowledge either way. I mean, jumping back onto the actual exploit development course, I'm just disappointed by the looks of it. Like I said, I have not taken it and can't confirm what's in there, but as it stands, I was expecting more. They do say it's 15 hours of video content and more than 600 pages, and, you know, maybe it is, well, I do think their courses are long so it definitely is, but that feels like the wrong metric. Like 600 pages of PDF content, oh joy. Like it doesn't really matter if it's 600 pages if, you know, every page is filled with an entire screenshot.
Yeah. I was going to say it's kind of like that quote, I think it's attributed to Bill Gates, about measuring aircraft building by weight. It just seems like a kind of useless metric. It doesn't mean anything on its own. Sorry, you were going to say something there.
Yeah, I was just going to take Bleak L's in chat: wait, Windows has mitigations? What do you mean? I'm talking about, like, there's a lot of smaller user-land mitigations within Windows, especially when you look at formerly EMET, and now you've got Windows, it's just built into Windows Defender, the exploit mitigations there. Basically that's what I'm talking about. Those things are a little bit more readily available on Windows than they are on Linux. So you're going to run into them more. My experience has been you're going to run into things like stack canaries a lot more also on Windows. Oh, that's it. The stack canaries one has been more just my experience, not, I haven't done any study on that, but that's kind of what I'm referring to. Like there are these little sort of things Windows does differently. Oh yeah, in chat also, Oileo, or maybe that's mostly a face for the name, asks, does this course better prepare for the advanced Windows exploit course that OffSec has? Apparently so, at least compared to the OSCE course. I would have to imagine there's still a pretty significant gap between this and
OSEE. So I will throw in something that I thought was positive when I was looking through the syllabus.
Yeah, I think I'm sorry
you a little bit, but that's fine. I mean, I had a little bit more of a favorable outlook, I think, on the course than you did, at least at first, although some of your points are kind of changing me in that direction. But one thing I thought was cool was they have a section on reverse engineering for bugs using IDA, because vuln research is one of those things that's sometimes neglected in a lot of courses; they just throw like n-days at you, or some contrived issues, and reverse engineering is going to be a big part of Windows. That is one thing with Windows: there's less of an open source community on Windows applications, Windows itself is closed source. So I think that angle of covering vuln research from a black box or gray box perspective is a really good value add to offer in there. So
I thought they only really cover reverse engineering from this concept of hooking, okay, the recv function, I think. I'm trying to find it in the table of contents here.
Yeah, I think it's near the end of
the end. Either way, it was mostly like the reverse engineering was to hook in, which, like I say, is fair game, and I think it is an improvement over what they covered in terms of fuzzing. That basically is replacing the old fuzzing section of OSCE. I agree with you, I think it's a better step to kind of teach people that more practical skill than trying to cover fuzzing. That said, it doesn't go very deep, like it's a positive to show it, but anybody who takes this course is going to have to run with that a lot more. I guess I should also mention, I was talking about all the stack stuff they covered, they do also cover format string exploits, and it seems like they start talking a little bit about the concept of a write primitive, which is an important mental concept when it comes to modern exploits, understanding the idea of primitives. So the format string exploit, like, you know, is definitely a good step there. Whether or not you're actually finding too many format string exploits these days doesn't matter. I think it's still an important thing to learn, just because of the mental aspect of a format string exploit being a write-what-where. Excellent. So like that's definitely a positive too, including that they're going to talk a little bit about the concept of primitives and weird machines, things like that, is definitely a plus here. Like I said, I do think there are things that somebody will learn from this course, like these are all things that you need to kind of learn. So it's not like there's just nothing to learn in this. I just had, maybe my expectations were too high for it. I just had higher expectations.
There's a few bug classes that are notably missing here. You have no UAF, which is probably like the most common bug class that you run into nowadays. So nothing really covering use-after-frees, at least from the syllabus. Nothing on race conditions, no heap stuff, no type confusion, like that. There is a lot of stuff missing, I agree, and so this course is $1,300, like you said, which includes 60 days of lab time. But yeah, like, I don't know, I kind of agree. I feel like there should have been a little bit more in here, especially when it came to bug classes. Those are kind of important, I think.
Yeah, this covers, like, it is an exploit development class, so it does cover some exploits. It's not so much covering any sort of bug classes. We also don't see even integer overflow. Maybe it'll be in there. Maybe that's how they get something. But
yeah, well, all we have to work with here is the syllabus. We don't have the course content. So, you know, take what we're saying with that in
mind. Yeah, definitely, a grain of salt. I was just going to call out also the labs they've added, which would appear to be the blind challenges in the lab, which was lacking with OSCE. It was just, there's a walkthrough on a few vulnerabilities and that's all the lab was; the lab just had machines vulnerable to those things. It looks like, I don't know for sure, but they do have the Try Harder labs in here and Challenge One, Two, and Three. They did this with OSWE also, where they started including some more blind labs for you to actually work through and put into practice, and I think there's a lot of value in that. I think like with OSCP, you know, their kind of flagship course, they have labs, and they have like 50-plus labs, so you get a ton of room to just go and practice the things you're learning about. And I think that would be great if there was an exploit development course that did the same thing, provided you all these labs to get some practice with. 301 doesn't really do it, but it's an improvement regardless, and it really depends on the types of challenges these are. These could be multi-stage things, these could be really great challenges. So I don't want to downplay their potential there. It's definitely a positive move, again, that they are including
So getting into some of the meta information about the course: it's $1,300 with that 60 days of lab time, which you can extend for 30 days for $360. One thing that is weird here, though, is you need to be 18 and have ID to register for it. They say there are some exceptions if you're under 18, if you
had to undergo medical certification chance,
Well, I thought so too, for, I kind of had that thought too, was this common, and I looked back for some of the previous courses like PEN-300 and that requirement wasn't there. So
you need that? I think it's maybe just they're mentioning it; you need ID to register for all of their courses. You can't even do it from a Gmail account. You have to use a proper email address, presumably a work email address. They have that, sir. That's just OffSec in general does
that, so that's just something they don't really mention in any other courses, but they mention it here. I guess because I thought that was specific to this course earlier. Oh, I don't think so. Okay. That's
where maybe the 18 one is, because there's definitely been younger people on OSCP, but I imagine that's one of those things where you can just contact them and kind of get the exception done for that. I know they've always had kind of a slightly annoying registration process that involves ID, and I think that's largely just because they are trying to protect the certification itself.
Yeah, I mean, it makes sense. Yeah, I just did want to call that out in case there were any younger people who are like, oh, this sounds interesting. But there is that gate there that you would have to get the exception for.
And as a final note, I will say, thinking about this as a certification, not just the course, like I think there's value in this as a course for your learning. There's things you need to learn, there's a value there. As a certification, I can't imagine myself ever kind of looking at this thing and saying, yeah, that's what I need, or like that's what I want to hire somebody with. It just doesn't get you far enough to actually do modern exploitation. So it's not relevant for any current job that involves exploitation. It could be an asset for somebody doing pentesting: you're going to have a better handle on fixing up or working with existing vulnerabilities and existing proofs of concept. That's all good there, but as a certification, I just can't imagine myself wanting this. That's it. It might be like OSWE: I didn't care much for the course, but I loved the actual exam and the certification
because Elka. So yeah, I mean, I guess what I would ask is, do you think it comes up short compared to PEN-300?
Um, it depends on what we're talking about. Like I said, the course, I think it's kind of the same as like WEB-300,
or sorry, I meant the cert value, that's what I meant. Is it good value for the
They might throw something into the certification, or into the exam, that actually makes it a really good test. That's what they did with OSWE. It made me like, it was the exam that kind of pulled me back on it, because the exam was a really good test of someone's ability to just take a new code base, get up to speed on it, audit it quickly, and actually start auditing a new code base. It was a good exam for that aspect, and that is a really important skill. The course itself, though, just taught a few tricks. It felt like it wasn't a great course. So yeah, I don't know. I can't really speak to the value of the certification without having sat it. But going from this, it feels like it's just not actually going to be relevant. Like it's not like OSCP, where you're getting the methodology out of it, and so, you know, the certification is still relevant even though the content maybe isn't. Exploit development, you need to get up to a certain level for it to be relevant, I guess. Yeah, um, like in fairness, there are things to learn from it, so as a course you can learn things from it. I'm not sure what the value of this cert is going to be. That doesn't mean it's going to be bad. I'm purely going off the table of contents, which is definitely a very limited way of
judging it. Yeah, for those that might be interested in taking the course, the course registration has opened up as of January 27th. I don't believe they're actually starting though until March 7th. So you do have that window if you want to check it out. And if you do, like, you can leave a comment on our video or anything and let us know what you thought of the course, see if we were wrong on anything from the table of contents evaluation, I guess. But we'll move into some exploits. So we'll start off with a quickie. This was a Linksys WRT54G 60 NL issue in those routers. There's a bug in the web panel when it comes to changing the language for the UI. The language is changed by sending a POST request to the apply endpoint, and when you do that they construct a path using the language parameter and pass it to the copy command using system. As you can likely guess, there's no sanitization on that parameter, so you can just break out of it and get command execution. It's a very straightforward issue. This issue hasn't and probably won't be fixed because this product isn't supported anymore. So in C group recommends updating the router firmware with an alternative firmware, like OpenWrt, if you have this router. One thing I'm curious about though is they note that this endpoint is authenticated. You can see in the title they call it an authenticated command injection, which is a little bit weird to me, because being able to change the language is something you would think you'd want exposed to the login panel as well. So I was kind of expecting with this vector for it to be an unauthenticated command injection as well. But maybe it uses a different endpoint for the login, or it just doesn't allow you to change the language. I'm not sure.
I could imagine just not really having any way to change the language, like you kind of set it globally in a sense. It might be where you set the language for your device, so it just starts off as English by default presumably, and then you can make this call to change it. It does seem like a weird way to change the language, to actually be effectively just doing a copy command, so it seems like it's literally just replacing one of the files with another file when you change the language. That's going to be a global thing, so you log in, you change the language for the entire device. It's not like every user gets to change it.
Yeah, and a login screen, even if it's not in your language, it's pretty recognizable and you know what to do even if you can't necessarily read all the text on the page. So yeah, that's probably what's going on there. But yeah, very quick issue, pretty straightforward. So we'll get into a more interesting issue now, which is vulnerabilities within TikTok's Friend Finder. So Check Point published a post about a method they discovered to abuse TikTok's Friend Finder feature. They used this method to hypothetically establish a database of users and their associated phone numbers, if they chose to associate a phone number with their account, that is. You don't have to when you use TikTok, apparently. I mean, I don't use TikTok, but apparently you can choose; they have themselves a login via Facebook
sharing, I believe. Yeah, that way you wouldn't have a phone number. So
It exists through the contact synchronization functionality. When using TikTok, they prompt you to sync contacts on your phone with TikTok to try to find people you know, which is pretty standard functionality that's going to be on most social media applications. But when uploading the contacts from the list, they do try to take some privacy steps, like they hash the name and phone number of the contact with SHA-256 and upload it, and then when synchronizing, the server sends back a list of profiles with those hashed numbers and names, as well as the user's ID, profile photos, stuff like that. Now obviously they do have to set some limits on that, because otherwise someone can just abuse their contact list to get a response for batches of phone numbers and associate them to accounts, which is exactly what this attack is. So what they try to do is they limit the request to 500 contacts per day per user per device, and they also do device registration to try to ensure the user is using a physical device, and they sign requests with the device to the server. The problem here is the token for that device can be extracted to be used virtually, and the other problem is the session cookie for that token lasts for 60 days. So an adversary can basically just use the device, or a device, as a signing oracle using something like Frida to hook the signing method and then just automate connecting phone numbers with profile details. And it's scalable, like you get two devices and do a thousand contacts per day if you wanted to, right? So it seems like they tried to prevent this issue from being an issue and the restrictions were just way too soft when they were going through the design decision.
I mean, it's a hard thing to do though, also. And I don't think you mentioned it yet, but in terms of bypassing the signing, they effectively would just hook the calls to the signing and modify them inline to have it sign a different message. So when it comes down to it, it's a hard problem. Like, you create that authentication token; how do you actually lock that down so only a particular device can reuse it, especially if you're able to reuse the same IP, so sitting on the same network and stuff? It's a hard problem. I think a better thing would have been, you know, something like a CAPTCHA would be used to prevent automation rather than trying to prevent it in these sorts of ways, actually requiring a certain investment. Even with CAPTCHAs, though, like you hire a cheap team from a third-world country, you can still kind of deal with that, but at least it's a little bit more of a human investment than what we see here. Because ultimately this just came down to the fact that they could automate the entire process.
It's not the easiest problem to solve though. Like I think it's really just kind of, looking at this, just as you said, all their restrictions were so soft. But it is a harder problem to solve.
I do kind of question why they have the limits so soft, like who has five hundred contacts on their phone? Like I don't think I've ever seen anybody with even a tenth of that. So
I've got quite a few contacts imported. I'm actually just pulling my phone out now to take a look at what my number is. I want to say it's in the 300s.
Really? Okay, maybe I just don't use my contacts enough and maybe I'm a little out of touch, but phone people...
So kind of the problem with my contacts is a ton of them come from old stuff, like, you know, if I've logged in on Hotmail. Well, I've had, like, I had MSN in my teens, I had a lot of contacts on MSN, and those still exist in my contact list. So you can easily have these hundreds of people in your contacts just because of older things kind of adding them, registering some information back and forth and just kind of sticking around if you've kept the same addresses for a long time.
Yeah, I mean, so they don't talk about how this issue was resolved. But I feel like if I got to make a change I would just make it, so for one, you maybe keep the five hundred contacts but change it to monthly, because I feel like you probably don't need... maybe a hard cap of 500 contacts per month or something, right? I think that would probably seem more reasonable and a lot harder to automate. Or, just like you said, you could add a CAPTCHA on that as well to make it more difficult to automate. But yeah, it just seems weird that they went through all this trouble signing the messages and using per-device tokens but used these really soft limits and the 60-day sessions too. Like, I don't think you would need 60-day cookie sessions there either, but I mean, maybe they probably have reasoning for that. But yeah, unfortunately we don't have exactly what changes they made to address this issue. I believe that Check Point does state that they addressed it, right? I'm pretty sure; it's not just a potshot at them, but I'm trying to find exactly where they stated that. Yeah, so: "we're delighted to join TikTok in fixing these issues." So they don't say exactly how the issues were fixed, but it's probably just that they changed the limits, and I doubt they added a CAPTCHA on it because that would probably be annoying for the user experience. So
Well, so there are other ways of doing a CAPTCHA though, like a proof-of-work style that are a little bit more invisible, besides just typing in a CAPTCHA code. There's definitely been some progress on making more invisible CAPTCHAs.
Yeah, but yeah, this one wasn't really a technical bug. It was more just a design oversight, I guess, and not taking into account how abusable their system still could be even after going through the steps that they did. So, one thing I think is being abused: we have another secret club post on yet another lock screen bypass for BitLocker. This was actually inspired by Jonas's bypass, which we covered two weeks ago. This researcher decided to weaponize an old bug they found in Windows touch devices. So again, this one, just like Jonas's, exploits the hidden settings menu, but in this case the instance that launches the lock screen for the user prompt is launched as SYSTEM for some reason. So basically what they do here is they abuse the forgot-your-password functionality to bring up the virtual keyboard. Really
quickly, part of the reason for SYSTEM is actually kind of security-related, so other programs can't just hook onto it. It creates the higher integrity level. So running as SYSTEM is kind of there for a reason when it's accepting your password. But for some reason, Windows desktop
doesn't do that. It uses IPC and it's launched as user or default user.
Sorry, well, so I'd have to look into it before I comment on that, actually. So yeah, I just
The only reason I remember that is because, from Jonas's post, his lock screen bypass was very similar to this, but he had to do that additional privilege escalation because the lock screen user was the default user, which didn't really have any privileges. So yeah, in this case though, unlike Surface devices, you just get that SYSTEM privesc for free with the bypass as well. So getting into the bypass and how it works: they abuse the forgot-your-password functionality to bring up the virtual keyboard, and in the gray space on the virtual keyboard, for a brief time, you can double-tap it to bring up a context menu which has the settings icon. And then, even though when the settings app is launched it's hidden, you connect the physical keyboard to it to navigate the hidden settings window, and just like Jonas's attack, they use AutoPlay on a USB device to execute the payload. In this case though, there was no second-stage attack needed, because like I said, you have that binary executing as SYSTEM, not the default user. What's interesting about this report is Microsoft rejected the issue, citing the need for a proof of concept, and they expressed disbelief towards the exploitability of the issue. The researchers stated they provided a POC, even though Microsoft apparently asked for one. Now, obviously, this is only one side of the story. We don't have the bug report and back-and-forth, so it's hard to comment on this aspect too much, but this does seem like a legitimate bypass. So it seems weird that Microsoft would reject the issue out of hand.
I mean, my guess here is, they do say this was an old bug that they found. My guess might be something along the lines of: they reported this quite a while ago, at the time Microsoft didn't care about it, and now maybe they might. That's only a guess. We don't know when they reported it initially, and reading through it though, I kind of got the sense they might have reported it quite a while ago and had it get ignored. So now they just figured out how to weaponize it and just published it without taking it back to MSRC. Yeah, that's a little bit
unclear on that.
Yeah, that's pure speculation, as we like to
do. We're the speculation masters. But um, yeah, I mean maybe we shouldn't comment on that too much just because there are so many unknowns. My biggest question here, though, is like I said earlier, and I mean you kind of chimed in on it, but it just seems weird that they would have the lock screen directly running as SYSTEM. This is the kind of thing, this is why you would want to use IPC, to have the lock screen as default user and then do anything sensitive that you would want protected from hooking or something in a SYSTEM process. It just seems weird that it would work one way on desktop and in a less secure way on, like,
Surface devices. It's just... yeah, I agree with you. That said, like I chimed in there, I know they use SYSTEM for that integrity level aspect. I just, in this particular case, I'd have to dig into it a little bit more to see why. Like, there probably was a reason why they chose SYSTEM here. I just don't... I'd have to look into it further to actually intelligibly comment on it.
Again, obviously speculation, but one reason I could think of maybe is something with the touchscreen. Maybe there's something with the touchscreen where they need to be SYSTEM to interact with it properly. I don't know, but that's the only big device-level difference between a desktop and a Surface, I would think, that the user sees, which would be the lock screen. There could be more under-the-hood differences that require SYSTEM, but yeah, that's probably my most interesting question out of this blog post and something we're probably not going to get the answer to, honestly. But
I mean, I just like this post just because it's such a simple issue. I'll get a keyboard basically, or get the on-screen keyboard, get the settings, just like Jonas's one. It's just a great vulnerability. It doesn't require any sort of buffer overflow, doesn't require memory corruption. It's just: here's the design decision that has an overlooked security problem. And I don't know, I just love those exploits because it's readily understood. It's something that you just have to think about, that we're kind of starting to discover just playing around with it. It's not something that takes some really deep understanding, or at least not a deep understanding of how software works, like a lot of the buffer overflows and such that we cover.
Yeah, and we've been seeing quite a bit of them lately. Like somebody from chat mentioned, I heard about some kids who found one in Linux Mint by keyboard mashing? Yeah, we covered that one a couple weeks ago, I think, on the lock screen bypass one. There was a Mint 20 issue that was much the same with the virtual keyboard. It wasn't about launching settings; that one was, I think, crashing the daemon for the login, and sometimes if you crashed it a certain way it would just bypass it and you could get into the system. But yeah, there's been a lot of lock screen bypasses in the last couple months. I guess people are inspiring other people to get into that stuff. And yeah, they're fun bugs, I agree. So let's get into another big topic: the NAT Slipstreaming attack. So Ben Seri from Armis posted that they found a new variant of the NAT Slipstreaming attack, which can be used to attack any devices on internal networks from the internet through malicious link clicks. So we talked about Samy Kamkar's original NAT Slipstreaming attack back in October. This was on episode 51. Actually, I guess we would have talked about it in November, so the attack was published October 31st. Um, and that was the V1 of this attack, which was essentially using packet fragmentation to sneak in and craft a packet to send to the application-level gateway from the browser. One way they did this, I think, was using the max transmission unit, and they basically smuggled SIP requests into the ALG. So browsers have released a patch to try to mitigate this issue. I'm not entirely certain what those mitigations were; they don't talk about them in the blog post, unfortunately, I wish they did. I would imagine it's something like browsers maybe are not able to send SIP packets anymore, but I'm not totally sure on that. Again, I'm speculating
there. So I believe part of it at least was the addition of whatever port they were using to the restricted port list. So with this one, it's still a similar attack, but instead of using SIP they end up using another voice protocol, the H.323 protocol, which kind of has the unique feature of supporting call forwarding, which has that aspect of you can have traffic being forwarded from one device over to a third IP. So whereas with SIP you only had access to the actual victim device (you could get access to any port on that device, presuming you knew their internal IP), in this case you can kind of set up call forwarding to forward your messages along to any device in the network that you want to. So it's similar in that it's still, you know, you're kind of forging that packet and smuggling that, in this case an H.323 packet, in there so that the firewall might see it as that if it doesn't deal with fragmentation properly. And then they also talk about abusing WebRTC going through TURN, which doesn't reference the in-browser restricted port list, so you can access and get requests going out to any port from that. So I thought it was kind of an interesting attack; it just required knowing about basically H.323.
Yeah, I thought that WebRTC second-stage attack was kind of cool too, because it's kind of like another smuggling issue. They basically use the username field in combination with tweaking the max segment size of the TCP packets, and they use that to be able to send arbitrary TCP packets to any port they want, such as the FTP port or whatever. So yeah, this bypasses the original mitigations introduced for the first NAT Slipstreaming attack, and it's more powerful because, like you said, you can hit any device on the internal network. I will say this write-up was so much easier to understand, and cutting through the cruft was a lot easier for me than it was with the first NAT Slipstreaming attack we covered. I think you mentioned at the time when we covered it that there was a lot of background information that wasn't super necessary. That is one thing that I love about this blog post: it was explained a lot more clearly than I initially thought it would be before I clicked on the article. So I've got to give props to Armis here. This is a really good write-up, I think.
Yeah, I agree with you. And we did just have a question in chat asking if this is the same as the Samy one. Apparently Samy has updated his website; it just ends up linking over to the Armis one. Yeah, I'll bring up Samy's website here. So, I would say to chat, Samy's website used to have the V1 here as the write-up that he did on it, and now he just links over to the one that we're covering, which is version 2 of the attack.
Yeah, it's actually really strange how he did that. He titles it NAT Slipstreaming V2, which would make you think it's a write-up about V2, but it's literally just the link; the rest of it is just the V1 attack. So it's just a little bit weird how he set that up. But yeah, that's the V1 explanation. The V2 is entirely on the Armis site.
So it looks like he does include, actually, I didn't take a look at Samy's page here to know it's up to date, but he does actually have some updates regarding how V2 works.
Where's that? I didn't see that at all.
Well, if you kind of scroll through, you'll see mentions of H.323 now and how V2 works versus how V1 worked. So it kind of has a comparison there, because it could show that... all right, yeah, fair enough. I didn't think
he... when I was looking through it, it looked the same. But
yeah, scrolling through it, it does look the same, but then you'll notice those few places where it breaks into the V2 information. That said, I agree with you that the one from Armis was quite well done. Good.
So we'll move on to libgcrypt. So this
topic also blew up last week, partially because of some of the drama, which I won't really get into; it's kind of adjacent but not really related to this issue, as well as the fact that PGP's audience is infosec people. So I mean, I will talk about the drama for a quick second. It was basically related to some of the issues that were tagged to it, like the git scheme being recommended in the docs for cloning instead of using SSL and stuff like that. That's why I wasn't really going to get into it too much. But yeah, with this issue specifically, libgcrypt had a heap buffer overflow when dealing with message digest data. It's caused by an integer underflow when reading the digest byte count for the block. So when they're writing a block, they do a bounds check on the length of how much to copy by subtracting the digest byte count field from the block size. The problem is that count field can get set to a value larger than the block size in the digest final function, which I believe is due to another fix they tried to implement to prevent timing attacks on the length of hashed messages. It was like a side
channel... not necessarily a fix, or like I imagine that would have been in there pretty early on. That's just keeping computations at a consistent time, so it will write the same amount of blocks every time even if it doesn't actually need to write that many blocks. Like, always write 32 blocks even if only 30 blocks are actually part of the message; it's just so the timing remains the same. It may have been put there as a fix, but that might have been in there right from the beginning. Like, that sort of timing attack has been well known for a long time.
Actually, the way I read it, it was actually introduced in 1.9, I think. That was why... well, the vuln was
introduced for a timing attack? Okay, perhaps. On that note, I do also have the fix commit that we'll include in the description. The fix is pretty much what you'd expect: it checks if the count is greater than the block size and resets the count.
Yeah, pretty straightforward fix. So because of the impact, they advise people to stop using libgcrypt 1.9.0 and use 1.9.1. They actually removed the tarball for 1.9.0 entirely. It is worth noting, though, that no GnuPG version was affected here, because no version used that version of the library. So this is just libgcrypt; it's not an issue in, like, the GPG released binaries. So yeah, the impact isn't quite as large as you might think it would be initially reading into it. But yeah, this is just basically failing to consider that redundancy of writing the blocks to prevent the timing attacks. Maybe... I am pretty sure that came in recently. But like you said, zi, that attack has been known about for a while and is probably the first type of attack you try on crypto. So maybe there was another change that made 1.9 vulnerable and that's been there for a while. I'm not a hundred percent sure. I tried looking
a little bit to see if I could find or understand exactly how it was introduced. I didn't end up getting on that. They do include the commit hash there though; it is something you can take a look at if you're
interested. Yeah, to be fair, the GnuPG stuff is kind of annoying to navigate. There were a few references to this issue where it was blocked off and required a login, and it was like "you're not authorized" or something, but then there was this one, which has all the technical details of the bug. So I don't... it was just weird navigating it. It's kind of a difficult site to navigate, in my opinion. But yeah, bottom line is it's fixed now, and if you use libgcrypt for any projects you should update it
to 1.1.1 if you were using 1.9. So we'll keep on the train of heap overflows. We have another one, which is a heap-based buffer overflow in sudo. So this was another critical issue. It's exploitable by anyone; you do not need to be in the sudoers file, and it can allow full root privilege escalation on versions going all the way back to July of 2011, apparently. And it's an issue when they try to handle command line arguments in shell mode. So that's when you pass the shell flag, or through the -i option, which sets the MODE_SHELL flag on sudo itself. So when handling command line args, they try to rewrite the argv to concatenate all the commands passed by the user into a string, formatted into that -c argument form, and they escape the metacharacters internally. Then later, when running the sudoers policy routine, they try to unescape those metacharacters when setting the arguments for, in quotations here, "sudoers matching and logging purposes". The problem comes in when they try to deal with unescaping those metacharacters. If the mode gets confused between the shell and edit modes, problems start to pop up, because the user can essentially insert their own escapes, and that's what the math that goes into parsing and unescaping the
arguments... and the math in this case, like, it's not really complicated. The code is up here and highlighted. It literally iterates over the argument until it gets to a null, and then it kind of does that inside of, for each particular one, iterates over it. So where the issue ends up coming in, like, the math is pretty straightforward: if the current character is a backslash and the next character is not a space, it just skips the backslash and copies in the next character. Actually, it sets it in the destination buffer, and then it sets a space after it. I guess I've kind of interrupted you on that, but as you were going to get to, the issue comes in when you're able to confuse the modes a little bit, and you're able to control where all those backslashes are. And if you have, as the last character of your argument, a backslash, then that means it's a backslash and then a null byte, which is going to pass the check where it looks for the backslash. It's like: there's a backslash, okay, it's not a space next, so let's just skip forward, copy that character and keep going through the loop. And because they move that iterator forward, it never fails the null check. The loop is looking to see if it's a falsy value, so if it's a null it never ends up failing that; it just keeps going and keeps copying until it actually does run into a null. So that leads to the out-of-bounds.
Yeah, and it's a powerful out-of-bounds too, because you have a lot of control over the size of the overflow, right? They ended up finding three different ways to exploit this bug. But basically, this wouldn't be an issue if you couldn't set both the edit and shell modes, and how they managed to do that was to use the sudoedit command and the -s flag on that. And the reason that works is because if sudo gets executed as sudoedit, the MODE_EDIT flag is set, but the valid flags don't get changed, and the valid flags have that MODE_SHELL flag allowed by default. That's why you can mix
both of them. And just for what it's worth, I pulled up the fix here also; that will be down in the description. All that they did that really mattered was they check the characters for null now.
Also, yeah, so not only is this a powerful privilege escalation but it's also an ideal overflow, as they note. And to try to exploit this vulnerability, instead of just trying a bunch of strategies on their own, they basically brute-forced triggering the vulnerability. They kind of fuzzed it, in a sense, and they found three different exploitable paths or objects that they could use, and they exploited all three of them, actually. So the first way was they overwrote the process hooks' getenv function pointer in the sudo_hook_entry object to get code execution. They basically did a partial overwrite on that to make it call execv instead, which would call it with user-provided arguments. That wasn't perfectly stable, because ASLR was still at play in the upper bits, but because it's in userland and you can just keep running it, they can just keep running until it works, which would take less than 4096 tries, probability-wise. The second strategy was a string overwrite in the service_user structure, which is used for loading libraries. They could basically smash the library name to load their own shared library as root. The third way was smashing a def_timestampdir object's directory, which gets written to, and they race it with a symlink to get an arbitrary write of stack contents into a file as root, and they use that to smash the /etc/passwd file to inject a root user in there. I think the coolest exploit path in terms of ingenuity was probably that third option of inducing the race, the arbitrary file write through the symlink. The most practical exploit, though, if you were going to use this, in terms of accessibility, was probably the second one, to load your own library. That seems like the path of least resistance, I guess, when you're talking about exploit strategies. Yeah, that's
resistance. Um, I'd agree there. I did find the /etc/passwd overwrite... I like that one. Again, it's just a fun way to attack it when you're able to get that. It's super loud, I mean, you're overwriting /etc/passwd, so it's not like that's going to be
quiet. Yeah, and the first issue was cool, but again, it's very noisy. It's going to be crashing a lot. So yeah, that second strategy is definitely the best way to go. But yeah, I mean, this is a cool bug. Is this the bug that somebody in our Discord was trying to exploit, right? Or was I confusing that with somebody, you know?
Discord... I mean, there's a lot of people trying to exploit this one right now. Um, I believe there have been some proof of concepts. The only link that I had kind of immediately available is this one, which, out of chat, it's mentioned that it may not work, although it does mention that the offsets are basically hard-coded, so it might work on both systems, but you're probably going to have to mess with the offsets a little bit. Okay, but it is a proof of concept that you can at least take a look at. I think there are some other ones; I don't have the links ready or on me. If I come across them I'll probably just share them in our
Discord. Yeah, so there's this kind of, I guess, race or challenge to try to exploit this issue. So if you're looking for something fun to do when you're bored, I mean this might be something to take a look at. It seems like a fairly straightforward issue to exploit; it's just the exploit angle is where you get creative, and that's what's fun, I think. Yeah, I enjoy things like that more than vuln research.
So with this fun challenge, with this one, you've definitely kind of got that... you've got a powerful bug, but in an ideal world you'd probably want to change this, or sorry, chain this with an info leak or something of that nature, which would make it a lot more stable. But you don't have that aspect of it.
Yeah, exactly. So yeah, fun issue.
Now before we move on to the next topic, we do have a question in chat from Route email: do you think C/C++ is going away anytime soon? Every time this sort of stuff hits HN there's a huge discussion about how everything should be rewritten in safe languages like Rust or something. I don't think C is going away anytime soon. I would like to see more things incorporating Rust and incorporating safer languages, but there's a certain ease that comes with working with C, and obviously there's a lot of momentum when it comes to working with C. There are a lot of old hats that just want to keep working with C. So it's going to take a while before we kind of start to move away from it. I don't think it's going to disappear anytime soon, especially on the more resource-constrained systems.
There's a lot of monolithic projects that are written in C or C++. Most operating systems are written in C. Most browsers are written in C++, most game engines. In fact, I don't know if there's any game engines that aren't written in C++, because anything that needs a lot of performance is going to be using those languages. There has been kind of a push to move to Rust, like I mentioned earlier. Mozilla had a, I forgot the name of the project, but they had a project to try to rewrite Firefox or re-implement Firefox in Rust. That was sort of... you killed Servo. Oh, that's
right. Yeah, but that was like they had that project way before Rust was... like that was the... they were basically dogfooding Rust when they started it. Yeah, like it was actually never even meant to be a public project. It was always just supposed to be there just to dogfood and get using Rust, just to eat that, and then it became more of a public project and they started incorporating more, but that was never the intent with it. But there is more adoption, like, actually, I want to say the 2020 Linux Security Summit, there was actually talk about incorporating Rust into the kernel, for example. Might start seeing it with
drivers. Oh no. Please, no.
There's been that sort of discussion going on. Like, there's a trend. There are people that want to move to safer languages. It's there, it's definitely happening. I don't think C's going to disappear anytime soon either.
I mean, for people who are wondering why I'm saying "oh no": Rust is one of those languages where it's cool, you know, the idea of implementing something like C but with the memory safety built in is cool, and without a ton of performance loss like you would have in a scripting language, obviously. But Rust... I really, really dislike Rust syntax. I really hate reading it. It makes me very sad trying to read Rust, and I wouldn't ever want to struggle through writing it either, because writing Rust is kind of a pain in the ass. You've got to fight the borrow checker, you've got to deal with the annoying syntax. Like, I just feel like Rust is not the language I would want big projects to switch to. I feel like I would want them to switch to something built off of Rust, which obviously, everybody's meme that is... I mean, Zig is kind of the... it seems to be like, it looks promising. I've heard a lot of good things about it from
Frumpy. I haven't gotten to play with it yet, so I just kind of joke about it most of the time. Oh, one of the questions in chat is, is Rust as fast as C? One of the things about Rust that makes it interesting is they've had an emphasis on what they refer to as zero-cost abstractions. That is, it implements a lot of abstractions that make it kind of nicer to code in but that don't actually cost anything at runtime. There's things that the compiler can kind of check and do for you, so that does actually give Rust pretty good performance. I'm not going to comment on if it's as fast as C. Really, comparing two languages, it comes down to what you're actually trying to do. It's hard to say this language is faster or is slower unless there's like a significant architectural difference, like an interpreted language versus a compiled language. Then you've got a very clear difference. When it comes down to native code, it's going down to native code. It really just comes down to who has the better optimizations for your particular
problem. Yeah, and one thing I'll mention about those compile time checks that you mentioned is Rust does have pretty good runtime performance. I think on a lot of benchmarking it does trade blows with C, but the compile time performance sucks, because you're running so many checks at compile time that I couldn't imagine building an operating system or a browser in Rust and how painful that would probably be. The compile times might be as much as double, like you're twice as long, so that is one angle where there is a pain point when it comes to Rust, and it might be at least one factor of why it's not being adopted in major projects. Not only would it take a ton of time to rewrite and re-implement everything in Rust, but it also comes at an added overhead of development time with the compile times, stuff like that, which sucks. So yeah, I mean, Rust is cool, and Zig looks cool, but there's some problems with it, and I don't think it will overtake C or anything in a major way anytime soon. No. But yeah, with that said, we can move into some more Windows stuff. So we have a second part blog post, or 1.5 if you want to take the title's versioning, of "Exploiting a Simple Windows Kernel Vulnerability" by Yarden Shafir. So the first part was "Exploiting a Simple Vulnerability in 35 Easy Steps or Less" back in November, which we covered in episode 55. Now this blog post isn't directly related to that one, they weren't chained together, but she found this issue while researching Event Tracing, which was what the first blog post covered. So basically it's an info leak that can allow you to get half of a pointer into non-paged pool on x64 as almost any user on the system. You can get the top 32 bits of a kernel pointer.
So there's a good bit of background information here that I'm going to kind of glance over, but what's relevant for the issue is there's a hidden ability to request replies when sending ETW notifications, and the first post kind of touched on this as well. So usually this field is set to 0, but you can set it to 1 in the header when queuing a notification. Essentially, when you request a reply, a kernel object gets allocated and pointed to in the notification through the reply object field, but this field is actually in a union. It can be treated as either a reply handle, a reply object, or a RegIndex, which I assume means registry index, but I'm not certain on that; I couldn't find what the "reg" part of that was relevant to. But basically you can get a notification in the queue created with a reply object, then call NtTraceControl, which gets that union copied out to user space, which is intended behavior. But one thing they didn't account for was RegIndex is... 8 bytes on 64-bit systems, not 4 bytes. So the top half of the kernel pointer ends up getting leaked. And what's interesting is this issue wasn't a problem on 32-bit, because pointers and longs are the same size. So it's just a discrepancy that kind of got skipped over when moving to 64-bit. They didn't consider that eight bytes is copied out but only four bytes gets initialized because of that union. And sorry, RegIndex, I guess, would have been a long, sorry. So not 8 bytes, I got that kind of confused there. So yeah, the RegIndex, so the lower 4 bytes gets initialized, the upper 4 bytes are left uninitialized. So if there was a kernel pointer in there, then those upper 32 bits are going to get leaked. So it's only a partial info leak, but that still could be useful depending on your situation.
But yeah, I mean, this was a cool issue and it's extremely easy to trigger. You could reliably trigger this issue like a hundred percent of the time, as I understand it. There's not really any factors for variance with this issue. The PoC is literally just three function calls. But I do just want to shout that this type of issue is exactly why I dislike unions and when people use them a lot. I understand they have a purpose, and this is kind of a debated topic. I think I've actually gotten into a debate with you about this, zi, but it feels like a lot of the time when people are using unions they're penny-pinching on memory usage.
I mean, I don't think we've debated this. I agree with you. I'm not a
fan of unions. Okay, must've been somebody else. But yeah, I mean, it introduces confusion and potential bugs into your code to save like four bytes of memory. I mean, this code is kind of old, but most systems nowadays, most people are running at least eight gigs of memory. To put that into perspective, when you're using a union you're worrying about saving like 4 to the negative 10th power of a percent of memory. What are you doing? Don't use unions. I mean, I don't mind when people use them for aliasing, like if you're doing maybe texture drawing or something and you have RGB, and you have the RGB as integers or as a byte buffer, something like that is fine. But I feel like people use unions dangerously a lot and I don't know why. It just doesn't really seem like it's worth it from a readability perspective. Like, you're sacrificing readability and potentially introducing bugs to save a few bytes. It's kind of a joke. Yep, I wanted to rant a little bit about unions off of this
topic. No, it's a good rant. It's one of those features that I'd argue probably introduces more bugs than it really helps solve. Like I said, it adds so much complexity to trying to understand the code. There are certain patterns where I think it can be nicer to use a union, but I'd still kind of push away from it. Like, I generally wouldn't write any code or suggest writing code with unions, especially now, like memory isn't as much of an issue anymore. Even when we talk about the network aspect of it, like if you're using that for a network packet, I think there's a stronger argument to be made on the network side than on just the memory savings, on saving actual network traffic, but it's still such a small amount with modern systems. Like, even on a bad connection, four bytes isn't that much, but it might add up. There are probably some scenarios where you can make a stronger argument for it, but I feel like it's better to just use a separate structure or something rather than trying to make it a union. And with that, oh no, I'm not a fan of unions either. I think it's a good rant worth bringing up at least.
Yeah, it feels like one of those older features that maybe at the time made more sense, but as time has gone on it's not worth it anymore and people should probably stop using them. That said, we'll finish off with our last Windows issue. This is a post from zi. This one's not in Event Tracing but it's in the win32kfull graphics subsystem, so it's a null pointer dereference. Now usually we wouldn't cover a null deref, because they're almost always uninteresting from an exploitation perspective beyond denial of service. The reasoning for that is most systems will allocate a null guard page so that you can't map anything to the null virtual address, but in this case there is still an avenue for privilege escalation, though it's under extremely specific and rare circumstances. Getting into the issue first, though: graphics device drivers have this ability to register hooks or custom handlers for certain graphics operations on drawing surfaces in the kernel, which is really common in kernels, specifying those types of hooks or modules or whatever they're called. And one of the hooks you can specify is the PlgBlt hook, which is for doing bit block transfers of color data from source rectangles to destination rectangles. And the way you enable that hook is you can just enable it by setting a flag from user mode through gdi32. The problem is if you set that flag, they try to call into the function table as if a hook is provided, but it's not guaranteed that the graphics driver you're using will actually export a function for it. So if you try to call into, let's say, the multi-monitor driver provided by win32kfull, there's a null deref when it goes to call that hook. Normally that would result in a crash. Where the privilege escalation angle comes into play is on 32-bit systems with NTVDM installed for running 16-bit processes.
It's actually possible to map the null virtual page there, even though it is impossible to map null on modern Windows machines. In those 16-bit circumstances you can map null. I don't know what the reasoning for that is, but I imagine it's probably because in 16-bit your address space is so limited that they probably just didn't want to use a guard page, and to carry that over it probably would have broken things, honestly. And one of Windows' big things is not breaking compatibility with old stuff. So that's probably why they removed the null guard page there. But yeah, I mean, even though it's an extremely specific circumstance, it is one of the few cases where privilege escalation is technically still possible with a null deref. That being said, I can't lie when I say that I felt a bit clickbaited by the title. I was hoping there was some novel new technique for making null derefs exploitable on modern Windows, but that's not actually what's happening here. It's only on 32-bit Windows with 16-bit process capability, and it's only if there's no SMAP as well, because obviously 0 is going to be in user space. So if the system has Supervisor Mode Access Prevention, you're not going to be able to exploit the issue either, although on a system that's running 16-bit processes you're probably not going to have SMAP anyway, I thought.
You're also less likely to run SMAP on Windows in general, just because you kind of need the buy-in from all the driver developers too. So there is support for it, I just don't think it's enabled by default. I might have to go look into that. Somebody else had pointed that out to me a little while back in the discussion, that SMAP is a little bit less likely to be seen on Windows just because of the fact that a lot of drivers kind of make the assumption of being able to make those accesses. It might only be SMAP that I'm thinking of.
Yeah, so I remember we talked about this too, actually, because SMAP landed in 2018, but it landed in a very limited capacity at first. I don't know if that's changed over the last couple of months or last year, so I don't do enough Windows stuff to keep up to date on that. But yeah, that's a good shout. Windows is so much harder to push anything through on the kernel side, because the driver ecosystem is just so much more of a problem to deal with than it is on, like, Linux, for example. There's so many Windows drivers, there's so many crappy Windows drivers. So yeah, I mean, I definitely don't blame Microsoft for that. But yeah, I mean, this was still kind of a cool blog post. But if you were thinking that this was going to make a null deref suddenly exploitable again on, like, Windows 10 or something, that's not what's happening there, unfortunately.
At least the title wasn't as clickbaity as the North Koreans with their "dolls to RCE". Excellent. Yeah, in fairness to zi, they were clear about the specificity with this one. They just covered it, and I thought it was interesting to cover because we often end up just talking about null dereferences not generally being exploitable these days in the kernel, and this was just a case where, okay, there are cases where it still is exploitable. It's not the normal case, but I felt it was still worth bringing
up. Yeah, so we'll move into our research segment. This kind of ties back to something that anti said actually in that North Korea discussion, which I'll talk about in a second. So this is a novel cross-site leaking technique from Luan Herrera. These slides were from a talk he gave at the XS-Leaks Summit, or cross-site leaks summit, and it uses the HTTP redirect fetch from the fetch API in browsers. The protocol specification states that there should be a maximum of 20 redirects, and after 20 redirects it should return a network error. So you get the idea of, what if we use that as a side channel to leak information? So basically what they do is, by padding redirects with an attacker page and then redirecting to the target page, an attacker can basically figure out whether or not a page was loaded, or if they were again redirected, or if they would have been redirected. So think of trying to access, like, an admin panel, and if you had to be redirected to a login page or something like that. Now, where I was saying this kind of connects back to anti is, anti was talking about browsers and how the centralization of everything moving towards Chromium means that even non-memory-corruption exploits, things like cross-site leaking, if they're browser-specific... this one I don't think is too browser-specific because it's a specification issue, but cross-site leaking is another thing where, if a lot of things use the same browser, those cross-site leaks are going to be easier to hit more people with. But I just kind of wanted to tie it back to that. I didn't want to bring it up at the time because we were already going really long on the discussion. But anyway, getting back to this issue, I don't think it seems like a super useful thing to leak, like knowing if somebody is logged into something. I mean, maybe you can use it to time an attack or something, but we've seen things
like advertisers or insurance companies, actually some countries, using it, or some are using other techniques, to see if somebody would be, say, logged into Grindr, to see if they're likely gay, and then using that to actually discriminate in a lot of those cases. So the same attack could be used for something like that. The fact that you were redirected doesn't seem like a terribly sensitive piece of information, but it can definitely be used in a lot of cases to determine if you are logged in on something. Like, you can get some interesting information out of
that. Yeah, I mean, I like these cross-site leaks because they take advantage of pieces of data, like you said, that people think of as trivial. They think, who cares? But yeah, I mean, there are possible scenarios. Like, I never even thought of that. That's a good point with the Grindr situation, actually. Yeah, I like these little side channels that take advantage of little-known specification bullet points and abuse them. It's just cool. It is a really short talk, there's only 22 slides, which for a talk... I don't know if there's a recording of the talk, but I couldn't imagine it being that long.
It might have been a bit easier to understand what was going on within the presentation if there were a talk attached, like you could figure out what they're talking about for sure. It did take me a little bit to get, like, okay, they're talking about the redirects, like that is the information that you're able to leak, just without having the actual discussion alongside. Like, it's a well-done slide deck for somebody presenting, not for reading after the fact. Not that there's anything wrong with gay people, by the way; I'm not trying to say anything wrong about gay people. There have been some countries, such as Iran, who have been caught trying to detect if people are logged into sites like Grindr. So I was using that as an example where even this redirect information can be
fairly sensitive. Yeah, we were talking about hostile nations and stuff that do take issue with that in their political climate, but not the views we
hold. Yeah, and I think some insurance companies have actually used that sort of detection also, or health insurance companies have used that and then used it as a reason to raise some insurance rates. Really? That's nice. I feel like I've read about that before, obviously not using this technique for it. They were probably just using one of the image loads. But yeah, there has been... that's why I kind of used the Grindr aspect, because there have been some very targeted things trying to figure out if somebody is likely gay. Like, that is something that has definitely been done before. It's unfortunate, but that's somewhere where this redirect can also expose a good deal of information on that front. Yeah, it's not our beliefs here; we're not talking about how we might use it.
Yeah, I mean, the technical aspects of this attack are cool, but where this attack would probably be used is definitely, like, that's one of the only practical applications I can see of using something like this, unfortunately.
Yeah, I mean, advertising in general learns a lot on the basis of what sites you might be logged into. So that's another player to expect
that. Yeah, but unfortunately we don't live in the perfect world. So we'll move on to our last research topic and then we'll do some shout-outs to wrap up the show. This is a post from GitHub Security Lab. It's the second part of this "Keeping your GitHub Actions secure" series, the first part of which we didn't cover on the podcast because it came out on the same day that we went on our Christmas break, pretty much. That one focused on interacting with pull request workflow triggers and workflows and how dangerous that can be. This one is about forms of untrusted input in general when it comes to workflows, covering pull requests but also covering more than just pull requests, like issues and comments and stuff like that. And the funny thing is, we've seen this kind of talked about before, back on episode 52. It was with the VS Code repository. They had a workflow that took newly-opened issues and copied them to another repo, but the issue titles were printed to stdout, which allowed for a command injection. And issue titles are actually the first thing on their list here of potentially untrusted input, but there's a lot more on that list too, such as commit messages and pull request information, comments. And the reason using these untrusted inputs in your workflow could be dangerous is because you can set up machines as self-hosted runners, which run workflows for you on your own box. And this is pretty much a necessity for really large projects, because GitHub's hosted workflow runners are pretty heavily restricted. I think they can only run for like five minutes or something, and even then their resources are limited. So somebody could potentially do something malicious on your box if you're using a self-hosted
runner, but even if you're not, that aside, someone abusing a poorly set up workflow could potentially inject malicious stuff into the CI build artifacts or the final build files, which I think is what happened with the VS Code one. I think they made it inject something that got run by Node.js or something like that. It's been a while, I can't remember the specific details around
that. I think the one that you're thinking of, what they were doing was, it had certain actions that could be triggered on the basis of standard output. Like, you could trigger further actions if you controlled what was in standard output, like you can set certain environment variables that would be used later. Yeah, that was the one that you're thinking of. Yeah.
So basically there's multiple vectors where you could exploit untrusted input into workflows, and that's kind of what they're trying to highlight here. This is like a PSA post. And some of the other things that can happen too is they could steal repo secrets from that broader context, like the repository write access token, environment variable secrets. GitHub Actions will attempt to prevent secrets from leaking through the log, but they say that that's not actually a security boundary. That's more just a protection against people accidentally leaking things to the log. There's nothing stopping someone who's determined enough to exfil by, like, wrapping the secrets in obfuscation or something. So they end off the post with what you should do if you absolutely need to use untrusted input in workflows, which is basically utilizing intermediate environment variables instead of directly using them. But yeah, I mean, this is a good, informative post that anyone who manages a project and uses GitHub Actions, or probably any form of continuous integration, honestly should probably give a read. Workflows are really awesome for CI, but they're also really powerful, and they can be abused by anybody who can, you know, open issues or add comments or make commits or something like that.
Yeah. It's an interesting attack vector because of that. Like, anybody can open the pull request, so you might think it's kind of, like, okay, yeah, just, you know, echo with the name in here and let's use that, not really thinking of the fact that an attacker can actually control that, because you kind of think of the information as coming from GitHub, so it's a little bit more trusted. Or at least that's what I could imagine kind of going through a developer's mind: okay, this is the information from GitHub, it must be safe, and seeing it as having gone through that. So I thought it was a really good write-up. I'm just kind of covering it. They don't cover any sort of specific attack on some well-known thing; it's just a bit of research on here's things you should be aware
of. Yeah, that's totally fair that they wouldn't cover specific attacks where this is coming out of GitHub Security Lab. They probably wouldn't want to help anybody who finds an issue. In
fairness, they do write-ups also. Like, this is just part of their research, but they do actually do write-ups about other vulnerabilities. We've talked about stuff they've covered before. I just included this, though, because I think it's really valuable as a
reference. Yeah, for sure. Yeah, like I will quickly shout it out as well: if you are doing project management and you're not using GitHub Actions or CI at all, I do recommend looking at it. Obviously, do it securely, like the blog post is saying, but GitHub Actions is a really awesome feature that got added to GitHub. I think it was added last year; I think it was in a closed beta or something in 2019 or so. But yeah, I mean, it's a really awesome feature. You just got to be careful when you use it, that's all. So we can move into our shout-outs section. I'll do my shout-out first. I really just saw this on Twitter shortly before we went live today, but it's a video by Billy Ellis. He's done a lot of tutorials and he also wrote a book in the past about getting into ARM and iOS and iOS security. So I wanted to quickly shout this out. It's a video on how ASLR works in the kernel when it comes to iOS, and it's that background knowledge which is something that we like shouting out on this show. It's something that's not always easy to find, especially when you're talking about iOS, where it's such a gated target. Like, anything Apple is going to be kind of tricky to get into. So yeah, I mean, this is cool if you're looking to get into iOS stuff or just want to know how ASLR works in this video. It's not that long, it's only like 12 minutes long, so you can just put it on and listen to it while you're doing something or whatever. But yeah, that's mine. zi, I'll let you get into your shout-outs now.
Yes, my shout-out actually kind of follows on from yours, at least in the sense of covering a little bit about iOS. Project Zero put out another post looking at iMessage in iOS. It's a lot of background on the sandboxing, on the architecture, not so much any attack, just a good look at the background. So we're not going to cover it here. I did want to leave it as a shout-out for some background to go reference. I found it a little bit interesting. I didn't read the entire thing, if I'm being honest. But yeah, I still want to kind of give that a shout-out. And on a similar vein, Mozilla's Attack & Defense blog put out an article about effectively fuzzing the inter-process communication layer in Firefox. So a little bit of background on how they do IPC, because that is, I guess it's been around for a couple years now, and they did Firefox Quantum, that was the main change that happened there. But a little bit about how that works and then getting into actually fuzzing that aspect of Firefox. Again, just some good background information. No actual vulnerability covered, but still worth taking a look at. All right, cool.