The pandemic maxed out our work-from-home stats, we forgot to cancel our coffee subscription and ended up hoarding Havana beans by accident, we hacked many boxes and investigated an incident or two. This article is a brief, informal overview of some things that happened at Pulse in 2021, and a chance to talk about some of that Stuff™ that happened.
The Business Stuff
We’ve continued to work on improving both our services and how we deliver them. We’ve hired two new folks, Josh and Michael. You might remember Michael from such articles as the TOTP multifactor bruteforcing article. We look forward to watching them hack many computers.
Services – Finding Vulnerabilities and Emulating Attackers in a slightly different way
We performed a whole bunch of hybrid security assessments in 2021. These deeper dives helped us understand more complex, interconnected solutions and figure out practical security risks associated with things like bespoke multi-master clustering algorithms and SaaS platforms built on cutting-edge cloud tech.
Our work in 2021 reinforced that for certain environments, the hybrid review approach resulted in a greater understanding, better analysis of the target’s cyber-security posture and a more accurate depiction of the risks facing the target. Personally, I’ve enjoyed the more collaborative nature of these engagements. Working with clients to figure out environments and their security issues has been very fulfilling. There is some more info about how these assessments work in https://pulsesecurity.co.nz/articles/hybrid-assessment.
Our red team and attacker emulation services have received some attention as well, with Scott leading the charge on refining our internal tooling and capabilities to better match the attackers we are emulating. We have some things on the horizon around a more measured and cost-effective approach to attacker emulation, but that’s something for another article later this year. Watch this space!
Reports – Iterations
Our service deliverables (read: technical reports) were refined further in 2021, and we’ve reinforced a few of our core principles with the aim of helping our clients both understand and reproduce what we’ve done, and better fix their vulnerabilities. Three principles that are worth mentioning here are:
- Practical advice – recommendations should be actionable. This means that if the vulnerability is in a vendor product or third-party library, the recommendations are written with the client as the intended audience. You probably aren’t going to write a patch for someone else’s proprietary software, but that doesn’t mean you can’t take steps to increase the system’s security posture. Practically, this led to more intelligible recommendations and a clearer path to addressing issues.
- Always Proof-Of-Concept (POC) – findings, wherever possible, include full POCs. This means exploit code, wordlists, etcetera. This led to an uptick of appendices and source code included with reports but meant our issues could be more easily reproduced by our clients and act as training materials. Worth it.
- Additional Resources – we don’t operate in a vacuum, and practically all the issues we discuss in our reports have other supporting information and external resources that can help clarify the specific vulnerability. We’ve nailed this down as a formal reporting policy, and all findings include links to external information to help explain the vulnerability and technology better.
By far, the lengthiest and most heated discussions we get into on the work chat are around reporting and technical finding specifics. Given how much focus we place on delivering well-thought-out reports, I don’t suspect that will be changing any time soon.
The Nerd Stuff
Some interesting technical and miscellaneous nerdy things happened in 2021, and I’ve decided to highlight a few of them below.
Bugs, bugs and more bugs.
We found a lot of security bugs in 2021. I pestered my colleagues to talk about a few memorable issues and here are some of the responses I received (after redacting and tweaking the info a little bit; these are real people’s systems after all).
Will found an abundance of SQL injection vulnerabilities in various ORM libraries throughout the year. Will explained one example in the article “ORM, HUH, what is it good for?”. This provided some interesting food for thought regarding security assumptions about underlying libraries and added some more weight to the section of our testing methodology that says: ‘Investigate underlying library usage and lib security’.
Adrian mentioned a particularly aggravating client-side parameter encryption implementation. This web application review involved a front-end JavaScript client which was encrypting all parameters and bodies sent to the server. This meant that before actually attacking anything, we had to write some software to decrypt the communications and let us manually issue requests. After this was done, several textbook high-severity vulnerabilities fell out even though this software had been around for a good while. This was a good reminder of security-through-obscurity, and how using it as the core security control can backfire. A bonus of the testing work was that we could then quantify the control’s efficacy in terms of hours of reverse engineering effort. Is it an effective anti-reversing control that makes an attacker’s life harder? Yes. How much harder? About four hours harder.
My favourite was a late entry into Bugs-of-2021. Rob found an issue during an internal network pentest where good ol’ network hijacking and insecure protocols came into play. He ended up intercepting FTP credentials for a backup server off the wire. This backup server held copies of the domain controller, which subsequently led to a sneaky KRBTGT harvesting, golden ticket issuing, and complete compromise of an otherwise reasonably tight network. This is an old-school bug chain, and it tickles me when something like this works. When you spend so much of your time learning new things, it’s easy to forget that 30ish-year-old techniques of stealing passwords off the wire are still effective.
Research
The Pulse research program continued throughout 2021, with 20% of technical staff’s time being dedicated to research. Research is a key part of how we maintain our testing methodologies, stay current with new technologies and develop new tooling and techniques. As Pulse has grown, we’ve made a determined effort to maintain our research time.
Sometimes, our research results in releases, conference talks and contributions to open-source tools. You can find our advisories and articles on the releases page, but I’d like to talk about a few others here.
Open-source Contributions
2021 involved quite a few open-source contributions and new projects from Pulse staff. These included:
- Adding in timing detection and sniper modes to the FFUF web application fuzzer
- Adding in mingw/clang cross compilation support to the SysWhispers2 project
- Maintenance of the Sourcemapper, Fuzzotron and Glorp projects
- Development and publishing of various tool-bundle and hacker-helper projects
- Adding in IPv6 support into InteractSH
You can check out some of the work from Pulse staff at Michael’s SourceHut page and my GitHub page.
We’ll try to make some more noise about what we’re doing in the FOSS space in the future. You can follow @pulsesecuritynz on Twitter if you’d like to hear more about this throughout the year.
Conference Talks
Adrian and I both submitted to Kawaiicon, and both talks were accepted! Woo! Kawaiicon has been postponed until the middle of this year, so if you’re in attendance we’ll see you there. The blurbs for these talks are available below:
- Malware Analysis when you don’t have time for Malware Analysis - https://kawaiicon.org/talks/malware-IR/
- From Bits to Burnouts – Practical Vehicle Reverse-Engineering - https://kawaiicon.org/talks/vehicle-RE/
Summary
We’ve all been battling with working through a pandemic. I’d be lying if I said 2021 was amazing and great and only good stuff happened. But hey, we went through it together, managed to achieve some things and have a laugh or two along the way.
What does 2022 hold? Let’s see! I’m excited to find out.