December 2019 Summaries
11 posts from GitHub
Filter
Month:
Year:
Post Summaries
Back to Blog
In the final installment of a four-part series, Kevin Backhouse discusses the exploitation of a vulnerability in the Ubuntu crash reporting tool "whoopsie," identified as CVE-2019-11484. This vulnerability, an integer overflow leading to a heap buffer overflow, can be exploited by chaining it with another vulnerability to obtain the Address Space Layout Randomization (ASLR) offsets of whoopsie, ultimately allowing a shell to be obtained as the whoopsie user. The exploit involves manipulating memory allocation using a flaw in the bson_ensure_space function from an old libbson fork, which fails to allocate additional memory when required due to an integer overflow. This leads to a heap buffer overflow that overwrites parts of the memory allocator, the GSlice allocator, enabling the execution of arbitrary code. Despite challenges such as the need for valid UTF8 strings and the constraints of the ASLR, Backhouse devised a method to exploit the vulnerability by redirecting memory allocation to crafted objects, allowing for the execution of a shell script. He also shares insights and the learning process throughout his research, aiming to enhance open-source software security by identifying and mitigating vulnerabilities.
Dec 23, 2019
2,818 words in the original blog post.
In this third post of a four-part series, security researcher Kevin Backhouse delves into the apport CVE-2019-15790 vulnerability, which allows a local attacker to obtain ASLR offsets of any process they can control. The vulnerability arises from using PIDs as authorization tokens, which can be recycled and reassigned, enabling attackers to trick apport into leaking sensitive information. Backhouse explores two exploitation plans, with the second, Plan B, proving successful. This plan involves deliberately crashing an innocuous process to manipulate the PID recycling system, allowing a privileged process to be assigned the same PID. By pausing apport during this transition, Backhouse accesses sensitive information from the /proc/[pid]/maps file, crucial for gaining ASLR offsets. This exploit is part of a broader strategy targeting the whoopsie daemon, which will be further explored in the final post of the series, focusing on exploiting a heap buffer overflow vulnerability to gain code execution.
Dec 19, 2019
1,566 words in the original blog post.
In the second post of a series on Ubuntu's crash reporting system, Kevin Backhouse examines the apport CVE-2019-7307 vulnerability, a TOCTOU flaw that allows local attackers to include the contents of any file in a crash report by exploiting symlinks and timing. Apport's mechanism for temporarily dropping privileges creates a window where a symlink can redirect file reading to unauthorized files, bypassing permission checks. The exploit involves precise timing to replace a file with a symlink, manipulating locks, and using signals to crash apport in a way that includes sensitive file contents in a crash report. Although the exploit is reliable, the resulting crash report is owned by root, limiting access unless further vulnerabilities, such as those in the whoopsie daemon, are exploited. Backhouse provides a proof-of-concept exploit on GitHub and plans to explore related vulnerabilities in subsequent posts.
Dec 17, 2019
2,525 words in the original blog post.
GitHub's Black Employee Resource Group, Blacktocats, organized their first hackathon event in Africa, the CodeNaija Hackathon 2019, held in Lagos, Nigeria, aiming to empower Black lives in tech and highlight the fast-growing Nigerian open source community. The event drew over 100 mid-level and senior software engineers from more than 800 applicants, with participants working in teams to devise technological solutions to social issues in Nigeria. Ahead of the hackathon, a developer roundtable was conducted in partnership with Ingressive, bringing together developers and social entrepreneurs to discuss the community ecosystem. The event was supported by partners such as Andela, Flutterwave, Microsoft, and M12, who provided resources and sponsorship, underscoring the collaborative effort to connect with and understand the local developer community.
Dec 16, 2019
308 words in the original blog post.
GitHub announced that while GitHub Enterprise and related products are no longer available for purchase through the AWS Marketplace as of May 12, 2021, customers interested in these services should contact GitHub's sales team directly. This decision came after GitHub initially made its Enterprise products available on the AWS Marketplace, responding to user feedback that highlighted compliance and budgetary benefits of purchasing through this channel. The AWS Marketplace listing had offered flexible purchasing options, including self-serve and custom orders for GitHub Enterprise Cloud and Server, appealing particularly to AWS Enterprise Discount Plan customers who could utilize their credits. Despite the change, GitHub remains committed to enhancing the GitHub Enterprise experience on AWS by collaborating with AWS, GitHub Partners, and customers.
Dec 16, 2019
284 words in the original blog post.
GitHub Enterprise Cloud has introduced IP allow lists in public beta, enabling businesses to restrict access to their enterprise assets to a specified set of IP addresses, enhancing security by ensuring that credentials like personal access tokens can only be executed from approved locations. This feature leverages IP filtering based on CIDR notation, applicable to all user credentials, including administrators, and is configured at the enterprise or organization account level. It is particularly beneficial for managing access pathways for remote contractors who cannot access a corporate VPN. While IP allow lists apply to private resources, they do not affect traffic to public repositories. Feedback on this feature is encouraged during the beta period through GitHub's product feedback contact form.
Dec 12, 2019
360 words in the original blog post.
In the overview of vulnerabilities in Ubuntu's crash reporting system, five specific issues are highlighted: CVE-2019-7307, CVE-2019-11476, CVE-2019-11481, CVE-2019-11484, and CVE-2019-15790. While two of these vulnerabilities pose low-severity local denial-of-service risks, the others present a more serious threat by allowing local unprivileged attackers to read arbitrary files, leading to a read-only local privilege escalation vulnerability. This could enable attackers to access sensitive information such as SSH keys. The exploit chain of these vulnerabilities includes CVE-2019-15790, which helps in obtaining ASLR offsets that facilitate the exploitation of memory corruption vulnerabilities. The vulnerabilities were disclosed and subsequently fixed in updates released in July and October 2019. The article also delves into the architecture of Ubuntu's crash reporting system, highlighting its components like apport and whoopsie, and discusses the security boundaries, attack surfaces, and mitigation strategies for the system.
Dec 12, 2019
1,897 words in the original blog post.
GitHub's security vulnerability alert system has significantly impacted the software development community by sending over 62 million alerts for vulnerable dependencies, leveraging a combination of dependency graphs and curated lists of known vulnerabilities from various sources. This system operates by parsing dependency manifest files to build a dependency graph, which then triggers alerts when vulnerabilities are detected, using data from the National Vulnerability Database, open-source maintainers, community sources, and partners like WhiteSource. A machine learning model filters vulnerabilities, and a team of experts manually curates the data to ensure accuracy before notifying affected users. GitHub Enterprise Server offers a similar experience with added privacy considerations. The process of vulnerability curation is complex, as highlighted by Rob Schultheis, a member of GitHub's security team, who shares insights into the challenges and successes of managing security alerts. The system aims to enhance the public good by publishing curated vulnerabilities for community and enterprise use, while feedback from users is utilized to continuously improve the feature.
Dec 11, 2019
1,048 words in the original blog post.
Git has released security patches for versions 2.24 and older to address multiple vulnerabilities, particularly emphasizing the importance of updates for Windows users due to specific CVEs that could lead to remote code execution when cloning untrusted repositories. Although users of other operating systems are also urged to update, precautions can be taken if immediate updates are not possible, such as avoiding certain commands with untrusted repositories and not cloning into NTFS mounts. While the new releases offer partial protection against exploitative pushes, they do not cover all scenarios, necessitating user updates rather than relying solely on hosting providers. These security fixes will be included in the next patch release for GitHub Enterprise Server's supported versions, and it's crucial for users to update to the newly available Git 2.24.1 to mitigate these risks.
Dec 10, 2019
269 words in the original blog post.
Creating a GitHub repository marks a significant milestone for developers, whether novices or experts, as it provides a personal space for code storage and collaboration. The #myfirstrepo contest invited participants to share stories of their inaugural repositories, leading to over 500 entries showcasing diverse experiences, such as securing a NASA job through pull requests. Two notable stories featured GitHub Education students: Zé Vinícius, who started with a fork of an open-source astronomy project and advanced to a role with NASA, and Rea, who began with a simplistic game backend and evolved into an entrepreneur developing a collaborative GitHub integration called Toast. Their journeys illustrate how initial GitHub experiences can lead to significant career advancements and contributions to open-source communities.
Dec 10, 2019
942 words in the original blog post.
Security has become a top priority for organizations, especially in environments like GitHub Enterprise Server, where secure collaboration is essential. To enhance security without hindering collaboration, GitHub Enterprise admins can employ advanced features and best practices such as enforcing strong password guidelines, using two-factor authentication (2FA), and integrating with identity management systems like SAML, CAS, or LDAP. These measures help in fine-tuning access control by implementing a least privilege model, which restricts permissions to necessary levels only, thereby minimizing risks. Additionally, enabling security alerts for vulnerable dependencies and utilizing log aggregation tools for auditing and monitoring are crucial for maintaining a secure environment. Regular maintenance, including periodic audits of users and SSH keys, ensures that unauthorized access is prevented. GitHub Professional Services offers support in setting up and maintaining these security measures, providing organizations with comprehensive reviews and consultations to optimize their security and software development practices.
Dec 05, 2019
1,388 words in the original blog post.