CI/CD support is next for WAF security tool

CI/CD support is next for WAF security tool

Popular open source hacking tool GoTestWAF has become the first utility of its type to evaluate API security platforms, Black Hat USA attendees have learned.

Launched in April 2020, the security testing tool simulates OWASP and API exploits to test the detection capabilities of web application firewalls (WAFs), NGWAFs, RASPs, WAAPs, and, now, API security tools.

It supports REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, and legacy APIs.

Read more about the latest security research and Arsenal talks at Black Hat USA 2022

OpenAPI-based scanning has been introduced “so you can scan exactly what is defined in your API spec during the attack simulation”, Brandon Shope, principal security engineer at Wallarm, told attendees at his Arsenal session yesterday (August 11).

The GoTestWAF GitHub repo explains how OpenAPI (formerly Swagger) file scans work, which OpenAPI features are supported, and how “instead of constructing requests that are simple in structure and send them to the URL specified at startup, GoTestWAF creates valid requests based on the application’s API description in the OpenAPI 3.0 format”.

**More attack types incoming**

Other new features currently in development, meanwhile, are a daemon for CI/CD pipelines with API and server mode, and support for additional attack types, including Java, Python, and .NET serialization attacks, said Shope.

GoTestWAF generates malicious requests using encoded payloads placed in different parts of HTTP requests. The results indicate the number and percentage of path traversal, shell injection, cross-site scripting (XSS), and various other attack types blocked by the security tool.

RELATED Black Hat USA: Log4j de-obfuscator Ox4Shell ‘dramatically’ reduces analysis time

GoTestWAF compares scan results to ModSec as a baseline, Shope said, and presents them in a “readable, nicely formatted PDF”. Wallarm CEO Ivan Novikov described this as a “really important” feature ahead of Shope’s presentation.

Testing for false negatives and positives is seen by Wallarm as invaluable given WAFs’ notoriety for generating false positives, which the API security firm says often occupies users at the expense of testing false negative rates.

**Community payloads**

Multiple ‘nested’ encoding support, codeless checks with YAML files, dockerization, and community payloads were also highlighted at the Las Vegas event.

Community support is a significant factor in the tool’s appeal, Novikov told The Daily Swig, citing community test cases documented by researchers from security intelligence search engine Vulners team “and then supported by others”.

GoTestWAF is already “used about 100 times a week” and asked about during sales and marketing calls by “about five enterprise companies a week”, according to Novikov.

Wallarm launched a free Online WAF tester for the tool last month.

RECOMMENDED Black Hat USA: Deliberately vulnerable AWS, Azure cloud infrastructure is a pen tester’s playground

GoTestWAF adds API attack testing via OpenAPI support

Categories: Exploits and vulnerabilities
Categories: News
Tags: Discord

Tags:  Spotify

Tags:  MicrosoftTeams

Tags:  Electron

Tags:  ElectronJS

Tags:  NodeJS

Tags:  V8 Chrome

Tags:  Log4Shell

Tags:  Log4j

A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, and many others



(Read more...)




The post Researchers found one-click exploits in Discord and Teams appeared first on Malwarebytes Labs.

A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.

Electron is a framework that allows developers to create desktop applications using the languages used to build websites: HTML5, CSS, and JavaScript. It's an open source project that has been used as the foundation for some extremely popular apps. Electron itself is built on the open source Chromium browser project (the basis of Google Chrome), and the NodeJS JavaScript runtime which is built on Chromium's V8 JavaScript engine—a significant source of Chrome security problems.

**Building blocks**

It is not uncommon for developers to use other projects, frameworks and libraries as building blocks for their projects. Building on proven code makes sense: It saves time, it is easier for others to get involved, and everyone benefits from all the layers of solved problems in the existing codebase.

The problem with building software on existing foundations, provided by others, is that its developer may not fully understand the security implications of certain decisions or configurations. And they need to rebuild their own application whenever a security vulnerability is fixed in the software they're building on top of, and then distribute that update to their users.

Probably the most famous example of such a building block vulnerability is Log4Shell. Log4Shell is a vulnerability that was found in Log4j, an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the impact of the vulnerability was enormous.

The chances of applications harboring out-of-date underpinnings are software are high. And the reservoir of known bugs that are fixed in, say, Chrome, but not yet fixed in Electron, or fixed in Electron but not yet fixed an application built on top of Electron, is something that criminals and researchers can exploit.

A group of researchers recently presented research into Electron vulnerabilities at the Black Hat security conference having done exactly that. For a peek into what they did, and a look at how complicated modern bug hunting is, read researcher s1r1us's explanation of how they went about finding a remote code execution (RCE) vulnerability in Discord by chaining a new cross-site scripting vulnerability, a CSP bypass in Discord's out-of-date Chrome version, and an exploit for an existing V8 vulnerability.

In the case of s1r1us's Discord bug, what the researchers found could be exploited with nothing more than a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, an attacker would have been able to take control of their computers.

**Mitigation**

The most general and best advice in many cases is to avoid clicking on links that come in unexpected or in unusual ways. In an ideal world you would distrust them with the same vigor as the links in your mailbox and on social media. However, this can be very difficult in practice because many of these applications _require_ you to click on links to join meetings, accept invitations and so on.

A more workable solution, suggested by the researcher, is to use apps like Discord or Spotify inside your browser, because then you have the protection afforded by Chrome, which is much larger than the one provided by Electron, and you have control whether it’s up to date or not.

Most of us though, will simply stick to downloading our security updates, and hoping the people who make the software are too.

Researchers found one-click exploits in Discord and Teams

More than 1 million instances of firewalls running Cisco Adaptive Security Appliance (ASA) software have four vulnerabilities that undermine its security, a researcher finds.

BLACK HAT USA — Las Vegas — Cisco's enterprise-class firewalls have at least a dozen vulnerabilities — four of which have been assigned CVE identifiers — that could allow attackers to infiltrate networks protected by the devices, a security researcher from vulnerability management firm Rapid7 plans to say in a presentation at the Black Hat USA conference on Aug. 11.

The vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) software, the operating system for the company's enterprise-class firewalls, and its ecosystem. The most significant security weakness (CVE-2022-20829) is that the Adaptive Security Device Manager (ASDM) binary packages are not digitally signed, which — along with the failure to verify a server's SSL certificate — allows an attacker to deploy customized ASA binaries that can then install files onto administrators' computers.

Because administrators just expect the ASDM software to come preinstalled on devices, the fact that the binaries are not signed gives attackers a significant supply chain attack, says Jake Baines, lead security researcher at Rapid7.

"If someone buys an ASA device on which the attacker has installed their own code, the attackers don't get shell on the ASA device, but when an administrator connects to the device, now \[the attackers\] have a shell on \[the administrator's\] computer," he says. "To me, that is the most dangerous attack."

The dozen security weaknesses include issues that impact devices and virtual instances running the ASA software, as well as vulnerabilities in the Firepower next-generation firewall module. More than 1 million ASA devices are deployed worldwide by Cisco's customers, although a Shodan search shows that only about 20% have the management interface exposed to the Internet, Baines says.

As a supply chain attack, the vulnerabilities would give threat actors the ability to compromise a virtual device at the edge of the network — an environment that most security teams would not analyze for security threats, he says.

**Full Access**

"If you have access to the virtual machine, you have full access inside the network, but more importantly, you can sniff all the traffic going through, including decrypted VPN traffic," Baines says. "So, it is a really great place for an attacker to chill out and pivot, but probably just sniff for credentials or monitor the traffic flowing into the network."

Baines discovered the issue when he was investigating the Cisco ASDM to get "a level set on how the GUI (graphical user interface) works" and pull apart the protocol, he says.

A component installed on administrators' systems, known as the ASDM launcher, could be used by attackers to deliver malicious code in Java class files or through the ASDM Web portal. As a result, attackers could create a malicious ASDM package to compromise the administrator's system through installers, malicious Web pages, and malicious Java components.

The ASDM vulnerabilities discovered by Rapid7 include a known vulnerability (CVE-2021-1585) that allows an unauthenticated remote code execution (RCE) attack, which Cisco claimed was patched in a recent update, but Baines discovered it remained.

In addition to the ASDM issues, Rapid7 found a handful of security weaknesses in the Firepower next-generation firewall module, including an authenticated remote command injection vulnerability (CVE-2022-20828). The Firepower module is a Linux-based virtual machine hosted on the ASA device, and it runs the Snort scanning software to classify traffic, according to Rapid7's advisory.

"The final takeaway for this issue should be that exposing ASDM to the internet could be very dangerous for ASA that use the Firepower module," the advisory states. "While this might be a credentialed attack, as noted previously, ASDM's default authentication scheme discloses username and passwords to active MitM \[machine-in-the-middle\] attackers."

Updating can be complex for Cisco ASA appliances, presenting a problem for companies in mitigating the vulnerabilities. The most widely deployed version of the ASA software is five years old, Baines says. Only about half a percent of installations updated their ASA software within seven days to the latest version, he adds.

"There is no auto-patch feature, so the most popular version of the appliance operating system is quite old," Baines says.

Cisco has had to deal with security issues in its other products as well. Last week, Cisco disclosed a trio of vulnerabilities in its RV series of small business routers. The vulnerabilities could be used together to allow an attacker to execute arbitrary code on Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers without authenticating first.

4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls

Renowned researcher James Kettle demonstrates his latest attack technique in Las Vegas

Renowned researcher James Kettle demonstrates his latest attack technique in Las Vegas

  

A new class of HTTP request smuggling attack allowed a security researcher to compromise multiple popular websites including Amazon and Akamai, break TLS, and exploit Apache servers.

Speaking at Black Hat USA yesterday (August 10), James Kettle unveiled research that opens the new frontier in HTTP request smuggling – browser-powered desync attacks.

The briefing and it’s whitepaper, titled ‘Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling’, builds on Kettle’s previous research into desync attacks.

Read more of the latest news from Black Hat USA

Traditional desync attacks poison the connection between a front-end and back-end server and are therefore impossible on websites that don’t use a front-end/back-end architecture.

However this new technique causes a desync between the front-end and the browser, allowing an attacker to “craft high-severity exploits without relying on malformed requests that browsers will never send”, Kettle noted.

This can expose a whole new range of websites to server-side request smuggling and enables an attacker to perform client-side variations of these attacks by inducing a victim’s browser to poison its own connection to a vulnerable web server.

Kettle demonstrated how he was able to turn a victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks.

He was able to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms – in turn compromising targets including Amazon, Apache, Akamai, Varnish, and multiple web VPNs.

**Discovery**

Kettle told attendees at the 25th anniversary of the annual hacking conference that four separate vulnerabilities led to the discovery of browser-powered desync attacks.

The first, involving request validation, leverages a technique in which an attacker can use two requests down the same connection with a valid host header in order to gain access to the host in the second request, because the reverse proxy only validates the first host.

The second, first-request routing, is a closely related flaw which occurs when the front-end uses the first request’s header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.

Kettle also discovered a technique to detect connection-locked request smuggling by using a delay and reading the data early to decide if the front-end is using the header.

James Kettle presents at the annual hacking conference held in Las Vegas

If it is using the it will time out, which will signify the difference between connection-locked HTTP/1 request smuggling and harmless HTTP pipelining.

A fourth vulnerability caused a desync known as CL.0/H2.0. Kettle was able to use this to compromise Amazon users’ accounts, enabling him to steal users’ requests and add them to his shopping list. He could capture all their requests, including tokens which could have enabled him to impersonate those users.

Speaking to The Daily Swig, Kettle said: “I was really surprised that it was possible to cause a CL.0 desync and also a client-side desync using a legitimate, valid HTTP request.

“It’s understandable when servers get confused by requests that use header obfuscation to hit edge-cases, but getting desync’d by a completely valid, RFC-compliant HTTP request is something else.”

**‘Much cooler’ exploit**

Kettle reported this issue to Amazon, which fixed it, but he soon realized that he had “made a terrible mistake and missed out on a much cooler potential exploit”.

“The attack request was so vanilla that I could have made anyone’s web browser issue it using fetch(),” Kettle noted in a whitepaper.

“By using the HEAD technique on Amazon to create an XSS gadget and execute JavaScript in victim’s browsers, I could have made each infected victim re-launch the attack themselves, spreading it to numerous others.

“This would have released a desync worm – a self-replicating attack which exploits victims to infect others with no user-interaction, rapidly exploiting every active user on Amazon.

“I wouldn’t advise attempting this on a production system, but it could be fun to try on a staging environment. Ultimately this browser-powered desync was a cool finding, a missed opportunity, and also a hint at a new attack class.”

ALSO READ Ancient technique tears a hole through modern web stacks at Black Hat 2019

Most server-side desyncs can only be triggered by a custom HTTP client issuing a malformed request, but as Kettle proved with Amazon, it is sometimes possible to create a browser-powered server-side desync.

This enables exploitation of single-server websites, which Kettle noted “is valuable because they’re often spectacularly poor at HTTP parsing”.

“A client-side desync attack starts with the victim visiting the attacker’s website, which then makes their browser send two cross- domain requests to the vulnerable website,” Kettle explained.

“The first request is crafted to desync the browser’s connection and make the second request trigger a harmful response, typically giving the attacker control of the victim's account.”

BACKGROUND Black Hat USA: HTTP/2 flaws expose organizations to fresh wave of request smuggling attacks

Kettle also demonstrated how he was able to carry out a pause-based desync attack, which occurs if a server doesn’t close a connection when timing out. If an attacker issues half of the request and pauses, the server times out and leaves the socket open. They can then issue the second half of the request that is issued as a new request.

Kettle also demonstrated how he was able to perform a client-side pause-based desync attack, where he broke TLS performing a manipulator-in-the-middle (MiTM) attack but instead of trying to decrypt the traffic, caused a delay when a specific packet size is encountered which can cause a client-side pause desync attack, which he successfully carried out on Apache.

He also automated detection of these client-side and identified a range of real vulnerable websites, including Akamai, Cisco’s web VPN, and Pulse Secure VPN.

Kettle told The Daily Swig that he plans to do a few followup research drops continuing the request smuggling theme over the next couple of months, but that his next major research project “will target something entirely different”.

The full whitepaper is available here.

DON’T MISS The best Black Hat and DEF CON talks of all time

Browser-powered desync: New class of HTTP request smuggling attacks showcased at Black Hat USA

Core Components version 2.20.6 (and earlier) suffer from a reflected cross-site scripting (XSS) vulnerability in `AdaptiveImageServlet` via SVG images. An attacker with author access can upload a special crafted SVG image (including a malicious Javascript) and obtain a link that, when loaded by another authenticated users, will execute the malicious script and gain access to other user's session. The issue has been resolved in 2.20.8. There are currently no known workarounds.




Core Components version 2.20.6 (and earlier) suffer from a reflected cross-site scripting (XSS) vulnerability in AdaptiveImageServlet via SVG images. An attacker with author access can upload a special crafted SVG image (including a malicious Javascript) and obtain a link that, when loaded by another authenticated users, will execute the malicious script and gain access to other user's session. The issue has been resolved in 2.20.8. There are currently no known workarounds.

**References**

*   GHSA-qcgc-6q86-7x2p
*   https://nvd.nist.gov/vuln/detail/CVE-2022-35697

GHSA-qcgc-6q86-7x2p: AEM WCM Core Components CVG Image vulnerable to Reflected Cross-site Scripting

Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems.
The new findings come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker

Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called **ROMCOM RAT** on compromised systems.

The new findings come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker **Tropical Scorpius**.

Cuba ransomware (aka COLDDRAW), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.

Of the 60 victims listed on its data leak site, 40 are located in the U.S., indicating a not as global distribution of targeted organizations as other ransomware gangs.

"Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims' networks," according to a December 2021 alert from the U.S. Federal Bureau of Investigation (FBI).

"Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim's network."

In the intervening months, the ransomware operation has received an upgrade with an aim to "optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate," per Trend Micro.

Chief among the changes encompassed terminating more processes before encryption (viz Microsoft Outlook, Exchange, and MySQL), expanding the file types to be excluded, and revision to its ransom note to offer victim support via quTox.

Tropical Scorpius is also believed to share connections with a data extortion marketplace called Industrial Spy, as reported by Bleeping Computer in May 2022, with the exfiltrated data following a Cuba ransomware attack posted for sale on the illicit portal instead of its own data leak site.

The latest updates observed by Unit 42 in May 2022 has to do with the defense evasion tactics employed prior to the deployment of the ransomware to fly under the radar and move laterally across the compromised IT environment.

"Tropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys," the company noted. "This targets and terminates security products. The dropper was not signed, however, the kernel driver was signed using the certificate found in the LAPSUS$ NVIDIA leak."

The main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated in the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions.

This, in turn, is achieved by triggering an exploit for CVE-2022-24521 (CVSS score: 7.8), a flaw in the Windows Common Log File System (CLFS) that was patched by Microsoft as a zero-day flaw in April 2022.

The privilege escalation step is followed by carrying out system reconnaissance and lateral movement activities through tools like ADFind and Net Scan, while also using a ZeroLogon utility that exploits CVE-2020-1472 to gain domain administrator rights.

Furthermore, the intrusion paves the way for the deployment of a novel backdoor called ROMCOM RAT, which is equipped to start a reverse shell, delete arbitrary files, upload data to a remote server, and harvest a list of running processes.

The remote access trojan, per Unit 42, is said to be under active development, as the cybersecurity firm discovered a second sample uploaded to the VirusTotal database on June 20, 2022.

The improved variant comes with support for a broadened set of 22 commands, counting the ability to download bespoke payloads to capture screenshots as well as extract a list of all installed applications to send back to the remote server.

"Tropical Scorpius remains an active threat," the researchers said. "The group's activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.

The findings come as emerging ransomware groups such as Stormous, Vice Society, Luna, SolidBit, and BlueSky are continuing to proliferate and evolve in the cybercrime ecosystem, at the same using advanced encryption techniques and delivery mechanisms.

SolidBit stands out for its targeting of users of popular video games and social media platforms by masquerading as different applications like a League of Legends account checker tool and tools like Social Hacker and Instagram Follower Bot, allowing the actors to cast a wide net of potential victims.

"SolidBit ransomware is compiled using .NET and is actually a variant of Yashma ransomware, also known as Chaos," Trend Micro noted in a write-up last week.

"It's possible that SolidBit's ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, later rebranding it as SolidBit."

BlueSky, for its part, is known to utilize multithreading to encrypt files on the host for faster encryption, not to mention adopt anti-analysis techniques to obfuscate its appearance.

The ransomware payload, which kicks off with the execution of a PowerShell script retrieved from an attacker-controlled server, also disguises itself as a legitimate Windows application ("javaw.exe").

"Ransomware authors are adopting modern advanced techniques such as encoding and encrypting malicious samples, or using multi-staged ransomware delivery and loading, to evade security defenses," Unit 42 noted.

"BlueSky ransomware is capable of encrypting files on victim hosts at rapid speeds with multithreaded computation. In addition, the ransomware adopts obfuscation techniques, such as API hashing, to slow down the reverse engineering process for the analyst."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Behind Cuba Ransomware Attacks Using New RAT Malware

Open source utility exposes payloads without running vulnerable Java code

Open source utility exposes payloads without running vulnerable Java code

A Log4Shell de-obfuscation tool that promises simple, rapid payload analysis without the risk of “critical side effects” has been showcased at Black Hat USA.

The open source ‘Ox4Shell’ utility was demonstrated on the Arsenal track in Las Vegas yesterday (August 10) by Daniel Abeles and Ron Vider of AppSec testing platform Oxeye.

**‘True intent’**

Abeles believes the tool offers a potent combination of benefits lacking among other de-obfuscators of the critical vulnerability in Apache Log4j, the Java logging utility so widely distributed that the ‘Log4Shell’ flaw (CVE-2021-44228) affects hundreds of millions of devices.

“I worked on a web application firewall \[WAF\] myself for several years, so I can personally relate to the struggle of understanding the true intent of obfuscated payloads and the challenge it poses to security teams,” he told The Daily Swig said in advance of his presentation.

RELATED ‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns

The researchers couldn’t find any other tools that were as easy to use as Ox4Shell – a simple Python script – but didn’t require the user to run any vulnerable code in the process.

“We emulated most of the transformations a parallel Java code would do, without the risk of running vulnerable Java code,” Abeles said. “This is especially important when integrating such tools in a production pipeline (e.g. WAF rules), to ensure no critical side effects.”

**Maximizing accuracy**

With obfuscated payloads “intimidating for most security engineers” and “time-consuming and tedious” for even the most experienced, Oxeye set out “to provide the security community a lean, simple way to de-obfuscate Log4Shell payloads.”

Abeles said the needs of AppSec engineers informed the tool’s specification, while the scarcity “of public obfuscated payloads to test Ox4Shell against” prompted them to “team up with several application security teams to gather a wide variety of payloads, so we can ensure minimum false negatives and false positives rate”.

Catch up on the latest Log4Shell news and analysis

This process culminated with Ox4Shell’s release in January 2022, a month after Log4Shell surfaced.

The tool counters threat actors’ attempts to circumvent WAF rules and complicate exploit analysis, by decoding obfuscated payloads, including base64 commands, “into an intuitive and readable form” – thus revealing their “true functionality” and “dramatically” reducing security teams’ analysis time.

**Mock data**

Oxeye says Ox4Shell enables defenders to comply with lookup functions that attackers can abuse via Log4Shell to identify targeted machines by feeding them mock data that they can control.

A mock.json file is used to insert common values into lookup functions. “For example, if the payload contains the value , we can replace it with a custom mock value,” reads the Ox4Shell GitHub page.

This ‘lookup mocking’ means users can “replace certain data lookups with mocked data, so the final result would look more realistic and well suited to the specific organization using it”, Abeles told The Daily Swig.

A recent US government report warned that vulnerable Log4j instances could persist for “a decade or longer”. With Ox4Shell set to remain useful for some time to come, Oxeye is planning to expand the tool’s capabilities to mock even more lookup functions based on community feedback.

TBC article TBC

Black Hat USA: Log4j de-obfuscator Ox4Shell ‘dramatically’ reduces analysis time

The Gumstix Overo SBC on the VSKS board through 2022-08-09, as used on the Orlan-10 and other platforms, allows unrestricted remapping of the NOR flash memory containing the bitstream for the FPGA.

**Background**

Subreption’s research and development team, for the past few months, has been dedicating manpower and resources to investigate and analyze military and paramilitary drone platforms operating in Asia and Europe. Our background is primarily vulnerability research and reverse engineering, enabling us to understand these platforms for both offensive and defensive purposes, including but not limited to detection, forensics data acquisition and active countermeasures.

**Demystifying the Orlan: a technical report**

As part of the announcement, we are releasing our first public report from the program, related to the Orlan (primarily Orlan-10) platforms in use by the armed forces of the Russian Federation. The Orlan-10 has been a center piece in the Russo-Ukrainian war of 2022, with sensational coverage from the press. Very little factual or in-depth information has been published, and most of the journalism involved has been heavily connected to counter-drone (CUAS) commercial vendors making claims without third-party verification.

We are taking the opportunity to release the first documented exploit against a military drone platform (in this case, one targeting the FPGA used in the Orlan-10 communications system), while providing in-depth analysis of the hardware and software internals, detailing the reverse engineering efforts involved. Hopefully, this invites and motivates others (including academia and industry peers) to publish factual, technically verifiable research instead of “marketing in disguise”. While the topic is sensitive, we have carefully assessed the information published, withholding details that might not be ready for public disclosure yet.

For the better and the worse, information related to the Orlan platform has been circulating in a mostly uncontrolled and unsupervised fashion with third-parties for the last few months.

In many cases, this was directly connected with for-profit organizations attempting to develop products for the Ukrainian market, and more often than not, security practices left much to be desired (admittedly, many of the organizations involved with CUAS products are not qualified as software security vendors, and typically radiofrequency engineers and hardware development vendors do not have a spotless security posture, most of them being wildly unaware of the state of the art in offensive security).

Contrary to propaganda, the Orlan platform, contains sophisticated original research and development, especially in its communications system. We are dedicated to providing truthful, unbiased information to our customers and the general public, as part of our principles and values, beyond any commercial, personal or political agenda.

**The report can be downloaded here:**

*   https://subreption.com/downloads/reports/demystifying-the-orlan-10\_opt.pdf (optimized PDF)
*   https://github.com/subreption/birdwatch-report-1-repo (including source code and additional files, mirror/fork freely)

**What does the exploit do?**

*   The exploit abuses a vulnerability in the FPGA application and Linux kernel driver, to remap access to the NOR flash memory containing the actual “application” or bitstream the FPGA boots from.
*   This allows rendering the drone inoperable and/or trojanizing the FPGA software.
*   Remote (over the network) vectors exist to abuse the vulnerability, allowing a full remote exploit chain to exist when paired with a traffic injection attack.

**Take-aways**

*   The technical report is the **first of its kind**, with no technical resources of reverse engineering or in-depth analysis of the Orlan-10. Every news piece to date merely focused on unverified claims or marketing attempts for products sold by CUAS vendors.
*   This is the **first publicly documented military drone vulnerability published or disclosed openly**.
*   The code to the FPGA NOR remapping exploit has been publicly released at https://github.com/subreption/birdwatch-report-1-repo/tree/master/src
*   The report and tools developed are the result of the BIRDWATCH program, a months-long initiative to collaborate with groups interested in independent, unbiased investigation of (mostly military) drone security.

**The BIRDWATCH program**

Subreption recently opened up the BIRDWATCH program to be more accessible and transparent, focusing on a non-commercial approach. Our intentions with the program are fairly straightforward: to provide reverse engineering and accurate analysis of drone platforms used for defensive and offensive purposes. We have successfully collaborated with multiple groups internationally, including groups based out of Ukraine.

The nature and motivations of the program are not political. We strive to remain impartial, focused on the technical details and unbiased analysis. We will consider cooperation with any organizations and individuals, with no discrimination, so as long as it is permitted by law, including any applicable restrictions due to sanctions.

**How to participate**

At the moment, there are two distinct venues for collaboration, for commercial and non-commercial engagements.

*   **If you are a non-government not-for-profit organization or institution**, not presently taking bribes or commissions in any shape or form from commercial vendors, we can offer pro bono services including research and forensics data analysis.
    *   This service requires transparency and accountability, as we will independently take the appropriate measures to **identify and validate partners and their affiliations**.
    *   We do not offer pro bono services to individuals, business entities or governments, with no exceptions.
    *   Any form of profit (direct or indirect) is an instant disqualifier from our “pro bono” work. This includes, but is not limited to, employment or income sources directly related or benefiting from activities related to cooperation with the program.
    *   Organizations engaging in procurement or contracting of foreign vendors and their products are typically excluded as well.
*   **If you are a for profit organization** (including but not limited to charities receiving financial aid and at the same time purchasing or engaging in the trade of high value products and services), we can offer competitive pricing on our consulting and research and development services.

While we might occasionally make exceptions, we do not engage with pseudonymous individuals or organizations without adequate accountability. We are also not interested in the illegal or illegitimate trade of hardware or captured systems. In order to protect both the work and the interests of all parties involved, Subreption will require both a Mutual Non-disclosure Agreement and a Non-compete Agreement signed by all the recipients of the information and hardware exchanged.

**Sending applications**

If you meet the criteria, feel absolutely **welcome** to contact us at including as much detail as possible in your application. **We will consider all applicants carefully on a case-by-case basis.**

**Conflicts of interest**

Subreption is not currently involved in the sale or procurement of counter drone-related products for Ukraine. All research related to military drone platforms until August 2022 has been provided free of charge, as part of the BIRDWATCH program.

Our staff has no assets or financial instruments associated in any way to any consumer or industrial drone (or counter-drone) vendor.

Subreption is providing pro bono consulting and research to multiple institutions in Europe and Asia, as well as volunteer organizations, in the context of information security (defensive and offensive).

**References**

*   US Army OE Data Integration Network (ODIN) resources on Orlan systems
*   Orlan-10 (Wikipedia)
*   Russia’s Deadly Artillery Drones Have A Strange Secret (Forbes)

**Updates**

Any updates and amendments to this press release will be listed in this section.

Press and media can reach us at regarding this announcement or any other inquiries.

Feel welcome to use PGP if you have sensitive information or special confidentiality needs.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mQGNBGLyeDQBDACk0Q63sgSuwrT0ovQO2hyYFW5fzSZD+8BeXbINNlJawnuv3FHR
    IQgeaG37sRWzVtsIrczFfpCz/MVeJ5HqzCLallnzQ4RBpFQifEA7TeQQTkF7iKCy
    2knpD3MpQ5RS2u9karo09sKf22yc43EJEuiD8I4LHlkHUHdzinFIr31206xyh7vM
    9hIC383lLf5+C8jJm6dnGepgKOiCh+MGAhgs42ahwkEjvYqRveX7OOTRf3JlUGqI
    ezTtk7+dDPpBQDC9feW5VctNrK4HJSUFzO/MOWezmr5J2dUZzt0Zr5R6N3neMNpu
    wV2QfGx41Jq+NytNVnTj7VdLPApICI7MLWu+r3y+qV2yvyvN0ZYVp7utAEm3a87S
    rXaRROTOdJwTQrS0dTgad5a2yGE4Z2r0sPGgmLZQQAzy+xh2T6Wf1MT7LwELLAyq
    PYEf/kYsQ6WTDnETJe976lnKcgM2ljTab9Nl2IHyEUg8i5uFEV8hLsHJH5UzH9oZ
    6cCSeHGopI8I5JkAEQEAAbQzU3VicmVwdGlvbiBMTEMgKFByZXNzL01lZGlhKSA8
    cHJlc3NAc3VicmVwdGlvbi5jb20+iQHUBBMBCgA+FiEEAeK3eZRmSGeYNCqsPyQj
    i1sneYgFAmLyeDQCGwMFCQPCZwAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
    PyQji1sneYjXfQwAj9V7l9cDKjQ8BzURR18I7H/3MqeuBDON+xMONHYiuOQVImaF
    L3t89+W2OFCGu3vHQB93lvL3htc/2QdUGmtwrVfUNVn/BGkEWa1vE8JyQfeWbvIi
    5CtG1XtEvSCifGyE5tgCG4lNVYp+37By6+UMfMHOgRPtP2YCQebCylujlln08xxA
    NC7DMbdpommk0oVc1glcyKnkyBh2r9Nqp8t/RccbA2K7n4GE4VOpcaetyujpH+gK
    zhvPk9e4NZDVMS6cIlKGvgooKkUMyS3ilhQVpwn6pSW/QWDhkle4Hkhi+srFzxGt
    tSmAUOFfZx9tOxQJcF5FvZm055mkG0hy+htYHr+DH0nMDlR3SWfNdJw81ar6W92X
    F1ub8gBJaChUFAAUSq2wQMTEwfCIdEhzBLj1tbW6jqknRkATWCGp9mGwTHR5p8A5
    puRQR/aPT8mkvGP2XbPW0vh5vyigHzHFp9F271mDtI75vMA6MRdT+7eGgef0Ag7+
    IjulZhJt45eANo6/uQGNBGLyeDQBDAC/SoQLyjSLAlka+i9NqdvKgRPW8sA8qZS+
    farFhJ1z6cyGryVDi6pNfoWud2QjcdnZED+WlvwVBC62d6SBCiUt7Oor+/LjMbFf
    Y09jkWNAS7HO5kTTP48Cuil6kPzUAaz9DFA8vywqsUD0rY9xhTP0DbGSYqhGOQUh
    sgQ/pfqmD/oEeEaEEp+lj2wngXngUEl+MQ36JgYL02Hby+zZtdOrtkqYZ0f+3wHc
    am2VfRM+kD83WiX5rNnM5JBDEV80wPSdASNrhzjGfw7U2XZpFbi1i+BdBz0KZjs3
    sIxEtXWZBERvaVFUqdPL/rRYCLzG477mjtyf3AIfhfGYxcYJM+flpoMwoWbbfAj9
    RuSyFGmDIBmOAlcorFvo4jfzJIS2SvtZqg5bUqE9LBFBTtj69XKnD79uNkNd6Enm
    SYqfLBnzhWzCV8LKncDMomhrwIhXtVXFcoqfAFpsp/Tvaey2nZv5yKRmMbs1+k18
    xnU+UA0ZWnCy38Fo2592ga7CEWur9I8AEQEAAYkBvAQYAQoAJhYhBAHit3mUZkhn
    mDQqrD8kI4tbJ3mIBQJi8ng0AhsMBQkDwmcAAAoJED8kI4tbJ3mItqwL/2suKQuA
    jKsC8smjwgM3phxZ1W2Oc/Pz6zGn1XrinO9xsezpUiflL/FZMKKH1E0hcxUboF5R
    VfJCFI3Oj6L8hayeSQqPYU5iayq5DPBcO5a4gxi8YmjyuG/NeGJW+u/uhnkvH6JQ
    XQ/BvzDqGOgFTv6WDcBfParA5VxUye1565flFiwg/pKYRiBa2SgB9F9Nw0hNJ/8u
    Xu2Zk7VB/6Je6A4klZQLnZMolYwNDpfqwdgbKS4M02EYk1M/6p1fiq5jjcrDI7id
    jDRC6OZIWWzWaQi2GaTfN0LW0fsoRHFTbV+cVHJRElTyS234ceyigyjlJ7twsf/D
    UmREdtboKx2O+026/OLmW+04BovXE6xzzM1yfBWEyfia3fahQuywqoVxqpNXi1ZO
    z1iwS/hcjEIe/6rhPgnAgsMMbO/dbZzVsZlJLtUN+LiUEC8WWFjn88FZB3d+kyP/
    khZAs7qBm41vruJH4mcmzI2VITT0m+7ree7yFagYPyZ2eywU60X4zMrFzg==
    =D+RF
    -----END PGP PUBLIC KEY BLOCK-----

CVE-2022-38161: BIRDWATCH program: Ghost in the Orlan: demystifying a military drone platform

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-1962

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.

Tag

#java