[tl;dr sec] #114 - Web Security, Detecting Container Drift, Reviewing 2021's Cloud Breaches
CSRF, web cache poisoning, and SSRF, detecting/fixing container drift at runtime, and three frequent sources of cloud security breaches and vulnerabilities in 2021.
I hope you’ve been doing well!
Aaaaand We’re Back!
Phew, it’s good to be back! I’m not going to lie, it was a bit strange to not send out a newsletter over the holidays. What was I supposed to, relax? Talk to family? Madness!
I hope you also got to relax.
I made lots of food with my family, watched some superspreader events sportsball games, and did an at-home mini boxing class with my sister and her partner, who both work part time at a boxing gym. Tip: don’t ignore investing effort in physical security too 💪
I also got to meet Internet-friend now in-real-life-friend Scott Piper for the first time, which was awesome.
I’ve enjoyed Scott’s work for a long time, so it was really fun getting to hang out.
Fun fact: Scott used to write an excellent newsletter called Downclimb, that I was quite sad when he stopped. But if he hadn’t, I may not have ever started tl;dr sec.
Years later we connected because of tl;dr sec, and then we met up in person. Funny how things work out sometimes.
Psst: you should write on the Internet too!
📢 Learn how to find Log4j exploitation attempts
You've patched your applications and systems for log4j, but do you know if you were compromised during the window of vulnerability? Visit our blog to learn about common exploitation strings, obfuscation techniques, and indicators of compromise (IOCs).
📜 In this newsletter...
Fuzzing: Use ClusterFuzzLite to enable easy fuzzing in CI
Cryptography: Multi-threaded seed recovery tool for common PRNGs
Web Security: Hakluke's tips on testing for CSRF, tool to automatically find CSRF, tool for testing for web cache poisoning, turning bad SSRF to good SSRF, attacking Java RMI via SSRF
Cloud Security: Autofixing Terraform, combining multiple IAM policies/statements into their effective permissions, reviewing 2021's cloud security breaches and vulnerabilities
Container Security: Using admission controllers to detect container drift at runtime, Kubernetes isn't about containers
Red Team: Tool to hide and transfer your payload using DNS
Politics / Privacy: China censures Alibaba for reporting Log4Shell publicly instead of giving them early access, links to delete your account on >100 services, digital security for filmmakers, Palantir's user manual for cops
Bypassing Paywalls: Tools you should use for academic, legal purposes only
Misc: Research round-up by Thinkst Canary, Daniel Miessler's top 4 security podcasts/newsletters, open source front-ends for popular Internet platforms, the backstories behind your favorite Christmas songs, a masterclass in casino cheating and scams
ClusterFuzzLite: Continuous fuzzing for all
Google’s Jonathan Metzman announces ClusterFuzzLite, a tool to enable easy fuzzing in GitHub Actions, Google Cloud Build, Prow or any other CI you use. Pull request fuzzing, longer batch fuzzing, coverage reports and corpus pruning, and more.
Multi-threaded seed recovery tool for common PRNGs, by Bishop Fox’s Dan Petro et al. Currently supports Glibc’s rand(), Mersenne Twister, PHP and Ruby’s MT-variant, and Java’s Random() class.
@hakluke: “There is still SO MUCH CSRF to find in bounty programs”
Hakluke’s thread of things to try.
Turning bad SSRF to good SSRF: Websphere Portal
Over the last few years, Assetnote’s Shubham Shah and colleagues have noticed a trend in SSRF vulnerabilities where they exploit a secondary service through open URL redirects. In this post, Shubham describes how they discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how they turned a restrictive, bad SSRF to a good SSRF.
Attacking Java RMI via SSRF
Tobias Neitzel discusses the conditions when Java RMI is SSRF-able, how default RMI components can be attacked, and how to compromise a backend JMX service via SSRF. Great technical walkthrough, loved the details.
See also Tobias’ remote-method-guesser, a Java RMI vulnerability scanner that can be used to identify and verify common security vulnerabilities on Java RMI endpoints.
Programmatic Terraform config manipulation, Semgrep’s autofix, and an example of OSS contribution
HashiCorp’s Jamie Finnigan describes his process of writing a Semgrep rule to programatically check that all of his aws_instance resources have a metadata_options argument set (IMDSv2 mitigates a number of attacks), and add it if not. He also made an improvement to autofix, making it better for everyone 🙌
“PolicyGlass allows you to combine multiple AWS IAM policies/statements into their ‘effective permissions’, deduplicating permissions, and eliminating denied permissions along the way.” Playground in your browser here.
Cloud Security Breaches and Vulnerabilities: 2021 in Review
Christophe Tafani-Dereeper highlights three frequent sources of security breaches and vulnerabilities in 2021, gives a number of real world examples, and then provides recommendations on how to avoid these issues. They are: static credentials remain the major initial access vector, public S3 buckets, and stolen instance credentials through SSRF.
Using Admission Controllers to Detect Container Drift at Runtime
Box’s Saifuding Diliyaer describes a new k8s component they’re releasing, kube-exec-controller, along with its corresponding kubectl plugin, which can detect potentially mutated containers at runtime (e.g. via kubectl exec), and evicting their Pods without affecting service availability.
Kubernetes isn’t about containers
It’s about APIs, says Josh Gavant. If you are, like me, a security person who’s at times confused by why our developer friends are so joyfully embracing the massive complexity that is Kubernetes, I think this post has some useful context.
Tool by Mohammad Askar to hide and transfer your payload using DNS. DNSStager creates a malicious DNS server that handles DNS requests to your domain and returns your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding it. Blog post with more details.
Politics / Privacy
Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first
The Chinese government is mad at Alibaba for reporting Log4Shell publicly before telling them. I mean, what could be bad about the Chinese government having early access to easy RCE in thousands of systems around the world 😅
A directory of direct links to delete your account from probably over 100 web services.
Digital Security for Filmmakers
A guide by the Freedom of the Press Foundation on safely maintaining access to your footage, options for private and secure communications, keeping your phone and desktop secure, and protecting your data when traveling.
Revealed: This Is Palantir’s Top-Secret User Manual for Cops
Motherboard obtained a Palantir user manual through a public records request.
📢 JupiterOne: Cyber asset context and visibility for the cloud
As companies expand to the cloud, asset visibility worsens. The JupiterOne Cyber Asset Management Platform helps you get it back.
Answer complex security and infrastructure questions, understand the contextual relationships between assets, and build the foundation for your security program with JupiterOne.
Q4 2021: ThinkstScapes Quarterly
Another lovely quarterly summary by the folks at Thinkst Canary of interesting research pulled from over 20 conferences. Themes: making servers (over)work for fun and profit, difficulties and opportunities in network segmentation, improvements in tooling and how it allows for the measurement and verification of security properties in critical applications, AD and Azure, nifty sundries.
Comparing My Top Four Security Podcasts/Newsletters
Daniel Miessler compares and contrasts the focus, content, and tone of his four favorite security podcasts/newsletters: Darknet Diaries by Jack Rhisider, Risky Business by Patrick Gray, Daniel’s Unsupervised Learning, and… tl;dr sec, by yours truly! 🎉
An overview of alternative open source front-ends for popular internet platforms (e.g. YouTube, Twitter, Reddit, Spotify, etc.)
The Backstories Behind Your Favorite Christmas Songs
From the boozy origins of “Jingle Bells” to the melancholy roots of Mariah Carey’s “All I Want for Christmas Is You.”
Casino Cheating Expert Reviews Card Counting and Casino Scams From Movies
This was quite an enjoyable watch. “Casino game protection expert Sal Piacente reviews notorious card counting and casino game cheating scenes from films including ‘Rain Man,’ ‘Rounders,’ ‘The Sting,’ ‘Austin Powers,’ ‘Casino,’ ‘Ocean’s Thirteen,’ ‘The Cooler,’ ‘Runner Runner,’ ‘Now You See Me 2,’ ‘Shade’ and ‘21.’”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!