This is the kind of librarian I work to be every day. From the Unshelved comic strip.

"I love the sound policy makes when I break it."

#librarians #books #reading #literacy

🔥 It's time for my top 10 list of the best blog posts I read in 2022! 🧵

I want to make it clear that this list is subjective and based on my own personal preferences. There are many other great articles and blog posts out there that didn't make it onto my list.

The infosec community is full of talented and knowledgeable individuals, and it's important that we continue to share our insights and experiences with each other to improve as a whole.

Here are my top 10 picks 👇 (ordered by release date)

1. Windows Drivers Reverse Engineering Methodology by @Void_Sec

This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
Including a guide for setting up a lab for (the pesky) kernel debugging.

voidsec.com/windows-drivers-re

2. Sandboxing Antimalware Products for Fun and Profit by @GabrielLandau

The concept of nerfing the token of a privileged process in order to bypass Anti-Tamper protections is mindblowing.
I bet this worked against most EDRs when it was released

elastic.co/security-labs/sandb

3. Exploring Windows UAC Bypasses: Techniques and Detection Strategies by @sbousseaden

Not lying here: UAC is one of my favorite topics
This blogpost details multiple aspects of it, including exploitation primitives and detection opportunities

elastic.co/security-labs/explo

4. Bypassing UAC in the most Complex Way Possible! by @tiraniddo

There should be a dedicated Top 10 for all the vulnerabilities reported by James in 2022
This is probably the least relevant, but the one I enjoyed most: a way to abuse Kerberos to bypass UAC

tiraniddo.dev/2022/03/bypassin

5. Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime by @nachoskrnl and @ophirharpaz

Do you remember the panic back in April when the CVSS 9.8 vuln was released?
This was the main technical ref, great contribution to the community

akamai.com/blog/security/criti

6. Why Are My Junctions Not Followed? Exploring Windows Redirection Trust Mitigation by @galdeleon

Symlink attacks have been a major source of privesc vulnerabilities in Windows
This article discusses the mitigations (trying) to address this issue

unit42.paloaltonetworks.com/ju

7. Using process creation properties to catch evasion techniques by Microsoft

The infosec community has often criticized Microsoft for its well-known lack of documentation
This article provides valuable information on detecting stealthy process injections

microsoft.com/en-us/security/b

8. The End of PPLdump by @itm4n

The "legendary" tool that forced Microsoft to unexpectedly fix an Admin->Protected Process boundary violation is described in this blog post.
It also details all the changes that were implemented to prevent the attack.

itm4n.github.io/the-end-of-ppl

9. Stopping Vulnerable Driver Attacks by @dez_

This post discusses a trend among ransomware groups of using vulnerable drivers for kernel code execution and tampering with security solutions
The 65 released YARAs are an invaluable community contribution

elastic.co/security-labs/stopp

10. Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions by @diversenok_zero

This article highlights the complex decisions and difficulties involved in minifilter driver development and how attackers can exploit them

huntandhackett.com/blog/bypass

[BONUS] 11. Giving JuicyPotato a second chance: JuicyPotatoNG by @decoder_it and me

I tried to avoid including any of my own research, but reviving JuicyPotato is priceless
Written with my friend Andrea, this details the latest JuicyPotatoNG implementation

decoder.cloud/2022/09/21/givin

That's a wrap on my top 10 list.
These articles provided valuable insights and knowledge on a variety of security topics, and I'm sure they'll be just as useful for you.
Here's to hoping for even more great content in 2023!
Cheers 🍻

An easy-to-miss, but pivotal, change has just been committed to the MAME source repository: github.com/mamedev/mame/tree/n

This is a brand new Motorola 68000 emulation core, using the actual 68000 microcode to generate the emulation code from a roughly 2400-line Python script.

Beyond having a positive impact on how granular MAME can get in emulating arcade games, this allows for cleaner handling of *any* system that used /DTACK. Low-level emulation of the CD-i peripheral controller is on the horizon.

In 2022 I spent a reasonable amount of time researching #linux kernel exploitation. As we come towards the end of the year I thought I would look back at some of the resources which were super useful to me coming from a Windows/macOS background and why this was.

1. Understanding and Improving Linux Kernel Exploit Reliability usenix.org/system/files/sec22f by ky1ebot. Developing memory corruption exploits is an art, and the more complex an exploit, the more often reliability goes down. This paper evaluates past methods and proposes a novel technique of context conservation.

My team actually used this within
research.nccgroup.com/2022/09/ to help increase the reliability of exploiting multiple UAFs.

2. The userfaultfd technique is dead on most Linux distros due to vm.unprivileged_userfaultfd. FUSE has come through as a good replacement for this technique. @jann mentioned it in 2016 and it is still applicable today, e.g. graplsecurity.com/post/iou-rin by @chompie1337 and willsroot.io/2022/01/cve-2022-

3. Syzkaller is a game changer in kernel. There's a few things to say: 1) Even existing public grammars can find bugs when targeted at areas. 2) Extending coverage is a quick way to find bugs. 3) N-day often sits around in syzkaller.appspot.com/upstream

4. So N-days are often just sitting around... KCTF encourages researchers to triage existing bugs and develop new techniques to bypass existing mitigations security.googleblog.com/2021/1 for both 0-day/N-day. As a researcher you can learn a lot from past bugs: docs.google.com/spreadsheets/d. There's also another great write-up blog.kylebot.net/2022/10/16/CV by ky1ebot for his win here. Awarau and pql also described a vuln they found in io_uring and exploited here ruia-ruia.github.io/2022/08/05

5. Keeping on top of mitigations in your head is hard. Especially if you are working on multiple platforms. My colleagues @saidelike and @fidgetingbits created github.com/nccgroup/exploit_mi to try to help track these. Really early days, but any contributions appreciated!

6. Finding the correct size structures with elements you want to control at certain offsets within them is tedious and time consuming. CodeQL massively helps speed up this process.
mmolgtm's article securitylab.github.com/researc shows a query which can be used for this. Again we used this within research.nccgroup.com/2022/09/ to identify new exploit primitives

7. The msg_msg technique, which has been a favourite of exploit writers, used in willsroot.io/2022/01/cve-2022- / google.github.io/security-rese / nickgregory.me/linux/security/, becomes less useful in 5.14 when GFP_KERNEL_ACCOUNT allocations end up in kmalloc-cg-* caches and your vulnerable object is not.

8. Talking of kmalloc caches, cross-cache attacks are a thing and can be used when it's not possible to find an interesting object within your initial target cache. Markak describes this and other factors to consider when evaluating AUTOSLAB grsecurity.net/how_autoslab_ch

9. Finally a recent article by Awarau interruptlabs.co.uk/labs/pipe_ was posted about a technique which provides an intuitive way to gain arbitrary read/write by targeting the page pointer of a pipe buffer.

10. This list wouldn't be complete without andreyknvl and a13xp0p0v with linkersec and github.com/xairy/linux-kernel- which goes into way more things going back over the years.

Apologies if I didn’t have some of your handles on here, I’m still getting to grips with who’s here now and who’s not :)

Did you know you can change the ‘Subscribed language’ of the people you are following? :mastodon:

Just hit the three little dots button on someone’s profile👌🏻♥️

#Mastodon #Tip #FediTip

yes.

Show this to whoever tries to tell you that portscanning is illegal, or that shodan safaris are 'hacking', or any other horrifically uninformed absurdist nonsense.

justice.gov/opa/pr/department-

I know lots of people getting into #infosec want to do the "fun" thing and get into pentesting/red teaming. Here's some truths:

* It's not a bunch of crazy typing on a keyboard and saying "I'm in". It starts with a clearly defined scope, timeframe for testing (including potentially restricted hours for testing). You need to start with a lot of recon and get an understanding of the landscape before you even start.
* Recon is where you're going to spend ~40-50% of your time, if not more. The actual "hacking" will take about 10-20% of the engagement.
* Post-exploitation is going to be another small part of the engagement, which depends on what you're allowed to do. Some clients only want the web app looked at, nothing more.
* Make sure to document/clean up any exploits left on the system. You were keeping track, right?
* Report writing is where the other majority of the time is going to be spent.

In reality, clients are paying for the report. When I used to teach, I would ask my class what the #1 hacking tool was. Lots of guesses for nmap, Metasploit, Cobalt Strike, etc. Nope. It's MS Word. That's the #1 tool that's used. But why?

Simple, clients want to know what's wrong, and more importantly they want to know why it's a problem and how to fix it. This is where the report comes in.

Report writing is hard. You need to be clear, concise and to the point. Yes you can get technical in the findings section where you explain the problem, how it was discovered and how you exploited it. That's going to a technical audience. But the summary of the finding needs to be concise and clear, since a non-techie may be reading it and deciding which of the findings in the report are going to get attention, so you need to do your best to provide information on why each finding is super important.

You also need to be humble. Why? Because you're going to get more than a few customers who will just use your report to satisfy customers asking for them, and unless those customers complain about some findings, then any/all of your findings may be ignored. Nothing burns out pentesters more than watching the same findings re-appear year after year from the same customer. Questioning what value you bring to the table is a common one and it can absolutely be devastating to your ego. You can lead a horse to water and all that is a very important thing to keep in mind.

So yeah, it's not all sunshine and rainbows on one side vs the other. I like blue teaming, I like pentesting. Each have their ups and downs, but just keep in mind that it's two sides of the same coin. There are lots of tools and techniques for both sides, and to be honest, the overlap is a LOT bigger than you think! Your skills will be transferable to either attacking or defending, so you're never going to be "tied" to one side or the other if you put the effort in.

Stay classy #infosec peeps, especially if you're just getting started.

Here's a neat #Mastodon trick I just discovered:

You can access an RSS feed of any user's posts simply by adding .rss onto the end of their profile URL — so, for instance:

twit.social/@jr.rss

You can then use that link to follow all of that person's posts in Feedly, Feedbin, or any other RSS reading service.

Heck, you can even do it directly in #Chrome, if you want!

To this extent I'm really interested to know what the age breakdown of people on the #Fediverse is. On one hand it would seem to make sense to me that most people here remember the "old internet" before the centralization and they're here to rekindle that flame of independence. On the other hand the youths are generally pretty up on this whole technology thing. I grew up on the internet and since then smartphones have become even more ubiquitous.

(Please boost for reach)


Alright it's ready! The "Gauss Speedway".

youtu.be/ZIINCeOVgow

I prototyped this months ago, and now finally did the re-spin into a better package without the mess of wires.

- Controlled by an STM32F051 on the back running #RustLang.
- Designed in #kicad, with my CurvyCad python library
- The cars are 3D printed, with 2mm diam. axial magnets glued in
- Gratuitously featuring my first ever #blender animation

#electronics
#projects
#maker
#embedded

I keep seeing lots of long-time #fediverse users saying 'don't favourite posts it does nothing' but actually when you favourite my posts it makes me smile and I'm sure I'm not the only one.

If you want to master API security, open this thread!

APIs are used EVERYWHERE for applications to communicate, but let's see how you can HACK them! 👩‍💻

A Thread 🧵👇

I love how the EU doesn't recognise e-sport as sports because the games are privately owned and controlled by corporations. Like, I'm not joking, that's such a great stance!

A corporation running a game can ruin someone's career by making a balance change to the game. They can somewhat fix matches that way by pushing an update just before a tournament.

For videogames to qualify as actual sports, they'd have to be standards-based rather than implementation-based. Ergo, I can play chess on any kind of board with any pieces so long as they meet the criteria for the rules of the game. But videogames aren't built like that. They're implementation-based and owned by private corporations, which makes them really unfit as sports.

File format dissection 

I uploaded a small revision of my JPEG image format dissection, along with a PDF version - and a minor bugfix.
github.com/corkami/pics

Let's start hardware hacking posts with simple power analysis.

Each instruction executed on the CPU will use different amounts of power (whatever it means, just go with me, don't listen to the physics part of your brain). Based on the power usage you can determine not only what instruction is being executed but also what arguments it took!
Seriously.

Let's take the following example:

    // Expected password (constant example value; the post assumes 5 digits)
    const String PASSWORD = "12345";

    // Naive comparison from the post: every byte is compared, so the loop
    // always runs to the end (no early-exit timing leak), but the compare
    // in each iteration still draws data-dependent power.
    bool checkPass(String buffer) {
      bool result = true;
      for (int i = 0; i < PASSWORD.length(); i++) {
        if (buffer[i] != PASSWORD[i]) {
          result = false;
        }
      }
      return result;
    }

As you can see it's a very simple password check, without the usual timing attack bug. It's worth noting that the whole if is one assembly instruction on Arduino (hence it doesn't take longer to execute the loop because of the value assignment).

Now if we assume that the password is just 5 digits we can try ten different passwords: 00000, 11111, ..., 99999 and get 10 power traces. If we overlay all of them we will see the odd ones out (like in the picture below).

If you look closely at the picture below you will see that there are five distinct places in which the power traces differ. If you match the colours of traces to the password attempts you will get the 5 digits password in just 10 tries!

Magic!
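To see why the ten overlaid traces give away every digit, here is a toy simulation (an added example, not from the post) that replaces the oscilloscope with a Hamming-weight leakage model of the compare in each loop iteration; SECRET, NOISE and the function names are constructed for the illustration. It also shows why a constant-time loop alone does not help: the loop length is fixed, yet the per-iteration power still depends on the data.

```python
import random

# Toy leakage model for the naive checkPass() loop, not a real capture:
# at loop iteration i the power draw depends on the compare operands,
# modelled here as the Hamming weight of guess[i] XOR secret[i].
SECRET = "48213"   # constructed secret held by the simulated device
NOISE = 0.3        # measurement noise amplitude, below the model's 1.0 gap


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def power_trace(guess: str, secret: str = SECRET, rng=None) -> list:
    """One simulated power sample per loop iteration of checkPass(guess)."""
    rng = rng or random.Random(0)
    trace = []
    for g, s in zip(guess, secret):
        leak = hamming_weight(ord(g) ^ ord(s))   # 0 only when g == s
        trace.append(leak + rng.uniform(-NOISE, NOISE))
    return trace


def recover_digits(secret: str = SECRET, width: int = 5) -> str:
    """Overlay the ten traces for 00000..99999; per position, pick the odd one out."""
    rng = random.Random(1)
    traces = {d: power_trace(str(d) * width, secret, rng) for d in range(10)}
    recovered = ""
    for i in range(width):
        # The matching digit XORs to zero, so its sample is the lowest at position i.
        best = min(range(10), key=lambda d: traces[d][i])
        recovered += str(best)
    return recovered


if __name__ == "__main__":
    print("recovered:", recover_digits())   # prints the 5 digits of SECRET
```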

Sometimes phone batteries die, and it's difficult to pry open the phone (need a special tool). Sometimes the battery just swells; in this case, it's easy to replace it.

I ordered this phone battery two weeks ago from AliExpress, and it arrived today, and I successfully replaced the battery (Redmi 10X Pro 5G).

This week, the world’s human #population is expected to reach 8B. About 109B people have lived and died. Each grain of sand represents 10M.

Spectacular #data visualization of human life on Earth by Max Roser #science #SharedPlanet

me, a young web dev in beirut in 2008, finding out that the way you get an HTTPS certificate is you pay an american corporation money for it

Yohanes' server