Discord? Discard!
Image by K4YT3X, adapted from Alexander Shatov; Unsplash License
Online multiplayer games often feature voice chat within the game so players can talk to each other while playing. For example, Rainbow Six Siege, a popular online FPS (first-person shooter), integrates TeamSpeak, a third-party VoIP (voice over internet protocol) solution, as its in-game voice chat system. These in-game voice chat solutions often have very few features, which led to the birth of Discord.
Figure 1: A gamer using Discord for voice chat (ELLA DON; Unsplash License)
Discord’s name shouldn’t be unfamiliar to any video gamer. It is one of the most popular voice chat platforms. Discord allows players to join servers and voice/text channels to communicate with each other during game sessions. It also provides fancy features like noise cancellation with Krisp and automation with Discord bots. Its elegantly designed user interface has made it popular beyond gamers. Although most of Discord’s users are still gamers (31.3% by 2021, according to a user survey), a lot of non-gamers and organizations also use Discord as their preferred communication platform. Many users use Discord as an instant messaging (IM) app as a replacement for traditional IMs like WhatsApp and Signal. However, you’ll see why this might not be a good idea after digging into their privacy policy and terms of service.
Discord, a Data Hoarder
A lot of people have heard the names of privacy-respecting apps like Signal and Telegram, especially after WhatsApp’s terms of service change in March 2021. However, not everyone knows exactly how these apps are more private.
One of the most commonly evaluated criteria is how much data an app collects. Thanks to Apple’s new policy, all apps published on the App Store must now display the categories of data they collect. We can do a simple comparison between Discord and Signal to see the differences. Discord’s App Store page shows that its mobile app collects the following categories of data:
Figure 2: App Store listing showing the data which Discord collects (source)
We can see that Discord collects seven categories of data, many of which could be private and sensitive. For instance, it collects the photos, videos, and all other content you send over the platform, which means that none of your conversations on Discord are truly private.
Figure 3: App Store listing showing the details of the data Discord collects (source)
In fact, Discord’s privacy policy reserves the right to collect almost everything generated from your use of their platform or sent over it. Discord could be silently collecting more categories of data than are listed on their App Store page, and their desktop app might be silently collecting more types of data than its iOS counterpart. For this reason, you should consider all of the activities you perform and data you share on Discord public. I would personally also consider Discord a semi-spyware.
Figure 4: Discord’s privacy policy reserving them the right to collect any data generated or transferred over their platform (source)
In contrast, Signal’s iOS app collects almost nothing. The only piece of information Signal collects is your phone number, which is required for the app to function since your phone number is your account ID. From this comparison, it is not hard to see that Discord is not very respectful of its users’ privacy: it collects far too much private information about you.
Figure 5: App Store listing showing the data which Signal collects (source)
Discord claims that they don’t sell users’ data, but they legally can: there is no clause in their privacy policy or terms of service that prevents them from doing so. Even if they strictly keep it to themselves, data breaches can still happen. Equifax’s massive data breach didn’t happen that long ago.
Discord may also share your data with law enforcement. In 2018, the FBI scraped the chat history of the leader of the “Unite the Right” protest in Charlottesville, and that chat history was found to be admissible evidence in court. Some of the chat history was also published online by news media. Discord’s transparency report also shows that they comply with most of the requests they receive from law enforcement:
Figure 6: Discord’s compliance history with law enforcement requests in H1 2021 (source)
The horror story doesn’t end there. There are more caveats in Discord’s privacy policy and terms of service. In 2018, Discord modified their terms of service and revoked users’ right to sue the company or join a class-action lawsuit. The new dispute resolution provision forces users into arbitration with the company and prevents them from going to a court trial, which means no jury will be involved in the process, potentially a huge disadvantage for the user.
Figure 7: A section of Discord’s dispute resolution provision (source)
Furthermore, a class waiver clause prevents the user from entering any class-action lawsuit. Combined with the dispute resolution provision, Discord has forced users into arbitration alone with the company should there be a dispute, which puts the user in a very uncomfortable position for holding the company accountable for anything it does.
Figure 8: The class waiver in Discord’s terms of service (source)
There are many more caveats in Discord’s privacy policy and terms of service. It is both time-consuming and difficult for an average user with an untrained eye to pick out all of the legal tricks Discord pulled off in its documents. Luckily, an open-source, volunteer-powered project called ToS;DR can help. Many volunteers, including professional lawyers, translate and summarize the complicated legal language in different platforms’ terms of service documents into plain English to help average users better understand what they’re up against. You can view their page for Discord to see exactly what else Discord is hiding in its documents:
Figure 9: Caveats in Discord’s privacy policy and terms of service listed by ToS;DR
If the reasons above still aren’t enough for you to quit Discord, here are some more. Richard Matthew Stallman has also written a post discouraging people from using Discord. You can also see a more technical analysis here of why Discord is very close to being spyware.
What if I Have to Use It
While Discord might not be the ideal platform for anything private or sensitive, it may still be a compelling or even the only option for communication in a lot of scenarios. For instance, a conference might be organized entirely on Discord, or the game party you play with might only use Discord. If you absolutely have to keep using Discord for some reason, here are some tips to minimize Discord’s impact on your privacy:
1. Don’t Send Private/Sensitive Messages
As the previous sections have discussed, Discord isn’t the best place to send private or sensitive messages, because Discord can see all your messages and has both the power and the will to share them with law enforcement. Minimize your conversations and activities on Discord to minimize Discord’s impact on your privacy.
2. Mark Your Chats NSFW
By default, Discord’s explicit content filter reads through all of the messages you send in order to flag explicit material. If you don’t want this automated service reading all of your chat messages, you can mark your channel NSFW: the explicit content filter does not scan messages sent in channels labeled NSFW.
3. Use the Web App
Use the web version of Discord in your browser instead of the desktop app. A native desktop application can access a lot of information on your computer, such as what other apps you’re running, how long your computer has been on, and so on. Even if Discord isn’t collecting some of that information now, Discord can easily update its app to silently start collecting it in the future. In contrast, modern browsers like Chrome are heavily sandboxed so that malicious web pages cannot harm your computer. Discord’s web app can access far less of your information than its desktop counterpart. Run Discord in your browser unless you truly need its desktop-only features.
Figure 10: Logging into Discord in your browser (source)
4. Sandbox the Desktop App
If you have to use Discord’s desktop app, perhaps because you need a feature that’s only available in the desktop version, consider running Discord inside a sandbox like Sandboxie or Firejail. These sandboxes limit Discord’s access to your computer and minimize its footprint on the system.
5. Tweak Discord’s Privacy Settings
There are several settings you can tweak within Discord’s privacy settings to protect your privacy. By default, Discord scans all of your direct messages for explicit content, which means their bot reads all of your messages. You can disable this feature so the bot doesn’t read your chats:
Figure 11: Discord’s safe direct messaging setting
You can also limit what Discord may use your data for in the settings. It is also a good idea to periodically request your data from Discord to see how much Discord knows about you.
Figure 12: Discord’s data usage settings
Another thing to be mindful of is how using Discord could affect your digital identity. Discord is a strongly gamer-flavored platform. Preferring it as your default method of communication might leave others with the impression that you’re somewhat “unprofessional.” By default, Discord also shows other users the game you’re playing or the app you’re using, and the kinds of games you play or apps you use may tell other users things about you.
Figure 13: Discord’s status panel showing what other users are doing
In both Signal and Telegram, you can set self-destruct timers for messages. You can even delete both your own and the other person’s messages in a private chat for both parties. Unlike Signal and Telegram, Discord makes it much harder to delete your past messages and conversations. What you said a long time ago can easily be dug up, so you’ll need to be extra careful about what you say on Discord. It might be used against you someday and ruin your image.
Why Privacy Matters
Almost the entirety of this article explains how Discord undermines your privacy, but a response I often come across is, “so what?” To answer this question for readers wondering the same, below are some great resources explaining exactly why privacy is important:
- Privacy Is a Human Right: With this article, the Tor Project, the organization that built the famous Tor Browser, started a campaign explaining why privacy matters: because it’s a human right. The Tor Project’s argument is simple: privacy is important because it was declared a human right in the Universal Declaration of Human Rights in 1948, and that is reason enough for people to respect and protect their own and other people’s privacy.
- The terrifying now of big data and surveillance: A conversation with Jennifer Granick: One of the issues with Discord is its willingness to aid law enforcement. In this interview with TED, Jennifer Granick, an American attorney, says “if you care about any political issue – whether it’s tax reform or Black Lives Matter – we need to ensure these people can operate freely in the political world.” When platforms like Discord deprive people of their privacy and carelessly hand their data to authorities, it affects much more than an individual’s comfort. The lack of privacy in a society threatens that society’s free will.
Aside from the resources listed above, a slightly older presentation from 2014 by Glenn Greenwald named Why Privacy Matters also does a fantastic job at explaining the importance of privacy.
- https://k4yt3x.com/discord-discard/ - 2019-2024 K4YT3X. All rights reserved.
[Closed] DEVCORE 2022 Internship Program
Since its founding in 2012, DEVCORE is entering its tenth year. We care deeply about Taiwan’s information security and focus on finding the most serious vulnerabilities to protect the world. Although the company has not grown quickly, as we gradually find our footing we have not forgotten our original intent: since 2020 we have established security scholarships at Fu Jen Catholic University and National Taiwan University of Science and Technology; at the end of 2021 we expanded hiring to find people who share our ideals and will work alongside us; and now we are trying an internship program, hoping to nurture talent and strengthen the security skills of the next generation. If you are interested in this program, please email us to apply!
Internship Content
This internship is divided into two tracks, Binary and Web, with the following main content:
- Binary
Research-focused. After agreeing on a research target with your mentor, you analyze the target’s architecture and perform reverse engineering or code review, training your way of thinking through this process to find possible attack surfaces and potential weaknesses. You will also try writing exploits for past vulnerabilities to experience how real-world vulnerabilities are exploited.
- Vulnerability discovery and research 70%
- 1-day development (exploitation) 30%
- Web
Under the guidance and support of a mentor, research past vulnerabilities and the new kinds of vulnerabilities and attack techniques common in recent years. You will need to prepare slides presenting your results and build a simulated test environment (lab) that lets others reproduce the weakness, and you may need to write or modify exploit code to verify vulnerabilities.
- Vulnerability and attack technique research 70%
- Building labs 30%
13F, No. 32, Section 3, Bade Road, Songshan District, Taipei City (台北市松山區八德路三段 32 號 13 樓)
Internship Period
- April 2022 to the end of July 2022, four months in total.
- Two working days per week, 10:00 – 18:00
- One fixed afternoon per week, 14:00 - 18:00, must be spent at the office to discuss progress
- All other time is remote work
Students in their third year (or above) of college or university with a reasonable background in information security
Planned Intake
- Binary track: 2
- Web track: 2 to 3
NT$16,000 per month
Recruitment Requirements and Process
Internship Requirements
Binary
- Basic reverse engineering and debugging ability
- Able to read assembly and understand basic debugger techniques
- Basic exploitation ability
- Must know ROP, heap exploitation and related techniques
- Basic scripting language development ability
- Python, Ruby
- Able to analyze large open source projects
- Mainly C/C++
- Basic operating system knowledge
- For example, understanding the concepts of virtual and physical addresses
- Code auditing
- Knowing what kinds of code are problematic
- Buffer overflow
- Use after free
- Race condition
- …
- Passion for research and a habit of understanding the essence of a technique
- Nice to have, not required
- CTF competition experience
- pwnable.tw ranking
- A public technical blog, slides or write-ups
- Proficiency with IDA Pro or Ghidra
- Have written 1-day exploits
- Experience with any of the following
- Kernel exploits
- Windows exploits
- Browser exploits
- Bug bounty
Web
- Familiar with the OWASP Web Top 10.
- Understand all of the security topics in the PortSwigger Web Security Academy, or have completed all of its labs.
- Reference: https://portswigger.net/web-security/all-materials
- Understand the basic concepts of computer networking.
- Comfortable with the command line, including common or built-in system commands on Unix-like and Windows operating systems.
- Familiar with at least one web programming language (e.g. PHP, ASP.NET, JSP) and able to build a complete web service.
- Familiar with at least one scripting language (e.g. shell script, Python, Ruby) and able to use scripts to support research.
- Debugging ability: able to use a debugger to trace program flow, and to reproduce and narrow down problems.
- Able to build and configure common web servers (e.g. Nginx, Apache) and operating systems (e.g. Linux).
- A spirit of getting to the bottom of things.
- Nice to have, not required
- Have independently discovered a 0-day vulnerability.
- Have independently analyzed a known vulnerability and written a 1-day exploit.
- Have authored and built challenges for a CTF competition.
- Hold the OSCP certification or an equivalent certification.
The selection has three stages:
Stage 1: Document Review
The first stage is a document review covering the following two items
- Document review
- Short-answer quiz (2 questions; see the application instructions below)
We decide whether you pass the first stage based on your résumé and your answers to the short-answer questions. We will reply within seven working days on whether you have passed the first stage and, as appropriate, attach the second-stage problems.
Stage 2: Skills Test
- Binary
- In the second stage we decide, based on your résumé or any material demonstrating binary exploitation skills, whether you need to solve additional problems. If the material does not meet the bar, we will prepare binary exploitation problems; in principle you will have about two weeks to solve them. After solving them, be sure to write down your solution process (write-up); once we receive it, we will decide based on your situation whether you proceed to the third stage.
- Web
- None
Stage 3: Interview
This stage is a 1 to 2 hour interview with 2 to 3 senior colleagues, assessing whether you have the technical skills and personal qualities this internship requires.
How to Apply
- Send your résumé and your answers to the short-answer questions as a single PDF to [email protected]
- Subject line format: [應徵] <position> <your name> (example: [應徵] Web 組實習生 王小美, i.e. “[Application] Web track intern Wang Xiao-mei”)
- Keep your résumé to two pages at most; it must include at least the following:
- Basic information
- Education
- Internship experience
- Community activity experience
- Notable achievements
- Past security-related research
- Your expectations for this internship
- MBTI personality test result (test page)
- The short-answer questions are below; answer according to the track you are applying for. There is no page limit and you may answer freely
- Binary
- Suppose you are analyzing a web server written in C/C++. During program execution, where do you think problems could arise that lead to the program’s control flow being hijacked, and why?
- On a Linux machine, when analyzing a CGI program: the CGI is invoked by apache, which passes it its input, and it exits immediately after running. How would you debug such a program?
- Web
- When you type a URL (e.g. http://site.fake.devco.re/index.php?foo=bar) into the browser’s address bar and press Enter, what happens between then and the page appearing? Explain as fully as you can in writing, based on your knowledge.
- Based on your answer to the previous question, pick any scenario you like and explain in writing, as fully as you can, the security issues, attack targets or attack surfaces that could arise at each step of that scenario.
If you have questions about applying, please contact us by email only. We apologize for any inconvenience; we appreciate your email and look forward to having you join us!
Reproducing an eBPF-based Docker Escape
During the implementation, ScUpax0s gave me a lot of guidance and saved me from many detours. Thanks to him!
0x01 Why eBPF Can Help Escape Docker
eBPF lets users write code in user space which, once the verifier has scanned it and found no problems, is loaded into the kernel to run. eBPF can be attached at many points in a Linux system; when execution reaches the chosen point, the user-defined code runs to collect or modify data. eBPF therefore lets users monitor every aspect of Linux from user space, efficiently and safely. Since it can read, and also modify, attackers can naturally use it for harm as well. Even better for them: in a Docker environment the container and the host share the same kernel, so if a container is granted CAP_SYS_ADMIN and an eBPF program is successfully loaded inside the container, that program runs directly in the system’s kernel and ignores all of the container’s isolation mechanisms. An eBPF program that can do harm on the host can do exactly the same from inside a container: whatever it can do in the host environment, it can do from the container, breaking isolation in one step.
0x02 Escaping by Hijacking cron with BPF
Although it looks easy, actually achieving the escape takes some work. eBPF code only runs when the attached probe point fires; it can read arguments and read or write user memory at given addresses, but it cannot directly issue a system call and pop a shell. The eBPF-based escape on seebug proposed an approach: use cron. The cron service implements scheduled tasks on Linux. Every so often it checks whether its configuration file has changed and, if so, re-reads the file and schedules command execution according to its contents. So by hijacking cron’s accesses to its configuration file, tampering with the file’s modification time and the content it reads, we can trick cron into executing our prepared command. Since cron runs on the host, tricking cron into running a command amounts to running a command on the host, which is the escape.
0x03 Overall Program Structure
In my implementation I only attach to raw_tracepoint/sys_exit (i.e. when a system call returns). I saw that other implementations attach to raw_tracepoint/sys_enter (system call entry) because they need the incoming arguments, but in my own testing I found that this information is also available at return time, so my implementation only hooks sys_exit. As the code shows, it first obtains the name of the process that made the system call via bpf_get_current_comm and returns if it is not the target process name (cron in our case), so as not to interfere with programs it shouldn’t. This shows the benefit of intercepting all system calls at the single raw_tracepoint/sys_exit point and handling them in one place, rather than intercepting them one at a time at points like tp/syscalls/sys_exit_read: the check for whether this is the target process only has to be done once, which saves a lot of effort. Once that check passes, the system call number obtained via BPF_CORE_READ(regs, orig_ax) goes into a switch statement, and each system call number is handled by its own function. Handling another call is then just a matter of adding a case and implementing one more function, which makes the program easy to extend.
0x04 Hijacking cron’s Reads
Our goal is to hijack the cron program’s reads of /etc/crontab and modify the content it reads. To do that, let’s first look at how it reads the file.
As shown in the figure, after editing /etc/crontab (to refresh its last-modified time) and tracing cron’s system calls with strace -p <pid>, we can see that when cron reads /etc/crontab it first opens it with openat and then reads it with read. Note that, as the top of the figure shows, cron also reads other files, so we cannot blindly hijack every read and insert our command; the hijack has to be targeted.
For a targeted hijack, we need to know which file a read call refers to at the time we hook it, and that cannot be obtained directly from the relevant registers when read returns. So we need to capture the file name when openat is called and record it in a map. A map is the key-value storage that BPF provides; we can use it to keep data around more persistently than a single probe invocation.
As shown in the figure, when openat is called the code first checks whether the file is one we are interested in (here /etc/crontab); if so, it packs the process’s pid and the file descriptor fd into a struct as the key, stores it in the map, and sets the value to 1.
The struct is our own definition. We pack pid and fd together because the combination of pid and fd is unique; if we only recorded the fd, several processes starting at the same time would make the records ambiguous. In plain language, the code above does this: “when /etc/crontab is seen being opened, record the opener’s pid and the fd it received”.
Of course, files that are opened are also closed. If the file we are interested in is closed after being read and the program then opens another file that happens to receive the same fd number, our eBPF program would wrongly treat it as the file of interest and tamper with it, causing all sorts of errors. So we also need to record the closed file when the close system call returns; the approach is much the same as handle_exit_openat above, and interested readers can look at the handle_exit_close implementation on GitHub. With that bookkeeping in place, we can safely hijack the read call and tamper with its result.
As the code shows, when read returns we first check with bpf_map_lookup_elem whether the key exists. If it exists and its value is 1 (i.e. it is the file we are interested in and it has not been closed), we check whether the return value (the number of bytes read) is larger than the PAYLOAD we are about to write; if so, we write into user space with bpf_probe_write_user at the address read returned its data into, which ultimately changes the value that was read.
0x05 Hijacking cron’s Modification-Time Check
Returning to the same strace output, it shows how cron decides whether the file has been modified. It checks twice with the newfstatat call: once with filename /etc/crontab, and once with an empty filename but dfd set to the file descriptor of /etc/crontab. Testing shows that both checks must be fooled before cron will re-read /etc/crontab (and then be fooled by us).
So the code first compares the fd, then the file name; if either indicates the /etc/crontab file, it sets the modification time in the returned struct to a random number.
(While writing this post I noticed the code had forgotten the if(thisistarget) check; I fixed it in a hurry. The calculator still pops up, but there may be other bugs. In any case, the overall idea is correct.)
0x06 Docker Escape & Popping a Calculator
The most exciting part is the final escape and the calculator pop-up. A few small details still need handling to make it work.
First, add -static to CFLAGS in the makefile. This is the static linking option, which bundles the libraries into the binary at compile time; it is needed because Docker images often lack libraries, so a normally compiled binary would not run correctly there. Next is the matter of popping the calculator. Since the command runs as root, it first has to switch to the currently logged-in user, and it has to set the DISPLAY variable so that the GUI program shows up in the logged-in session. The crontab command that pops the calculator is therefore sudo -i -u <username> "/bin/bash" -c "DISPLAY=:0 gnome-calculator"& With these problems solved, compile the binary.
Start a container with CAP_SYS_ADMIN using docker run -ti --cap-add SYS_ADMIN ubuntu:latest /bin/bash, copy the binary in and run it, wait a minute, and the calculator pops up.
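The whole chain above hinges on the --cap-add SYS_ADMIN step, so the check a defender wants is whether a container process actually holds a capability that lets it load and attach eBPF. The following audit helper is an added example, not code from the original post or its repository: it parses /proc/<pid>/status-style text (constructed samples inline) and reports the BPF-relevant capabilities in the effective set. The bit numbers come from the kernel's capability.h, and the CAP_BPF/CAP_PERFMON rule assumes a 5.8 or newer kernel.

```python
"""Audit a process's effective capability mask for the privileges that
allow bpf() program loading. Added example; assumes /proc/<pid>/status
format, where CapEff holds a 64-bit hex mask."""
import re
from typing import Dict, List

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_SYS_ADMIN = 21   # what `--cap-add SYS_ADMIN` grants; bpf() on any kernel
CAP_PERFMON = 38     # with CAP_BPF, allows attaching tracing programs (>= 5.8)
CAP_BPF = 39         # bpf() without CAP_SYS_ADMIN (>= 5.8)
RISKY = {"CAP_SYS_ADMIN": CAP_SYS_ADMIN, "CAP_PERFMON": CAP_PERFMON, "CAP_BPF": CAP_BPF}


def parse_cap_masks(status_text: str) -> Dict[str, int]:
    """Return every Cap* line (CapInh/CapPrm/CapEff/CapBnd/CapAmb) as an int mask."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]{1,16})$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    if "CapEff" not in masks:
        raise ValueError("no CapEff line found in status text")
    return masks


def risky_caps(status_text: str) -> List[str]:
    """Names of the BPF-relevant capabilities set in the effective mask."""
    eff = parse_cap_masks(status_text)["CapEff"]
    return [name for name, bit in RISKY.items() if (eff >> bit) & 1]


def can_load_bpf(status_text: str) -> bool:
    """True if the process could load and attach a tracing eBPF program:
    CAP_SYS_ADMIN alone is enough; on >= 5.8, CAP_BPF plus CAP_PERFMON also is."""
    caps = set(risky_caps(status_text))
    return "CAP_SYS_ADMIN" in caps or {"CAP_BPF", "CAP_PERFMON"} <= caps


# Constructed /proc/<pid>/status excerpts, not captured from a real host.
# Docker's default capability set leaves bit 21 clear; the second sample
# is the same mask with CAP_SYS_ADMIN (0x200000) added.
DEFAULT_CONTAINER = "Name:\tbash\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
SYS_ADMIN_CONTAINER = "Name:\tbash\nCapEff:\t00000000a82425fb\nCapBnd:\t00000000a82425fb\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER),
                        ("--cap-add SYS_ADMIN", SYS_ADMIN_CONTAINER)):
        print(f"{label}: risky={risky_caps(text)} can_load_bpf={can_load_bpf(text)}")
```

On a live host, feed it the output of docker exec <container> cat /proc/1/status; a default container reports no risky capability, which is exactly why the escape needs --cap-add SYS_ADMIN.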