Josh Pitts

I can be Apple, and so can you

A Public Disclosure of Issues Around Third Party Code Signing Checks Summary: A bypass found in third party developers’ interpretation of code signing API allowed for unsigned malicious code to appear to be signed by Apple. Known affected vendors and open source projects have been notified and patches are available. However, more third party security, forensics, and incident response tools that use the official code signing APIs are possibly affected. Developers are responsible for using...

Josh Pitts

Hey Chef, What's the Length of your Encrypted Password?

TL;DR This post takes a quick look at Chef Data-Bags and SaltStack Pillar (GPG.Renderer) and identifies methods to determine if encrypted information leaks details about the plaintext, such as password length, that could aid an attacker. Introduction Does your organization, or one you are testing/auditing, use Chef Data Bags or SaltStack Pillar with the GPG.renderer to secure secrets for deployment and operations? If so, you have probably looked at these encrypted blobs of data and thought,...

Josh Pitts

Teaching Shellcode New Tricks - DEF CON 25 Addition

My REcon Brussels talk of the same title was accepted for DEF CON 25. It was supposed to be a release of x64 bit Import Address Table (IAT) based payload parsing stubs to get them into the Metasploit Framework as a feature. It was supposed to be straight forward, no issues, no surprises kind of talk. Until June 18th, everything was great. Then I checked twitter. Surprise, Surprise! Microsoft is shipping in Windows 10 RS3 not only EMET in the Windows Kernel, but they added an Import Address...

Down the SAML Code

Working for an identity company like Okta forces you to constantly be aware of new, old and obscure authentication methods — and also encourages you to dive deep into the underlying protocol to discover whether engineers have correctly implemented the technology. Okta’s Research & Exploitation Team does exactly that, by researching commonly used libraries, protocols and security methods. At Okta we work by the idea that security is not just about how good your code is — it’s about securing...

Josh Pitts

Fido: Teaching Old Shellcode New Tricks

Last month at the initial REcon Security Conference in Brussels, I gave a talk on ‘Teaching Old Shellcode New Tricks’ or breathing new life into existing MetaSploit Framework (MSF) Windows exploit payloads.  During the talk, I released Fido, a tool that enables penetration testers to bypass EMET EAF/Caller protections and various antivirus provider detections by modifying existing MSF payloads on the fly. The talk is a result of research that led to a surprising conclusion: A stable EMET EAF...

Josh Pitts

A Peek at 0patch

TL;DRThere has been some recent buzz around hot-patching with 0patch and the longevity it could add to end-of-life, unsupported software via crowd sourced community patches. This post provides a primer on hot patching and explores some of the vulnerabilities and attacker usages of 0patch. Overall, while 0patch could be useful for edge case end-of-life scenarios, it opens attacker avenues for performing subtle modifications to fully patched systems making the defender’s job exponentially more...

Josh Pitts and Travis Morrow

New Vectors, New Keys – Updated EBOWLA

Six months ago, Okta’s Infosec team built on the work of Riordan and Schneier to create an open source, environmentally-targeted keying solution, EBOWLA, for the security community to research, tear apart and learn from. Today, we’re pleased to share an update on the project we presented at the Ekoparty Security Conference in Buenos Aires. Our hope is that defenders and reverse engineers can make use of the project updates to validate their preparedness and techniques against highly targeted...

Josh Pitts

Deploying JAMF Server Software: Just Check the Box

Overview We came across a default setting in JAMF Software Server (JSS), which we believe can put companies leveraging the solution at risk. Organizations should make sure they have enabled a very simple configuration setting, e.g. checking a box. We alerted JAMF Software and it has been responsive with its next steps to address the issue. What is JAMF Software? JAMF Software encompasses a number of solutions for fleet management of Apple products, including their own Apple MDM. Specifically...

Josh Pitts

The EMET Serendipity: EMET's (In)Effectiveness Against Non-Exploitation Uses

TL;DR This post discusses a method of bypassing Microsoft’s Enhanced Mitigation Toolkit (EMET) protections post Address Space Layout Randomization/Data Execution Prevention (ASLR/DEP) protections. The closer your position independent execution shellcode is to working like compiled code, the harder it will be to stop with bolt-on user-land protections. DEP/ASLR/SEH are still solid protections: all the additional protections are to stop people that can't write their own payloads. The production...

Josh Pitts and Travis Morrow

DIY Genetic Malware: EBOWLA

Back in 1998, the year that Mongolia went from a 46 hour to a 40 hour work week, another ground breaking event happened— the publishing of Environmental Key Generation towards Clueless Agents by Riordan and Schneier. This paper discussed using environmental factors on a host as a means to encrypt and protect data and code from inspection. The idea discussed is simple: use unique identifiable information from the host as the key to encrypt the data/code you want to protect. If encrypted blobs...

Page 3 of 3