Security Weekly
Application Security WeeklySubscribe
Cloud Security, Application security

Android Platform Certs Leaked, Hell’s Keychain, Web Hacking Cars, Bug Bounty Tips – ASW #222

Android platform certs leaked, SQL injection to leaked credentials to cross-tenant access in IBM's Cloud Database, hacking cars through web-based APIs, technical and social considerations when getting into bug bounties, a brief note on memory safety in Android

Full episode and show notes

Announcements

  • Join our Discord channel to chat with us throughout the live show today! Visit securityweekly.com/discord to receive an invite and become part of our community.

Hosts

Mike Shema
Mike Shema
Tech Lead at Block
  1. 1. Issue 100: Platform certificates used to sign malware

    Trust chains that mark authorization grants for apps are a hallmark of modern system design, where apps must be signed by an appropriate authority before they're allowed to gain privileges such as system-level privileges or which other apps they can communicate with. So, it's never a good sign when there's evidence of malware executing because it's been signed with a trusted cert.

    Fortunately, it appears to OEMs were able to respond quickly with OTA updates that mitigated the potential misuse of these certs.

    Read more about it in this Wired article.

    Although these leaked platform certificates can't be used to install OTA updates, here's a recent presentation about malicious updaters from the researcher who identified these leaked certs.

  2. 2. Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access

    More cloud provider research from Wiz, this time on IBM's environment for PostgreSQL. Once again, it's a well-written walkthrough. It also touches on some fundamental security principles like hard-coded secrets and network isolation.

    It also starts off with a classic SQL injection that allowed the researchers to create a DB account with elevated privileges (superuser). They created a reverse shell and began collecting information about the system.

    What's interesting at this point is that IBM's monitoring identified this activity. They reached out to the researchers and, presumably after some friendly discussion about rules of engagement, collaborated with them to continue their research. This was a very constructive approach to security that prioritized identifying potential security flaws.

  3. 3. Researchers find bugs allowing access, remote control of cars

    This research shows the security pitfalls of web-enabled hardware -- where the hardware just so happens to be cars. The techniques are straightforward (and clever) web API hacking that involves JWTs and CRLF injections. It's been quite a while since I've seen an interesting CRLF example.

    So, while you won't get any insights on an automotive CAN bus or reverse engineering microcontrollers, you will get some good reminders on the patience in manipulating web authentication and authorization requests. Plus, being able to "remotely start, stop, lock, unlock, honk, flash lights, or locate any vehicle that had the remote functionality enabled" is more impressive than old-school hacks like opening a computer's optical drive tray.

  4. 4. Go SAML library vulnerable to authentication bypass

    The details are light on this one, but boils down to the library mishandling error conditions such that by providing a signed and an unsigned assertion in an XML blob an attacker could make the library believe the unsigned assertion was signed.

    This is one of those articles where I find it more interesting to read through the patch than about the vuln itself. Reading code can help you become a better programmer and help you understand new languages. If you're interested in Go, check out the commit here.

  5. 5. So, you want to get into bug bounties?

    We talk about bug bounties quite often, but we don't talk as much about the process of becoming a bug bounty researcher or the dynamics of working with bounty programs. This article walks through technical and social aspects of the bug bounty world.

  6. 6. Memory Safe Languages in Android 13

    Mentioning this article very quickly to highlight that code written in memory safe languages is becoming predominant in Android. And the reason is largely because new code is being written in these languages rather than C or C++. There's (understandably) very little engineering invested in rewriting existing code. Consequently, there'll likely be memory safety issues in that legacy code to be discovered for years to come, but the trend for this vuln class is happily going down and will dwindle because of the choice to implement new code in safer languages.

  7. 7. Supply Chain Vulnerabilities Put Server Ecosystems at Risk
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
  1. 1. More fbsd vulnerabilites

    It interests me how freeBSD security is returning to the spotlight (as I see it) as more focus goes into cracking playstations

  2. 2. Some of my favorite talks from AWS Re:Invent 2022

Related