ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
So, Apple announced a new bug bounty program at BlackHat, and there are some interesting deviations from the norm in their plan to implement and pay out. First of all, Apple will be selecting a core group of researchers to be eligible for bounties, so no, a person cannot simply find a bug in Apple and get a bounty for it. Rather, your submission of a serious bug may get you considered for the approved group. One notable thing about this bounty is that Apple is offering $200,000 for bugs found in its secure boot firmware. That’s a huge number of dollars, and also a rather small target. However, as many have pointed out about bug bounties and the major operating system manufacturers, there are people willing to pay much more for that bug. Case in point: Exodus Intelligence has announced they’ll pay out $500,000 for the same bug. The Register has a far wittier rundown if you’re interested.
It would seem Microsoft has lost control of a key generated specifically to backdoor the secure boot features on many devices. The researchers are quoted in the Ars Technica article pointing out to the FBI that this is what happens when there’s a back door with a “secure golden key.” Now, if OPM can’t do any better with your files than to store them as PDFs on unencrypted media, how do we expect any branch of the government to keep up with their precious golden key? Something tells me this isn’t the last time we’ll learn this lesson either.
There is a new “off-path TCP” attack described by this paper which could allow an attacker to inject packets into a TCP stream from “off path,” that is, without being able to observe the traffic. This is normally difficult because sequence numbers are randomized and the attacker typically needs some way of knowing whether the victim hosts are currently communicating and on what port. Linux is the only operating system currently affected by this attack, and that is because it is the only one that fully and correctly implements the off-path attack mitigation described in RFC 5961 (challenge ACKs); it is that mitigation, through its global challenge-ACK rate limit, which the attack exploits. It should be noted that the attack can still be mitigated by tuning the net.ipv4.tcp_challenge_ack_limit sysctl to something absurdly large.
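To make the last point concrete, here is a small audit script for that sysctl. It is an added example written for this post, not code from the paper or from the kernel project: it reads the live value from /proc (or from any file path you pass, so it can be run against a saved copy), flags anything below a threshold, and prints the sysctl.conf line that would raise it. The threshold value is an assumption; the post only says “absurdly large”.

```shell
#!/bin/sh
# Added example (not from the original post): audit the RFC 5961 challenge-ACK
# rate limit that the off-path TCP attack relies on. Reads the live sysctl by
# default, or any file given as the first argument (useful for saved values).

# Assumed threshold: the post only says "absurdly large". Anything below this
# is reported as still being in the small, predictable range the attack needs.
MIN_LIMIT=999999999

# Print the configured challenge-ACK limit with surrounding whitespace removed.
# $1 (optional): file to read instead of the live /proc entry.
read_challenge_ack_limit() {
    _src="${1:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
    [ -r "$_src" ] || { echo "cannot read $_src" >&2; return 2; }
    tr -d '[:space:]' < "$_src"
}

# Exit status 0 when the limit is at or above MIN_LIMIT, 1 when it is below,
# 2 when the value could not be read or is not a number.
challenge_ack_limit_ok() {
    _val=$(read_challenge_ack_limit "$1") || return 2
    case "$_val" in
        ''|*[!0-9]*) echo "unexpected value: '$_val'" >&2; return 2 ;;
    esac
    [ "$_val" -ge "$MIN_LIMIT" ]
}

# Print the sysctl.conf line that raises the limit. This only emits the
# setting; applying it (sysctl -w, or a file under /etc/sysctl.d/) is left
# to the administrator.
remediation_line() {
    echo "net.ipv4.tcp_challenge_ack_limit = $MIN_LIMIT"
}

# Human-readable audit of one value; used when the script is run directly.
audit() {
    if challenge_ack_limit_ok "$1"; then
        echo "OK: tcp_challenge_ack_limit=$(read_challenge_ack_limit "$1") (>= $MIN_LIMIT)"
    else
        _rc=$?
        [ "$_rc" -eq 1 ] && echo "LOW: tcp_challenge_ack_limit=$(read_challenge_ack_limit "$1"); suggested setting:" \
            && remediation_line
        return "$_rc"
    fi
}

# Run the audit only when executed as a script with RUN_AUDIT=1, so the file
# can also be sourced for its functions without touching /proc.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit "$1"
fi
```

Run it as RUN_AUDIT=1 sh audit.sh on a host to check the live value, or pass a file path to check a value captured elsewhere. On the affected kernels the default limit was 100 per second, which is exactly the small, fixed budget the paper's side channel measures; raising it by orders of magnitude removes the signal without touching the RFC 5961 logic itself. Treat this as a stopgap for unpatched hosts, since updated kernels change how that limit is applied.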
I have been curious for a while about bug bounty programs and their payouts. I’ve seen a few stories of great success, where an airline paid out enough free miles for the bounty hunter to see the world or a company spelled its name in the numbers of the paycheck (Google), and a few horror stories where the bounty client claimed the bug was not a security issue, fixed it, and stiffed the bounty hunter. All in all, it has always seemed like too much work to get into only to find out that an XSS is not “in scope” and therefore no one will be paying up. That makes this article by @albinowax an interesting read.