BingBang, Super FabriXss, 3CX on macOS, Secure Code Game, Real World Crypto 2023 – ASW #235
BingBang and Azure, Super FabriXss and Azure, reversing the 3CX trojan on macOS, highlights from Real World Crypto, fun GPT prompts, and a secure code game
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape.
We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register.
Visit securityweekly.com/cybersecuritysummit to learn more and register today!
- 1. BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover
Using Azure's over-active directory to modify bing results (and more).
- 2. Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383)
I haven't grabbed an XSS vuln in a while because they're either boringly simple or in boring apps. In this case Orca Security found one that they could leverage "to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication."
That doesn't sound boring.
- 3. Ironing out (the macOS details) of a Smooth Operator
First of all, props to SentinelOne for naming this campaign "SmoothOperator", because here at ASW we'll take any chance to highlight music from the 80s. In this case, Sade's song of the same name.
But I wanted to highlight this article in particular because it's a nice technical walkthrough of reverse engineering a macOS binary to confirm that the 3CX supply chain attack indeed made its way into macOS.
- 4. FUN: GPT Prompt Attack (and defense)
Here are some exercises in GPT prompt injection attacks and defenses. It's a fun way to spend some time testing your creativity against the brains of an LLM (aka the randomly determined paths it takes in putting text together).
Here's a hint with a trick I found early on: ebg13
- 5. A new era of transparency for Twitter
For April Fools we need at least one joke topic. It might as well be Twitter.
The joke isn't that they open sourced their recommendation algorithm or that a component of that system is called Heavy Ranker, which sounds like an 80s hair metal band.
The joke's on Twitter because they received issues and pull requests with jokes, noise, and some abuse. This is the appsec angle I wanted to touch on: how users find ways to misuse or abuse features, and how app owners build tools to handle that. In this case, the conversations is more about GitHub, but there's plenty that could be covered about Twitter, too.
- 6. conference: RWC 2023 Program
Real World Crypto just finished up last week. You don't need to be a cryptography expert to appreciate or understand many of the talks. Here are a few that caught my attention:
- “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues” (slides) -- subtle flaw due to ambiguity in the spec for how to handle buffered packets
- “Cellular Radio “Null Ciphers” and Android” (slides) -- quick way to catch up on how 2G through 5G encrypt (or don't) cellular traffic
- “Crypto for People” (video) -- identifying and supporting populations of users who need crypto
- “Updates on Standardization” (video) -- if you're interested in recent and upcoming standards for the web
- “CFRG: Bringing Cryptography to the Internet Community” (Slides)
- 7. INFO: How to avoid the aCropalypse
This one's just for the folks who read the show notes. We've already covered aCropalypse in the last two episodes, so no need to revisit it again. But I wanted to highlight this post from Trail of Bits because it covers the technical details so well.
- 1. GitHub releases Secure Code Game
GitHub's released a interactive game to learn how to find and fix some appsec issues. What's neat about this is you can "run" it on GitHub, in Codespaces at the free tier. I'd like to see more languages used besides python and C, but at the same time this gives folks an easy way to experience hands-on what it takes to fix some appsec issues.
- 2. TOOL: k8sgpt
After my old-man-grumbling last week about the chatgpt thing was a little like web3, I found a tool being developed by some of the CNCF/k8s community that "gives SRE superpowers to anyone" - in regards to managing kubernetes clusters. So far it's able to analyze error states across a collection of k8s components and display solutions on how to resolve them, but with 15 contributors already, I suspect this is just the beginning.
- 3. More bug bounties and kernel exploits for Playstation
I haven't touched a gaming console in years, but for whatever reason I'm tickled to see ongoing security research for the playstation. I'll presume this happens for the xbox and others as well, I'll have to keep an eye out to mention those in the future.
One downside, here - Sony's capturing the exploits via H1 and patching, but from first glance it looks like they're not disclosing the vulnerabilities, in effort to minimize the chance of exploits in the wild...
- 4. Overvolt and kill your AMD Ryzen
Igors Lab figured out that while MSI bios disables some overclocking and overvoltage settings that would damage a X3D CPU, MSI's Windows-based software does not have such restrictions. Overclocking works as would be expected, but a few increases to the voltage setting and the CPU is permanently killed. Further input from the community shows this is also an issue with software from Gigabyte, ASRock, and Asus.
I presume this could be weaponized?
- 5. Power-save wifi flaw results in plaintext leakage
I'm looking at this as a "deauth" related flaw: Briefly, wifi APs have caches to store some packets if a client announces it's going into sleep mode. The bug is when the client "wakes up" - it doesn't have to send that message via the previously negotiated encryption method, and some APs will negotiate down to plaintext and send the cached packets to the newly "awake" client without encryption.