Android Platform Certs Leaked, Hell’s Keychain, Web Hacking Cars, Bug Bounty Tips – ASW #222
Android platform certs leaked, SQL injection to leaked credentials to cross-tenant access in IBM's Cloud Database, hacking cars through web-based APIs, technical and social considerations when getting into bug bounties, a brief note on memory safety in Android
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
- 1. Issue 100: Platform certificates used to sign malware
Trust chains that grant apps authorization are a hallmark of modern system design: an app must be signed by an appropriate authority before it is allowed privileges such as system-level access or the ability to communicate with certain other apps. So, it's never a good sign when there's evidence of malware executing because it's been signed with a trusted cert.
Fortunately, it appears that OEMs were able to respond quickly with OTA updates that mitigated the potential misuse of these certs.
Read more about it in this Wired article.
Although these leaked platform certificates can't be used to install OTA updates, here's a recent presentation about malicious updaters from the researcher who identified these leaked certs.
- 2. Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access
More cloud provider research from Wiz, this time on IBM's environment for PostgreSQL. Once again, it's a well-written walkthrough. It also touches on some fundamental security principles like hard-coded secrets and network isolation.
It also starts off with a classic SQL injection that allowed the researchers to create a DB account with elevated privileges (superuser). They created a reverse shell and began collecting information about the system.
What's interesting at this point is that IBM's monitoring identified this activity. They reached out to the researchers and, presumably after some friendly discussion about rules of engagement, collaborated with them to continue their research. This was a very constructive approach to security that prioritized identifying potential security flaws.
- 3. Researchers find bugs allowing access, remote control of cars
This research shows the security pitfalls of web-enabled hardware -- where the hardware just so happens to be cars. The techniques are straightforward (and clever) web API hacking that involves JWTs and CRLF injections. It's been quite a while since I've seen an interesting CRLF example.
So, while you won't get any insights on an automotive CAN bus or reverse engineering microcontrollers, you will get some good reminders on the patience in manipulating web authentication and authorization requests. Plus, being able to "remotely start, stop, lock, unlock, honk, flash lights, or locate any vehicle that had the remote functionality enabled" is more impressive than old-school hacks like opening a computer's optical drive tray.
- 4. Go SAML library vulnerable to authentication bypass
The details are light on this one, but it boils down to the library mishandling error conditions: by providing both a signed and an unsigned assertion in one XML blob, an attacker could make the library treat the unsigned assertion as if it had been signed.
This is one of those articles where I find it more interesting to read through the patch than about the vuln itself. Reading code can help you become a better programmer and help you understand new languages. If you're interested in Go, check out the commit here.
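As an added illustration of the error-handling pattern described above (this is not the library's code nor a reproduction of its patch): a toy Go verifier in which the signature is a constructed HMAC standing in for XML-DSig and XML parsing is elided, showing how overwriting a verification error inside a loop lets an unsigned assertion ride in beside a signed one, next to the fail-fast, single-assertion check that closes the hole.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Toy SAML assertion: Signature is a constructed hex HMAC over ID|Subject that
// stands in for XML-DSig; XML parsing is elided to keep the focus on selection.
type Assertion struct{ ID, Subject, Signature string } // empty Signature = unsigned

var idpKey = []byte("constructed-demo-idp-key") // constructed toy IdP secret

// Sign returns the toy signature the IdP attaches to an assertion it issues.
func Sign(a Assertion) string {
	m := hmac.New(sha256.New, idpKey)
	m.Write([]byte(a.ID + "|" + a.Subject))
	return fmt.Sprintf("%x", m.Sum(nil))
}

func verify(a Assertion) error {
	if a.Signature == "" || !hmac.Equal([]byte(a.Signature), []byte(Sign(a))) {
		return fmt.Errorf("assertion %s is unsigned or has a bad signature", a.ID)
	}
	return nil
}

// VulnerableSubject mirrors the mistake described above: err is overwritten each
// iteration, so one valid signature clears an earlier failure and resp[0] wins.
func VulnerableSubject(resp []Assertion) (string, error) {
	var err error
	for _, a := range resp {
		err = verify(a) // BUG: an earlier failure is overwritten, never returned
	}
	if err != nil || len(resp) == 0 {
		return "", fmt.Errorf("no trusted assertion: %v", err)
	}
	return resp[0].Subject, nil
}

// HardenedSubject accepts exactly one assertion, and only after it verifies.
func HardenedSubject(resp []Assertion) (string, error) {
	if len(resp) != 1 {
		return "", fmt.Errorf("expected exactly one assertion, got %d", len(resp))
	}
	if err := verify(resp[0]); err != nil {
		return "", err
	}
	return resp[0].Subject, nil
}
```

With an unsigned assertion placed first and a genuinely signed one second, VulnerableSubject returns the unsigned subject while HardenedSubject refuses the response outright.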
- 5. So, you want to get into bug bounties?
We talk about bug bounties quite often, but we don't talk as much about the process of becoming a bug bounty researcher or the dynamics of working with bounty programs. This article walks through technical and social aspects of the bug bounty world.
- 6. Memory Safe Languages in Android 13
Mentioning this article very quickly to highlight that code written in memory-safe languages is becoming predominant in Android. The reason is largely that new code is being written in these languages rather than in C or C++; there's (understandably) very little engineering invested in rewriting existing code. Consequently, there'll likely be memory safety issues in that legacy code to be discovered for years to come, but the trend for this vuln class is happily downward and will keep dwindling because of the choice to implement new code in safer languages.
- 7. Supply Chain Vulnerabilities Put Server Ecosystems at Risk
- 1. More FreeBSD vulnerabilities
It interests me how FreeBSD security is returning to the spotlight (as I see it) as more focus goes into cracking PlayStations.
- 2. Some of my favorite talks from AWS Re:Invent 2022
- Monday night live https://www.youtube.com/watch?v=R11YgBEZzqE
- David Brown leadership compute talk https://www.youtube.com/watch?v=rxcHEIDil1s
- SaaS microservices deep dive: Simplifying multi-tenant development (SAS405) https://www.youtube.com/watch?v=NpThwz0z_D0
- Best practices for advanced serverless developers (SVS401) https://www.youtube.com/watch?v=PiQ_eZFO2GU
- A close look at AWS Fargate and AWS App Runner (CON406) https://www.youtube.com/watch?v=MZBbhqt6bQs
- Powering Amazon EC2: Deep dive on the AWS Nitro System (CMP301) https://www.youtube.com/watch?v=jAaqfeyvvSE
- A day in the life of a billion requests (SEC404) https://www.youtube.com/watch?v=tPr1AgGkvc4