Shamir Secret Sharing
https://max.levch.in/post/724289457144070144/shamir-secret-sharing [max.levch.in]
2023-08-06 21:38
tags:
auth
c
crypto
development
programming
security
unix
It’s 3am. Paul, the head of PayPal database administration carefully enters his elaborate passphrase at a keyboard in a darkened cubicle of 1840 Embarcadero Road in East Palo Alto, for the fifth time. He hits Return. The green-on-black console window instantly displays one line of text: “Sorry, one or more wrong passphrases. Can’t reconstruct the key. Goodbye.”
This is the story of a catastrophic software bug I briefly introduced into the PayPal codebase that almost cost us the company (or so it seemed, in the moment.)
Today, should you try to read up the programmer’s manual (AKA the man page) on getpass, you will find it has been long declared obsolete and replaced with a more intelligent alternative in nearly all flavors of modern Unix.
source: Dfly
BitLocker Lockscreen bypass
https://secret.club/2021/01/15/bitlocker-bypass.html [secret.club]
2021-01-18 00:41
tags:
auth
exploit
security
turtles
windows
BitLocker is a modern data protection feature that is deeply integrated in the Windows kernel. It is used by many corporations as a means of protecting company secrets in case of theft. Microsoft recommends that you have a Trusted Platform Module which can do some of the heavy cryptographic lifting for you.
If we smash shift 5 times in quick succession, a link to open the Settings app appears, and the link actually works. We cannot see the launched Settings app. Giving the launched app focus is slightly tricky; you have to click the link and then click a place where the launched app would be visible with the correct timing. The easiest way to learn to do it is, keep clicking the link roughly 2 times a second. The sticky keys windows will disappear. Keep clicking! You will now see a focus box is drawn in the middle of the screen. That was the Settings app, and you have to stop clicking when it gets focus.
Accessibility UX wins again.
source: HN
Stealing Your Private YouTube Videos, One Frame at a Time
https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/ [bugs.xdavidhu.me]
2021-01-11 19:53
tags:
auth
cloud
investigation
security
web
I quickly Googled “base64 to image”, and pasted the base64 into the first decoder I found, and it displayed a thumbnail from the target Private video! It worked! I have found a working IDOR (Insecure Direct Object Reference) bug, where I could get a frame from any private video on YouTube!
source: HN
Bouncy Castle crypto authentication bypass vulnerability revealed
https://www.bleepingcomputer.com/news/security/bouncy-castle-crypto-authentication-bypass-vulnerability-revealed/ [www.bleepingcomputer.com]
2020-12-20 01:19
tags:
auth
hash
java
security
That is, the Bcrypt.doCheckPassword() function responsible for performing a byte-by-byte password hash match has an erroneous logic in place.
“The code checks for an index of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match,” reads the report published by Synopsys.
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
PAM Bypass: when null(is not)ok
https://linderud.dev/blog/pam-bypass-when-nullis-notok/ [linderud.dev]
2020-11-25 01:55
tags:
auth
exploit
linux
security
turtles
The commit attempts to avoid a timing attack against PAM. Some attacker can know valid user names by timing how quickly PAM returns an error, so the fix is to use an existing user in the system we always validate against to ensure a consistent timing. But which user is always present on a Linux system? root!
The code does not check if root has any valid passwords set. An invalid user would fail, loop over to root and try validate. root has no password. It’s blank. We have nullok set. And we have pam_permit.so. The invalid user is authenticated. We have enough information to do a quick POC.
1 + 1 = 3.
source: L
Enter the Vault: Authentication Issues in HashiCorp Vault
https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html [googleprojectzero.blogspot.com]
2020-10-11 21:11
tags:
auth
cloud
exploit
security
This is tediously complex, IMO (as someone who doesn’t use the service in question), but the conclusion is worth considering.
In my experience, tricky vulnerabilities like this often exist where developers have to interact with external systems and services. A strong developer might be able to reason about all security boundaries, requirements and pitfalls of their own software, but it becomes very difficult once a complex external service comes into play. Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity. As more and more companies move to the big cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be a lot of similar issues in the next few years.
Finally, both discussed vulnerabilities demonstrate how difficult it is to write secure software. Even with memory-safe languages, strong cryptography primitives, static analysis and large fuzzing infrastructure, some issues can only be discovered by manual code review and an attacker mindset.
The Watchdog Hydra
https://thedailywtf.com/articles/the-watchdog-hydra [thedailywtf.com]
2020-09-29 01:23
tags:
auth
bugfix
concurrency
Ammar checked, and sure enough, his code was sending hundreds of thousands of requests per second. It didn’t take him long to figure out why: requests from the watchdog were failing with a 500 error, so it called the login method. The login method had been succeeding, so another watchdog got scheduled. Thirty seconds later, that failed, as did all the previously scheduled watchdogs, which all called login again. Which, on success, scheduled a fresh round of watchdogs. Every thirty seconds, the number of scheduled calls doubled. Before long, Ammar’s code was DoSing the API.
Fun times.
JWT none
https://twitter.com/__agwa/status/1288953720668119045 [twitter.com]
2020-08-01 01:46
tags:
auth
security
tweet
web
Every time there is another JWS/JWT vulnerability involving “alg“:“none” (like today, lolsob), people focus on the “none” part. But the real problem is the “alg” part.
source: white
CVE-2020–9934: Bypassing TCC
https://objective-see.com/blog/blog_0x4C.html [objective-see.com]
2020-07-30 16:50
tags:
auth
exploit
mac
security
The Transparency, Consent, and Control (TCC) Framework is an Apple subsystem which denies installed applications access to ‘sensitive’ user data without explicit permission from the user (generally in the form of a pop-up message)
source: L
Zero-day in Sign in with Apple
https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/ [bhavukjain.com]
2020-05-30 21:35
tags:
auth
cloud
exploit
security
web
In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.
source: HN
Experiences with email-based login
https://www.arp242.net/email-auth.html [www.arp242.net]
2020-05-18 05:22
tags:
auth
email
ux
web
The way it originally worked is that you would sign up with your email, and to login a “magic link” with a secret token would be emailed to you, which will set the cookie and log you in. I did it like this after a suggestions/discussion at Lobste.rs last year, and I thought it would be easier to implement (it’s not) and easier for users (it’s not).
source: L
Psychic Paper
https://siguza.github.io/psychicpaper/ [siguza.github.io]
2020-05-02 00:39
tags:
auth
exploit
hash
iphone
security
text
turtles
Yesterday Apple released iOS 13.5 beta 3 (seemingly renaming iOS 13.4.5 to 13.5 there), and that killed one of my bugs. It wasn’t just any bug though, it was the first 0day I had ever found. And it was probably also the best one. Not necessarily for how much it gives you, but certainly for how much I’ve used it for, and also for how ridiculously simple it is. So simple, in fact, that the PoC I tweeted out looks like an absolute joke. But it’s 100% real.
I dubbed it “psychic paper” because, just like the item by that name that Doctor Who likes to carry, it allows you get past security checks and make others believe you have a wide range of credentials that you shouldn’t have.
source: grugq
Surrounded by Elligators: Implementing Crypto With Nothing to Compare to
http://loup-vaillant.fr/articles/implementing-elligator [loup-vaillant.fr]
2020-04-16 15:52
tags:
auth
crypto
development
security
When I first learned about Elligator, I sought the reference implementation so I could get a feel of what was going on. There were none, though. Even SUPERCOP limited itself to a Curve448goldilocks instantiation, there was nothing for Curve25519. Oh well, at least there’s no harm in looking at the paper for now.
And then the murders began.
source: L
Webcam Hacking
https://www.ryanpickren.com/webcam-hacking [www.ryanpickren.com]
2020-04-03 22:45
tags:
auth
browser
exploit
iphone
mac
security
turtles
web
The story of how I gained unauthorized Camera access on iOS and macOS
We are beginning to form the attack plan - if we can somehow trick Safari into thinking our evil website is in the “secure context” of a trusted website, we can leverage Safari’s camera permission to access the webcam via the mediaDevices API.
Microsoft's Chain of Fools
https://blog.lessonslearned.org/chain-of-fools/ [blog.lessonslearned.org]
2020-01-15 17:59
tags:
auth
crypto
security
turtles
windows
Hacking GitHub with Unicode's dotless 'i'.
https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/ [eng.getwisdom.io]
2019-12-17 02:51
tags:
auth
best
email
security
text
turtles
web
GitHub’s forgot password feature could be compromised because the system lowercased the provided email address and compared it to the email address stored in the user database. If there was a match, GitHub would send the reset password link to the email address provided by the attacker- which was technically speaking, not the same email address.
This is beautiful.
source: HN
Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
https://marc.info/?l=oss-security&m=157609898721656&w=2 [marc.info]
2019-12-11 23:22
tags:
auth
exploit
malloc
openbsd
programming
security
1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so:
1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit:
Authentication vulnerabilities in OpenBSD
https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt [www.qualys.com]
2019-12-04 20:08
tags:
auth
development
exploit
openbsd
programming
security
We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
It’s super easy to bypass Android’s hidden API restrictions
https://www.xda-developers.com/android-development-bypass-hidden-api-restrictions/ [www.xda-developers.com]
2019-11-10 02:35
tags:
android
auth
development
exploit
java
security
The API blacklist tracks who’s calling a function. If the source isn’t exempt, it crashes. In the first example, the source is the app. However, in the second example, the source is the system itself. Instead of using reflection to get what we want directly, we’re using it to tell the system to get what we want. Since the source of the call to the hidden function is the system, the blacklist doesn’t affect us anymore.
The call is coming from inside the system!
source: grugq
'Mario Maker 2' Creators Are Using Cryptography to Make Impossible Levels
https://www.vice.com/en_us/article/qvg5aw/mario-maker-2-creators-are-using-cryptography-to-make-impossible-levels [www.vice.com]
2019-11-08 02:59
tags:
auth
crypto
development
gaming
security
A strange competition has popped up to create levels with audacious passcodes that you could spend a lifetime trying to guess.
source: cox