Downclimb: Summit Route's Weekly Infosec News Recap
2015.05.10 – 2015.05.17: https://SummitRoute.com
"80% of finding security vulnerabilities is bothering to look." Aldo Cortesi
"Software vendors: If your software retains the same MD5, I'm unlikely to believe your claim that you fixed the bugs I reported to you." Will Dormann
"New rule: You only get to give your vuln a cutesy name if mass exploitation is possible. RT if you are sick of naming every damn CVE." Chris Eng
"Found 0day in the tablet driver. Looks like an OOB write, or as we like to call it, 'coloring outside the lines'" Doug D
Format parsing vulns in web apps
Parsing data has always been a boon to vulnerability researchers, because parsers so often have vulns. Some interesting vulns have recently been found in web libraries that are caused by failing to validate input data before using it. These are interesting because there is no standard way of finding them and no generic mitigation against them. For example, XSS, SQL injection, and CSRF are all fairly easy to identify through static or dynamic audits when they are possible, and for XSS there are HTTP headers that can mitigate it. Parsing vulns are found by code auditing and aren't as easily spotted.
Egor Homakov from Sakurity found one such vuln in a library called Pusher. Pusher's main claim to fame was probably that it was the main technology used by the failed company Secret, which had taken on $33M in investor money to allow users to anonymously share their secrets. Pusher is a separate company though. The vulnerability is described in the Sakurity post linked below, and the simple code fix (also linked below) just adds a validation check.
A similar format issue was found by LinkedIn's security team in the Netty library. The discussion of that vuln is here.
- Pusher vuln: http://sakurity.com/blog/2015/05/08/pusher.html
- Pusher vuln fix: https://github.com/pusher/pusher-http-go/commit/7c43176a4fb722863498606a3f06f9fe7237cbb3
- Netty vuln: https://security.linkedin.com/
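To make the "just adds a validation check" point concrete, here is an added example (not Pusher's code, not Netty's, and not from the Sakurity post) of the general bug class: a signature computed over delimiter-joined fields where the fields themselves are never checked against their expected format, so two different field splits can yield the same bytes to sign. The field names, the grammars in the regular expressions, and the secret are all assumptions constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// demoSecret is a constructed value for this example only.
const demoSecret = "demo-secret-not-a-real-key"

// Assumed field grammars (not taken from any real library): a socket id is
// two decimal runs joined by a dot; a channel name is a short token that
// cannot contain the ':' delimiter used when joining.
var (
	socketIDRe = regexp.MustCompile(`^[0-9]+\.[0-9]+$`)
	channelRe  = regexp.MustCompile(`^[A-Za-z0-9_=@,.;-]{1,164}$`)
)

// hmacHex returns HMAC-SHA256(secret, msg) as lowercase hex.
func hmacHex(msg, secret string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// WeakAuth is the "before": it trusts its inputs and signs the joined string.
// Because the join uses ':' and neither field is checked, two different
// (socketID, channel) pairs can produce the identical string to sign.
func WeakAuth(socketID, channel string) string {
	return hmacHex(socketID+":"+channel, demoSecret)
}

// CheckedAuth is the "after": the same signing, behind a format check that
// makes the joined string unambiguous. The check is the whole fix.
func CheckedAuth(socketID, channel string) (string, error) {
	if !socketIDRe.MatchString(socketID) {
		return "", errors.New("socket_id does not match expected format")
	}
	if !channelRe.MatchString(channel) {
		return "", errors.New("channel name does not match expected format")
	}
	return WeakAuth(socketID, channel), nil
}

func main() {
	// Same bytes signed from two different field splits: the weak version
	// cannot tell them apart, the checked version refuses the malformed one.
	fmt.Println("weak signatures collide:", WeakAuth("1.2", "a:b") == WeakAuth("1.2:a", "b"))
	_, err := CheckedAuth("1.2:a", "b")
	fmt.Println("checked version rejects:", err != nil)
}
```

The lesson for auditing is the one the section makes: nothing about the HMAC is wrong, and no scanner flags it; you only find it by reading the code that builds the signed string and asking whether each field is constrained to a shape that keeps the delimiter unambiguous.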
Analyzing MS15-050 With Diaphora
Alex Ionescu shows how to use Joxean Koret's recently released Diaphora plugin for IDA Pro to diff the recent Microsoft patch for CVE-2015-1702, which was a privilege escalation bug using the Service Control Manager.
VENOM (CVE-2015-3456) is the name for a vulnerability in QEMU's virtual Floppy Disk Controller, which also affects Xen and KVM. It has been around since 2004. It allows for a guest escape to the host. It can be exploited even if the guest does not have a virtual floppy drive. This vuln was disclosed to AWS and DigitalOcean prior to the announcement so they are already patched, and this is only really a concern for VPS (virtual private server) providers. This was discovered through a code audit, and not discovered in the wild. It was found by an employee of Crowdstrike (thus the name and marketing for it). Interestingly, for their marketing push, some info about this issue was released to the press prior to a public disclosure.
Fuzzer that found MS15-053 - CVE-2015-1686
It's great to see what a real world fuzzer looks like that found a real vuln in real software (Internet Explorer), instead of tutorials for toy programs.
Hacker told FBI he made plane fly sideways after cracking entertainment system
A month ago a "security researcher" tweeted about how he could hack a plane, and he ended up being arrested. A lot of noise was made on Twitter about free speech and the value of security researchers. However, his tweet was:
"Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)".
It's now been disclosed (or alleged) that he actually did hack into a number of planes on actual flights and even manipulated the engines of one while in flight.
United does have a bug bounty program, but it's only for its web sites, and it specifically mentions that hacking airplanes is not within scope (as should be obvious).
There is concern that some security researchers are more focused on trying to make a name for themselves than on actually helping improve security. If a company doesn't pay a researcher who reports a problem, some researchers publicly shame the company. Good advice and insight comes from attackresearch when he says:
"Just because a client says they don't like the way you do biz so won't work with you, doesn't mean lack of resp or aren't working with others. Infosec has largely become an industry of client extortion, especially via stunt hacking. This must stop. A refusal to pay you specifically != refusing security. Maybe they hired someone better. Professionals working with vendors and regulators is what solves problems over time, not random hax. The 90's are over, The L0pht did good. But maybe your goal isn't fixes. Maybe it's looking elite, getting on the news and forcing vendors to pay you for 'research'." attackresearch
- Insurer cites cyber policy exclusion to dispute data breach settlement: Improvements in infosec are more likely to come from insurance companies than they are through compliance regulation. Whereas a company can claim compliance by ticking some boxes, insurance companies are likely to be more rigorous in their analysis of a company's security if that company attempts to file a claim.
- Intel, Google, VCs Pour Billions into Cybersecurity Startups: This post states "in the last five years, $7.3 billion has been invested into 1,208 private cybersecurity startups."
Conference materials and publications
- Syscan videos: Slides have been up for a while for most Syscan presentations, but videos are now online.
- BSides Boston
- ElastAlert: Open-source tool from Yelp, adds alerting to ELK stacks (Elasticsearch, Logstash, and Kibana). Alerts on frequency of events, rate of increase for events, when fields in an event match (or don't match) some value, and more.
- Modern Honey Network application for Splunk: If you have a lot of honeypots and want to centralize info about them in Splunk, this is a tool to assist with that.
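As an added illustration of what the "frequency" and "rate of increase" alerting described for ElastAlert actually computes, here is a small Go re-implementation of those two rule ideas run over constructed log lines. It is example code written for this recap, not Yelp's ElastAlert or any of its rule syntax; the log format, thresholds and addresses are made up for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed log record: when it happened and the key we group on.
type Event struct {
	At  time.Time
	Key string
}

// Constructed sample log: RFC3339 timestamp, program, message, source address.
const sampleLog = `
2015-05-12T09:56:00Z sshd failed-password 10.0.0.9
2015-05-12T09:58:30Z sshd failed-password 10.0.0.9
2015-05-12T10:00:01Z sshd failed-password 10.0.0.5
2015-05-12T10:00:07Z sshd failed-password 10.0.0.5
2015-05-12T10:00:15Z sshd failed-password 10.0.0.9
2015-05-12T10:00:22Z sshd failed-password 10.0.0.5
2015-05-12T10:00:40Z sshd failed-password 10.0.0.5
2015-05-12T10:01:03Z sshd failed-password 10.0.0.5
2015-05-12T10:01:30Z sshd failed-password 10.0.0.5
2015-05-12T10:09:00Z sshd failed-password 10.0.0.9
`

// ParseLines turns the sample format into events, keyed on the 4th field.
func ParseLines(text string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) < 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Event{At: t, Key: f[3]})
	}
	return out, nil
}

// FrequencyHits returns, sorted, every key that produced at least numEvents
// events inside some sliding window of length timeframe (the "frequency" idea).
func FrequencyHits(events []Event, numEvents int, timeframe time.Duration) []string {
	byKey := map[string][]time.Time{}
	for _, e := range events {
		byKey[e.Key] = append(byKey[e.Key], e.At)
	}
	var hits []string
	for key, ts := range byKey {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0 // two-pointer sliding window over the sorted timestamps
		for end := range ts {
			for ts[end].Sub(ts[start]) > timeframe {
				start++
			}
			if end-start+1 >= numEvents {
				hits = append(hits, key)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// SpikeRatio divides the event count in the most recent timeframe by the
// count in the timeframe just before it (the "rate of increase" idea).
// It returns -1 when the reference window is empty, so callers can treat
// "no baseline" separately from a genuine spike.
func SpikeRatio(events []Event, now time.Time, timeframe time.Duration) float64 {
	cur, ref := 0, 0
	for _, e := range events {
		age := now.Sub(e.At)
		switch {
		case age >= 0 && age < timeframe:
			cur++
		case age >= timeframe && age < 2*timeframe:
			ref++
		}
	}
	if ref == 0 {
		return -1
	}
	return float64(cur) / float64(ref)
}

func main() {
	events, err := ParseLines(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("frequency hits (>=5 in 5m):", FrequencyHits(events, 5, 5*time.Minute))
	now := time.Date(2015, 5, 12, 10, 5, 0, 0, time.UTC)
	fmt.Println("spike ratio (5m vs prior 5m):", SpikeRatio(events, now, 5*time.Minute))
}
```

On the sample above, only 10.0.0.5 trips the frequency rule (six failures in ninety seconds) while 10.0.0.9's slow trickle does not, and the spike ratio for the 10:00 to 10:05 window against the five minutes before it is 3.5. The two rules catch different things: frequency is per-key and notices a single noisy source, spike is aggregate and notices that the whole stream changed shape.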