Misc things from 2020
A bunch of things that were noteworthy from 2020 that might have been missed
I’m doing this because i’ve got too many Trello tickets with little interesting tidbits in them, which sound like something worth sharing.
“UUIDS GENERALLY DO NOT MEET SECURITY REQUIREMENTS”
Thanks to littlemaninmyhead, which can be found at https://littlemaninmyhead.wordpress.com/2015/11/22/cautionary-note-uuids-should-generally-not-be-used-for-authentication-tokens/
Summarised as “Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example.”
Assetnote wordlists
https://wordlists.assetnote.io/
Assetnote published some wordlists, they’re pretty good, go check them out. They’re meant to be automatically generated, which seems to be failing since December last year (https://github.com/assetnote/wordlists/runs/1617218746?check_suite_focus=true)
VXUnderground
https://github.com/vxunderground/MalwareSourceCode
I’m unsure when these guys came to play, but they’ve been putting up source code for some fairly high profile implants. Curiously, they dump anything ‘APT’ too, which might be of interest if you’re looking to make some better tooling.
GPS issues
https://www.jpost.com/breaking-news/gps-glitches-overwhelm-phones-in-tehran-653667
More instances of GPS being ‘glitchy’ are becoming more common.
ZXSecurity did a cool talk on what would be illegal, but also what could go wrong if someone was tampering with RF: https://paper.seebug.org/papers/Security%20Conf/Defcon/2017/DEFCON-25-Karit-ZX-Security-Using-GPS-Spoofing-To-Control-Time.pdf
Samesite cookies lax by default
Chrome changed to automatically treat all cookies as samesite lax, making CSRF attacks seem a thing of the past. This happened back in Feburary 2020, nothing major seemed to break - perhaps this is another successful case of removing an entire bug class.
Curious to see if Pentesting shops stop reporting CSRF now? However:
- Google initially published this at https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
- Firefox apparently had samesite lax in nightly since feburary 2020, https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
- They seemingly made it default in August 2020
- Edge would be fine, because Chromium upstream
- I can’t see if IE11 defaults to same site lax
- Safari apparently has some issues
- I don’t really care about brave/whatever browsers
So CSRF isn’t dead but only because people are still using old or stupid (Safari) browsers.
Flash dies
Everyone knows, I’m sure it’s still used in critical places.
Unfortunately, Silverlight is still around until 2021 - https://support.microsoft.com/en-us/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788
Stress testing C2
Although not in 2020, a talk seemed to go by mostly unnoticed - where an RSA guy fiddles with outbound comms to command and control, resulting in crashes, weird behaviour, or just pissing off operators significantly. A lot more work could be done here, albeit it depends on the successful identification and reverse engineering of communications.
https://www.youtube.com/watch?v=Z1-4-amGdaM&feature=youtu.be
Domain fronting
Still works.
Shandyman Tracelabs CTF
A reputable team does a writeup, mostly coming down to communicating with your team rather than fancy tools.
https://www.tracelabs.org/blog/shandy-perspective
Hashing TLS responses (JARM)
The creators of JA3 (https://github.com/salesforce/ja3) make a tool to fingerprint systems based on hashing responses to TLS handshakes (options, how it handles things). Turns out, it’s good enough to spot weird things like Cobalt Strike servers in the wild with pretty good (ie low false positive) rates. The hashes are fuzzy, meaning you can kind of tell if something is close to something else.
A really good writeup is at https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
Probably worth looking into if you’re a defensive team and trying to understand more about a server you’re clients are communicating with.
Check it out at https://github.com/salesforce/jarm
Modern attacks on Chrome
An Azimuth employee gets approval to publish a blog post based on an internal talk, showing you the calibre of their staff.
Ticketmaster tries Project Hell, also gets caught
(For those who didn’t know, Project Hell was Uber’s way of fucking with their competitors, Lyft - https://techcrunch.com/2017/04/12/hell-o-uber/)
https://threatpost.com/ticketmaster-10-million-fine-hacking-rival/162695/
Turns out you should probably offboard employees properly and revoke their access when they leave, otherwise they’ll be stupid enough to re-use them and tell the executives about their accesses, in writing.
The short edition is as follows:
- Guy works at competitors
- Guy leaves competitors
- Guy joins Ticketmaster
- Guy realises his creds still work for other place
- Guy logs in and uses it to figure out who the competition is working with
- ???
- Guy gives it to execs, somehow gets more creds, they presumably use this information for a competitive edge
The funny highlights out of the case (https://www.justice.gov/usao-edny/press-release/file/1349741/download - page 22, ‘Attachment A - Statement of Facts’):
- “After joining Live Nation, Coconspirator-1 explained to Zaidi and others how the “store ID” numbers in the URLs for the Victim Company’s ticketing web pages were numbered sequentially, enabling TICKETMASTER employees to browse through them to find and monitor new ticketing web pages to learn which artists planned to use the Victim Company to sell tickets for their shows.”
- Sounds like direct object reference
- If they just stuck with bruting these instead of using creds, would they have been breaking CFAA?
- " Log data obtained from the Victim Company indicates that the three new Victim Company Toolboxes identified in Coconspirator-1’s email were accessed from an IP address registered to TICKETMASTER’s New York offices on or about June 2, 2014"
- Don’t do crimes from your own IP space
- The bad guy emails his executives with the following nuggets:
- “I must stress that as this is access to a live [Victim Company] tool I would be careful in what you click on as it would be best not to giveaway that we are snooping around.”
- “screen-grab the hell out of the system”
It’s unclear how they were caught though, other than their shitty opsec and that his account was attributed directly to him, although it’s unclear where the other account credentials came from.