Security Leftovers (2021-11-03)
Security updates for Wednesday
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
Finding and Fixing DOM-based XSS with Static Analysis – Attack & Defense
Despite all the efforts of fixing Cross-Site Scripting (XSS) on the web, it continuously ranks as one of the most dangerous security issues in software.
In particular, DOM-based XSS is gaining increasing relevance: DOM-based XSS is a form of XSS where the vulnerability resides completely in the client-side code (e.g., in JavaScript). Indeed, more and more web applications implement all of their UI code using frontend web technologies: Single Page Applications (SPAs) are more prone to this vulnerability, mainly because they are more JavaScript-heavy than other web applications. An XSS in Electron applications, however, has the potential to cause even more danger due to the system-level APIs available in the Electron framework (e.g., reading local files and executing programs).
The following article will take a deeper look into Mozilla’s eslint-based tooling to detect and prevent DOM-based XSS and how it might be useful for your existing web applications. The eslint plugin was developed as part of our mitigations against injection attacks in the Firefox browser, for which the user interface is also written in HTML, JavaScript and CSS.
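The kind of check such tooling automates, as an added illustration that is not Mozilla's eslint plugin or code from the article: a small static scanner that flags writes to DOM HTML sinks unless the whole value is a call to an assumed, project-approved sanitizer (the sanitizer names and the sample source are constructed for this example; a real eslint rule works on the AST rather than on regexes over lines).

```javascript
// Sinks whose argument is parsed as HTML; the capture group is the value written.
const SINK_PATTERNS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)\s*(.+)$/ },
  { name: 'outerHTML', re: /\.outerHTML\s*=(?!=)\s*(.+)$/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\([^,]+,\s*(.+)\)/ },
  { name: 'document.write', re: /document\.write(?:ln)?\s*\((.+)\)/ },
];

// Assumed allow-list of sanitizer calls; a real project maintains its own.
const SANITIZERS = ['DOMPurify.sanitize(', 'escapeHTML('];

// True only when the entire expression is one sanitizer call: a sanitizer
// buried inside string concatenation still leaves the surrounding HTML unsafe.
function isSanitized(expr) {
  const e = expr.trim().replace(/;$/, '').trim();
  for (const s of SANITIZERS) {
    if (!e.startsWith(s)) continue;
    let depth = 0;
    for (let i = s.length - 1; i < e.length; i++) {
      if (e[i] === '(') depth++;
      else if (e[i] === ')' && --depth === 0) return i === e.length - 1;
    }
  }
  return false;
}

// Returns one finding per unsanitized sink use: { line, sink, code }.
function findDomXssSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { name, re } of SINK_PATTERNS) {
      const m = text.match(re);
      if (m && !isSanitized(m[1])) {
        findings.push({ line: idx + 1, sink: name, code: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: URL-derived input reaching innerHTML and document.write
// (flagged), a sanitized innerHTML write (allowed) and textContent (not a sink).
const SAMPLE = [
  "const name = new URLSearchParams(location.search).get('name');",
  "document.getElementById('greet').innerHTML = 'Hi ' + name;",
  "document.getElementById('bio').innerHTML = DOMPurify.sanitize(bio);",
  "document.getElementById('safe').textContent = name;",
  "document.write('<p>' + name + '</p>');",
].join('\n');

for (const f of findDomXssSinks(SAMPLE)) console.log(`line ${f.line}: ${f.sink}: ${f.code}`);
```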
'Trojan Source' a Threat to All Source Code, Languages | eSecurityPlanet
Researchers have outlined a method that could be used by bad actors to push vulnerabilities into source code that are invisible to human code reviewers.
In a paper released this week, two researchers at the University of Cambridge in the UK wrote that the method – which they dub “Trojan Source” – essentially can be leveraged against almost every programming language in use today and could be effective in supply-chain attacks similar to the one launched against SolarWinds last year.
Victory! U.S. blacklists NSO Group and Candiru - Access Now
Today, the U.S. Government added NSO Group, Candiru, and two other foreign companies to the Entity List for engaging in activities contrary to the national security or foreign policy interests of the United States.
While long overdue, Access Now applauds this announcement, and urges the European Union and other governments to implement similar restrictions on surveillance tech companies who facilitate human rights violations.
“This is a huge win,” said Natalia Krapiva, Tech-Legal Counsel at Access Now. “NSO and Candiru like to brag that their spyware technologies are all about protecting public safety and national security. But here, we have the United States, a major power, coming out and saying these companies are violating not only human rights, but also U.S. national security.”
FBI Releases PIN on Attacks Using Significant Financial Events for Extortion
The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) on ransomware actors using significant financial events, such as mergers and acquisitions, to target and leverage victim companies.
CISA encourages users and administrators to review Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims and apply the recommended mitigations.
DCOM abuse and lateral movement with Cobalt Strike | Pen Test Partners
It is possible to bypass certain AVs by encoding executables containing payloads with tools such as Msfvenom. Alternatively, tools such as Shellter or Veil can be used to create custom Portable Executables (PE) capable of bypassing common anti-virus solutions. These tools also allow you to inject payloads into legitimate software to even better mask your malicious code from the AV.
These tools can be successful at performing their task; however, if one used the same binary several times, there is a good chance it would be added to existing AV/EDR signature databases. Using websites like VirusTotal to test the detection rate of your executables will also likely speed up the process of your malware getting added to an AV signature database. In general, uploading binaries onto a target currently is a bit of an unnecessary risk, therefore I wanted to look into ways of performing lateral movement with malware that does not need to be transferred to the disk of the target.
The great thing about Cobalt Strike is the option to execute .NET binaries in the memory of the target (execute-assembly), without needing to transfer it. Following the same idea, I wanted to be able to transfer malware to the target that would execute in memory and avoid the unnecessary triggering of AV by the fact that it is present on the disk. I came across a technique called reflective DLL injection and thought it was genius.
Reflective DLL injection involves loading a .NET Dynamic Link Library (DLL) into the memory of the target. Common tooling such as PowerShell can be used to load the DLL and allows the execution of your choice of methods available within the DLL. This results in diskless malware execution. I liked the concept; however, performing the preparation for such a task was slightly lengthy, therefore my programmer instincts kicked in and I thought why not create some automation.
Devices: ESP8266, Pis, Arduinos, and More
Programming Leftovers
Proprietary Failure and Linux Foundation Openwash
GStreamer 1.19.3 unstable development release
The GStreamer team is pleased to announce the third development release in the unstable 1.19 release series. The unstable 1.19 release series adds new features on top of the current stable 1.18 series and is part of the API- and ABI-stable 1.x release series of the GStreamer multimedia framework. The unstable 1.19 release series is for testing and development purposes in the lead-up to the stable 1.20 series, which is scheduled for release in a few weeks' time. Any newly-added API can still change until that point, although it is rare for that to happen.
