Vulnerabilities - Case Studies
IDOR
- Preventing Web Application Access Control Abuse (by CISA and other agencies) IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
- Insecure direct object references (IDOR) From the Burp Suite (PortSwigger) website.
- Garante della Privacy, Provvedimento del 23 marzo 2023 [9883731] (Italian data protection authority, decision of 23 March 2023). To be translated from the lengthy and boring legalese ("avvocatese"). If you find other decisions ("provvedimenti") related to IDOR, please let me know (I found some others but did not save their links...)
Palo Alto Networks (CVE-2024-3400)
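The failure the CISA definition above describes, as an added Python illustration (not code from any of the linked sources; the invoice store, user names and handler names are constructed for the example): the vulnerable handler only checks that the caller is logged in and then uses the identifier from the request as-is, while the fixed handler scopes the lookup to objects the caller owns.

```python
"""IDOR: the same object lookup before and after adding an authorization check.

Added illustration; the invoice store, user names and handler names are
constructed for this example and do not come from the linked sources.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 1250),
    1002: Invoice(1002, "bob", 9999),
}


class Forbidden(Exception):
    """The caller is authenticated but may not access this object."""


def get_invoice_vulnerable(current_user: Optional[str], invoice_id: int) -> Invoice:
    """Authentication only: the caller must be logged in, but the id taken
    from the request is used as-is, so any user can read any invoice by
    changing the number (the IDOR pattern)."""
    if not current_user:
        raise PermissionError("login required")
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: Optional[str], invoice_id: int) -> Invoice:
    """Authentication and authorization: the lookup is scoped to the caller.
    A missing id and someone else's id raise the same error, so the response
    does not reveal which ids exist."""
    if not current_user:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


def list_invoices(current_user: str) -> list:
    """Listing endpoints get the same treatment: filter by owner on the
    server, never trust an owner parameter sent by the client."""
    return [inv for inv in INVOICES.values() if inv.owner == current_user]


def can_access(current_user: Optional[str], invoice_id: int) -> bool:
    """True if the fixed handler would return the invoice (for quick checks)."""
    try:
        get_invoice_fixed(current_user, invoice_id)
        return True
    except (PermissionError, Forbidden):
        return False
```

The point to take from the two handlers is that authentication answers "who is this?" and authorization answers "may this identity touch this object?"; an IDOR is exactly the second question never being asked, and the fix is a per-object check (or a query filtered by owner) on every access path, not an obscure identifier.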
- Analysis by Rapid7
- Python subprocess.Popen Quite a complex library function. This is a (correct) ChatGPT explanation of its usage in the vulnerable web app, i.e., of the meaning of all those parameters.
- Bash scripting: Moving from backtick operator to $ parentheses One of the many explanations of backticks (command substitution) in the Linux shell.
- Shodan query for finding potentially vulnerable devices exposed on the Internet (not sure of its accuracy).
Actual Exploitation
- Exploitation alert by Greynoise threat intelligence.
- European Cyber Incident Tracker (click on "Key information" and then "Source URLs"). What happened is more or less what we expected in the lectures: Execution via reverse shell and then Persistence, in this case with a Python "backdoor", i.e., a Python script downloaded from an attacker-controlled location that is meant to remain unnoticed.
- A Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis This is interesting because it describes the full attack chain, at least on some observed instances.
Heartbleed (CVE-2014-0160)
One could write almost an encyclopedia on this topic.
- The Heartbleed Bug, explained
- The Heartbleed Bug The "official" website set up by the researchers that discovered this vulnerability.
- Heartbleed@Wikipedia
Examples
- I know what you did last summer - and also what you will be doing this one.
- A student manages to hack the 18app website, then decides to cooperate (Italian article: "Uno studente riesce ad hackerare il sito di 18app, poi decide di collaborare")
- Giggle; laughable security. "I had been diagnosed with premature menopause and wanted to find a safe space in a woman-centric environment."
- Fertility tracker Glow fixes bug that exposed users’ personal data A bug in the online forum for the fertility tracking app Glow exposed the personal data of around 25 million users.
Not discussed in any lecture
Just some of the many examples that can be found.
ICS / IoT / Medical and so on...
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More During our engagement, we found the following vulnerabilities in the companies listed below...
- Commercial Flights Are Experiencing 'Unthinkable' GPS Attacks and Nobody Knows What to Do New "spoofing" attacks resulting in total navigation failure have been occurring above the Middle East for months, which is "highly significant" for airline safety.
- CAN Injection: keyless car theft This is a detective story about how a car was stolen - and how it uncovered an epidemic of high-tech car theft.
- Hackers can infect network-connected wrenches to install ransomware Researchers identify 23 vulnerabilities, some of which can be exploited with no authentication. These vulnerabilities could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices.
- CISA Advisories: "health"
More traditional application domains
Extreme Networks / Aerohive Wireless AP
Buffer overflow whose exploitation requires circumventing ASLR. An excellent description that explains all the steps in a very clear and easy-to-understand style.
- Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs Fully unauthenticated Remote Code Execution (RCE) vulnerability. This blog post details the discovery and exploitation of the vulnerability, which is a buffer overflow in a service. Proof-of-Concept (PoC) available.
MOVEit
A service for secure file transfer within large organizations. On May 31, 2023, Progress released a security advisory for their MOVEit Transfer application which detailed a SQL injection leading to remote code execution and urged customers to update to the latest version. The vulnerability, CVE-2023-34362, at the time of release was believed to have been exploited in-the-wild as a 0-day dating back at least 30 days.
- Deep Dive and Indicators of Compromise analyzes the vulnerability in detail; it is caused by a set of bugs in the code that parses HTTP requests.
- Understanding CVE-2023-34362: A critical MOVEit Transfer vulnerability
FortiNAC (Secure Network Access Control)
FortiNAC is a network access control appliance for protecting networks.
- Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs Critical vulnerability CVE-2022-39952 allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user. Description not difficult to follow and understand. Basically, there is a URL that allows unauthenticated file upload to an arbitrary position in the filesystem. They upload a file that, once written to the filesystem, causes a new cron job (a process launched at a scheduled time) to be defined, where the job is a reverse shell. "We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user."
- FortiNAC - Just a few more RCEs Two more vulnerabilities discussed in June 2023. The first of them is easy to follow and understand. Basically, there is a URL that allows unauthenticated upload of an arbitrary JAR file that will be executed automatically (CVE-2023-33299, Untrusted Deserialization). They prepare a JAR with a reverse shell and upload it at that URL. The other vulnerability is also interesting and not particularly difficult to understand, but much longer and more tricky to follow (CVE-2023-33300, Command Injection).
OAuth in Microsoft Azure
- Anyone in the world is able to access your apps AS YOU with MS OAuth if the app is configured to use email as the account identifier (video). Since the email field is arbitrary for Azure AD users, there's nothing stopping an attacker from using their own free Azure tenant to create a user with your email address.
- Migrate away from using email claims for user identification or authorization Microsoft guidance.
Java Digital Signatures
- CVE-2022-21449: Psychic Signatures in Java An ECDSA signature consists of two values, called r and s. To verify an ECDSA signature, the verifier checks an equation involving r, s and a lot of other stuff. The very first check in the ECDSA verification algorithm is to ensure that r and s are both >= 1. They forgot this check, so you could produce a signature value in which they are both 0 and Java would accept it as a valid signature for any message and for any public key. The digital equivalent of a blank ID card.
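To make the missing check concrete, here is an added Python example (not code from the linked article nor from the Java library): textbook ECDSA over secp256k1 in plain affine arithmetic, where `verify(..., check_range=False)` emulates the flawed verifier. Two details of that emulation are assumptions made to reproduce the effect the article describes, not a transcription of the Java code: the modular inverse of 0 is taken to be 0, and the point at infinity is read as having x-coordinate 0. Everything else (curve constants, signing, the correct verifier) is standard.

```python
"""ECDSA verification with and without the r, s range check.

Added illustration of the CVE-2022-21449 failure mode; not code from the
article or from Java. secp256k1, affine arithmetic, no side-channel care:
for study only, not for production use.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public standard constants).
P = 2**256 - 2**32 - 977
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity (group identity)


def on_curve(point) -> bool:
    """Sanity check: y^2 == x^3 + A*x + B (mod P)."""
    if point is INF:
        return True
    x, y = point
    return (y * y - x * x * x - A * x - B) % P == 0


def ec_add(p1, p2):
    """Affine point addition (handles doubling and the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, point):
    """Double-and-add scalar multiplication; k == 0 gives INF."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1          # private scalar in [1, N-1]
    return d, ec_mul(d, G)


def sign(d: int, message: bytes):
    e = hash_to_int(message)
    while True:
        k = secrets.randbelow(N - 1) + 1      # fresh random nonce per signature
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:                           # the standard retry when r or s is 0
            return r, s


def verify(pub, message: bytes, sig, check_range: bool = True) -> bool:
    """ECDSA verification.

    check_range=True  -> the correct algorithm (reject r, s outside [1, N-1]).
    check_range=False -> emulation of the flawed verifier: the range check is
    skipped, the inverse of 0 is treated as 0, and the point at infinity is
    read as x = 0. Both are assumptions made to reproduce the reported effect.
    """
    r, s = sig
    if check_range and not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(message)
    w = pow(s, -1, N) if s % N else 0         # flawed path: 0^-1 "is" 0
    u1 = e * w % N
    u2 = r * w % N
    R = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    x = 0 if R is INF else R[0]               # flawed path: infinity reads as 0
    return x % N == r % N
```

With the check skipped, the signature (0, 0) makes w, u1 and u2 all zero, so R is the point at infinity, its x-coordinate is compared with r = 0, and the verifier says "valid" for any message under any key; with the check in place the same signature is rejected before any curve arithmetic runs, which is why the range check is the first line of the algorithm and not an optimisation.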