January 2021 Reviews

[A summary of my movie and TV reviews from last month, posted to Attrition.org, mixed in with other reviews.]


Soul (2020)
Medium: Movie (Disney)
Rating: 5/5 movie and music magic
Reference(s): IMDB Listing || Disney
Disney knows how to do modern cartoons and this is no exception. The story follows Joe, a school band teacher who seems to have lost his way. As he sees a spark of passion in one student’s musical ability and then lands the gig of his life, he has a mishap and finds himself at the pearly gates but refuses to accept that fate. In limbo Joe runs into an odd one known as “22” and finds himself on an adventure to help 22 find a spark so that they can live a life on earth. The movie has a great stride and flows very well with an amazing cast of vocal talent as well as some incredible music by an unlikely trio, Trent Reznor and Atticus Ross for the original score and Jon Batiste with original jazz songs. The movie brings the laughs and the feels and is perfect for all ages.


Kajillionaire (2020)
Medium: Movie (Netflix)
Rating: 4.5/5 stick with it
Reference(s): IMDB Listing || Amazon
This quirky movie is billed as a Crime/Drama but as far as modern movies go, that is about the farthest thing from what it really is. It’s more of a slow-play dry commentary on the nature of humans and how odd we can be, with a splash of low-end grifting, wrapped into a family-dynamic sleeper hit that also moonlights as a love-story. For me, it started out slow and confused as I couldn’t figure out what type of movie it was. About half-way through I was hooked as I realized it wasn’t trying to be any specific genre; it just did its thing with Evan Rachel Wood stealing the show. If you dig on off-the-beaten-path flicks, this one is worth a go.


Greenland (2020)
Medium: Movie (Multiple)
Rating: 2/5 the title is the most redeeming quality
Reference(s): IMDB Listing || Amazon
It must have been a few years since the last earth-snuffing porn, as we tend to get one movie like that every so often, although more recently in the form of plagues and zombies. Gerard Butler and the end of the world pretty much tells you what you need to know about this movie. All the stereotypical things from this genre of movie are here too: poorly manufactured explosions to tide you over before the real city-snuffing comes, impromptu gangs that make no sense, cell service outages for plot advancement, and really bad dialogue snippets. I definitely feel like I watched this so you wouldn’t have to.


Lupin, Part 1 (2020)
Medium: TV (Netflix)
Rating: 3.9/5 not a heist series
Reference(s): IMDB Listing || Netflix
This 10-episode series is described as “inspired by the adventures of Arsène Lupin, gentleman thief Assane Diop sets out to avenge his father for an injustice inflicted by a wealthy family”. The first episode of five in part one sets the stage of a master thief and the heist of a 20-million-dollar piece of jewelry. Unfortunately, we quickly learn that the main character is not really a master thief. While he has skill in makeup, blending in, and pickpocketing, there are no other grand heists involved. Instead, it becomes more of a drama around avenging his father’s death with the thief / con man / grifter components as a side piece to facilitate the main story. Overall it is fairly entertaining but entirely too predictable and not very thought-provoking. Great for falling asleep to.


News of the World (2020)
Medium: Movie (Multiple)
Rating: 3.5/5 bit of a slow read
Reference(s): IMDB Listing || Amazon
We follow Captain Kidd (Tom Hanks) as he travels from town to town reading the “news of the world”. Along the way he encounters a young girl, Johanna, played by Helena Zengel, who has grown up in an Indian tribe that was decimated by whites and speaks no English. Kidd decides to take her to the family she was going to before becoming stranded, and the story progresses. Given the movie stars Hanks and is a period piece, I expected an amazing movie. Unfortunately it just didn’t come together and became disjointed the farther it went. At almost two hours it still felt like parts ended up on the cutting room floor that might have tied some of the beginning to the end better. Worth a watch, wait for it to hit Netflix.


Freaks (2018)
Medium: Movie (Netflix)
Rating: 4/5 every single character is a freak
Reference(s): IMDB Listing || Netflix
This Canadian-made super-(anti)-hero movie is a different style than many movies of the genre. It starts out a bit slow and leaves you wondering what is happening and some of those questions go unanswered until very late in the movie. But it has a good slow buildup, good casting, a simple premise, and a solid conclusion. Slightly dystopian where anyone with any power is labeled a ‘freak’ and hunted by the government. This movie doesn’t spoon feed you a simple person with powers like most mainstream films of the sort. Worth a watch.


Joker (2019)
Medium: Movie (HBO Max)
Rating: 5/5 he’ll laugh, you’ll laugh
Reference(s): IMDB Listing || Amazon
I saw this in theaters, you know, just before the society-crippling pandemic robbed us of basic joys. I left the theater confused, not sure if I really liked the movie or really didn’t. By that night, after a discussion with Lyger, I realized that I really liked it. I re-watched it recently and still really enjoy it. The biggest factor is that it is a complete break from the DC universe as far as style goes. While we have seen Batman’s origin story, in one form or another, many times over, the villain’s origin stories are often relegated to fairly quick scenes (Suicide Squad) or not explored (The Dark Knight). Having an entire movie to see how Todd Phillips envisioned this iconic villain’s origin was worth the adventure. This movie leans a bit toward Nolan’s Batman trilogy as far as feel and is the polar opposite of other DC offerings like Superman, Wonder Woman, or Aquaman. Forget the DC universe when you go into this, just focus on this movie and Phoenix’s incredible portrayal of Joker.


Aquaman (2018)
Medium: Movie (Multiple)
Rating: 0.5/5 this movie s(t)inks
Reference(s): IMDB Listing || Amazon
For some reason, DC Comics has a problem making good movies with few exceptions, and this isn’t Nolan’s Batman or Wonder Woman. Instead, Aquaman had the feel of a franchise desperate to create the feel of a Marvel Universe movie. Every single thing was predictable, cliché, and boring. “There’s too many casualties!” But let’s stop for a sloppy wet kiss of course. Seriously, we need a new word for “overdone movie cliché”. They tried to make this by loading it with big names but as we often see, put that many big names together and they still can’t save a movie. Skip this, take a bath instead.


Prospect (2018)
Medium: Movie (Netflix)
Rating: 4.5/5 I dig it
Reference(s): IMDB Listing || Netflix
A sci-fi movie I hadn’t heard of that turned out pretty damn good, what gives? Oh, Pedro Pascal is in it and he has enjoyed a little attention recently. This movie has a small cast set on some distant world where brave adventurers go to prospect a part of an alien life form that requires some skill and finesse rather than brute strength. When a father / daughter duo touch down chasing the ultimate score, things go sideways. The movie is more of a thriller, with sci-fi as a vehicle to deliver the underlying story, which is compelling and well-done. If you can look past a few simple plot holes, you may find this movie really enjoyable like I did.


Rememory (2017)
Medium: Movie (Netflix)
Rating: 3.5/5 A bit forgettable
Reference(s): IMDB Listing || Amazon
Sam, the main character played by Peter Dinklage, injects himself into the life of a brilliant scientist who is brilliant, and the movie makes sure you know he is brilliant. The science is being able to record and play back memories, à la Strange Days. But for some reason Sam plays back mostly on a tiny screen in a briefcase that is the device. Anyway, he ends up in the middle of the life and murder of this scientist and decides to find out who did it, with this new technology being the central piece of the story. Ultimately, the movie has some neat ideas and good acting, but just falls short as it all doesn’t fully come together. It’s the kind where you can’t quite put your finger on it but just know something was lacking.

The Misery (Index) Data

The Misery Index is a game on TBS hosted by Jameela Jamil, starring The Tenderloins, better known as the Impractical Jokers (Joe Gatto, Brian Quinn, James Murray, Sal Vulcano). You can read more about the format and style of the game on its Wikipedia page. They bring humor to the game to augment the humor of the subject matter; “miserable” events depicted in news, text, or video.

Each miserable incident is scored by a team of psychologists based on the “three pillars of misery”, which are “physical pain, emotional trauma, and long-term psychological impact”. That boils it down to a numeric score between 0 and 100. After watching a few episodes I was curious how they compared… so I made a spreadsheet. Big surprise there, I know. The more I watched, the more metadata I started tracking, ultimately having to re-watch some past episodes to pick out data I hadn’t originally collected. In doing so it brought fun rewards quickly.

For example, in S02E09, contestant Katherine says that Sal helped win the most money during the first season (10 episodes) and Brian ‘Q’ Quinn came in second. In reality, Sal helped win $64,000 while Q helped bring in $71,000. Either way, sound choice as they bring in the most by a good margin over the other two Jokers up to that point. Even better that she watched the first 10 episodes with that data point in mind. But… how about getting to that final stage where the big money is? Knowing how miserable events are scored is what it takes. That’s where this data comes in.

If you want to get on this game show you now have everything you need to better understand scoring and be ready for events. Even knowing, for example, that no event has been scored lower than 11 can help immensely in the final stage. The data:

Tab 1, “Ep Metadata” includes the season/episode number, air date, contestants, the two Jokers paired with each, winner, winner’s gender, final stage Joker assistant, total won, and notes. By the end of the second season there were four “perfect games” where the contestant won the maximum amount ($33,000 during a normal game, $50,000 during the Christmas special). Finally, it includes a running total of the prize money to date, $607,500 by the end of season two.

Tab 2, “Misery Data” is the meat of it while containing relatively few columns, but representing the most work. It includes the episode number, the miserable incident as listed on the game board, the score, a VNTO designation, the reward, if the contestant won the money, and comments. The VNTO designation indicates the format of the event which is a video, news article, text, or ‘other’. The column with the reward is color coded green or red to indicate if they won or lost that money. The time-consuming part is in column B, that lists the miserable incident but also links to it. I actually spent the time finding the exact news article or video in most cases. More on that in a bit.

Tab 3, “Statistics” is where we get the fun digestible information and the bigger take-aways like there being a single miserable incident scored at 100 or the average score of all incidents across two seasons is 56.0. It also has joker pairings, types of media totals, contestant breakdowns, and more.

Tab 4, “Charts” is a set of visual representations of the statistics, because people like colors and shapes!

Jumping back to finding the exact news article or video, that effort made it very clear early on that the news article headlines they show are often not real. The show will take the headline and make minor edits to it presumably for readability and to convey the relevant points. That’s fine, I get it. But… the problem is that on rare occasion they actually leave out something specific that might drastically alter the misery score. What isn’t clear is if the panel that scored knew that detail. Let’s look at the biggest example:

In a video clip from ABC News, the show includes some of the audio recording and transcription as seen above. The contestants are asked to then score “Your Doctor Disses You During Surgery“. OK, based on that info you consider the three pillars and make your guess and maybe you got it right (51) or maybe you guessed lower because some people said mean things behind your back. The real question is, did the panelists score based on that or did they have knowledge that it resulted in a malpractice suit that yielded $500,000 for the victim? Pretty sure that would drop the misery quite a bit. These little omissions are interesting since they can impact the game, but a contestant has no way of knowing the missing details or if it was factored in on a score.

So, there we have it! Going into season three, hopefully contestants choose Sal (213k) or Q (190k) in the final round instead of Joe (144k) or Murr (60.5k). I know it seems like Murr doesn’t do well but he has only been selected four times as compared to Sal who was selected 11 times. With that factored in, that means Sal only averages $19,363 and Murr $15,125. But when you are playing for that kind of money, every dollar matters.

Hopefully this data will help future contestants! If you notice any errors in my data please leave a comment so I can fix it up. As time permits, I will continue to update the sheet with future episodes of the show. Enjoy!

The Misery Index Data

A critique of the summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”

“What do you think of this?” It always starts out simple. A friend asked this question of an article titled Summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”. This study is math heavy and that is not my jam. But vulnerability databases are, and that includes the CVE ecosystem which encompasses NVD. I am also pretty familiar with the limitations of the CVSS scoring system and colleagues at RBS have written extensively on them.

I really don’t have the time or desire to dig into this too heavily, but my response to the friend was “immediately problematic”. I’ll cliff notes some of the things that stand out to me, starting with the first graphic included which she specifically asked me about.

  • The header graphic displays the metrics for the CVSSv3 scoring system, but is just labeled “CVSS”. Not only is this sloppy, it belies an important point of this summary: the paper’s work is based on CVSSv2 scores, not CVSSv3. They even qualify that just below: “We should note the analysis conducted by Ross et al. is based upon the CVSS Version 2 scoring system…”
  • “Ross et al. note that many exploits exist without associated CVE-IDs. For example, only 9% of the Symantec data is associated with a CVE-ID. The authors offered additional caveats related to their probability calculation.” That sounds odd, but it is readily explained above when they summarize what that data is: “Symantec’s Threat Database (SYM): A database extracted from Symantec by Allodi and Massacci that contains references to over 1000 vulnerabilities.” First, that data set contains a lot more than vulnerabilities. Second, if Symantec is really sitting on over 900 vulnerabilities that don’t have a CVE ID, then as a CNA they should either assign them an ID or work with MITRE to get an ID assigned. Isn’t that the purpose of CVE?
  • “Ross et al. use four datasets reporting data on vulnerabilities and CVSS scores…” and then we see one dataset is “Exploit Database (Exploit-DB): A robust database containing a large collection of vulnerabilities and their corresponding public exploit(s).” Sorry, EDB doesn’t assign CVSS scores, so the only ones that would be present are ones given by the people disclosing the vulnerabilities via EDB, some of whom are notoriously unreliable. While EDB is valuable in the disclosure landscape, serving as a dataset of CVSS scores is not one of its strengths.
  • “About 2.7% of the CVE entries in the dataset have an associated exploit, regardless of the CVSS V2 score.” This single sentence is either very poorly written, or it is all the evidence you need that the authors of the paper simply don’t understand vulnerabilities and disclosures. With a simple search of VulnDB, I can tell you at least 55,280 vulnerabilities have a CVE and a public exploit. There were 147,490 live CVE IDs as of last night, meaning that almost 38% have a public exploit. Not sure how they arrived at 2.7% but that number should have been immediately suspect.
  • “In other words, less than half of the available CVSS V2 vector space had been explored despite thousands of entries…” Well sure, but this statement doesn’t qualify one major reason for that. Enumerate all the possible CVSSv2 metric combinations and derive their scores, then look at which numbers don’t show up on that list. A score of 0.1 through 0.7 is not possible, for example. Then weed out the combinations that are extremely unlikely to appear in the wild, which is most that have “Au:M” as an example, and it weeds out a lot of possible values.
  • “Only 17 unique CVSS vectors described 80% of the NVD.” Congrats on figuring out a serious flaw in CVSSv2! Based on the 2.7% figure above, I would immediately question the 80% here too. That said, there is a serious weighting of scores primarily in web application vulnerabilities where e.g. an XSS, SQLi, RFI, LFI, and limited code execution could all overlap heavily.
  • “Input: Vulnerabilities (e.g., NVD), exploit existence, (e.g., Exploit-DB), the number of clusters k” This is yet another point where they are introducing a dataset they don’t understand and make serious assumptions about. Just because something is posted to EDB does not mean it is a public exploit. Another quick search of VulnDB tells us there are at least 733 EDB entries that are actually not a vulnerability. This goes back to the reliability of the people submitting content to the site.
  • “The authors note their approach outperforms CVSS scoring when compared to Exploit-DB.” What does this even mean? Exploit-DB does not do CVSS scoring! How can you compare their approach to a site that doesn’t do it in the first place?
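The enumeration suggested in the vector-space bullet above, as an added example that is not part of the original post: it computes the CVSSv2 base score for all 729 base vectors straight from the v2 specification’s equations and lists the one-decimal values that no vector can produce, which is how the “0.1 through 0.7 is not possible” claim can be checked. The optional Au:M filter reflects the rarity argument from the same bullet.

```python
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

# CVSSv2 base-metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def _round1(value):
    """Round half up to one decimal, as the v2 spec does (not Python's banker's rounding)."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    """Compute the CVSSv2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact at all
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176)


def all_vectors(exclude_au_m=False):
    """Every base vector (3^6 = 729); optionally drop Au:M, which the post notes is rare in the wild."""
    vectors = []
    for av, ac, au, c, i, a in product(ACCESS_VECTOR, ACCESS_COMPLEXITY, AUTHENTICATION,
                                       IMPACT, IMPACT, IMPACT):
        if exclude_au_m and au == "M":
            continue
        vectors.append(f"AV:{av}/AC:{ac}/Au:{au}/C:{c}/I:{i}/A:{a}")
    return vectors


def reachable_scores(exclude_au_m=False):
    """Sorted distinct base scores that some vector actually produces."""
    return sorted({cvss2_base_score(v) for v in all_vectors(exclude_au_m)})


def unreachable_scores():
    """One-decimal values in 0.0..10.0 that no CVSSv2 base vector can produce."""
    reachable_tenths = {round(s * 10) for s in reachable_scores()}
    return [i / 10 for i in range(101) if i not in reachable_tenths]


if __name__ == "__main__":
    print("vectors:", len(all_vectors()), "distinct scores:", len(reachable_scores()))
    print("distinct scores without Au:M:", len(reachable_scores(exclude_au_m=True)))
    print("unreachable scores:", unreachable_scores())
```

The smallest non-zero score any vector can produce is 0.8 (AV:L/AC:H/Au:M with a single Partial impact), which is why nothing in the 0.1 to 0.7 band ever appears in NVD.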

Perhaps this summary is not well written and the paper actually has more merit? I doubt it, the summary seems like it is comprehensive and captures key points, but I don’t think the summary author works with this content either. Stats and math yes. Vulnerabilities no.

Search Speak for Automaton

Alternate titles for this blog could be “Doodle Transition for Machina” perhaps! For at least a decade I have thought about just such an application and today I have Google Translate for Android. Load, aim, and it will process the text and translate on screen for you. Given the state of technology you would think it would be amazing by now, and it sometimes is.

The success largely depends on the language and that can also be seen in using translate.google.com, where some languages will translate fairly cleanly and others are very rough. One language I have to translate frequently is Chinese (simplified) and it is problematic for many things including company names and technical terms. With that in mind, I would expect it to translate with the same issues via the Google Translate app, and more specifically, do so consistently.

Since I am writing this, you know what’s coming…

This is the result of holding the phone up to a mail label from Japan. That’s all! Just moving the phone ever so slightly by tilting it or moving it half an inch closer / farther will make it change the translation. I think it finally got it a bit correct on that last one since the envelope didn’t contain anything living.

Hopefully the translation technology from Google will advance more quickly on Asian languages. Until then, I am just glad I didn’t get any “Sunrise Holy Poop” in that envelope.

Commentary on Radware’s Top Web Exploits of 2020

At the close of each year we see at least one article covering the top vulnerabilities / exploits from the prior year. This is usually written on the back of having large detection networks across the Internet that get a comprehensive view of exploitation. It’s a great way to get real intelligence for criminal hacking activity. Unfortunately, we often see a breakdown when it comes to conveying that information in a useful manner. I know there is an argument to be made that the companies releasing such blogs are primarily after PR, sure. But they also have an opportunity to help their clients and the rest of the world by ensuring the blogs contain more useful and actionable information.

For this commentary, I’ll examine Radware’s blog, “The Top Web Service Exploits in 2020” published December 23, 2020 and covered almost verbatim by Security Magazine on January 5, 2021. I don’t have a view into exploit activity itself, but I do have a good view into the vulnerability disclosure landscape that is a cornerstone of this commentary.

We’ll start by setting a few basic ideas for mutual understanding for any such blog. First, each exploit should be tied to a unique vulnerability or it should explain it is an exploit chain and clearly delineate each vulnerability in the chain or explain what it represents if not a pure vulnerability. Second, it should provide at least one external reference for each vulnerability; either a CVE ID, vendor advisory, or commonly accepted third-party advisory such as US-CERT or another similar body. This is what allows the reader to quickly determine if their organization has patched against the vulnerability or not. If I have to spend considerable time trying to determine which vulnerability is being described, many organizations may be at a complete loss trying to figure it out.

With that, let’s look at the top 10 exploited vulnerabilities in 2020, according to Radware, and try to figure out some additional information for perspective. I will also be very clear that Radware’s blog is extremely frustrating and not immediately helpful, instead requiring a lot of extra work. The fact that they only attributed three exploits to a CVE ID is a dismal commentary on the CVE ecosystem. This analysis of their analysis will serve as a reminder that comprehensive vulnerability intelligence is the foundation of any good security program.


Service Exploit #1: /ws/v1/cluster/apps/new-application

Based on their description, this appears to match VulnDB 184750 “Apache Hadoop YARN ResourceManager REST API Request Handling Remote Command Execution“. The first thing of interest is it was disclosed on October 19, 2016 and does not have a CVE assignment over four years later. No wonder many organizations aren’t aware of this vulnerability and have not sought out their own remediation strategy.

Service Exploit #2: /manager/html

This is summarized as “Apache Tomcat Manager Application Upload Authenticated Code Execution” and goes on to describe it as “This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component.”

Despite this description, that does not cleanly map to any vulnerability in VulnDB. The closest matches are CVE-2017-12615 and CVE-2017-12617 which is an abstraction for different platforms, but fundamentally “Apache Tomcat HTTP PUT Method JSP File Upload Remote Code Execution“. On the surface this is a match with Apache Tomcat, JSP application, and POST request to achieve code execution. However, those two CVEs cover a JSP file upload, not a WAR archive, and do not mention the /manager/html/upload component. So we’re left wondering if the exploit described is simply a misconfiguration scenario (i.e. intended functionality not secured) or an actual disclosed vulnerability.

Service Exploit #3: /level/15/exec/-/sh/run/CR

Based on the description, this is a misconfiguration scenario where an administrator sets up a Cisco router with the HTTP admin interface enabled, but without password protection. This allows an attacker to use the legitimate functionality to run arbitrary commands.

Service Exploit #4: /admin/assets/js/views/login.js

Radware says this “resource belongs to Sangoma FreePBX code and it looks like the attackers are trying to detect vulnerable FreePBX servers and exploit one of the known vulnerabilities.” The first issue is that script doesn’t immediately track to a VulnDB entry based on titles, which reflect the script name typically. However, let’s consider the URL being seen: … login.js. Rather than attempting to exploit “one of the known vulnerabilities“, I would suggest instead they are trying default credentials. At least back around 2000, the tried-and-true default credentials of admin/admin were all you needed to access the interface.

This one is curious to me because presumably a company that was detecting exploit traffic and could see e.g. POST requests as demonstrated in Service Exploit #2, would also see that the attackers were trying the default credentials. So we’re left with Service Exploit #4 being of little help and only creating confusion over what is being exploited.

Service Exploit #5: /ftptest.cgi?loginuse=&loginpas=

Radware attributes this to “many cheap Wireless IP web cameras use the same genetic code based on the GoAhead code (the tiny, embedded web server).” This tracks cleanly with VulnDB 181032 “Axis Multiple Products axis-cgi/ftptest.cgi Multiple Parameters Remote Command Execution Weakness”. This is actually a fun rabbit hole as this disclosure originally comes from an audit of an AXIS A1001 Network Door Controller, and exploitation of this issue requires privileged access to the management interface. With that in mind, we’re back to a default credential scenario that may be the actual issue. Back in 2001, defaults for Axis network cameras were covered by CVE-2001-1543.

[Update: Z Balazs points out that this finding is likely due to Persirai botnet activity and links to more information.]

Service Exploit #6: /service/extdirect

This is the only one of the ten exploits covered that they include a CVE ID for. CVE-2019-7238 maps to VulnDB 198437 “Nexus Repository Manager /service/extdirect Insufficient Access Control Request Handling Remote Code Execution“. But, is that really the right ID? If we look at CVE-2020-10204 we are given a very brief summary of “Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution” and a link to the vendor advisory. However, VulnDB 226228 also maps to this and is summarized as “Nexus Repository Manager /service/extdirect Request Handling Remote Command Execution“. We immediately see the /service/extdirect from Radware’s finding in both titles. The vendor’s advisory does not include this endpoint though, but we find it in this exploit published on GitHub that tracks with the CVE-2020-10204 and we see it in a different exploit for CVE-2019-7238.

CVE-2019-7238 was fixed in Nexus Repository Manager version 3.15.0 and CVE-2020-10204 was fixed in version 3.21.2. Due to the vague vendor advisories it is difficult to tell if this was a regression situation or something else. But, the CVE-2020-10204 vendor advisory gives us the interesting bit in the context of exploitation: “The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.” That is an important distinction! So this is likely CVE-2019-7238 as Radware says, unless there are default credentials which would allow for exploiting CVE-2020-10204 as well.

Looking at the NVD entry for CVE-2020-10204 we also see that they scored this incorrectly for their CVSSv3 score, as ‘Privileges Required’ should be ‘High’, not ‘Low’ as they have it.

Service Exploit #7: /solr/admin/info/system?wt=json

For this one, we get an Apache Bug ID (SOLR-4882) and CVE-2013-6397 as references which is great. That said, it would be very helpful if Radware would link to these resources to make it easier for their readers.

Service Exploit #8: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

This is the third exploit they match to an ID, CVE-2017-9841 and it was disclosed June 27, 2017. Another good reminder that software with disclosed vulnerabilities and vendor solutions are not being applied, causing many organizations to become low-hanging fruit in the exploit world.

One little nitpick is that the full path they include is likely not how this would manifest on a server. Everything after “src” would be the endpoint being scanned presumably: /Util/PHP/eval-stdin.php

Service Exploit #9: /hudson

With this, we run into another mess and rabbit hole. Radware summarizes this as “Hudson continuous integration tool – multiple vulnerabilities” and further describes Hudson as “a continuous integration tool written in Java, which runs in a servlet container, such as Apache Tomcat or the GlassFish application server. Over the years the project was replaced by Jenkins. The final release, 3.3.3, was on February 15, 2016. Today Hudson is no longer maintained and was announced as obsolete in February 2017.”

Based on this description, this could be any one of at least 50 vulnerabilities going back to February, 2014, one of which does not have a CVE ID. 41 of these are in Jenkins software which is mentioned above.

Other Service Exploits

This is a curious conclusion to the “top 10” list, as it states “In addition to the new items that we covered in this list, we have also seen items that we already saw and covered in our previous blog Top 10 Web Service Exploits in 2019 such as /ctrlt/DeviceUpgrade_1, /TP/public/index.php and /nice%20ports%2C/Tri%6Eity.txt%2ebak.”

That isn’t exactly a #10 on this list, rather a catch-all for “other stuff we saw including…“. The first listed tracks with VulnDB 170573 “Huawei HG532 Routers /ctrlt/DeviceUpgrade_1 NewStatusURL Element Remote Command Execution (Satori)” which is notable as it is used in Satori, a Mirai botnet variant.

The second tracks with VulnDB 194379 “ThinkPHP /public/index.php call_user_func_array() Function vars[1][] Parameter Remote Code Execution“. Note the different exploit path and we see it can actually be exploited via several endpoints according to analysis of the vulnerability by Knownsec 404 Team.

The third doesn’t immediately track with an entry in VulnDB. Radware gives us “/nice%20ports%2C/Tri%6Eity.txt%2ebak” which we can decode to a more friendly “/nice ports,/Trinity.txt.bak“. A quick Google for that request finds a blog from Dragos titled “Threat Hunting With Python Part 2: Detecting Nmap Behavior with Bro HTTP Logs” explaining this request:

The request for “/nice ports,/Trinity.txt.bak” comes from Nmap’s service detection routine testing how a server handles escape characters within a URI. The actual request is “GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0\r\n\r\n”.

So this isn’t an actual exploit, rather, it indicates that attackers are using the Nmap port scanner. This is a good reminder that “exploit scanning” doesn’t always cleanly map to a specific vulnerability.
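As an added illustration (not code from Radware’s blog or from the original post), the following takes the request paths discussed above plus the Nmap probe and runs them as a triage pass over a few constructed web-server log lines, percent-decoding the target first so that the Nmap request is recognised and labelled as scanner behaviour rather than as an exploit. The log lines, timestamps and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format line: client IP, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Request-path indicators taken from the Radware items discussed above and the
# Dragos note on the Nmap probe: (match kind, decoded path fragment, what it indicates).
# "prefix" compares the start of the decoded path, "suffix" its end.
INDICATORS = [
    ("prefix", "/ws/v1/cluster/apps/new-application",
     "Apache Hadoop YARN ResourceManager REST API RCE (VulnDB 184750, no CVE)"),
    ("prefix", "/manager/html",
     "Apache Tomcat Manager app exposed; likely misconfiguration, not a clean CVE match"),
    ("prefix", "/level/15/exec/",
     "Cisco HTTP admin interface left without password protection (misconfiguration)"),
    ("suffix", "/admin/assets/js/views/login.js",
     "Sangoma FreePBX login page; probably a default-credential attempt"),
    ("suffix", "/ftptest.cgi",
     "GoAhead/Axis ftptest.cgi command execution (VulnDB 181032); Persirai botnet traffic"),
    ("prefix", "/service/extdirect",
     "Nexus Repository Manager (CVE-2019-7238; CVE-2020-10204 needs an admin account)"),
    ("prefix", "/solr/admin/info/system",
     "Apache Solr (SOLR-4882 / CVE-2013-6397)"),
    ("suffix", "/Util/PHP/eval-stdin.php",
     "PHPUnit eval-stdin.php (CVE-2017-9841)"),
    ("prefix", "/hudson",
     "Hudson/Jenkins CI; dozens of candidate vulnerabilities, no single CVE"),
    ("prefix", "/ctrlt/DeviceUpgrade_1",
     "Huawei HG532 NewStatusURL RCE (VulnDB 170573, Satori botnet)"),
    ("prefix", "/nice ports,/Trinity.txt.bak",
     "Nmap service-detection probe: scanner fingerprint, not an exploit"),
]


def parse_log_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Strip the query string and percent-decode the path so encoded probes match."""
    return unquote(urlsplit(target).path)


def classify_path(path):
    """Map a decoded path to an indicator description, or None when nothing matches."""
    for kind, fragment, description in INDICATORS:
        if kind == "prefix" and path.startswith(fragment):
            return description
        if kind == "suffix" and path.endswith(fragment):
            return description
    return None


def scan(lines):
    """Run every parseable line through the indicator list; return only the hits."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        path = decode_target(fields["target"])
        indicator = classify_path(path)
        if indicator:
            hits.append({"ip": fields["ip"], "target": fields["target"],
                         "path": path, "indicator": indicator})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2021:10:15:32 +0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 196 "-" "-"
198.51.100.7 - - [05/Jan/2021:10:15:33 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 196 "-" "-"
203.0.113.9 - - [05/Jan/2021:10:16:01 +0000] "POST /manager/html/upload HTTP/1.1" 401 0 "-" "python-requests/2.25"
203.0.113.9 - - [05/Jan/2021:10:16:05 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"
192.0.2.44 - - [05/Jan/2021:10:17:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]:<14} {hit["path"]:<50} {hit["indicator"]}')
```

Without the decoding step the first line would never match, which is the same trap that turned an Nmap fingerprint into a “web service exploit” in the Radware list.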


Detecting exploitation is critical for every organization. Doesn’t matter if it is on-premises devices or a managed service-based detection. What is more critical is having comprehensive and timely vulnerability intelligence that can turn what you detect into actionable information. This is how you not only detect, but evaluate and remediate, assuming of course the vulnerability is known to the vendor or a mitigation can be enacted.

December 2020 Reviews

[A summary of my movie and TV reviews from last month, posted to Attrition.org, mixed in with other reviews.]


The Queen’s Gambit (2020)
Rating: 5/5 check it out mate
Reference(s): IMDB Listing || Netflix
This miniseries, based on a 1983 book of the same name, is a fictional story about a chess prodigy turned master. It has the feeling of a real story and the producing, sets, and acting strongly lend to this. The main character, played by Anya Taylor-Joy, does an epic job playing a character who has personality quirks and addiction issues. The story is set many decades ago and gives a good reminder of the expectations about women in society at the time. While chess may not seem to be a good basis for a fast-paced drama, the series does a wonderful job maintaining a good pace. I highly recommend this series for everyone.


Tenet (2020)
Rating: 5/5 – Action-packed mind-fuck
Reference(s): IMDB Listing
OK, you have to see Tenet. I think I liked it a lot? But I won’t be sure until I see it a second time. At least. Maybe a third time? It is a very cerebral movie and it makes Inception look like a cartoon in some ways. There are several layers and I think on a second watch I will probably notice a lot of things that would have helped me keep up and understand along the way the first time through. Things that are better revealed toward the end as the movie progresses and evolves will potentially make it more enjoyable the second time around. Very neat movie; great casting, great acting, and it really draws you in.


Ted Lasso (2020) [Apple TV]
Rating: 5/5 better than a biscuit, which is a cookie
Reference(s): IMDB Listing || Apple
This comedy from Apple TV stars Jason Sudeikis as “Ted Lasso”, an American football coach recruited to coach a British football (soccer) team. It’s basically Gomer Pyle (Lasso) meets Major League (plot) to start and it delivers. Sudeikis does a wonderful job playing the always upbeat transplant assisted by coach Beard (Brendan Hunt) as they are immersed in a new culture and new sport at the same time. It’s not a sports show at all, it’s just about the people and interactions with goofy analogies and quick wit. Very light and well-done comedy, worth the watch.


Devs (2020) [Hulu]
Rating: 4.9/5 I have seen what perfection has wrought
Reference(s): IMDB Listing || Amazon
You think you have seen interesting or compelling tech company drama? You haven’t until you watch this, and you will. You will understand the concept of quantum computing before you start the show and you will embrace the many-worlds theory. You find this review confusing now but it will become clear, until it doesn’t again. And then you will find yourself the god in the machine while you ponder the implications of when computing power goes too far. You will then enjoy your new state of enlightenment and make better choices.

It is described as a drama/thriller when mindfuck is more apt. This show does a great job of making you think about the serious implications that quantum computing could bring. While it is certainly sci-fi in the level of computing power suggested, it creates a nice vehicle to let us have a glimpse into what “quantum supremacy” might mean.


Marauders (2016)
Rating: 4.5/5 But I’m a sucker for heist flicks
Reference(s): IMDB Listing || Amazon
Bruce Willis, Christopher Meloni, and Dave Bautista in a cops and robbers movie, and somehow I completely missed that this movie existed until I saw it on a Netflix scroll?! As a fan of the genre and generally not too critical of such movies, I found this one surprisingly good. None of the acting stood out particularly but none of it was bad. A couple of extra decent actors and the movie came together pretty well. Until halfway through I was wondering which way it would go as far as the “who done it” goes. The ending? Not how I would have played it out. If you like the genre, it’s worth a watch.


Fatman (2020)
Rating: 4/5 who let him make movies again?
This movie is a light-hearted take on Christmas and the failures of Santa, at least through the eyes of Walton Goggins’ character. This is kind of a comeback movie for Mel Gibson after his numerous personal failures, some of which make it ironic that he plays a very Christian character while personally being a drunk and hating Jews / black people. Gibson’s history makes it all the more surprising that the amazing Marianne Jean-Baptiste would sign on to play his wife, giving us a modern interracial Claus family. It is really surprising that despite his history his career freeze has “thawed”, as they say in the industry, and that he is being given a second chance. While he can be a great actor, essentially bringing the same character “Porter” from Payback (1999) to play Santa, I have to wonder whether Hollywood is so hurting for actors that they would accept him back after his sordid history?

Oh sorry, enough of that shitbag that can act well. Fun movie, two great actors as main characters, fun and simple story, it really brings the true spirit of Christmas in my eyes. Think [generic assassin movie] + Toys + [cynical Christmas movie] and you know what you are in for. Worth a watch, but don’t pay for it, which shows support for Gibson. Find another way to watch it for free and then find a way to support Jean-Baptiste and Goggins directly instead. Did I mention fuck Gibson?


The Midnight Sky (2020)
Rating: 2.5/5 The movie belongs on a fiery earth
Reference(s): IMDB Listing || Netflix
Based on a book I didn’t read, this movie adaptation brings some star power with Felicity Jones and George Clooney. Without spoiling, the movie screamed “this is not what it seems” from the beginning so the ending was not as impactful as it could have been. Earth on fire and nearly uninhabitable? Sure! A two (?!) year voyage to the nearest habitable planet outside the solar system? OK! Man losing supplies then falling into arctic water and surviving? Prepare to suspend disbelief in the worst way. Overall, I suspect this is a case where the movie just didn’t do the book justice and fell short.

[Update: @_pronto_ pointed out they traveled to a moon of Jupiter, not outside the solar system. But still, a new moon of Jupiter that we didn’t know about is a viable alternative to Earth and Mars apparently isn’t?]


2067 (2020)
Rating: 2.5 / 5 – Science friction is more like it
Reference(s): IMDB Listing
For fans of the sci-fi genre, I don’t know if I should recommend 2067 or not. On one hand I like near-term sci-fi and I like dystopian films, both of which this offers. On the other, there are quite a few annoying bits about this, primarily the cast. I didn’t give two shits about anyone and most were annoying enough that I wanted them to die. Throw in a couple of completely illogical things to advance the plot, a sign of bad writing in my opinion, and it just didn’t mesh well. It was good enough that, a ways in, I was willing to stick with it just to see how it ended. Recommended for watching while working, doing a puzzle, or falling asleep to.


The Jesus Rolls (2019)
Rating: 2/5 a 7-10 split, don’t watch
Reference(s): IMDB Listing || Amazon
Did you know there was a spin-off to The Big Lebowski? Neither did I until recently. It follows a brief part of Jesus’ life, but unfortunately not really his life bowling. This is basically the story of two hapless and idiotic guys on the lowest-end crime spree you can imagine. The humor is also some of the lowest-end too; there wasn’t that much to laugh about as the bit comedy was lacking overall. I’d pass on this and re-watch the Dude. On the upside, we do learn the story behind the sex offender registry.


War Inc (2008)
Rating: 1/5 Disown the “spiritual cousin”
Reference(s): IMDB Listing || Amazon
John Cusack plays an assassin in this movie co-starring Joan Cusack and Dan Aykroyd … no, he does in this movie too. According to Wikipedia, Joan Cusack said, “.. in a way, it was a Grosse Pointe Blank 2” while John Cusack said it was a “spiritual cousin to Grosse Pointe Blank”. Sure, I can see that, but it isn’t nearly as amusing. Intended to be political comedy & commentary (comedary?), it comes across as a cliché of other cliché films while borrowing characters from the prior film. Rather than go with more subdued humor around a military presence in a fictional Middle Eastern country, they opted to go over-the-top and it really detracted from the potential. Skip this, (re)watch GPB instead.

Dystopia Arrives

The dystopia genre has enjoyed a lot of attention over the last decade with hits like The Hunger Games, Blade Runner 2049, and Automata as a few examples. To me, a dystopian film is set in the near future with a focus on society more than technology. In my late teens and early 20s I loved reading the cyberpunk genre, which often presented a dystopian view but also used technology as the carrier of the story, like the more recent Ready Player One does. So dystopian and cyberpunk often blend together for me, and it is more the focus and the story that set them apart.

One thing common in dystopian movies is the breakdown of society, typically at the hands of a tyrannical government that does not see all citizens as equal. In The Hunger Games, society was segregated into districts that enjoyed more or less comfort. Soldiers from the capitol enforced the rules and made sure that impoverished districts stayed that way while demanding their citizens provide resources and play in games to the death, for the entertainment of the wealthy. Even the trip to the capitol in a train showed the gap with extensive platters of food, the likes of which some contestants had never seen in their life. Their homes were in a district surrounded by fences with the penalty of death for escaping. Medical care was basically non-existent in some districts and there was no way to challenge the system as democracy and voting were a thing of the past.

Similar elements can be seen in many movies including Equilibrium, Divergent, Elysium, Code 8, and the classic Fahrenheit 451 which was recently remade. We see aspects of these fictional societies in our own and it makes the movies more compelling.

We see governments becoming more authoritarian, the wealth gap widen, and millions of people being left behind. Little bits here and there keep adding up and we don’t notice the slow boil until it is too late. But I have to wonder, when does our own society reach the point that it can be considered dystopian?

I think dystopia has arrived.


During the last year, the political climate has reached critical levels as tens of millions have become disenfranchised in one manner or another. With COVID-19 devastating the entire world, even so-called “first-world” countries like the United States have seen record levels of unemployment, over-burdened food banks, over-populated prisons rocked by the pandemic, disenfranchised voters waiting half a day to vote, hospitals over capacity and turning away patients, freezer trucks used as temporary morgues due to overflow, and record levels of eviction and unhoused families. I can’t think of a book or movie that portrays it, but the “homeless sweeps” enacted in many cities are straight out of a dystopian nightmare.

The ad-hoc homeless encampments we see in cities are growing steadily, which can increase risk to residents and businesses. Home-owners perceive their risk of becoming a victim of crime as increasing and lobby to have the encampments removed from their neighborhood. As the homeless are forced to live in tents set up in the right-of-way in front of half a million dollar homes, resentment grows. If this continues we will see a boiling point and there might be a homeless uprising. What do they have to lose? Jail or prison isn’t ideal by any means but it does give them shelter and food, which are jeopardized every day.

Protests rocked the United States leading many cities to have government buildings and businesses boarding up windows, hiring security, while many are going out of business as the uncontrolled pandemic ravages communities. We’ve seen more fences going up in protest areas, around public space, and even around police stations.

The central element of dystopian literature and film is the tyrannical government that looks out for the upper class and has little to no concern for the rest of society. That can certainly be increasingly seen in U.S. politics over the last decade and even now, as congress argues about giving citizens a $2000 stimulus after struggling to pass a $600 payment. Meanwhile the bills are bundled with other legislation and proposals that do everything but help citizens. As certain elements of the government seek to consolidate power, the level of resentment and protest increases significantly, as we saw. This has led to stand-offs and clashes between angry taxpayers and disreputable police.

This becomes cyclical as protesters become more organized and police become more militarized. The methods of law enforcement began blending with military tactics long ago and in many cases local police have become almost indistinguishable from soldiers. Police departments have been purchasing military equipment for years, giving them both offensive and defensive gear including vehicles that are overkill.

Even without gear that is considerably overpowered, police departments have the outward appearance of not taking their oaths to heart. Thousands of videos of incidents in which police used excessive force on protesters and journalists flooded Twitter in 2020. The disproportionate and indiscriminate killing of minorities has added a level of anger and contempt we haven’t seen before. Demands range from simple reform to accountability changes to the total abolition of police departments.

Think about your favorite dystopian book or movie and what aspects of that society make it dystopian in the first place. Compare those same attributes to what we have seen in the United States in the last twelve months. When you do, you might reach the same conclusion that our society has crossed the line and we live in the dystopia we have paid to enjoy through fiction until now.

So again, I think dystopia has arrived.

Box of Shit: The Kat Variance

For those who know about the sordid history of the Box of Shit, you know where the name comes from. While some may have thoughtful touches and some personalized items, they are generally fun junk. Behold, the Kat variance! After sending a true box of shit to her, a couple months pass and I get an epic, wonderfully prepared, designer box of greatness that surprised me several times over. Timing worked out so I opened it on Christmas and voilà, I had my own celebration in a box. But first, I had to taunt her, to make sure I was giving back as much as she gave me, even before I knew what that was. Given the pandemic, I of course had to let it stew for a bit before I could open it… for safety.

When I did, boy was I surprised. It was just like something you get wrapped at one of those tables in the mall before Christmas day, staffed by four elderly ladies that know how to wrap shit.

Four individually wrapped presents, a cloth sack, and four hidden candy canes surrounded by little strands of tissue ribbon worms that kind of haunt my dreams now. I found two going through my desk drawers this morning. The plush squirrels toasting the holidays were a nice touch but I think they are controlling the worms now. Do they look innocent to you?!

Anyway, if you look closely you may notice that they have orders dictating the order in which they are to be opened. But nothing about that little cloth sack. Do I open it first? Last? Dealer’s choice? This of course drove me crazy because you can’t violate the spirit of a box of shit, thems the rules dammit. Technically, I should open it after the third since that would not break any rules, if you think about it. But I opened it first because I didn’t think about that until writing this blog. #fail

As a collector of squirrel currency (yes, it’s a thing!) and tokens, but not challenge coins, this was a great surprise. While I don’t collect them, I see a lot of them in my morning mails telling me which “squirrel coins” were put up for auction. “Squirrel challenge coin“, see? Despite that, I had never seen this variation of a secret squirrel challenge coin! Win! On to the first box…

A box of squirrel paper clips. Brilliant! Because what animal is more known for organizing than squirrels! Not only had I never seen these, I am actually running low on paper clips. The next time I print out emails and hand them to someone, beautifully bound with these, they will be impressed. Box #2…

Squirrels, the game! Collect Nuts, Cause Mayhem, Make Terrible Squirrel puns! Yes, yes, and more yes! At squirrel nutworking events I am known for cracking a good joke before I leaf for the night. The best part… never seen this game before. Three for three! Box #3…

The nanoblock NBC_178, aka the Squirrel! If you are looking at it thinking it is a chipmunk, you are wrong (notice the tail). And even if you were right, chipmunks are in the Sciuridae family too! Now, I have seen this and even built one before; that completed pic is from last year. But I asked if I should re-gift or build again and put it on my second desk and I was told the second desk it is. So I have another Lego-style project in my future. The hidden bonus? Nanoblock kits come with quite a few extra pieces; enough to make two extra acorns even. =) Box #4…

This one was a two-fer! First, an amazing squirrel puzzle box that I have never seen! Once opened, it turned out to contain some breath mints or the largest Quaaludes you’ve ever seen. TBD. Along with those was this great necklace that features a 1 Øre coin from Norway, known for its prominent squirrel. Most people who have received a box or envelope of shit from me have received one of these coins, but never in such great condition and never as part of a necklace. Some people wear patron saint necklaces and now I have my own.

So there you go, an absolutely incredible box that ascends past the title of ‘Box of Shit’. This was a box of brilliance.

Sitting on Undisclosed Vulnerabilities (e.g. SolarWinds Stragglers)

The company SolarWinds is in the news, the victim of an attack that compromised their Orion Platform software by inserting a backdoor into it, allowing for remote code execution. Like most big breaches, we hear the term “sophisticated” used for the attack. And like many breaches, we quickly learn that it might not have been so sophisticated after all. There is plenty of commentary on this and the wave of attribution experts are out in full force on Twitter. You can read about all of that elsewhere, as I cover a different aspect of vulnerability disclosure here.

Anyone who has done penetration testing has found vulnerabilities, of course. Since those tests are done under non-disclosure agreements (NDA), the vulnerabilities are reported to the customer. One long-standing problem with this process is that a vulnerability found during that test may be in commercial off-the-shelf (COTS) software that affects many other organizations in the world. That NDA often says you cannot disclose them elsewhere, including to the vendor. Even if it permits it, most penetration testing shops don’t have someone designated to handle coordinated disclosure with the vendor. When it does happen, it is often done in the tester’s spare time, or, if the company uses security advisories for advertising, the tester may be tasked to write it up.

For more than 25 years this has meant that a lot of vulnerabilities discovered in COTS die in customer reports. The customers may sometimes report them to a vendor themselves looking for a fix. But surprisingly, that often does not happen. How do we know? Many testers have seen the exact same vulnerability during a test of the same customer a year or more after the original. There are times when a tester will disclose those vulnerabilities long after the fact, without coordinating with the vendor. This can happen after they leave the company they did the testing for or when they think sufficient time has passed.

I think we saw this yesterday with SolarWinds with the publication of CVE-2018-16243. First, while MITRE is not consistent about the assignment year, the year in a CVE ID is meant to reflect when the ID was reserved (or the issue was first made public), not when the details were finally disclosed. A 2018 ID assigned to an issue that was published yesterday strongly suggests the researcher requested the ID back in 2018 but waited until now to publish. The exact date is likely 8/30/2018 per the disclosure itself. But looking at the disclosure, done via gist.github.com, we can see via the revisions that it was published 12/14/2020. So the researcher appears to have sat on these SolarWinds Database Performance Analyzer vulnerabilities for 837 days. Based on the disclosure, there was no coordination with the vendor and no fix is currently available. On the upside, seven distinct XSS vulnerabilities were disclosed, but the CVE only covers six of them.

Why now? Because SolarWinds was in the news albeit for a vulnerability in a different product (SolarWinds Orion Platform). Looking at prior vulnerability disclosures, it is easy to tell where the researcher works. A quick LinkedIn search verifies that bit of information and brings us to the fun question; did they find these SolarWinds vulnerabilities at their prior job, the downtime between jobs, or at Optiv? All three have interesting implications if you think about it. =)

Jumping back to the point, I will renew the call I have made in the past: penetration testing shops should use an NDA that allows them to report vulnerabilities in COTS to the vendors on behalf of the customer. They should manage the coordinated disclosure process and publish an advisory after a fix has been made available and they have verified their customer has mitigated the vulnerabilities. Yes, it is a little extra work! Yes, it is also a value add to your customer, value to any organization that uses the software, and the advisories become advertising of sorts. That little extra work will go a long way for the greater good.

Review Player Two

TL;DR

Ready Player Two is an enjoyable read that keeps the spirit and overall feel of the first book, with a few chapters in the middle that are a bit difficult to slog through. Worth a read though.

Summary

Ready Player Two is the aptly named sequel to Ready Player One. It picks up shortly after the end of the first book with four heroes ‘enjoying’ their lives to varying degrees, now as owners of the corporation that controls the OASIS. Similar to the first book, the sequel takes us on a new journey through an epic quest with even higher stakes. Instead of three gates now we’re faced with finding seven shards, each tied to a planet within the OASIS.

The main character and hero of the first book, Wade Watts, can’t find the first of seven shards and ends up paying someone a billion dollars for instructions to find it. The second comes after playing the ‘Sega Ninja’ arcade game in a specific place and completing the entire game. That takes us to the planet Shermer, a tribute to all things John Hughes. For this shard, rather than feeling like I was reading a well-written book, it felt more like reading a Wikipedia page with a vague plot instead. Factoid after factoid about John Hughes, his movies, characters in the movies, alternate scripts to the movies, and a lot of other pedantic details made for a poorly conceived chapter.

The third shard takes us to Halcydonia, a planet designed to provide free education to any child in the world. After a lot of words for perhaps the easiest quest, the fourth shard bears the symbol of Prince and leads us to a planet ‘named’ in the same fashion. This becomes yet another Wikipedia page thinly disguised as a book chapter and bogs down the flow of the book. Even worse, the Prince quest drags on for several chapters. After an interesting battle with seven iterations of Prince, the next quest takes us into the world of Tolkien but not the more mainstream literature like the Hobbit or Lord of the Rings. With six shards in hand, Wade uses them to create the seventh shard and the actual plot continues. From here the rest of the story unfolds rapidly and is considerably more enjoyable.

Criticism

The books are set in the year 2045 and focus heavily on ‘retro’ culture, meaning we readers are well versed in many of the cultural aspects of the story like John Hughes, arcade games, Prince, and Tolkien. Since the story is set more than 20 years in the future, we’re given a good description of the technology that makes it possible and the state of the world. What is completely missing is any notion of anything cultural between the death of Prince and the time of the story. While I wouldn’t necessarily want to get distracted with a shard quest centered on a fictional piece of culture, I think the author has the writing chops to do exactly that and make it interesting, but does not.

Cline has been praised for his depiction of gender and sexuality in the book, and he deserves some credit for sure. During that bit, Wade tells us that with the new technology he had experienced sex as and with different genders and orientations. Cline should have had Wade realize he is pansexual after his admitted experiences having sex with and as different genders. But that little bit about the technology’s ability to let one experience sex differently is mostly relegated to one page of one chapter and ultimately, the book falls back on some common stereotypes in my eyes. The white girl knows all about John Hughes movies. The black girl knows all about Prince. The white boy and white girl know all about Tolkien. The Japanese boy knows the Japanese video game. Every main character has a hetero orientation except Aech, a lesbian. The only other character that suggests a different orientation, L0hengrin, is quickly glossed over. Even worse, she is potentially the most interesting new character of the entire book but is quickly put out of mind and used as a plot advancement point later with little fanfare.

Finally, while I really enjoy most of Cline’s writing style, there are small parts of the book that seem to break from the style of the first book and instead, are written as if they are lines from a movie script. In the board room when the four heroes meet the Low Five, they “run over to” greet them. In a board room with 10 people in it, there isn’t room to ‘run’. The main characters are treated as gods in the OASIS essentially, yet act like starry-eyed fans of someone that has already been written as a starry-eyed fan of them. This single scene had so many disconnects in my mind it stood out and made me wonder if Cline got distracted with notions of what the movie will look like.

Reference: Ready Player Two on Wikipedia.