Break things, write reports

Misc things from 2020

A bunch of things that were noteworthy from 2020 that might have been missed

Tags: cryptography, wordlists, malware, pentesting | Category: misc
Posted: Jan 13, 2021

I’m doing this because I’ve got too many Trello tickets with little interesting tidbits in them that sound like something worth sharing.

“UUIDS GENERALLY DO NOT MEET SECURITY REQUIREMENTS”

Thanks to littlemaninmyhead, whose post is at https://littlemaninmyhead.wordpress.com/2015/11/22/cautionary-note-uuids-should-generally-not-be-used-for-authentication-tokens/

Summarised as “Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example.” That sentence is lifted straight from the security considerations of RFC 4122 itself (section 6). Version 1 UUIDs embed the generating host’s MAC address and a 100 ns timestamp, versions 3 and 5 are hashes of a name, and even a version 4 UUID only carries 122 unpredictable bits if the generator behind it is actually a CSPRNG. Treat them as identifiers, not secrets.
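To make that concrete, here is an added example (mine, not from the post or the linked article) that pulls the timestamp and node out of a version 1 UUID, classifies which versions are derived from non-random data, and shows what to hand out instead when possession of the string must grant access. The 0x001122334455 node id is a constructed value; the DNS namespace UUID is the real one from RFC 4122.

```python
"""
Added example: what a version-1 UUID leaks, and what to use instead of a
UUID when mere possession of the identifier grants access.
"""
import secrets
import uuid
from datetime import datetime, timezone
from typing import Union

# RFC 4122 v1 timestamps count 100 ns intervals since 1582-10-15;
# this is the offset to the Unix epoch in the same units.
_GREGORIAN_TO_UNIX_100NS = 0x01B21DD213814000


def decode_v1(u: Union[str, uuid.UUID]) -> dict:
    """Recover the timestamp, clock sequence and node (usually the MAC)
    that a version-1 UUID carries in the clear."""
    if isinstance(u, str):
        u = uuid.UUID(u)
    if u.version != 1:
        raise ValueError(f"not a version-1 UUID (version={u.version})")
    unix_seconds = (u.time - _GREGORIAN_TO_UNIX_100NS) / 10_000_000
    return {
        "generated_at": datetime.fromtimestamp(unix_seconds, tz=timezone.utc),
        "clock_seq": u.clock_seq,
        "node": f"{u.node:012x}",  # 48-bit node id, normally the host MAC
    }


def looks_guessable(u: Union[str, uuid.UUID]) -> bool:
    """True for UUID versions built from time, a MAC or a name (1, 2, 3, 5)
    rather than from random bits (4)."""
    if isinstance(u, str):
        u = uuid.UUID(u)
    return u.version != 4


def new_capability_token(nbytes: int = 32) -> str:
    """A bearer token drawn from the OS CSPRNG. This, not a UUID, is what to
    issue when possession of the string alone grants access."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # The RFC 4122 DNS namespace UUID is a real v1 UUID minted in 1998.
    print(decode_v1("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
    # A freshly minted v1 UUID with a constructed node id hands that id back.
    mine = uuid.uuid1(node=0x001122334455)
    print(decode_v1(mine))
    print(looks_guessable(mine), looks_guessable(uuid.uuid4()))
    print(new_capability_token())
```

Run it and the first line prints a February 1998 timestamp and the node 00c04fd430c8, which is exactly the kind of information an attacker can use to narrow a guess. Python’s own uuid4() reads os.urandom, so it is fine as an identifier; the point is that nothing in the UUID format promises that, and a 43-character token from secrets is the honest choice for a credential.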

Assetnote wordlists

https://wordlists.assetnote.io/

Assetnote published some wordlists and they’re pretty good; go check them out. They’re meant to be regenerated automatically, which appears to have been failing since December last year (https://github.com/assetnote/wordlists/runs/1617218746?check_suite_focus=true).

VXUnderground

https://github.com/vxunderground/MalwareSourceCode

I’m unsure when these guys came to play, but they’ve been putting up source code for some fairly high-profile implants. Curiously, they dump anything ‘APT’ too, which might be of interest if you’re looking to build better tooling.

GPS issues

https://www.jpost.com/breaking-news/gps-glitches-overwhelm-phones-in-tehran-653667

Instances of GPS being ‘glitchy’ are becoming more common.

ZX Security (Karit) did a cool DEF CON 25 talk on what would be illegal, but also on what can go wrong when someone tampers with RF, including using GPS spoofing to shift a receiver’s idea of the time: https://paper.seebug.org/papers/Security%20Conf/Defcon/2017/DEFCON-25-Karit-ZX-Security-Using-GPS-Spoofing-To-Control-Time.pdf

Samesite cookies lax by default

Chrome changed to treat cookies that carry no SameSite attribute as SameSite=Lax, which should make classic CSRF a thing of the past. The rollout started with Chrome 80 in February 2020, was paused in April so as not to break essential services during the pandemic, and resumed in July; nothing major seemed to break. Perhaps this is another successful case of removing an entire bug class. Two caveats a tester should keep in mind: Lax still attaches the cookie to top-level cross-site GET navigations, so state-changing GET endpoints remain exploitable, and Chrome’s ‘Lax + POST’ exception sends a defaulted cookie that is less than two minutes old on a top-level cross-site POST so that SSO-style redirects keep working.

Curious to see if pentesting shops stop reporting CSRF now? However:

So CSRF isn’t dead, but mostly because people are still using old browsers, or ones like Safari that don’t apply the Lax default.
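To see which CSRF delivery vectors survive the Lax default, here is an added example (mine, not Chromium code and not from the post) that models the decision a browser makes before attaching a cookie to a cross-site request. It is a deliberate simplification of the rules described above, including Chrome’s two-minute ‘Lax + POST’ window; the Cookie and Request types and the vector names are my own constructions.

```python
"""
Added example: a toy model of the SameSite check a browser applies before
attaching a cookie, with the Chrome 80+ Lax-by-default behaviour.
It is a simplification for reasoning about CSRF, not Chromium's code.
"""
from dataclasses import dataclass
from typing import List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
LAX_ALLOWING_UNSAFE_WINDOW = 120  # seconds; Chrome's "Lax + POST" exception


@dataclass
class Cookie:
    samesite: Optional[str]   # "Strict", "Lax", "None", or None (attribute absent)
    secure: bool = False
    age_seconds: int = 3600   # how long ago the cookie was set


@dataclass
class Request:
    cross_site: bool          # initiator site differs from the cookie's site
    top_level: bool           # navigation (link, form, redirect), not fetch/img
    method: str = "GET"


def cookie_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Return True if the browser attaches `cookie` to `req`."""
    mode = cookie.samesite.lower() if cookie.samesite else None
    if mode == "none" and not cookie.secure:
        return False                       # SameSite=None without Secure is rejected outright
    if not req.cross_site:
        return True                        # same-site requests always carry the cookie
    if mode is None:
        if not lax_by_default:
            return True                    # pre-Chrome-80 behaviour: sent everywhere
        # Chrome 80+: no attribute means Lax, except that a cookie younger than
        # two minutes still rides along on a top-level cross-site POST.
        if (req.top_level and req.method.upper() == "POST"
                and cookie.age_seconds < LAX_ALLOWING_UNSAFE_WINDOW):
            return True
        mode = "lax"
    if mode == "none":
        return True
    if mode == "lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    if mode == "strict":
        return False
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


def csrf_vectors_still_open(cookie: Cookie, lax_by_default: bool = True) -> List[str]:
    """Names of the classic CSRF delivery vectors that still carry the cookie."""
    vectors = {
        "auto-submitted hidden POST form": Request(True, True, "POST"),
        "top-level GET (link or redirect)": Request(True, True, "GET"),
        "fetch/XHR POST with credentials": Request(True, False, "POST"),
        "<img>/<script> subresource GET": Request(True, False, "GET"),
    }
    return [name for name, r in vectors.items() if cookie_sent(cookie, r, lax_by_default)]


if __name__ == "__main__":
    legacy = Cookie(samesite=None)
    print("old browser:", csrf_vectors_still_open(legacy, lax_by_default=False))
    print("Chrome 80+: ", csrf_vectors_still_open(legacy))
    print("fresh cookie, top-level POST:",
          cookie_sent(Cookie(samesite=None, age_seconds=30), Request(True, True, "POST")))
```

For a session cookie with no SameSite attribute the old behaviour leaves all four vectors open, the Lax default leaves only the top-level GET, and a cookie set within the last two minutes is still sent on a top-level POST. That last case is why a login flow that sets the session cookie and immediately lands the user on a page with a state-changing form is still worth a look.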

Flash dies

Everyone knows. I’m sure it’s still used in critical places.

Unfortunately, Silverlight is still around until October 2021 - https://support.microsoft.com/en-us/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788

Stress testing C2

Although not from 2020, a talk seems to have gone by mostly unnoticed, in which an RSA researcher fiddles with the outbound communications to command and control servers, resulting in crashes, weird behaviour, or simply annoying the operators a great deal. A lot more work could be done here, although it depends on first identifying and reverse engineering the communications protocol.

https://www.youtube.com/watch?v=Z1-4-amGdaM&feature=youtu.be

Domain fronting

Still works, at least on providers that haven’t blocked it; Google and AWS CloudFront both shut it down in 2018, so check the CDN before building a profile around it.

Shandyman Tracelabs CTF

A reputable team does a writeup, which mostly comes down to communicating with your team rather than fancy tools.

https://www.tracelabs.org/blog/shandy-perspective

Hashing TLS responses (JARM)

The creators of JA3 (https://github.com/salesforce/ja3) made a tool that fingerprints servers by hashing how they respond to a set of crafted TLS client hellos (which cipher and version they pick, which extensions they send back). It turns out to be good enough to spot things like Cobalt Strike servers in the wild with a low false-positive rate, although any server built on the same TLS stack will share the fingerprint, so treat a hit as a lead rather than proof. The hashes are fuzzy: the first 30 characters record the cipher and version chosen for each of the ten probes (three characters per probe, with 000 meaning the server refused that hello) and the remaining 32 are a truncated SHA-256 of the extensions, so you can tell when something is close to something else.

A really good writeup is at https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a

Probably worth looking into if you’re on a defensive team and trying to understand more about a server your clients are communicating with.

Check it out at https://github.com/salesforce/jarm
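As an added example of how a defensive team might use that structure (my code, not the JARM tool and not from the Salesforce write-up), the block below splits a fingerprint into its ten probe results and extension hash, measures how many probes differ between two fingerprints, and triages a small log against a watchlist. Every fingerprint, host and log line here is a constructed placeholder with valid shape; pull real Cobalt Strike values from the write-up or your own scans.

```python
"""
Added example: triage of JARM fingerprints from a log using the public
structure of a JARM hash. All fingerprints and hosts are constructed.
"""
from typing import Dict, List, Tuple

# A JARM fingerprint is 62 hex characters: 10 probes x 3 characters (2 for the
# negotiated cipher, 1 for the TLS version; "000" = handshake refused), then a
# 32-character truncated SHA-256 of the server's extensions.
PROBES = 10
RAW_LEN = PROBES * 3
EXT_LEN = 32
_HEX = set("0123456789abcdef")


def split_jarm(fp: str) -> Tuple[List[str], str]:
    """Return (per-probe results, extension hash) or raise on bad input."""
    fp = fp.strip().lower()
    if len(fp) != RAW_LEN + EXT_LEN or any(c not in _HEX for c in fp):
        raise ValueError(f"malformed JARM fingerprint: {fp!r}")
    raw, ext = fp[:RAW_LEN], fp[RAW_LEN:]
    return [raw[i:i + 3] for i in range(0, RAW_LEN, 3)], ext


def probe_distance(a: str, b: str) -> int:
    """Number of the 10 probes whose cipher/version result differs."""
    pa, _ = split_jarm(a)
    pb, _ = split_jarm(b)
    return sum(x != y for x, y in zip(pa, pb))


def triage(log_lines: List[str], known_bad: Dict[str, str],
           near: int = 2) -> List[Tuple[str, str, str]]:
    """Flag hosts whose JARM equals a watchlist entry, or whose probe results
    differ from one in at most `near` probes (same TLS stack, different
    extensions is the usual 'close but not identical' case)."""
    findings = []
    for line in log_lines:
        # constructed log format: "<timestamp> <host> <port> <jarm>"
        _ts, host, _port, fp = line.split()
        for label, bad in known_bad.items():
            if fp.lower() == bad.lower():
                findings.append((host, label, "exact match"))
                continue
            d = probe_distance(fp, bad)
            if d <= near:
                findings.append((host, label, f"near match ({d}/{PROBES} probes differ)"))
    return findings


# Constructed watchlist entry (valid shape only, not a real C2 fingerprint).
KNOWN_BAD = {
    "c2-profile-A (constructed)":
        "2ad2ad0002ad2ad22c2ad2ad2ad2ad" + "0123456789abcdef0123456789abcdef",
}

# Constructed log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2020-12-01T10:00:00Z 203.0.113.10 443 2ad2ad0002ad2ad22c2ad2ad2ad2ad0123456789abcdef0123456789abcdef",
    "2020-12-01T10:00:05Z 203.0.113.11 443 2ad2ad0002ad2ad22c2ad2ad2ad2adfedcba9876543210fedcba9876543210",
    "2020-12-01T10:00:09Z 198.51.100.5 8443 2ad2ad0002ad2ad22c2ad2ad2ad00afedcba9876543210fedcba9876543210",
    "2020-12-01T10:00:12Z 198.51.100.7 443 29d29d00029d29d21c29d29d29d29d00112233445566778899aabbccddeeff",
]

if __name__ == "__main__":
    for host, label, verdict in triage(SAMPLE_LOG, KNOWN_BAD):
        print(f"{host:14} {verdict:35} {label}")
```

The first host is an exact hit, the second shares every probe result but answers with a different extension set, the third differs in one probe, and the fourth is a different stack entirely and is left alone. The `near` threshold is the knob to tune against your own false-positive budget, and as noted above an exact match still only tells you which TLS stack is answering.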

Modern attacks on Chrome

An Azimuth employee got approval to publish a blog post based on an internal talk, which shows you the calibre of their staff.

https://doar-e.github.io/blog/2020/11/17/modern-attacks-on-the-chrome-browser-optimizations-and-deoptimizations/?s=09

Ticketmaster tries Project Hell, also gets caught

(For those who didn’t know, Project Hell was Uber’s way of fucking with its competitor, Lyft - https://techcrunch.com/2017/04/12/hell-o-uber/)

https://threatpost.com/ticketmaster-10-million-fine-hacking-rival/162695/

Turns out you should offboard employees properly and revoke their access when they leave; otherwise a competitor may hire them, and they’ll be stupid enough to keep using the old credentials and to tell their new executives about it, in writing.

The short edition is as follows:

The funny highlights out of the case (https://www.justice.gov/usao-edny/press-release/file/1349741/download - page 22, ‘Attachment A - Statement of Facts’):

It’s unclear how they were caught, other than through their shitty opsec and the fact that one account was attributed directly to him; where the other account’s credentials came from isn’t stated either.