Articles on Infosec
Last updated: 2023/02/09
Top deep-dives on Infosec
SAST: how code analysis tools look for security flaws
Sergey Vasiliev explains how Static Application Security Testing (SAST) solutions find security issues in code.
- SAST tools look for potential vulnerabilities in source code without executing it
- Syntax trees are used as a convenient and structured representation of the code
- "The sooner a vulnerability is found, the easier and cheaper it is to fix"
The State of State Machines
A lot of applications fundamentally run on a state machine. When you get to building more complex systems, issues in the state machines can become difficult to manage. In this article, Natalie Silvanovich explores some of the vulnerabilities in state machines that run messaging applications like Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.
The Fresh Smell of ransomed coffee
The popularity of IoT devices, like smart lights, smart homes, or smart coffee makers, has been growing substantially in recent years. These devices can be fun to use (or frustrating), and convenient, but when they're not very well secured. In this instructional article, Martin Hron presents how he hacked his way into a popular smart coffee maker be reverse engineering and modifying its firmware. Martin covers all the important, and subtle points, making this a very well fleshed out article packed full of information.
New browser-tracking hack works even when you flush caches or go incognito
Pretty interesting article by Dan Goodin on how favicons can be used to get around restrictions on cookies to track users in most major browsers.
The different types of cross-site scripting (XSS)
Following along on the topic of security, in this article Omkar Hiremath describes what cross-site scripting is, how it's used in real life, and three different types of XSS attacks including reflected, stored, and DOM-based.
Breaking The Browser – A tale of IPC, credentials and backdoors
In the theme of the intro, this post is about browser security, and specifically, Chrome on Windows. In this article, Dylan does a deep dive into how he was able to inject function hook into the Chrome network service to read in plain text all data that was passed to the SSL function. Dylan then takes this a step further, reading all data that is passed between Chrome services.
The Insane Innovation of TI Calculator Hobbyists
Nothing more nostalgic of highschool math for me than the clunky body of a TI graphing calculator and the fun that could be had with it. In this justifiably extensive article, George Hilliard breaks down the iconic TI-84 and explores everything it was never meant to do.
The race condition that led to Flexcoin bankruptcy
Vlad Mihalcea demonstrates how small issues in Java concurrency implementation can lead to big financial problems.
New campaign targeting security researchers
More security related than programming, but this in this article, Adam Weidemann brings to light how a "government-backed entity based in North Korea" is up to some shady shenanigans, in an attempt to build credibility with the CompSec community. Stay vigilant, stay safe.
Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228)
Pretty big news about the Log4Shell vulnerability, mostly because it's so prevalent. If you haven't heard it, check out this article by Free Wortley, Forrest Allison, and Chris Thompson that aims to inform you on trusted sources for information regarding the exploit and how to determine if you're affected/mitigate the issue if you are.
How Democracies Spy on Their Citizens
Ok as a heads up, this article is definitely not super technical, but it is a deep-dive into some areas related to articles I featured before. Plus it's just a fascinating story. Ronan Farrow presents how governments purchase and use spyware from groups like the NSO.
A Look at iMessage in iOS 14
Why all of the security articles lately? Don't know, just been feeling them. In this one, Samuel Groß summarizes the fruits of reverse engineering iOS 14 to look for any signs of previous vulnerabilities to "memory corruption based 0-click exploits".
A step-by-step analysis of a new version of Darkside Ransomware (v. 22.214.171.124)
New ransomware is released into the wild constantly, although a lot of it can be grouped into "family" structures, due to shared commonalities. In this extensive article, as the title suggests, the author undertakes a very detailed analysis of a specific set of ransomware that was "responsible for the Colonial Pipeline attack on May 7 2021". It's very thorough.
Yes, fun browser extensions can have vulnerabilities too!
I'm always cautious about adding browser extensions because it feels like I'm always giving them too much data or control. Well in this article, Wladimir Palant presents a cross-site scripting vulnerability in a seemingly harmless, popular browser extension.
IoT Hacking and Rickrolling My High School District
I don't know if you ever messed with your school's computer system, but I doubt it was to this extent. In this article, the author describes how they and a group of people broke into their school district's network and commenced a mass Rick Rolling.
Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique
Windows gets a lot of crap (*cough* neckbeards *cough*) for being a breeding cesspool of vulnerabilities and their respective viruses, but Linux has its own vulnerabilities too. What are these you ask? Well Lior Ribak has written an interesting article that explores on such vulnerability. Lior discusses how using an uncommon 'feature of the dynamic linker/loader' to force all ' dynamic executables in [the] environment' to load a shared library can be defended against by another similar feature, that can be forced to load even earlier. Lior also goes into the offensive uses.
Implicit Overflow Considered Harmful (and how to fix it)
We've had a couple of articles that presented security issues as result of integer overflow. None of them really looked at this issue as a whole across multiple languages. In this informative article, the author explores why multiple integer types are necessary and how they're handled in different languages, and then presents their own solution.
The first article of two about running stuff where it wasn't mean to be running, in this article Neil Bostian describes the five year journey it took to get DOOM running on a Polycom VXX600 telephone. Why? Because he could.
How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects
Security researcher Alex Ilgayev gives a brief background on Github Actions, then dives into the juicy details of how they can exploited.
This bug doesn’t exist on x86: Exploiting an ARM-only race condition
You wanna buy some hack? No? Well you might want to read Stephen Tong's extensive article on a "real-world, modern binary exploitation" that is only relevant to ARM, and not x86 prcoessors. Why? Because it's interesting. Stephen breaks the lengthy article into three main sections; "walkthrough of the binary, and a peek into the mindset of a vulnerability researcher", "memory ordering, lock-free programming, and how this can lead to sneaky bugs", and "exploiting an object lifetime heap corruption bug. How to get arbitrary read and write and finally, a shell".
Breaking Down a Phishing Attempt
But Alex! This isn't a super technical topic! You violently scream at your screen as spittle flies from your mouth and your fist slams against the table. To be fair, Aaron Powell does go into the code behind the exploit, and I, dear reader, just want you to be informed on how sophisticated some of these malicious attempts can be.
Zooming in on Zero-click Exploits
Natalie Silvanovich describes two vulnerabilities she found while doing a security analysis of Zoom.
Earn $200K by fuzzing for a weekend: Part 1
Addison Crump presents how he wrote a smart fuzzer to find vulnerabilities in rBPF, which is extensively used by the Solana blockchain.
DirtyMoe: Worming Modules
Martin Chlumecký does a very thorough deep-dive on the DirtyMoe malware, including explaining what it is and how every part of it works.
Backdooring Rust crates for fun and profit
You know what they say, the best defense is a strong offense! Well in the case of infosec, this is a relatively new approach. In this dangerous article, Sylvain Kerkour presents several methods for hiding and executing backdoor code in Rust crates.
I won free load testing
Amos dissects a recent DDoS attack on his websites, taking us through the data and statistics for the attack, as well as some of his attempts to mitigate the issues that arose from it.
Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)
Valentin Obst and Martin Clauß make a Linux kernel vulnerability digestible using a proof of concept program as a learning aide.
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
The NSO group has been in the news a lot recently, for many reasons (mostly political) which we won't get into. Something we can get into though is how a specific part of one of their exploits work. In this thorough article, Ian Beer & Samuel Groß uncover how the company used fake gifs to exploit iMessage.
Using EM Waves to Detect Malware
The PDF for the research paper can be found in the 7th comment. I didn't link it directly because I found the comments to be fairly interesting on the website. In the paper Duy-Phuc Pham, Damien Marion, Mathieu Mastio, and Annelie Heuser present how electromagnetic wave patterns can be used to identify malware on IoT devices.
Integer Overflow to RCE — ManageEngine Asset Explorer Agent (CVE-2021–20082)
The lengths to which malicious actors go to in order to get remote code execution on a machine always facinate me. But I totally understand the drive; the rush must be like solving an extremely challenging puzzle. Fortunately David Wells isn't a malicious actor, and has his article depicts the attack vector, presents the penetration method, and walks through the process, giving us a taste of what it takes to crack into someone's server via a service like "ManageEngine ServiceDesk Plus".
A Framework for Adversarially Robust Streaming Algorithms [pdf]
Omri Ben-Eliezer, Rajesh Jayaram, David P. Woodruff, and Eylon Yogev present methods for making streaming algorithms robust against an adversary who can observe and manipulate the stream itself.
5 RCEs in npm for $15,000
Understanding Network Access in Windows AppContainers
Often times the firewall might be the only thing between you and the big bad web. It's especially essential in Windows, the OS for which the most malicious code exists (by far). James Forshaw's spanning article dives explores the ins and outs of the Windows firewall, starting with a primer on its architecture, continuing onto rules, spelunking into configurations, and concluding with AppContainer network restrictions.
Exploit Development: No Code Execution? No Problem! Living The Age of VBS, HVCI, and Kernel CFG
Connor McGarr goes on a very deep technical dive on the topic of exploiting VMs.
FORCEDENTRY: Sandbox Escape
Ian Beer and Samuel Groß dive into the technical workings of the second stage of NSO's iMessage exploit that allowed them escape the IMTranscoderAgent sandbox.
Introduction to Firmware Analysis of a Reolink IP Camera
In this series, Serhack (literally) picks apart an IP camera and goes through all of the internals, from hardware to software.
- Analyzing firmware takes a lot of time
- The internet of things brings a lot of new challenges to embedded software designing
- Most embedded operating systems use U-Boot
Turning Google smart speakers into wiretaps for $100k
Matt Kunze describes his discovery of security issues with the Google Home smart speaker that allowed an attacker within wireless proximity to install a “backdoor” account on the device, enabling them to send commands to it remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN.
- Google Home’s architecture is based on Chromecast, which doesn't have need for very good security
- Although many researchers have looked into the security of this devices, they mostly missed the subtlety of the account linking vulnerability
- More devices, more problems
Party time: Injecting code into Teleparty extension
Wladimir Palant takes advantage of an older JQuery version to inject code into a popular browser extension.
Improving MBA Deobfuscation using Equality Saturation
Matteo Favar and Tim Blazytko extensively cover methods and techniques for de-obfuscating malicious code.
POSIX hardlink heartache
Michael Orlitzky illuminates how hardlinks on UNIX systems can be exploited.