- tl;dr sec
- Posts
- [tl;dr sec] #114 - Web Security, Detecting Container Drift, Reviewing 2021's Cloud Breaches
[tl;dr sec] #114 - Web Security, Detecting Container Drift, Reviewing 2021's Cloud Breaches
CSRF, web cache poisoning, and SSRF, detecting/fixing container drift at runtime, and three frequent sources of cloud security breaches and vulnerabilities in 2021.
Hey there,
I hope you’ve been doing well!
Aaaaand We’re Back!
Phew, it’s good to be back! I’m not going to lie, it was a bit strange to not send out a newsletter over the holidays. What was I supposed to, relax? Talk to family? Madness!
I hope you also got to relax.
I made lots of food with my family, watched some superspreader events sportsball games, and did an at-home mini boxing class with my sister and her partner, who both work part time at a boxing gym. Tip: don’t ignore investing effort in physical security too 💪
I also got to meet Internet-friend now in-real-life-friend Scott Piper for the first time, which was awesome.
I’ve enjoyed Scott’s work for a long time, so it was really fun getting to hang out.
Fun fact: Scott used to write an excellent newsletter called Downclimb, that I was quite sad when he stopped. But if he hadn’t, I may not have ever started tl;dr sec.
Years later we connected because of tl;dr sec, and then we met up in person. Funny how things work out sometimes.
Psst: you should write on the Internet too!
Sponsor
📢 Learn how to find Log4j exploitation attempts
You've patched your applications and systems for log4j, but do you know if you were compromised during the window of vulnerability? Visit our blog to learn about common exploitation strings, obfuscation techniques, and indicators of compromise (IOCs).
📜 In this newsletter...
Fuzzing: Use ClusterFuzzLite to enable easy fuzzing in CI
Cryptography: Multi-threaded seed recovery tool for common PRNGs
Web Security: Hakluke's tips on testing for CSRF, tool to automatically find CSRF, tool for testing for web cache poisoning, turning bad SSRF to good SSRF, attacking Java RMI via SSRF
Cloud Security: Autofixing Terraform, combining multiple IAM policies/statements into their effective permissions, reviewing 2021's cloud security breaches and vulnerabilities
Container Security: Using admission controllers to detect container drift at runtime, Kubernetes isn't about containers
Red Team: Tool to hide and transfer your payload using DNS
Politics / Privacy: China censures Alibaba for reporting Log4Shell publicly instead of giving them early access, links to delete your account on >100 services, digital security for filmmakers, Palantir's user manual for cops
Bypassing Paywalls: Tools you should use for academic, legal purposes only
Misc: Research round-up by Thinkst Canary, Daniel Miessler's top 4 security podcasts/newsletters, open source front-ends for popular Internet platforms, the backstories behind your favorite Christmas songs, a masterclass in casino cheating and scams
Fuzzing
ClusterFuzzLite: Continuous fuzzing for all
Google’s Jonathan Metzman announces ClusterFuzzLite, a tool to enable easy fuzzing in GitHub Actions, Google Cloud Build, Prow or any other CI you use. Pull request fuzzing, longer batch fuzzing, coverage reports and corpus pruning, and more.
Cryptography
altf4/untwister
Multi-threaded seed recovery tool for common PRNGs, by Bishop Fox’s Dan Petro et al. Currently supports Glibc’s rand(), Mersenne Twister, PHP and Ruby’s MT-variant, and Java’s Random() class.
Web Security
@hakluke: “There is still SO MUCH CSRF to find in bounty programs”
Hakluke’s thread of things to try.
0xInfection/XSRFProbe
A CSRF audit and exploitation toolkit by Pinaki, that can crawl sites, perform a variety of checks, and generate PoCs when a vulnerability is found.
Hackmanit/Web-Cache-Vulnerability-Scanner
A Go-based CLI tool for testing for web cache poisoning, by Hackmanit’s Maximilian Hildebrand. Currently supports 9 different web cache poisoning techniques.
Turning bad SSRF to good SSRF: Websphere Portal
Over the last few years, Assetnote’s Shubham Shah and colleagues have noticed a trend in SSRF vulnerabilities where they exploit a secondary service through open URL redirects. In this post, Shubham describes how they discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how they turned a restrictive, bad SSRF to a good SSRF.
The core concept of turning a bad SSRF to a good SSRF, relies on a few things:
1. Analyzing the HTTP client being used and the capabilities (i.e. can it follow redirects?)
2. Discovering a redirect gadget (i.e. an endpoint which allows you to redirect the request to an arbitrary URL)
3. Smuggling the redirect gadget in your original SSRF payload (i.e. can your SSRF payload reach the redirection endpoint in a meaningful way?)
Attacking Java RMI via SSRF
Tobias Neitzel discusses the conditions when Java RMI is SSRF-able, how default RMI components can be attacked, and how to compromise a backend JMX service via SSRF. Great technical walkthrough, loved the details.
See also Tobias’ remote-method-guesser, a Java RMI vulnerability scanner that can be used to identify and verify common security vulnerabilities on Java RMI endpoints.
Cloud Security
Programmatic Terraform config manipulation, Semgrep’s autofix, and an example of OSS contribution
HashiCorp’s Jamie Finnigan describes his process of writing a Semgrep rule to programatically check that all of his aws_instance resources have a metadata_options argument set (IMDSv2 mitigates a number of attacks), and add it if not. He also made an improvement to autofix, making it better for everyone 🙌
CloudWanderer-io/PolicyGlassBy CloudWanderer:
“PolicyGlass allows you to combine multiple AWS IAM policies/statements into their ‘effective permissions’, deduplicating permissions, and eliminating denied permissions along the way.” Playground in your browser here.
Cloud Security Breaches and Vulnerabilities: 2021 in Review
Christophe Tafani-Dereeper highlights three frequent sources of security breaches and vulnerabilities in 2021, gives a number of real world examples, and then provides recommendations on how to avoid these issues. They are: static credentials remain the major initial access vector, public S3 buckets, and stolen instance credentials through SSRF.
Container Security
Using Admission Controllers to Detect Container Drift at Runtime
Box’s Saifuding Diliyaer describes a new k8s component they’re releasing, kube-exec-controller, along with its corresponding kubectl plugin, which can detect potentially mutated containers at runtime (e.g. via kubectl exec), and evicting their Pods without affecting service availability.
Kubernetes isn’t about containers
It’s about APIs, says Josh Gavant. If you are, like me, a security person who’s at times confused by why our developer friends are so joyfully embracing the massive complexity that is Kubernetes, I think this post has some useful context.
With the spread of the Kubernetes resource model it’s already possible to describe an entire software-defined computing environment as a collection of Kubernetes resources. And unlike the custom formats and tools offered by individual cloud service providers, the Kubernetes’ descriptors are much more likely to run in many different provider and datacenter environments, because they all implement the same APIs.
Red Team
mhaskar/DNSStager
Tool by Mohammad Askar to hide and transfer your payload using DNS. DNSStager creates a malicious DNS server that handles DNS requests to your domain and returns your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding it. Blog post with more details.
Politics / Privacy
Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first
The Chinese government is mad at Alibaba for reporting Log4Shell publicly before telling them. I mean, what could be bad about the Chinese government having early access to easy RCE in thousands of systems around the world 😅
JustDelete.Me
A directory of direct links to delete your account from probably over 100 web services.
Digital Security for Filmmakers
A guide by the Freedom of the Press Foundation on safely maintaining access to your footage, options for private and secure communications, keeping your phone and desktop secure, and protecting your data when traveling.
Revealed: This Is Palantir’s Top-Secret User Manual for Cops
Motherboard obtained a Palantir user manual through a public records request.
• If police have a name that’s associated with a license plate, they can use automatic license plate reader data to find out where they’ve been, and when they’ve been there. This can give a complete account of where someone has driven over any time period.
• With a name, police can also find a person’s email address, phone numbers, current and previous addresses, bank accounts, social security number(s), business relationships, family relationships, and license information like height, weight, and eye color, as long as it’s in the agency’s database.
• The software can map out a person’s family members and business associates of a suspect, and theoretically, find the above information about them, too.
Sponsor
📢 JupiterOne: Cyber asset context and visibility for the cloud
As companies expand to the cloud, asset visibility worsens. The JupiterOne Cyber Asset Management Platform helps you get it back.
Answer complex security and infrastructure questions, understand the contextual relationships between assets, and build the foundation for your security program with JupiterOne.
Bypassing Paywalls
I didn’t get into infosec so I can play by your damn rules.
-Everyone in infosec
iamadamdev/bypass-paywalls-chrome
A web browser extension for Chrome and Firefox that helps bypass paywalls for 50+ sites, by @iamadamdev.
12ft Ladder
“Prepend 12ft.io/ to the URL of any paywalled page, and we’ll try our best to remove the paywall and get you access to the article.” By Thomas Millar.
Misc
Q4 2021: ThinkstScapes Quarterly
Another lovely quarterly summary by the folks at Thinkst Canary of interesting research pulled from over 20 conferences. Themes: making servers (over)work for fun and profit, difficulties and opportunities in network segmentation, improvements in tooling and how it allows for the measurement and verification of security properties in critical applications, AD and Azure, nifty sundries.
Comparing My Top Four Security Podcasts/Newsletters
Daniel Miessler compares and contrasts the focus, content, and tone of his four favorite security podcasts/newsletters: Darknet Diaries by Jack Rhisider, Risky Business by Patrick Gray, Daniel’s Unsupervised Learning, and… tl;dr sec, by yours truly! 🎉
mendel5/alternative-front-ends
An overview of alternative open source front-ends for popular internet platforms (e.g. YouTube, Twitter, Reddit, Spotify, etc.)
The Backstories Behind Your Favorite Christmas Songs
From the boozy origins of “Jingle Bells” to the melancholy roots of Mariah Carey’s “All I Want for Christmas Is You.”
Casino Cheating Expert Reviews Card Counting and Casino Scams From Movies
This was quite an enjoyable watch. “Casino game protection expert Sal Piacente reviews notorious card counting and casino game cheating scenes from films including ‘Rain Man,’ ‘Rounders,’ ‘The Sting,’ ‘Austin Powers,’ ‘Casino,’ ‘Ocean’s Thirteen,’ ‘The Cooler,’ ‘Runner Runner,’ ‘Now You See Me 2,’ ‘Shade’ and ‘21.’”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint