This Week in Security: The AI Hacker, FortMajeure, and Project Zero
One of the hot topics currently in the security community is the use of Large Language Models (LLMs) for security research. While some LLMs have been known to produce poor-quality reports on vulnerabilities, there are also efforts underway to put these models to work on actually useful research.
The AI Hacker: A Failure of Creativity and Analysis
One such story comes from Romy Haik at ULTRARED, who attempted to build an AI-powered "hacker" using LLMs. The goal was to create a multi-LLM orchestra that could analyze vulnerabilities and generate commands for tools to exploit them.
Romy's approach involved training multiple LLMs on various types of attacks, with the top LLM acting as the "controller" that maintained state throughout the process. However, the results were less than spectacular. Despite finding several real vulnerabilities, including Remote Code Execution (RCE), SQL injection, and Cross-Site Scripting (XSS) flaws, the AI stack also generated numerous false positives.
So what went wrong? Romy attributes the failure to two main issues: the LLM's inability to accurately analyze the results of its attacks, and a fundamental flaw in the design of the system itself. Specifically, the controller LLM struggled to understand the context of the vulnerability it had discovered, leading to incorrect conclusions.
Despite these challenges, Romy's experiment highlights the potential of LLMs for security research, particularly when combined with more traditional approaches like fuzzing and manual analysis. The key takeaway is that while AI can be a powerful tool in this space, it requires careful design and fine-tuning to achieve meaningful results.
FortMajeure: A Tale of Unvalidated Certificates
In another fascinating story, 0x_shaq discovered a vulnerability in FortiWeb that allows an attacker to bypass authentication through a session cookie validation flaw. The problem is that the Era field in the cookie is not properly validated, allowing an attacker to inject arbitrary data.
The Attack
The attack works by crafting a session cookie with an invalid Era value, which allows the attacker to access uninitialized memory containing the encryption and signing key for the session. By exploiting this vulnerability, an attacker can gain control of the session and potentially escalate privileges.
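An added example (not FortiWeb's code and not taken from the original write-up) that models the missing check in C. It assumes the Era value is used as an index into a table of session keys; the table sizes, key bytes and function names are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN     32
#define VALID_ERAS  2  /* assumption: key slots the server actually initializes */
#define TABLE_SLOTS 8  /* assumption: models the memory that follows the real keys */

/* Constructed model: slots [0, VALID_ERAS) hold session keys, the remaining
 * slots stand in for adjacent memory that was never filled in (all zero). */
static uint8_t key_table[TABLE_SLOTS][KEY_LEN];

void init_keys(void) {
    memset(key_table, 0, sizeof key_table);
    for (size_t e = 0; e < VALID_ERAS; e++)
        for (size_t i = 0; i < KEY_LEN; i++)
            key_table[e][i] = (uint8_t)(0xA5 ^ (e * 31 + i)); /* placeholder key bytes */
}

/* Flawed pattern: the cookie's Era selects the key without checking that the
 * slot was ever initialized. The bound here only keeps the model in range. */
const uint8_t *key_for_era_unchecked(uint32_t era) {
    if (era >= TABLE_SLOTS) return NULL;
    return key_table[era];
}

/* Hardened lookup: reject any Era that does not name an initialized key,
 * before decryption or signature verification touches the cookie. */
const uint8_t *key_for_era(uint32_t era) {
    if (era >= VALID_ERAS) return NULL;
    return key_table[era];
}

/* Returns 1 if the key is one repeated byte, i.e. knowable by any client. */
int key_is_predictable(const uint8_t *key) {
    for (size_t i = 1; i < KEY_LEN; i++)
        if (key[i] != key[0]) return 0;
    return 1;
}

int main(void) {
    init_keys();
    for (uint32_t era = 0; era < 4; era++) {
        const uint8_t *weak = key_for_era_unchecked(era);
        printf("era=%u unchecked:%s hardened:%s\n", (unsigned)era,
               key_is_predictable(weak) ? "predictable key" : "real key",
               key_for_era(era) ? "accepted" : "rejected");
    }
    return 0;
}
```

A server-side log line for every rejected Era value gives defenders a cheap signal that someone is probing the cookie parser.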
Patches Available
Fortunately, patches are available for FortiWeb, and 0x_shaq has provided detailed instructions on how to apply them. It's essential for anyone running FortiWeb to update their software as soon as possible to prevent exploitation of this vulnerability.
Project Zero: New Disclosure Timelines and a Vulnerability in Linux
Google's Project Zero team recently announced a new trial change to disclosure timelines, which aims to reduce the window for vendors to patch vulnerabilities before they are publicly disclosed. The new policy includes a one-week pre-disclosure period, during which the vulnerability is added to a list of upcoming releases.
The Linux Vulnerability
Another recent discovery from Project Zero involves a vulnerability in the Linux kernel that could be triggered from within the Chrome renderer sandbox using Unix sockets. The issue arises when the kernel logic for this feature becomes confused, leading to freed memory being accessed and potentially allowing an attacker to execute arbitrary code.
The Exploit
The exploit involves constructing a fake object in user-controlled memory, triggering the increment of a byte into the freed data structure, and then using the socket again to coerce the kernel into using the fake object. While this is a challenging exploit to achieve, it highlights the importance of proper memory management in Linux.
Patches Available
Patches are available for the affected version of the Linux kernel, and developers should apply them as soon as possible to prevent exploitation of this vulnerability.
DARPA Challenge: Buttercup AI Cyber Reasoning System (CRS)
The US DARPA-sponsored competition recently took place at DEF CON, where security professionals were challenged to find vulnerabilities in a C or Java codebase using various AI-powered tools. The winner of the challenge was Team Atlanta, who used an AI-guided fuzzing approach to identify and exploit several vulnerabilities.
The Challenge
Team Atlanta faced a unique set of challenges during the competition, including the need to avoid modifying the provided fuzzing harnesses and instead write patches to fix the issues they found. This required a high degree of creativity and problem-solving skills.
The Results
Despite an initial setback due to a path checking rule, Team Atlanta successfully completed the challenge and was awarded first place. Their approach highlights the potential of AI-powered tools for security research and vulnerability discovery.
Xerox FreeFlow Core: A Pair of Exploits
Cymulate recently reported on a pair of exploits targeting Xerox FreeFlow Core, which could enable an unauthenticated Remote Code Execution (RCE) attack. The first exploit involves an XML External Entity (XXE) injection issue, while the second exploit uses a simple file upload with path traversal to create a webshell dropper.
The Exploits
Both exploits rely on vulnerabilities in the Axis Communications protocol for controlling security cameras. The more serious of the two exploits could allow an attacker to execute arbitrary code on the camera's system, potentially leading to further exploitation.
Patches Available
Patches are available for Xerox FreeFlow Core, and users should apply them as soon as possible to prevent exploitation of these vulnerabilities.