- 1. Windows EoP Bug Detailed by Google Project Zero
It's no surprise that an operating system with decades of backwards compatibility has a huge attack surface. Microsoft developed the AppContainer as a sandbox for legacy apps. It requires explicit allow lists of the resources a process may access. The folks at Google's Project Zero identified a weakness in the AppContainer rule sets that would allow for elevation of privilege (EoP). However, Microsoft judged the risk low enough that it initially chose not to address the flaw, and Project Zero's follow-up notes that exploiting it requires very specific scenarios. What's good to see in this kind of vuln analysis is a deep dive that covers the basics of the technology and where more fundamental issues might lie in its architecture. Check out this background at https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html
- 2. Fortinet FortiWeb OS Command Injection
This is the kind of throw-back vuln with an underlying design pattern that needs to be thrown out. The exploit works by smuggling backticks into a "Name" field of a SAML configuration page; the value gets passed to an snprintf() call that concatenates it into a command line. Since backticks have a special meaning in a command shell, this gives an attacker command execution. Ultimately, the vulnerable function was trying to copy a file from one destination to another -- something that could be handled more securely with functions dedicated to copying files than by building up a command line for "cp".
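As an added example (not code from the FortiWeb write-up or from Fortinet), here is the bug class in C: a constructed snprintf()-built "cp" command line that lets a backtick in the name survive into the command, beside a replacement that copies the file with open/read/write and involves no shell at all. The paths, the .xml naming and the sample content are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern (constructed illustration): a user-controlled name is spliced
 * into a shell command line for cp, so shell syntax such as backticks rides along. */
int build_cp_command(const char *name, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "cp /tmp/saml/%s.xml /etc/saml/%s.xml", name, name);
    return n >= 0 && (size_t)n < outlen; /* 1 if the command fit; it is never executed */
}

/* 1 if the built command line would carry a backtick through to a shell. */
int built_command_has_backtick(const char *name) {
    char cmd[256];
    return build_cp_command(name, cmd, sizeof cmd) && strchr(cmd, '`') != NULL;
}

/* Hardened replacement: copy bytes with open/read/write and no shell, so the name
 * is only ever a path component (still validate it: reject '/' and ".."). */
int copy_file(const char *src, const char *dst) {
    char buf[4096];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in); close(out);
    return n < 0 ? -1 : 0; /* 0 on success */
}

/* Round trip through mkstemp files; 1 if the copy matches the original bytes. */
int copy_roundtrip_ok(void) {
    char src[] = "/tmp/cp_src_XXXXXX", dst[] = "/tmp/cp_dst_XXXXXX", back[64] = {0};
    const char *payload = "<Name>site`id`</Name>"; /* constructed sample content */
    int fd = mkstemp(src), fd2 = mkstemp(dst);
    if (fd < 0 || fd2 < 0) return 0;
    int ok = write(fd, payload, strlen(payload)) == (ssize_t)strlen(payload);
    close(fd); close(fd2);
    int rc = ok ? copy_file(src, dst) : -1;
    FILE *f = fopen(dst, "r");
    if (f) { back[fread(back, 1, sizeof back - 1, f)] = '\0'; fclose(f); }
    unlink(src); unlink(dst);
    return rc == 0 && strcmp(back, payload) == 0;
}
```

The same lesson applies to any exec-family call that goes through a shell: if the operation is "copy a file", call a copy routine, not sh.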
- 3. A New Attack Surface on MS Exchange Part 1 – ProxyLogon!
The ProxyLogon technical details are out now! We first covered this back in episode 142. This write-up goes into nice detail about the attack surface of Exchange Server and some of the thought process in searching for vulns. If you enjoy technical write-ups you'll like it. If you enjoy running your own mail server, maybe think again about doing so -- mail is a critical service facing all sorts of threats, and the modern choice is to just go with a SaaS provider.
Check out episode 142 at https://securityweekly.com/asw142
- 4. How to Hack Apple ID
- 5. BadAlloc Vulnerability Affecting BlackBerry QNX RTOS
Here's the CISA alert for BlackBerry's RTOS that accompanies the article John highlighted for this week. We first noted BadAlloc back in May and how it demonstrated some nice fuzzing at scale coming out of Microsoft. It may not be a surprise that these C-based SDKs and operating systems have memory safety issues, but these are also the kinds of issues that compilers, linters, and the fuzzing techniques used by Microsoft should be finding early on in the development process before these builds go to production. Of course, it'll also be nice to see the day when the implementations shift to different programming languages in order to avoid this class of vulns.
Check out episode 149 at https://securityweekly.com/asw149.
- 6. Introducing GoKart, a Smarter Go Security Scanner
Golang already has a popular open source security scanner: Gosec. Even so, it's nice to see a project that expands on static analysis for Go programs. In this case, GoKart improves on taint analysis in order to better track input validation issues and therefore reduce false positives, while also hoping to find more exploitable vulns, thus reducing false negatives. We're curious what your experience has been with gosec and how you've adopted static analysis into your Go projects. Let us know!
Check out the repo at https://github.com/praetorian-inc/gokart