Weird hunting

Bug hunting, threat hunting... license hunting?

    Found myself doing some weird hunting, not finding anything special, but it was fun to keep some skills up. To start with, I was spending some time digging through some GitHub repos using a tool called trufflehog. This is a secrets-detection tool that's used specifically to determine whether secrets have been leaked in code repos. It's really good for finding leaked passwords, API keys, session tokens, etc. In my case, I was searching and stumbled across a result I wasn't too sure about. It was a .DS_Store file. These files are often left behind by Apple macOS when accessing specific filesystems (you can find details on why this is a thing with a quick google). The main idea, however, is that for support of specific systems, macOS used a metadata caching mechanism, mostly for filenames. Sometimes when you find these files, you can extract data from them in order to identify other files you should try to access. The file that prompted this is over here if you want to take a look, but just read on.

    I did a simple wget, then renamed it; for the purpose of investigating this I decided to name it weird.store. As you can see in this hexdump, before the start of the actual file, there is a license that reads:

# Copyright 2023 IBM Inc. All rights reserved.\n# SPDX-License-Identifier: Apache2.0

    This is really weird for it to be part of a non-text file (in my opinion), but I figure maybe it's something to do with unknown file types getting slapped with this license notice. First, let's dig into what this can tell us. I pulled open python and tried to take that part off of the file. I didn't know at this point whether the file was broken by this or not; I just wanted to see what would happen if that was done. Here's some images of that.



     I had to go back and remove a couple more unseen entities before I was left with what appears to be the original binary data, no longer the ASCII text that had been added to the front of the file.

    
    Now I have data to write back to a new file, and can confirm the file is what it appears to be.


    Once validated as a structurally meaningful file (using the file command), I went and grabbed a tool that parses .DS_Store files and lets you see the file names stored for the directory. In this case, it showed group_vars and host_vars.

    Now, none of that is really special, but it made me think "I should really make a way to detect these", so I wrote the following YARA rule:


rule LicenseIBM : IBM_License_file {
    meta:
        description = "Search for IBM License identifier, from SPDX. Found odd it was in several public repos inside .DS_Store files"
        author = "ferasdour"
    strings:
        // "#\n# Copyright 20?? IBM Inc. All rights reserved\n", with the last two digits of the year wildcarded
        $h1 = { 23 0a 23 20 43 6f 70 79 72 69 67 68 74 20 32 30 ?? ?? 20 49 42 4d 20 49 6e 63 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 0a }
        $s1 = "# SPDX-License-Identifier: Apache2.0" fullword ascii
    condition:
        // the file must begin with "#\n" (bytes 23 0a, read as little-endian uint16 0x0a23) and contain both strings
        uint16(0) == 0x0a23 and all of them
}


    So, I went back and tried to validate this within that git repo, at that branch (I did this as a git clone, then a git checkout of the branch id), but whatever:

    It's looking like a lot of files just arbitrarily had this added to them. I wonder if that's part of the licensing tool. Looking around, the other .DS_Store files didn't really have anything useful.




    Looking at all the file types found, it looks like mostly text files, archives, .DS_Store files, and scripts. I wound up using this command to look through the results and, really, there's nothing spectacular there except some now-defunct URI endpoints. bleh.

# for every file the rule flags, drop the 88-byte banner and grep the rest for credential-looking words
# (the original pattern had "secret|key" without the escaped "\|", so in basic regex it only matched the literal text "secret|key"; -E fixes that)
for i in $(yara ibmlicense.yar --recursive ./zmodstack-solutions/ | awk '{print $2}'); do python3 -c "open('test.file','wb').write(open('$i','rb').read()[88:])"; grep -iE "pass|secret|key|user|cred|api" test.file 2>/dev/null; done | sort -u | less
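The strip-and-validate step from earlier, and the fixed 88-byte skip in the loop above, done as one small script that measures the banner instead of assuming its length and then checks for the .DS_Store magic. This is an added example, not code from the original post; the sample bytes are constructed from the banner quoted above (the trailing period after "reserved" is made optional, since the YARA hex string has no period), and the fake store body is only a header, not a full valid .DS_Store.

```python
import re

# Banner as quoted in the post, with the year left variable (like the YARA rule's ?? bytes),
# an optional period after "reserved", and optional bare "#" lines around it (the "unseen
# entities" the post had to strip by hand).
BANNER_RE = re.compile(
    rb"\A(?:#\n)?# Copyright 20\d\d IBM Inc\. All rights reserved\.?\n"
    rb"# SPDX-License-Identifier: Apache2\.0\n(?:#\n)*"
)

# A real .DS_Store begins with a 4-byte alignment value of 1 followed by the "Bud1" magic.
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"


def strip_banner(data: bytes) -> tuple:
    """Remove the license banner if present; return (payload, bytes_removed)."""
    m = BANNER_RE.match(data)
    if m is None:
        return data, 0
    return data[m.end():], m.end()


def is_ds_store(data: bytes) -> bool:
    """Structural check comparable to what `file` reports for a .DS_Store."""
    return data.startswith(DS_STORE_MAGIC)


def recover(data: bytes) -> dict:
    """Strip the banner from a flagged file and say whether a .DS_Store is left behind."""
    payload, removed = strip_banner(data)
    return {"removed": removed, "ds_store": is_ds_store(payload), "payload": payload}


# Constructed sample: the quoted banner (88 bytes with the bare "#" lines) + a fake store header.
SAMPLE = (
    b"#\n# Copyright 2023 IBM Inc. All rights reserved.\n"
    b"# SPDX-License-Identifier: Apache2.0\n#\n"
    + DS_STORE_MAGIC + b"\x00" * 16
)

if __name__ == "__main__":
    result = recover(SAMPLE)
    print("banner bytes removed:", result["removed"], "- .DS_Store:", result["ds_store"])
    with open("clean.store", "wb") as out:  # same write-back step as the post, to a new file
        out.write(result["payload"])
```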


    I didn't really find anything on this hunt, but it gave me a clue on things to search for in similar repos, and on open services. It seems from this experience, that the 

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
