Breaking

Lua-Resty-JWT Authentication Bypass

I was writing some challenges for PacketWars at TROOPERS22. One was intended to be a JWT key confusion challenge where the public key from an RSA JWT should be recovered and used to sign a symmetric JWT. For that, I was searching for a library vulnerable to JWT key confusion by default and found lua-resty-jwt. The original repository by SkyLothar is not maintained and different from the library that is installed with the LuaRocks package manager. The investigated library is a fork of the original repository, maintained by cdbattags in version 0.2.3 and was downloaded more than 4.8 million times according to LuaRocks.

While looking at the source code I found a way to circumvent authentication entirely.

Continue reading “Lua-Resty-JWT Authentication Bypass”

Continue reading
Breaking

Jasper Reports Library Code Injection

During the past year we had several projects where our target application used Jasper Reports in some way. In a few of the cases we found an API that offered to render a template along with some arguments into a PDF file. This was done with the help of the Jasper Reports Java library. Due to the way the library and the expression mechanism works, this endpoint gave us the possibility to inject Java code and gain remote code execution on the target systems.

In this blog post we want to provide an overview over the Jasper Reports Java library in terms of security especially with regard to expression injection attacks.

TL;DR; If you come across an API that lets you freely define a Jasper Report template you very likely have code execution. Or to put it differently: Never let Jasper Report templates be user or attacker controlled.

Continue reading “Jasper Reports Library Code Injection”

Continue reading
Breaking

Some experiments with Process Hollowing

Process Hollowing is a technique used by various malware families (such as FormBook, TrickBot and Agent Tesla) to hide their malicious code within a benign appearing process. The typical workflow for setting up such a hollowed process is as follows:

  1. Create a new process (victim) using a benign executable, in suspended state.
  2. Unmap the executable from that process.
  3. Allocate memory for the malicious executable at the address of the previously mapped victim executable.
  4. Write the malicious executable to the new memory area and potentially apply relocations.
  5. Adjust the entry point.
  6. Resume process.

We will refer to this as the “normal” Process Hollowing workflow. There are also variants of this technique, one being to not unmap the original executable and to allocate the new memory somewhere else. We will call this one no-unmap. But wait, why does malware not simply overwrite the existing executable but creates a new memory area which stands out due to its characteristics? In this blog post we will have a closer look at this overwrite approach but also on the no-unmap method, their effects on analysis/detection tools and on some tricks to make the detection harder. We are also releasing Proof of Concept implementations of all mentioned tools/plugins (the links are at the end of this post).

Continue reading “Some experiments with Process Hollowing”

Continue reading
Breaking, Misc

Security Advisories for Broadcom Automic Automation (UC4)

Updated on 20.06.22 with CVEs and link to Broadcom Security Notice.

In April 2021 we reported seven vulnerabilities in Broadcom Automic Automation (UC4) 12.3.5+hf.3. CVE IDs were assigned on 16.06.22, the corresponding Broadcom Security Notice can be found here.

The vulnerabilities have been found in the course of a research project, in which we analyzed the security of multiple Endpoint Management solutions. Similar vulnerabilities have been found in other solutions as we pointed out in previous posts about the Ivanti DSM Suite, Nagios XI, and Solarwinds N-Central.  The outcome of the research project will be published as a whitepaper and a conference talk at Troopers 2022.

In this blog post we will provide a short description of the vulnerabilities outlining the impact. More technical details will be published in the whitepaper and conference talk. All vulnerabilities were found in Broadcom Automic Automation (UC4) version 12.3.5+hf.3.

Continue reading “Security Advisories for Broadcom Automic Automation (UC4)”

Continue reading
Breaking, Misc

Change Your BLE Passkey Like You Change Your Underwear

Using a static passkey for Bluetooth Low Energy pairing is insecure. Recent versions of the Bluetooth specification contain an explicit warning about this. However, in practice, we often see static passkeys being used. Moreover, there are no public implementations of proofs-of-concept that can practically show why using a static passkey is an issue. This is why we implemented one.

Continue reading “Change Your BLE Passkey Like You Change Your Underwear”

Continue reading
Breaking

ManiMed: Ypsomed AG – mylife YpsoPump System Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: Ypsomed AG – mylife YpsoPump System Vulnerabilities”

Continue reading
Breaking, Misc

Attack llvmpipe Graphics Driver from Chromium

In this post, we are discussing a bug we came across in Mesas llvmpipe Gallium3D graphics driver. This bug was accessible through Chromium’s WebGL implementation and can provide control of the program counter (pc) within Chromium’s GPU process if llvmpipe is used. Llvmpipe is a software rasterizer that is used on Linux if no hardware acceleration (graphics card) is available. This is a pretty rare edge case as llvmpipe has no widespread use. An estimate by Google is that approx 0.06% of the Chromium users are affected by this. However, as this is a simple but valid Chromium bug, we want to give you a quick walkthrough. The issue is tracked as CVE-2021-21153 and was fixed in February 2020.

Continue reading “Attack llvmpipe Graphics Driver from Chromium”

Continue reading
Breaking, Misc

fpicker: Fuzzing with Frida

Introduction

In this post, I will introduce fpicker. Fpicker is a Frida-based coverage-guided, mostly in-process, blackbox fuzzing suite. Its most significant feature is the AFL++ proxy mode which enables blackbox in-process fuzzing with AFL++ on platforms supported by Frida. In practice, this means that fpicker enables fuzzing binary-only targets with AFL++ on potentially any system that is supported by Frida. For example, it allows fuzzing a user-space application on the iOS operating system, such as the Bluetooth daemon bluetoothd – which was part of the original motivation to implement fpicker.
Continue reading “fpicker: Fuzzing with Frida”

Continue reading
Breaking

ManiMed: Hamilton Medical AG – HAMILTON-T1 Ventilator Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: Hamilton Medical AG – HAMILTON-T1 Ventilator Vulnerabilities”

Continue reading
Breaking

ManiMed: B. Braun Melsungen AG – Space System Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: B. Braun Melsungen AG – Space System Vulnerabilities”

Continue reading