Weekly Reading's from Anant: Week #4

Anant Shrivastava
This week has been one of those weeks where you put your head down and prepare for the next few months. I am so excited about the next few weeks as we prepare to put the results out in public. As with all of my other projects, this one will again be open source.
Before we jump to new topics, last week's newsletter started an interesting discussion on Twitter.
Anant Shrivastava
🔥 Hot off the press: "Weekly Reading's from Anant - Feb Week 2" this week I have focused specifically on Software Supply Chain Attacks & my readings so far on that topic. https://t.co/RXVdX1knJo Please RT for reach and provide your feedback.
This resulted in multiple contributions; some of the interesting outcomes were:
  1. Kushal started the discussion with an example from SecureDrop. An interesting read/watch is his Rootconf talk on reproducible builds in Python.
  2. Abhisek chimed in with how they do things: dependency locking, private repos, and signed dependencies.
Whenever we talk about code, dependencies, and how fragile the world is right now, built on the shoulders of much smaller code bases, it reminds me of two things:
a. XKCD post on dependencies
XKCD: Dependencies: How the world stands on the shoulders of tiny entities
b. The funny situation called npm dependencies. We talked about these a few months back here, but Kingsly again pointed out that we still have so many packages depending on “left-pad”: a weekly download count of 3,967K for a package that is deprecated, whose GitHub repo is archived, and whose last update happened 3 years back.
left-pad - npm
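The practical question behind the left-pad number is "which of my own dependencies pull it in?". The following is an added example (not from the newsletter or from npm) that walks a lockfile-v1 style dependency tree and prints every chain ending at a named package; the lockfile content is constructed, and nested "dependencies" maps are resolved the way node_modules lookup nests them.

```javascript
// Constructed sample in the npm lockfileVersion 1 layout: each entry may
// declare "requires" (what it imports) and a nested "dependencies" map
// holding copies installed under its own node_modules.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "line-column": { version: "1.0.2", requires: { "left-pad": "^1.1.3" } },
    "left-pad": { version: "1.3.0" },
    "pretty-table": {
      version: "0.4.1",
      requires: { "left-pad": "^1.0.0" },
      dependencies: { "left-pad": { version: "1.0.2" } } // nested copy
    },
    "lodash": { version: "4.17.21" }
  }
};

// Resolve a required name like node_modules lookup: the nearest enclosing
// "dependencies" map wins, then walk outward to the root map.
function resolveRequire(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Depth-first walk; returns every chain (array of "name@version") that
// starts at a root dependency and ends at `target`.
function findDependencyChains(lock, target) {
  const chains = [];
  const walk = (name, node, scopes, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) { chains.push(here); return; }
    if (path.some((p) => p.startsWith(`${name}@`))) return; // cycle guard
    const nextScopes = [...scopes, node.dependencies];
    for (const req of Object.keys(node.requires || {})) {
      const child = resolveRequire(req, nextScopes);
      if (child) walk(req, child, nextScopes, here);
    }
  };
  for (const [name, node] of Object.entries(lock.dependencies || {})) {
    walk(name, node, [lock.dependencies], []);
  }
  return chains;
}

for (const chain of findDependencyChains(SAMPLE_LOCK, "left-pad")) {
  console.log(chain.join(" -> "));
}
```

Point it at a real package-lock.json (after JSON.parse) to see which direct dependencies are the ones keeping a deprecated package in your tree.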
However, discussions of this nature almost always end up turning towards ROI, giving defenders their rightful place, or finding the right balance between security and usability and whether “security is just support” or “security is bigger than just support”. I would selfishly plug my old article here:
The Glorification of Pentesters
With that covered, let's turn our sights to the events of the last week.
Sudo Bug: Baron Samedit CVE-2021-3156
This bug is one hell of a bug and is not ready to lose its shine. I talked about it in deep detail in my first newsletter. However, the exploit worked only on Ubuntu 20.04, 18.04 and Debian 10; other OS combinations were not exploitable because their older glibc lacked references the exploit relied on. This week a new blog post came out describing, in all gory detail, how the exploit can now work on Debian 9, CentOS 7, and Ubuntu 14.04.
Brave and Privacy Leak
Last week news came out that Brave was leaking DNS data for Tor requests, leaving every .onion address you visited in your service provider's DNS cache. Multiple things happened along with this. While Brave fixed the issue, they in parallel opened another bug report on the upstream service provider here, suggesting that there are other holes in the setup beyond this one. This thread covered the event.
yan
tl;dr
1. this was already reported on hackerone, was promptly fixed in nightly (so upgrade to nightly if you want the fix now)
2. since it's now public we're uplifting the fix to a stable hotfix

root cause is regression from cname-based adblocking which used a separate DNS query https://t.co/dLjeu4AXtP
Virtual Machines, OVA, and download bandwidth
While I have been messing around with all this, thefluffy007 contacted me over Twitter and we started discussing their Android VM work (VM available for download here). While discussing with them, I realized I have collected an extensive set of tricks around VM space optimization that result in a smaller OVA. So I sat down and listed all of them in a simple blog post:
VM Size reduction tips for OVA distribution
Vulnerability Disclosure, Bug Fixes and Ethics
Recently an interesting white paper was published in academia dealing with favicons and how they can be used to track people. It was a decent white paper and would not have made big headlines. However, the actions of the author presented a rather peculiar scenario and shot this white paper into the center of a massive debate.
TL;DR: The author realized Firefox is immune to the attack they were showing, but also that its behaviour deviates from the standard. So, without disclosing that this behaviour is what prevents the attack, they raised an issue to fix the behaviour. Had the fix been applied, Firefox would have become vulnerable to the attack.
1618257 - Firefox fails to load favicon from HTTP cache
Accepting Donations
Throughout my career I have not accepted donations; however, with so many projects running in parallel, it was something that always sat on my “things to do one day” list. If you feel my work in open source and security has helped you and you feel like supporting me, buy me a book/coffee.
Anant Shrivastava is open-source security solutions developer
More Reading
This brings me to the last section, covering multiple references I didn’t have time or space to cover in the newsletter.
  1. A Chrome exploit using Web Assembly (PoC Included): https://bugs.chromium.org/p/chromium/issues/detail?id=1146670
  2. Shield - An app to protect against process injection on macOS: https://github.com/theevilbit/Shield
  3. A tool focused on an unexplored side of AD attacks: the client being a macOS machine: https://www.xmcyber.com/introducing-machound-a-solution-to-macos-active-directory-based-attacks/
  4. Running Safe mode remotely and bypassing AV / EDR in Safe Mode: https://medium.com/@markmotig/bypass-av-edr-with-safe-mode-975aacecc809
I hope you enjoyed the newsletter. If you are reading it on the website, remember to subscribe so you can get it every week in your email. Till next time. Have a wonderful week.
Anant Shrivastava @anantshri

This infrequent newsletter contains my commentary around IT (sec) topics
Created with Revue by Twitter.
Bhopal, India