This week Jonathan Bennett and and Randal Schwartz chat with Michael and Benedikt about Emba, the embedded firmware analyzer that finds CVEs and includes the kitchen sink! It does virtualization, binary analysis include version detection, and more. Check it out!
Continue reading “FLOSS Weekly Episode 802: Emba – Layers Upon Layers Of Bash”
Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.
Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.
A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.
Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.
Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops. Continue reading “This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption”
This week Jonathan Bennett and Jeff Massie chat with Max Rydahl Andersen about JBang, the cross-platform tool to run Java as a system scripting language. That’s a bit harder than it sounds, particularly to take advantage of Java’s rich debugging capabilities and the ecosystem of libraries that are available. Tune in to get the details, as well as how polyglot files are instrumental to making JBang work!
Continue reading “FLOSS Weekly Episode 801: JBang — Not Your Parents Java Anymore”
It’s time to talk about Microsoft’s patch Tuesday, and the odd vulnerability rollback that happened. CVE-2024-43491 has caught some attention, as it’s a 9.8 on the CVSS scale, is under active exploitation, and results in Remote Code Execution (RCE). Yikes, it sounds terrible!
First off, what actually happened? The official statement is that “build version numbers crossed into a range that triggered a code defect”. We don’t know the exact details, but it’s something like an unsigned integer that was interpreted as a signed integer. A build number could have rolled over 32767, and what was intended to be 32768 or higher suddenly became −32767. Lots of “if greater than or equal” logic breaks down in that situation. Because of a logic flaw like this, certain versions of Windows 10 were unintentionally opting out of some historical security fixes.
And that’s where the high CVSS score and active exploitation descriptor comes from. This is simply the highest score of the resurgent flaws, and an acknowledgement that they have been exploited in the past. The good news is that this only applies to Windows 10 build 1507, so either the original install without any of the major updates installed, or one of the Windows 10 Enterprise Long-Term Servicing Branch (LTSB) versions. It seems that the March 2024 monthly security update introduced the problem, and it wasn’t fixed until this month’s updates. Continue reading “This Week In Security: Malicious Rollback, WHOIS, And More”
This week Jonathan Bennett and Aaron Newcomb chat with Andreas Kling about Ladybird, the new browser in development from the ground up. It was started as part of SerenityOS, and has since taken on a life of its own. How much of the web works on it? How many people are working on the project? And where’s the download button? Listen to find out!
Continue reading “FLOSS Weekly Episode 800: Champagning The Ladybird Browser”
[Thomas Roche] of NinjaLab is out with EUCLEAK, (pdf) a physical attack against Infineon security microcontrollers, and the security tokens that contain them. The name is a portmanteau of Euclidean and leak. And no surprise, it’s a data leak in some implementations of the Extended Euclidean Algorithm (EEA), a component of an Elliptical Curve Digital Signature Algorithm (ECDSA).
OK, time to step back. Infineon microcontrollers are the digital smart parts inside popular security tokens like the Yubikey 5, some Java smart cards, and even the Infineon TPMs. These devices all serve a similar purpose. They store one or more secret keys, and are guaranteed to never disclose those keys. Instead, they use their secret keys to do cryptographic functions, like ECDSA signatures, and output the result. There’s even a special set of tests, the Common Criteria, that are intended to backstop these guarantees. What’s interesting is that an otherwise excellent product like the Yubikey 5, that passes all these auditing and certification processes, is still vulnerable.
The actual attack is to perform ECDSA signatures while monitoring the physical chip with an electromagnetic probe. This tiny directional antenna can pick up on EM noise generated by the microprocessor. That EM noise leaks timing information about the internal state of the cryptography, and the secret key can be derived as a result.
This process does require physical access to the token for several minutes. To get useful readings, the plastic case around the security token does need to be disassembled to get the probe close enough to pick up signals. From there it’s at least an hour of post-processing to actually get the key. And most of these security tokens intentionally make the disassembly process rather difficult. The point isn’t that it’s impossible to open up, but that it’s impossible not to notice that your token has been tampered with. Continue reading “This Week In Security: EUCLEAK, Revival Hijack, And More”
This week Jonathan Bennett chats with Lori Lorusso and Steve Hoffman, the Head of Community and SVP of engineering at Percona, the open source database experts.
Continue reading “FLOSS Weekly Episode 799: Still Open Source At Percona”
