The Weekly Ink #22
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links that you think would be interesting to the company, be sure to send them to firstname.lastname@example.org
Never Doubt Someone's Ability to Write Amazingly Bad Code
Vulnerabilities come in a wide range of complexity, from "OMG Project Zero" to "What? No. Wait, what? No. NO. NO WAY!" As an early Christmas gift to all of humanity, the fine folks at "RedTeam Pentesting" provide an amazingly horrific, but so super-duper awesome, vulnerability in the EntryPass N5200 Active Network Control Panel.
The researchers found that this product takes in a URL path and apparently only cares about the first character of it. For instance, http://example.com/7 will always pull up the login form, regardless of what characters come after the '7'. Similarly, other single digits each pulled up a specific page. Things got really strange, though, when the researchers started to pass alphabetic characters instead of numerics: passing lowercase o-z and uppercase A-D apparently dumps memory.
Yes, this is like some crazy Heartbleed "feature" in this software. Once you pick your jaw up off the floor, remember – there's no such thing as too crazy a bug. When you're testing software, never, ever doubt a developer's ability to surprise you with functionality you could only dream of finding on a pen test.
Google Sets Phasers to Pew Pew Mode
In an effort to bring some sanity to testing vulnerability assessment tools, Google has released a site (and its associated source) called Firing Range. While plenty of deliberately broken web applications exist precisely for the purpose of testing security tools, Google has certainly taken a much simpler, no-nonsense approach to the problem.
Associated attacks you can easily test with their site are: Address DOM XSS; Redirect XSS; Reflected XSS; Tag based XSS; Escaped XSS; Remote inclusion XSS; DOM XSS; CORS related vulnerabilities; Flash Injection; Mixed content; and Reverse ClickJacking. Even if you don't want to test tools, this site can provide an easy test bed for employees to get better at identifying – and exploiting – typical DOM vulnerabilities.
Riot Games: A Bug Bounty Darling
Bug bounty programs are really taking off. With great companies like Bugcrowd and HackerOne leading the charge, bounty programs aren't just happening at big-name SaaS companies and security-forward corporations. Riot Games, makers of the hugely successful game League of Legends, released an amazing blog post detailing how, and why, they went from no real bug handling to a full-blown bug bounty program.
According to an article in Security Week, Riot's bounty program has actually been going on behind closed doors with a select group of researchers (not uncommon) since April 2013 and has awarded over $100,000 so far! It's amazing to see the genesis of companies finally "getting" information security and working with researchers. Good work, Riot Games!
Evil 32 Wants You To Be More Specific
There's no doubt that cryptographically signing files, emails, and the like is a net positive for helping ensure the integrity of data you're sending and receiving. To do this, many organizations rely on GPG and will often refer to only the last few digits of a key's fingerprint when deciding whether a signature is good.
A couple of folks recently launched a web site/project called Evil 32 that discusses the reality of brute-forcing keys to produce fingerprints whose final digits match those of the desired "real" fingerprint. In real life they were able to perform this attack against Puppet Labs' own signing key and, following Puppet's own documentation, successfully got a malicious package validated through the normal procedure.
Ultimately, this comes down to a lack of specificity in how people usually import GPG keys and then verify a matching signature. There's still social engineering involved in some of this, but careless users could easily be duped. Further, code that handles such operations could be tricked just as easily. It's a great reminder that security can fall apart not only through complex attacks, but also through "minor" details not being paid enough attention.
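To make the "last few digits" problem concrete, here is an added example (not code from the newsletter, from Evil 32, or from GnuPG) that derives an OpenPGP v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte packet length, and the public-key packet body), takes the long and short key IDs as the low 64 and 32 bits of that fingerprint, and then contrasts a short-ID check with a full-fingerprint check. The RSA modulus and exponent are constructed filler, not a real key, and the "lookalike" fingerprint is simply built to share the last eight hex digits; the point is that the short-ID comparison accepts it while the full comparison does not.

```python
"""Added example: OpenPGP v4 fingerprint / key ID derivation (RFC 4880 12.2)
and why verification must compare the whole fingerprint, not its tail.
Key material below is constructed filler, not a real key."""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (bit count + bytes)."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || body), as 40 upper-case hex digits."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def long_key_id(fpr: str) -> str:
    """64-bit key ID: the low 8 bytes of the fingerprint."""
    return normalize(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit short key ID: the low 4 bytes, i.e. the last 8 hex digits people quote."""
    return normalize(fpr)[-8:]


def normalize(fpr: str) -> str:
    """Strip the grouping spaces GPG prints and ignore case."""
    return "".join(fpr.split()).upper()


def matches_short_id(expected: str, candidate: str) -> bool:
    """The weak check: compare only the last 32 bits."""
    return short_key_id(expected) == short_key_id(candidate)


def matches_full(expected: str, candidate: str) -> bool:
    """The check you actually want: all 160 bits, compared in constant time."""
    return hmac.compare_digest(normalize(expected), normalize(candidate))


# Constructed key packet (assumption: arbitrary numbers standing in for a modulus/exponent).
EXAMPLE_BODY = v4_rsa_public_key_body(
    created=1418083200,
    n=0xC0FFEE00DEADBEEF0123456789ABCDEF0FEDCBA9876543210BADF00DCAFEBABE,
    e=65537,
)
EXAMPLE_FPR = fingerprint(EXAMPLE_BODY)

# Constructed "lookalike": a different 160-bit value that only shares the last 8 hex digits.
# Finding a real key with this property costs on the order of 2**32 tries,
# versus 2**160 for the full fingerprint.
LOOKALIKE_FPR = "0" * 32 + short_key_id(EXAMPLE_FPR)
SHORT_ID_SEARCH_SPACE = 16 ** 8      # == 2**32
FULL_FPR_SEARCH_SPACE = 16 ** 40     # == 2**160


def demo() -> dict:
    """Run both checks against the lookalike and against a spaced copy of the real fingerprint."""
    spaced = " ".join(EXAMPLE_FPR[i:i + 4] for i in range(0, 40, 4))
    return {
        "fingerprint": EXAMPLE_FPR,
        "long_key_id": long_key_id(EXAMPLE_FPR),
        "short_key_id": short_key_id(EXAMPLE_FPR),
        "lookalike_passes_short_check": matches_short_id(EXAMPLE_FPR, LOOKALIKE_FPR),
        "lookalike_passes_full_check": matches_full(EXAMPLE_FPR, LOOKALIKE_FPR),
        "spaced_real_passes_full_check": matches_full(EXAMPLE_FPR, spaced),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway for scripts and documentation alike is the `matches_full` path: import the key, print the fingerprint with `gpg --fingerprint`, and compare every one of its 40 hex digits against the value obtained out of band, never just the last eight.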