[tl;dr sec] #114 - Web Security, Detecting Container Drift, Reviewing 2021's Cloud Breaches

Hey there,

I hope you’ve been doing well!

Aaaaand We’re Back!

Phew, it’s good to be back! I’m not going to lie, it was a bit strange to not send out a newsletter over the holidays. What was I supposed to, relax? Talk to family? Madness!

I hope you also got to relax.

I made lots of food with my family, watched some superspreader events sportsball games, and did an at-home mini boxing class with my sister and her partner, who both work part time at a boxing gym. Tip: don’t ignore investing effort in physical security too 💪

I also got to meet Internet-friend now in-real-life-friend Scott Piper for the first time, which was awesome.

I’ve enjoyed Scott’s work for a long time, so it was really fun getting to hang out.

Fun fact: Scott used to write an excellent newsletter called Downclimb, that I was quite sad when he stopped. But if he hadn’t, I may not have ever started tl;dr sec.

Years later we connected because of tl;dr sec, and then we met up in person. Funny how things work out sometimes.

Psst: you should write on the Internet too!

Fuzzing

ClusterFuzzLite: Continuous fuzzing for all
Google’s Jonathan Metzman announces ClusterFuzzLite, a tool to enable easy fuzzing in GitHub Actions, Google Cloud Build, Prow or any other CI you use. Pull request fuzzing, longer batch fuzzing, coverage reports and corpus pruning, and more.

Cryptography

altf4/untwister
Multi-threaded seed recovery tool for common PRNGs, by Bishop Fox’s Dan Petro et al. Currently supports Glibc’s rand(), Mersenne Twister, PHP and Ruby’s MT-variant, and Java’s Random() class.

Web Security

@hakluke: “There is still SO MUCH CSRF to find in bounty programs”
Hakluke’s thread of things to try.

0xInfection/XSRFProbe
A CSRF audit and exploitation toolkit by Pinaki, that can crawl sites, perform a variety of checks, and generate PoCs when a vulnerability is found.

Hackmanit/Web-Cache-Vulnerability-Scanner
A Go-based CLI tool for testing for web cache poisoning, by Hackmanit’s Maximilian Hildebrand. Currently supports 9 different web cache poisoning techniques.

Turning bad SSRF to good SSRF: Websphere Portal
Over the last few years, Assetnote’s Shubham Shah and colleagues have noticed a trend in SSRF vulnerabilities where they exploit a secondary service through open URL redirects. In this post, Shubham describes how they discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how they turned a restrictive, bad SSRF to a good SSRF.

Attacking Java RMI via SSRF
Tobias Neitzel discusses the conditions when Java RMI is SSRF-able, how default RMI components can be attacked, and how to compromise a backend JMX service via SSRF. Great technical walkthrough, loved the details.

See also Tobias’ remote-method-guesser, a Java RMI vulnerability scanner that can be used to identify and verify common security vulnerabilities on Java RMI endpoints.

Cloud Security

Programmatic Terraform config manipulation, Semgrep’s autofix, and an example of OSS contribution
HashiCorp’s Jamie Finnigan describes his process of writing a Semgrep rule to programatically check that all of his aws_instance resources have a metadata_options argument set (IMDSv2 mitigates a number of attacks), and add it if not. He also made an improvement to autofix, making it better for everyone 🙌 

CloudWanderer-io/PolicyGlassBy CloudWanderer:
“PolicyGlass allows you to combine multiple AWS IAM policies/statements into their ‘effective permissions’, deduplicating permissions, and eliminating denied permissions along the way.” Playground in your browser here.

Cloud Security Breaches and Vulnerabilities: 2021 in Review
Christophe Tafani-Dereeper highlights three frequent sources of security breaches and vulnerabilities in 2021, gives a number of real world examples, and then provides recommendations on how to avoid these issues. They are: static credentials remain the major initial access vector, public S3 buckets, and stolen instance credentials through SSRF.

Container Security

Using Admission Controllers to Detect Container Drift at Runtime
Box’s Saifuding Diliyaer describes a new k8s component they’re releasing, kube-exec-controller, along with its corresponding kubectl plugin, which can detect potentially mutated containers at runtime (e.g. via kubectl exec), and evicting their Pods without affecting service availability.

Kubernetes isn’t about containers
It’s about APIs, says Josh Gavant. If you are, like me, a security person who’s at times confused by why our developer friends are so joyfully embracing the massive complexity that is Kubernetes, I think this post has some useful context.

Red Team

mhaskar/DNSStager
Tool by Mohammad Askar to hide and transfer your payload using DNS. DNSStager creates a malicious DNS server that handles DNS requests to your domain and returns your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding it. Blog post with more details.

Politics / Privacy

Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first
The Chinese government is mad at Alibaba for reporting Log4Shell publicly before telling them. I mean, what could be bad about the Chinese government having early access to easy RCE in thousands of systems around the world 😅 

JustDelete.Me
A directory of direct links to delete your account from probably over 100 web services.

Digital Security for Filmmakers
A guide by the Freedom of the Press Foundation on safely maintaining access to your footage, options for private and secure communications, keeping your phone and desktop secure, and protecting your data when traveling.

Revealed: This Is Palantir’s Top-Secret User Manual for Cops
Motherboard obtained a Palantir user manual through a public records request.

Bypassing Paywalls

iamadamdev/bypass-paywalls-chrome
A web browser extension for Chrome and Firefox that helps bypass paywalls for 50+ sites, by @iamadamdev.

12ft Ladder
“Prepend 12ft.io/ to the URL of any paywalled page, and we’ll try our best to remove the paywall and get you access to the article.” By Thomas Millar.

Misc

Q4 2021: ThinkstScapes Quarterly
Another lovely quarterly summary by the folks at Thinkst Canary of interesting research pulled from over 20 conferences. Themes: making servers (over)work for fun and profit, difficulties and opportunities in network segmentation, improvements in tooling and how it allows for the measurement and verification of security properties in critical applications, AD and Azure, nifty sundries.

Comparing My Top Four Security Podcasts/Newsletters
Daniel Miessler compares and contrasts the focus, content, and tone of his four favorite security podcasts/newsletters: Darknet Diaries by Jack Rhisider, Risky Business by Patrick Gray, Daniel’s Unsupervised Learning, and… tl;dr sec, by yours truly! 🎉 

mendel5/alternative-front-ends
An overview of alternative open source front-ends for popular internet platforms (e.g. YouTube, Twitter, Reddit, Spotify, etc.)

The Backstories Behind Your Favorite Christmas Songs
From the boozy origins of “Jingle Bells” to the melancholy roots of Mariah Carey’s “All I Want for Christmas Is You.”

Casino Cheating Expert Reviews Card Counting and Casino Scams From Movies
This was quite an enjoyable watch. “Casino game protection expert Sal Piacente reviews notorious card counting and casino game cheating scenes from films including ‘Rain Man,’ ‘Rounders,’ ‘The Sting,’ ‘Austin Powers,’ ‘Casino,’ ‘Ocean’s Thirteen,’ ‘The Cooler,’ ‘Runner Runner,’ ‘Now You See Me 2,’ ‘Shade’ and ‘21.’”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint