In this article, we'll discuss possible avenues of abuse that may result in code and command injection in otherwise seemingly secure workflows. Our examples are based on real-world GitHub workflow implementation vulnerabilities the GitHub Security Lab has reported to maintainers.
Jaroslav LobačevskiThe GitHub Security Lab is celebrating its very first birthday! In this post we will highlight some of our inaugural research findings and initiatives as we gear up for the 2021 bug hunting season.
GitHub Security Lab TeamIn this post we look back on one year of building a home for the security research' community on GitHub, and announce exciting milestones and next steps for our bounty program
GitHub Security Lab TeamIn this article, we'll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilities the GitHub Security Lab has reported to maintainers.
Jaroslav LobačevskiAimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.
Bas AlbertsThis blog describes a security vulnerability in the infrastructure that supports Germany’s COVID-19 contact tracing efforts. The mobile (Android/iOS) apps are not affected by the vulnerability and do not collect and/or transmit any personal data other than the device’s IP address. The infrastructure takes active measures to disassociate true positives from client IP addresses.
Alvaro MuñozUbuntu 20.04 local privilege escalation using vulnerabilities in gdm3 and accountsservice (CVE-2020-16125, CVE-2020-16126, CVE-2020-16127)
Kevin BackhouseIn this post I'll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I'll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.
Man Yue MoIn this post we recap the intended solutions for the GitHub levels of the EkoParty 2020 main CTF.
Bas AlbertsSecurity is a complex area. One software component may break the assumptions made by another component and it is not always clear who should fix the code to remediate the security implications.
Jaroslav LobačevskiIn this post we will talk about how we identified an important design detail in a C library called eventmachine and how it undermined the security of several ruby packages.
Agustin GianniAimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.
Bas AlbertsIn this second installment, I’ll delve into the research conducted on FreeRDP (http://www.freerdp.com/).
Antonio Moralesin this Q&A with Alvaro Muñoz, dive in a recent research that uncovered more than 30 CVEs across 20 different CMS.
GitHub Security Lab TeamIn this second part of a two-part series about common challenges you usually face in your fuzzing work, we'll visit some advanced fuzzing tricks.
Antonio MoralesIn this post I'll give some details of how to use libprotobuf-mutator on Android to fuzz the NFC component.
Man Yue MoIn this post I'll show how input validation which should be used to prevent malformed inputs to enter our applications, open up the doors to Remote Code Execution (RCE).
Alvaro MuñozIn this post I'll look at some use-after-free vulnerabilities in Chrome which were the result of object lifetime misassumptions based on objects being kept alive unexpectedly in audio callbacks.
Man Yue MoA glibc heap exploitation tutorial, using a heap buffer overflow in SANE Backends as an example.
Kevin BackhouseThis post details how an open source supply chain malware spread through build artifacts. 26 open source projects were backdoored by this malware and were actively serving backdoored code.
Alvaro MuñozWe examine the dangers of network integer arithmetic based on a case study of flaws reported to the ntop project.
Bas AlbertsIn this post I'll show how garbage collections (GC) in Chrome may be triggered with small memory allocations in unexpected places, which was then used to cause a use-after-free bug.
Man Yue MoAntonio shares his research on socket-based fuzzing, starting with the audit of three widely-used FTP servers. With details on interesting CVEs found along the way.
Antonio MoralesIn this first part of a series about cryptography, Agustin explores identity validation issues in TLS.
Agustin GianniLearn more about how we found ways to scale our vulnerability hunting efforts and empower others to do the same. In this post, we’ll take a deep-dive in remediation of CVE-2020-8597 with CERT.
Nico WaismanLearn about how reusing hardcoded HMAC keys led to remote code execution on Exchange servers.
Alvaro MuñozLearn about Reflected File Downloads by reviewing how Spring MVC and WebFlux were affected.
Alvaro MuñozThe story of how I became an Exiv2 contributor last year, and joined the struggle to escape from the fuzzing police.
Kevin BackhouseGCHQ Stroom is vulnerable to Cross-Site Scripting due to the ability to load the Stroom dashboard on another site and insufficient protection against window event origins.
Jonathan LeitschuhThis is the first part of a two-part series about common challenges you usually face in your fuzzing work.
Antonio MoralesIn this post I’ll discuss some recent Chromium IPC vulnerabilities discovered by the security research community and how analyzing them helped me to discover new ones.
Man Yue MoThis is the fourth and final post in a series about Ubuntu's crash reporting system. We'll review CVE-2019-11484, a vulnerability in whoopsie which enables a local attacker to get a shell as the whoopsie user, thereby gaining the ability to read any crash report.
Kevin BackhouseThis is the third post in a series about Ubuntu's crash reporting system. We'll review CVE-2019-15790, a vulnerability in apport that enables a local attacker to obtain the ASLR offsets for any process they can start (or restart).
Kevin BackhouseThis is the second post in our series about Ubuntu's crash reporting system. We'll review CVE-2019-7307, a TOCTOU vulnerability that enables a local attacker to include the contents of any file on the system in a crash report.
Kevin BackhouseFollow GitHub security researcher Agustin Gianni in his bug hunting process, from threat modeling to variant analysis.
Agustin GianniLearn how I found wireless vulnerabilities in the Linux Kernel, and variants, thanks to CodeQL.
Nico WaismanGitHub security researcher Kevin Backhouse describes a new integer overflow vulnerability in libssh2 and explains the benefits of using variant analysis with QL when reporting a vulnerability.
Kevin BackhouseIn-memory data grid applications often make heavy use of serialization to transfer data. Our security researchers look at Java deserialization vulnerabilities in Apache Geode, Red Hat Infinispan, Ignite, and Hazelcast.
Man Yue MoGitHub Security Lab’s research team discovers 11 bugs in VLC, the popular media player. The VLC vulnerability CVE-2019-14438 could potentially allow an attacker to take control of the user’s computer.
Antonio MoralesSemmle’s security research team discovers 13 U-Boot RCE vulnerabilities in its bootloader, which is commonly used by IoT, Kindle, and ARM ChromeOS devices.
Fermin J. SernaGet a technical deep dive into some libssh2 integer overflows and an out-of-bounds read. GitHub security researcher Kevin Backhouse shows how the vulnerability can be triggered by connecting to a malicious ssh server.
Kevin BackhouseDeserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code. We can use CodeQL, the code query technology of LGTM, to find such deserialization vulnerabilities.
Anders Schack-MulligenAn unauthenticated remote attacker could trigger an infinite loop in Fizz, Facebook's open source TLS library.
Kevin BackhouseThis post describes how I used variant analysis to develop an exploit for Ghostscript CVE-2018-19134, a type confusion vulnerability that allows arbitrary shell command execution.
Man Yue MoThis post describes how to perform variant analysis with CodeQL to catch missing type checking in Ghostscript, leading to the discovery of 3 new type confusion vulnerabilities (CVE-2018-19134, CVE-2018-19476, CVE-2018-19477)
Man Yue MoThis post describes how I carried out variant analysis on a vulnerability found by Google Project Zero member Tavis Ormandy and ended up with a new one.
Man Yue MoA few weeks ago, we disclosed 6 vulnerabilities in Apple's XNU operating system kernel. This post gives the details of our proof-of-concept exploits. It also explains how a query helped us find a path to the vulnerable code.
Kevin BackhouseThis post reviews various security measures that were implemented in Apache Struts to constrain the power of OGNL, and how to bypass them (up to version 2.5.16).
Man Yue MoOur automated analysis found a remote code execution vulnerability in the Icecast streaming media server.
Nick RolfeA custom query, written for Apple's macOS operating system kernel, has found multiple stack and heap buffer overflows which are triggerable by connecting to a malicious NFS file server.
Kevin BackhouseThe networking implementation in iOS and macOS contained an out-of-bounds write, which could be triggered by sending a malicious packet to the device. No user interaction was required. This post explains how it was found using CodeQL.
Kevin BackhouseThis post takes a look at a type of RCE vulnerability in Apache Struts known as a double evaluation and explains how to find it using CodeQL.
Man Yue MoThis post gives more technical detail about general taint-tracking analysis in Apache Struts. It also provides more information on how to write queries that take the architecture of Struts into account to discover various OGNL injection issues.
Man Yue MoSemmle security researcher Man Yue Mo explains how he used CodeQL's Data Flow library to discover multiple RCE vulnerabilities (CVE-2018-11776) in Apache Struts.
Man Yue MoThis is a joint blog post, from Adiscon and Semmle, about the finding and fixing of CVE-2018-1000140, a security vulnerability in librelp.
Kevin BackhouseThe packet-mangler component of Apple's macOS operating system kernel contained a remote code execution vulnerability which could be triggered by sending a malicious network packet to the Mac over the internet. This post explains how it we found it using CodeQL.
Kevin BackhouseTThis post explains how to use CodeQL to find calls to bcopy where the size argument might be negative.
Kevin BackhouseThis blog post explains how CodeQL can be used to discover so-called 'Reflected File Download' vulnerabilities in JavaScript applications. As an example, we look at CVE-2018-6835 which we recently found in the Etherpad collaborative editor.
Man Yue MoThe query language that forms the foundation of LGTM's code analysis makes it very easy to find new security vulnerabilities and variants of it. In this post we look at Spring Data REST, and how CodeQL helped making sure a remote code execution vulnerability was truly eradicated.
Man Yue MoThis post describes some past Android deserialization vulnerabilities that exploited C++ pointers wrapped inside Java objects. Using a single query, we can find the classes responsible for them with great precision.
Man Yue MoThis post describes how we can use CodeQL to find unsafe uses of copy_from_user - a C function that is used to copy data from user memory into kernel memory. When used incorrectly, it could cause a stack buffer overflow in the kernel.
Kevin BackhouseThis post shows how to use the new TaintTracking library to easily identify unsafe deserialization vulnerabilities associated with the Castor and Hessian deserialization framework. In particular, two new vulnerabilities, CVE-2017-12633 and CVE-2017-12634 are discovered in Apache Camel.
Man Yue MoThis post shows how the out-of-the-box XXE query in LGTM catches an exploitable XXE vulnerability in the JBoss business process manager that is difficult to find using fuzzing or testing.
Man Yue MoApple's macOS XNU kernel can be tricked into leaking sensitive kernel memory. This post describes how we can use CodeQL to find such vulnerabilities in C code.
Kevin BackhouseUnsafe parsing of user input XML data in Restlet leads to remote information disclosure by sending a malicious request to applications built using Restlet's REST API. In this post I will explain the details of the vulnerability, how it is found using CodeQL and why this type of mistake is easy to make when configuring XML parsers.
Man Yue MoParsing YAML data from untrusted source can lead to arbitrary code execution. This post discusses a vulnerability of this type in Swagger Parser (caused by unsafe use of SnakeYaml), and shows how such vulnerabilities can be found using QL.
Man Yue MoUnsafe parsing of user input XML data allows remote attacker arbitrary file access.
Man Yue MoDeserialization of untrusted user data caused a severe remote code execution vulnerability in Spring AMQP's implementation for handling errors. This post explains the details of the vulnerability and how we found it using our query language.
Man Yue MoDeserialization of untrusted user data caused a remote code execution vulnerability in Apache Struts. This post explains how CodeQL, LGTM's code query technology, was used to find this vulnerability.
Man Yue Mo
