docs.daveops.net

Snippets for yer computer needs

Journal

November, 2018

VirtualBox 0day

One of the most lucid breaks I’ve seen in a while https://github.com/MorteNoir1/virtualbox_e1000_0day

2018-10

libssh causes massive freakout

https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ https://www.libssh.org/security/advisories/CVE-2018-10933.txt

September, 2018

Alpine APK

https://justi.cz/security/2018/09/13/alpine-apk-rce.html

August 2018

Another Struts RCE

https://semmle.com/news/apache-struts-CVE-2018-11776

RANSOM

Routing Around Nation-States: Overlays and Measurements https://ransom.cs.princeton.edu/

OpenSSH user oracle

http://www.openwall.com/lists/oss-security/2018/08/15/5 http://www.openwall.com/lists/oss-security/2018/08/24/1

Intel L1 bug

https://www.theregister.co.uk/2018/08/14/intel_l1_terminal_fault_bugs/ https://lwn.net/Articles/762570/

July 2018

NetSpectre

https://misc0110.net/web/files/netspectre.pdf

Bluetooth broken again

https://www.kb.cert.org/vuls/id/304725

More Spectre defenses

https://arxiv.org/abs/1807.05843

June 2018

Microsoft buys GitHub

https://johansen.software/github-xp/

Simon and Speck

https://www.spinics.net/lists/linux-crypto/msg33291.html

May 2018

Throwhammer

I wonder how long before Rowhammer-style attacks make their way to networking equipment… https://www.cs.vu.nl/~herbertb/download/papers/throwhammer_atc18.pdf

EFail

A broken embargo, and lots of finger pointing. Security is awesome! https://efail.de/

Nethammer

https://arxiv.org/pdf/1805.04956.pdf

April 2018

patch runs ed

http://rachelbythebay.com/w/2018/04/05/bangpatch/

Xz format inadequate for long-term archiving

(from the lzip format author) https://www.nongnu.org/lzip/xz_inadequate.html

This of course is sad because we software developers are among the few people who are able to understand the strengths and weaknesses of formats. We have a moral duty to choose wisely the formats we use because everybody else will blindly use whatever formats we choose.

March 2018

Exim pre-auth RCE

https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/

Juggling with packets

  As such, the Internet has a non-zero momentary data storage capacity.
  It is possible to push out a piece of information and effectively have
  it stored until echoed back. By establishing a mechanism for cyclic
  transmission and reception of chunks of data to and from a number of
  remote hosts, it is possible to maintain an arbitrary amount of data
  constantly `on the wire', thus establishing a high-capacity volatile
  medium.

http://lcamtuf.coredump.cx/juggling_with_packets.txt

Temporal Return Addresses (2005)

Paper (PDF) An exploitation chronomancer is one who is capable of divining the best time to exploit something based on the alignment of certain bytes that occur naturally in a process’ address space

Abusing Certificate Transparency logs

https://github.com/UnaPibaGeek/ctfr

February 2018

Audio Adversarial Examples

Because the computer is always right. Only a matter of time before there’s malware hidden in the next pop hit. https://nicholas.carlini.com/code/audio_adversarial_examples/

30-year-old OpenVMS local root vuln

https://www.theregister.co.uk/AMP/2018/02/06/openvms_vulnerability/

Meltdown/Spectre (continued)

http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ Spectre Mitigations in Microsoft’s C/C++ Compiler Intel Analysis of Speculative-Exectutation Side Channels (PDF) AMD Indirect Branch Control Extension (PDF)

December 2018

Meltdown/Spectre

Throw out all your computers. Again.

Intel CPU Design Flaw Meltdown and Spectre attack Reading privileged memory with a side-channel AMD processors unaffected Apple deals with KPTI with DoubleMap As expected, Intel’s CEO dumps his stock Retpoline Theo De Raadt talking about Intel flaws back in 2007

IOHIDeous

This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user.

https://siguza.github.io/IOHIDeous/

MSPaint in your browser

http://jspaint.ml/

December 2017

Advent calendar season

Avast open-sources their decompiler

https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

ROBOT Attack

It has been X many days since last TLS disaster https://robotattack.org/

Microsoft Quantum Development Kit

https://www.microsoft.com/en-us/quantum/development-kit Writing a Quantum Program

AP Christmas Tree

https://imgur.com/gallery/DZRTr

BrickerBot update

Dude destroys tons of equipment, points out internet is broken. http://archive.is/PQAnU Amazingly, the ISP didn’t try to cover up the outage as some kind of network issue, power spike or a bad firmware upgrade. They didn’t lie to their customers at all. Instead, they promptly published a press release about their modems having been vulnerable which allowed their customers to assess their potential risk exposure. What did the most honest ISP in the world get for its laudable transparency? Sadly it got little more than criticism and bad press. It’s still the most depressing case of ‘why we can’t have nice things’ to me, and probably the main reason for why 99% of security mistakes get covered up and the actual victims get left in the dark. Too often ‘responsible disclosure’ simply becomes a euphemism for ‘coverup.’

Send Crypto People Tulips

Like shorting the market, but funnier https://sendcryptopeopletulips.com/

November 2017

Fooling Neural Networks/Machine Learning

https://arxiv.org/abs/1708.05207 http://www.labsix.org/physical-objects-that-fool-neural-nets/ https://cvdazzle.com/ http://dismagazine.com/dystopia/evolved-lifestyles/8115/anti-surveillance-how-to-hide-from-machines/

So… MINIX is everywhere

Turns out there’s a lot of garbage hidden on CPU’s these days. Work is underway to defang the nastiness https://www.networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20with%20Linux.pdf

Code exec from VMWare guest

VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in VMNAT device. This issue may allow a guest to execute code on the host. https://www.vmware.com/ca/security/advisories/VMSA-2017-0018.html

Intel ME is unsurprisingly vulnerable

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Linus Rant du Jour

If it's been on a random cellphone for a few months, and real users
used it, and had facebook and candy crush running on it, that's a
pretty different deal.

https://lkml.org/lkml/2017/11/21/356 http://lkml.iu.edu/hypermail/linux/kernel/1711.2/01701.html

instant root on macOS High Sierra

I honestly have no words for how dumb this is.

http://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

fix: sudo passwd -u root dsenableroot -d

October 2017

CommonMark

It turns out having 20+ Markdown implementations with no spec is a bad idea. Let’s see how long before there’s a competing spec ;-) http://commonmark.org/

dnsmasq RCEs

Wouldn’t it be nice if we stopped writing critical system services in C? Nah. https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Google teapot

https://www.google.com/teapot

Macro-less code exec in MS Word

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

A2 Analog Attack

An older one, but a great read. https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

The Pathologies of Big Data

http://queue.acm.org/detail.cfm?id=1563874 "In designing applications to handle ever-increasing amounts of data, developers would do well to remember that hardware specs are improving too, and keep in mind the so-called ZOI (zero-one-infinity) rule, which states that a program should “allow none of foo, one of foo, or any number of foo.” That is, limits should not be arbitrary; ideally, one should be able to do as much with software as the hardware platform allows."

"... big data should be defined at any point in time as “data whose size forces us to look beyond the tried-and-true methods that are prevalent at that time.”

KRACK Attack

WPA2 is broken, hum-de-dum https://www.krackattacks.com/ https://github.com/vanhoefm/krackattacks

September 2017

BlueBorne attack

https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/ http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

It turns out most Bluetooth stacks are terrible.

Design of Display Processors

https://twitter.com/rob_pike/status/907164275965255685 http://cva.stanford.edu/classes/cs99s/papers/myer-sutherland-design-of-display-processors.pdf

Distrusting Symantec Certs

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

ABI Compliance Checker

http://ispras.linuxbase.org/index.php/ABI_compliance_checker

Sandsifter

Black Hat presentation https://github.com/xoreaxeaxeax/sandsifter

Root Causes of Chrome Certificate Errors

https://research.google.com/pubs/pub46359.html To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations.

CLKSCREW

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang

More Intel ME 0wnage

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Fake packages in PyPI

http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Optionsbleed

CVE-2017-9798 https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks

http://blog.talosintelligence.com/2017/09/fin7-stealer.html What makes this one interesting is the obfuscation techniques

The function body of the evaluated JavaScript appears to be within a multi-line comment, however, in reality this is evaluated as a multi-line string.

Linux PIE/stack corruption (CVE-2017-1000253)

https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt