The Month in Security [0x02]

Okay, you know the drill. In this post I've attempted to put together some of the interesting news, takes and contributions in security space over the last month or so. As always, feel free to let me know if I've missed anything cool!

The Apple Saga Continues

Whew, this one certainly didn't die down since I covered it in last month's post. Since their initial announcement of new measures to tackle child sexual abuse material (CSAM), there has continued to be backlash regarding privacy and efficacy concerns.

tl;dr there's been criticisms of the hashing technology used for their CSAM mitigations^[1][2], to which Apple responded^[3], and then there were also the concerns from within Apple and other tech companies^[4][5]; all of which have culminated in Apple "delaying" the release of their Child Safety Plan.^[6] All in all...

1. https://www.hackerfactor.com/blog/index.php?/archives/929-One-Bad-Apple.html
2. https://blog.roboflow.com/neuralhash-collision/
3. https://news.ycombinator.com/item?id=28225706
4. https://www.reuters.com/technology/exclusive-apples-child-protection-features-spark-concern-within-its-own-ranks-2021-08-12/
5. https://www.theverge.com/2021/8/6/22613365/apple-icloud-csam-scanning-whatsapp-surveillance-reactions
6. https://www.reuters.com/technology/apple-take-more-time-roll-out-child-safety-features-2021-09-03/

Pwns of The Month

So this month saw quite a few cool writeups and vulnerabilities, so welcome to the impromptu Pwns of The Month! Without further ado, let's dive in and take a look at some of the things that took my fancy.

It's A Mouse Trap Billy & You've Been Caught

Boomtown Rats anyone? Nope? Anyway, there was a funny tweet I saw in July, where @Foone posted a screenshot of their mouse driver asking for a firewall exemption to accept incoming connections^[1]... yes, a mouse driver. I exhaled heavily in amusement and continued on with my doom scrolling.

Only a few weeks later @jonhat dropped another mouse-themed tweet^[2], except this wasn't a firewall exemption but a full local privesc in a handful of steps. It involved plugging a mouse in, installing Synapse (Razer's companion software) and abusing a File Explorer opened as SYSTEM; as Synapse is part of the Windows Update Catalog even an unprivileged user can plug in a Razer mouse and trigger this installation.

1. https://twitter.com/Foone/status/1146135405793669121
2. https://twitter.com/j0nh4t/status/1429049506021138437

Homing BEEcon

Honestly, this isn't my usual kind of vuln but the heading was too good an opportunity to miss (sorry).  Towards the end of August @RobJHeaton published a cool writeup on a successful trilateration attack, drawing from a similar vulnerability in Tinder from 2013, to leak users locations.^[1] Bumble awared a $2,000 bounty for the vulnerability and fixed it within 72 hours.

• https://robertheaton.com/bumble-vulnerability/

Are You Azure You're Secure?

At the end of August Wiz.io, a cloud security provider, dropped a comprehensive writeup on their blog for a vulnerability they dubbed ChaosDB.^[1] The vulnerability affected Azure's cloud service CosmosDB and was the result of a series of flaws in the service designed by Microsoft. The vulnerability resulted in unrestricted access to thousands of commercial databases running the service on Azure.

Wiz.io made sure to credit Microsoft's Security team for their quick response, disabling the vulnerable feature within 48 hours of receiving the report, however they also noted that while their research period lasted around a week, the vulnerability was likely present for months if not years, meaning less transparent actors could have been exploiting the vulnerability.

1. https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases

Pwned²

I can't say this one surprised me but that didn't prevent the second-hand frustration I felt on behalf of the author. This isn't exactly a pwn writeup, there isn't explanation of how the culprit managed to beat the author's 2FA, but it sure highlights how Facebook was more than willing to pwn him while he was down.

Check out this mildly frustrating read, on how "a Facebook hacker beat my 2FA, bricked my Oculus Quest, and hit the company credit card".

corCTF 2021 Writeups

I know, I know. Slacking on the heading, but the challenge names for the CTF sure make up for it, I promise. corCTF 2021 was the first CTF organized by the Crusaders of Rust (aka Starrust Crusaders), an American and European collegiate team, and featured an awesome range of challenges.^[1]

For the CTF FizzBuzz101 & D3v17 wrote two kernel modules for pwn challenges: Fire of Salvation and Wall of Perdition (see, the names are pretty cool). The modules provided a fairly obvious UAF primitive, however the gotcha was the environment: a 5.8 kernel using the SLAB allocator, most modern mitigations and some additional extras enabled for good measure.

Both challenges remained unsolved during the CTF but you can find some awesome technical writeups for each by the authors, were they present some novel techniques.^[2][3]

1. https://ctftime.org/event/1364
2. https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html
3. https://syst3mfailure.io/wall-of-perdition

Papers, Please

Early this month saw the 30th USENIX Security Symposium and with it plenty of interesting papers^[1]; colocating with the event was the 17th Symposium on Usable Privacy and Security.^[2]

On the topic of papers, tmp.0ut put out a call for papers on the 28th August for their 2nd edition releasing Halloween 2021. For those who've not heard of tmp.0ut is a throwback to the zines of old, focusing on ELF related shenanigans, hackery and research.

1. https://www.usenix.org/conference/usenixsecurity21/technical-sessions
2. https://www.usenix.org/conference/soups2021

Extras

• On the 12th we saw Github finally stop password authentication for git commands^[1]
• Throw back to Github Copilot, also mentioned last issue. On the 20th August an interesting paper titled "An Empirical Cybersecurity Evaluation of GitHub Copilot's Code Contributions" was published^[2]

1. https://github.blog/changog/2021-08-12-git-password-authentication-is-shutting-down/
2. https://arxiv.org/abs/2108.09293

exit(0);