
[tl;dr sec] #131 - Compromising Read-Only Containers, Finding 0days in Enterprise Software, Evading Industry Leading EDR

A walkthrough of how to attack read-only containers, Shubham Shah on taking apart complex proprietary software, how your shellcode can evade top EDR products.

Hey there,

I hope you’ve been doing well!

Upcoming Speaking

I’m very excited to be speaking at a few events over the next few months. Feel free to come say hi! I’ll be carrying bountiful stickers to share 😀

First, I’m giving a workshop at BSidesSF on June 4th on Finding Bugs and Scaling Your Security Program with Semgrep. Unfortunately I think it’s already sold out, but I’m seeing if I can get more space.

My colleagues Colleen and Grayson are also speaking at BSidesSF on The power of guardrails: How to slash your risk of XSS in half, covering some really cool research we did on quantitatively measuring, in practice, what many of us intuitively believe: that secure defaults / secure “guardrails” / “paved road” practices are very high leverage pursuits for a security team.

Second, I’m speaking at LocoMocoSec on June 29th on a methodology for embracing and rolling out secure guardrails in your company to kill bug classes.

I’ve gotten a sign from the universe that these are all going to be good.

How do I know? I was walking around Lake Merritt recently, wearing one of my BSidesSF t-shirts, and a random guy I passed started freestyle rapping about it, “Yo check it, it’s the- the- B-B-B-BSides, BSides, …” True story 🤣

Sponsor

📢 Datadog On-Demand Webinar: DevSecOps Maturity Model - How to Benchmark your Organization

In this on-demand webinar, join Datadog and special guest Tanya Janca from We Hack Purple in discussion on best practices for addressing the increasing need to infuse Security practices throughout the SDLC and embrace a DevSecOps culture.

Learn the answers to:

  • Where is my organization now?

  • Where do I want my organization to be?

  • What are some of the ways to improve your organization's DevSecOps maturity?

You can also read Datadog’s DevSecOps whitepaper to learn more about the blueprint for assessing and advancing your organization's DevSecOps practices.

📜 In this newsletter...

  • Conferences: fwd:cloudsec, Diana Initiative, DEF CON Skytalks

  • Cryptography: Summaries of RWC from Trail of Bits and NCC Group

  • Java Decompilers: 3 useful tools

  • AppSec: SSH with no open ports, finding 0days in enterprise software

  • Web Security: Extracting GWT RPC method info using Semgrep

  • Cloud Security: CloudGoat vulnerable Lambda walkthrough, control AWS access based on account/OU/org, cloud governance as code with Cloud Custodian

  • Container Security: Check your Kubernetes cluster for use of deprecated APIs, compromising read-only containers with fileless malware

  • Politics / Privacy: Tool to enumerate Telegram Bot secret messages, mental health apps have bad privacy protections, Google now lets you request removal of personal contact info from search results, Facebook doesn't know what it does with your data or where it goes, industry <> NCSC collaboration

  • Red Team: Combining different defense evasion techniques for better red team payloads, how to evade industry leading endpoint protection in 2022

  • Misc: ByteChek is moving to a 4-day work week, comic history, guess redacted Wikipedia pages, fighting off junk mail, NASA's design for a warp drive ship

Conferences

fwd:cloudsec CFP
fwd:cloudsec is probably the best cloud security conference, well worth submitting and/or attending. Round 1 closes April 22nd, Round 2 closes May 22nd.

Diana Initiative: CFP
The Diana Initiative is a great con that emphasizes having a diverse speaker line-up. First round closes April 25th, second round closes May 30th. They’re also hosting a CTF. H/T Nicole Schwartz.

DEF CON Skytalks CFP
Closes May 31, rolling acceptances starting the first week of May.

Cryptography

I love conference roundups!

Themes from Real World Crypto 2022
Trail of Bits’s William Woodruff summarizes several talks and their key takeaways. Major themes:

  1. Trusted hardware isn’t so trustworthy

  2. Security tooling is still too difficult to use

  3. Side channels everywhere

  4. LANGSEC in cryptographic contexts

Real World Cryptography Conference 2022
NCC Group’s Marie-Sarah Lacharite et al. share summaries of 9 RWC talks. One that seems particularly interesting to me is “An Evaluation of the Risks of Client-Side Scanning.” As more systems adopt end-to-end encryption, the law enforcement community is concerned about its loss of visibility. How can we balance privacy (not backdooring everything) with catching criminals?

Java Decompilers

Useful if you don’t have the Java source code, only the .jar. For Android apps the same tools apply after one conversion step: .apk -> dex2jar -> Java decompiler.

AppSec

atsign-foundation/sshnoports
By The @ Company: A way to SSH to a remote Linux host/device without that device having any open ports (not even 22) on external interfaces. All network connectivity is outbound and you don’t need to know the target’s IP address.

Finding 0days in Enterprise Software
Slides from Assetnote’s Shubham Shah’s NahamCon talk. Nice walkthrough of taking apart proprietary software, auditing complex code bases, mapping attack surface, chaining vulnerabilities, finding variants, and more.

Web Security

silentsignal/SemGWT
Extracting GWT RPC method information from generated JavaScript using Semgrep, by Silent Signal.

Cloud Security

CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions
A walkthrough by Rhino Security Labs of the new vulnerable_lambda scenario in the CloudGoat pentest training tool.

How to control access to AWS resources based on AWS account, OU, or organization
New IAM condition keys that make it simpler to restrict access across org boundaries: aws:ResourceOrgID, aws:ResourceOrgPaths, and aws:ResourceAccount. They describe the account that owns the resource being accessed, the resource-side counterparts of aws:PrincipalOrgID, aws:PrincipalOrgPaths, and aws:PrincipalAccount, so a single policy can deny access to any resource outside your own organization.

Implementing Cloud Governance as a Code using Cloud Custodian
InfraCloud’s Alok Maurya describes how to use Cloud Custodian to auto-detect and remediate noncompliant resources. For example: deleting old EBS snapshots, stopping EC2 instances that aren’t running approved AMIs, rewriting security group rules that allow port 22 from any source so they allow only the VPN IP, and a few Kubernetes-related examples.

Container Security

doitintl/kube-no-trouble
Easily check your Kubernetes clusters for use of deprecated APIs, by DoiT International.

Compromising Read-Only Containers with Fileless Malware
Sysdig’s Nicholas Lang describes how to attack a container with a read-only root filesystem, and gives an example of attacking an in-memory data store (Redis) with fileless malware that executes in-memory.

Basically the trick is that a read-only root filesystem only makes the image’s filesystem immutable: memory-backed mounts such as /dev/shm (tmpfs) are still writable, since they are backed by virtual memory rather than a persistent storage device. You can download your malware or shellcode into tmpfs and execute it from there. Mounting those volumes noexec (or not providing a writable tmpfs at all) removes the easy path, though anything an interpreter already in the image can read, it can still run.
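As an added example (not code from the Sysdig post), here is detection logic a sensor could run over exec events to catch exactly this pattern: it parses a /proc/mounts snapshot to learn which mount points are memory-backed, then flags any process whose executable resolves to one of them, or to an anonymous memfd, which is the other common fileless route. The event schema, the mount table and the events are constructed sample data; the exec path is assumed to be the resolved target of /proc/<pid>/exe, as a sensor would record it.

```python
"""Flag processes executing from memory-backed filesystems inside a container."""
from __future__ import annotations

import re
from dataclasses import dataclass

MEMORY_BACKED_FS = {"tmpfs", "ramfs"}
# /proc/<pid>/exe of a memfd_create()-backed program reads "/memfd:<name> (deleted)"
MEMFD_RE = re.compile(r"^/memfd:.*\(deleted\)$")


@dataclass(frozen=True)
class Mount:
    point: str
    fstype: str
    noexec: bool


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    comm: str
    exe: str  # assumed: resolved /proc/<pid>/exe target, as a sensor would record it


def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        opts = set(parts[3].split(","))
        mounts.append(Mount(parts[1], parts[2], "noexec" in opts))
    return mounts


def backing_mount(path: str, mounts: list[Mount]) -> Mount | None:
    """Longest-prefix match of path against mount points (later mounts win ties)."""
    best = None
    for m in mounts:
        prefix = m.point if m.point.endswith("/") else m.point + "/"
        if path == m.point or path.startswith(prefix):
            if best is None or len(m.point) >= len(best.point):
                best = m
    return best


def classify_exec(ev: ExecEvent, mounts: list[Mount]) -> str | None:
    """Return why the exec is suspicious, or None if the binary lives on persistent storage."""
    if MEMFD_RE.match(ev.exe):
        return "memfd"
    m = backing_mount(ev.exe, mounts)
    if m is not None and m.fstype in MEMORY_BACKED_FS:
        return f"{m.fstype}:{m.point}"
    return None


def find_suspicious(events: list[ExecEvent], mounts: list[Mount]) -> list[tuple[int, str, str]]:
    """(pid, exe, reason) for every exec that did not come from persistent storage."""
    hits = []
    for ev in events:
        reason = classify_exec(ev, mounts)
        if reason is not None:
            hits.append((ev.pid, ev.exe, reason))
    return hits


# Constructed /proc/mounts snapshot of a container with a read-only root filesystem.
SAMPLE_MOUNTS = """\
overlay / overlay ro,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,relatime,size=65536k 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /data ext4 rw,relatime 0 0
"""

# Constructed exec events: benign services, a dropped binary in /dev/shm, and a memfd payload.
SAMPLE_EVENTS = [
    ExecEvent(101, "redis-server", "/usr/local/bin/redis-server"),
    ExecEvent(242, "sh", "/bin/sh"),
    ExecEvent(243, ".x", "/dev/shm/.x"),
    ExecEvent(244, "3", "/memfd:payload (deleted)"),
    ExecEvent(245, "backup", "/data/bin/backup"),
]

if __name__ == "__main__":
    for pid, exe, reason in find_suspicious(SAMPLE_EVENTS, parse_mounts(SAMPLE_MOUNTS)):
        print(f"pid={pid} exe={exe} reason={reason}")
```

Two practical notes. The longest-prefix match matters: a path under /dev/shm must resolve to the shm mount, not to the /dev tmpfs or the overlay root, or the report names the wrong volume. And the noexec flag is parsed but deliberately not used to suppress alerts: an interpreter already in the image (sh, python) can still read a script from a noexec mount, in which case the exe is the interpreter and only argv reveals the tmpfs path, so a production rule should inspect both.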

Politics / Privacy

DODC/turncoat
A tool for enumerating Telegram Bot secret messages.

Mental Health Apps | Privacy & security guide
Mozilla did a study and found mental health apps have worse privacy protections than most other types of apps. Prayer apps also had poor privacy standards, the team found. Overview of the findings by The Verge.

Google now lets you request the removal of personal contact information from search results
You can now request the removal of personal contact information, such as a phone number, email address or physical address. Prior to this expansion, the policy mainly covered information that would let other people steal your identity or money, such as banking and credit card details.

“We do not have an adequate level of control and explainability over how our systems use data,” Facebook engineers say in leaked document.

Inside Industry 100 - the on-loan CTO
NCC Group’s Ollie Whitehouse shares his experiences on i100, a program that brings industry staff into NCSC teams on a part-time basis to enhance collaboration between UK government and industry on cyber security. I think public/private partnerships for the purpose of keeping everyone safer is great.

I had the privilege of working with Ollie for a few years at NCC Group, and we’ve hung out a few times in person. He’s one of the sharpest security professionals I’ve ever met, and I highly recommend checking out anything he’s involved with. Also, if you want a weekly APT/malware-focused detailed summary, check out his Blue Purple newsletter.

Sponsor

📢 Faraday: Agile security for an agile world

In today’s agile world, cybersecurity is no longer about fortifying fixed walls. It’s about keeping watch and securing change.

Faraday platform allows you to do this. Get full visibility of your security posture, manage vulnerabilities efficiently, and automate the key steps of the process.

Red Team

pwn1sher/frostbyte
By Sudheer Varma: A POC project that combines different defense evasion techniques to build better red team payloads. “The idea is to embed an encrypted shellcode stub into a known signed executable and still manage to keep it signed like how the Zloader malware did.”
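The Zloader trick referenced there relies on the fact that the Authenticode hash of a PE skips the certificate table, so bytes appended inside a WIN_CERTIFICATE entry leave the signature intact. Whether frostbyte places its stub in exactly that spot is an assumption here; the following is an added example, not frostbyte’s or Zloader’s code, showing the check a defender can run: parse the security directory, walk the certificate entries, and compare each entry’s length with what its PKCS#7 DER object actually claims. The PE header and “signature” bytes are constructed stand-ins so the block runs offline; they are not a real signed binary.

```python
"""Report bytes smuggled into a PE's Authenticode certificate table."""
from __future__ import annotations

import struct
from dataclasses import dataclass

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


@dataclass(frozen=True)
class CertEntry:
    revision: int
    cert_type: int
    length: int      # dwLength: 8-byte header plus everything that follows it
    der_length: int  # bytes actually claimed by the PKCS#7 SignedData SEQUENCE
    slack: int       # payload bytes the DER object does not account for


def der_total_length(buf: bytes, off: int = 0) -> int:
    """Length of the DER TLV at buf[off:]: tag, length octets and content."""
    if buf[off] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def parse_cert_table(table: bytes) -> list[CertEntry]:
    """Walk WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, bCertificate)."""
    entries, off = [], 0
    while off + 8 <= len(table):
        length, rev, ctype = struct.unpack_from("<IHH", table, off)
        if length < 8 or off + length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE length")
        payload = table[off + 8:off + length]
        der = der_total_length(payload) if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA else 0
        entries.append(CertEntry(rev, ctype, length, der, len(payload) - der))
        off += (length + 7) & ~7  # entries are 8-byte aligned
    return entries


def security_directory(pe: bytes) -> tuple[int, int]:
    """(offset, size) of the certificate table; unlike other directories this is a raw file offset."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)  # data directory offset: PE32 vs PE32+
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def suspicious_entries(pe: bytes, tolerance: int = 7) -> list[CertEntry]:
    """Entries whose payload overshoots its DER object by more than alignment padding."""
    off, size = security_directory(pe)
    if size == 0:
        return []  # unsigned binary: nothing to hide in
    return [e for e in parse_cert_table(pe[off:off + size]) if e.slack > tolerance]


# --- constructed fixtures: a minimal PE32+ header with no sections, not a real binary ---
def build_pe(cert_table: bytes) -> bytes:
    opt_size = 240
    hdr = bytearray(0x40 + 4 + 20 + opt_size)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 4 + 16, opt_size)  # SizeOfOptionalHeader
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)  # PE32+ magic
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(hdr), len(cert_table))
    return bytes(hdr) + cert_table


def cert_entry(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """One WIN_CERTIFICATE entry; `extra` is data appended after the DER object, as an attacker would."""
    body = pkcs7 + extra
    pad = (-(8 + len(body))) % 8
    return struct.pack("<IHH", 8 + len(body) + pad, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body + b"\0" * pad


FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xA5" * 0x100  # 256-byte DER SEQUENCE standing in for real SignedData
SHELLCODE = b"\x90" * 64                             # stand-in for an encrypted shellcode stub
CLEAN_PE = build_pe(cert_entry(FAKE_PKCS7))
TAMPERED_PE = build_pe(cert_entry(FAKE_PKCS7, SHELLCODE))

if __name__ == "__main__":
    for name, pe in (("clean", CLEAN_PE), ("tampered", TAMPERED_PE)):
        print(name, [(e.length, e.der_length, e.slack) for e in suspicious_entries(pe)])
```

The tolerance of 7 bytes absorbs the zero padding signtool adds to reach 8-byte alignment; anything beyond that is data the signature does not cover. The reason the trick keeps working is that Windows’ stricter handling of this padding, introduced with MS13-098, is opt-in via the EnableCertPaddingCheck registry value, so a default verifier still reports the file as validly signed. The walker also handles a second WIN_CERTIFICATE entry appended after the real one, the other common place to hide a payload.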

A blueprint for evading industry leading endpoint protection in 2022
Vincent Van Mieghem shares 12 techniques that can allow you to execute malicious shellcode without getting flagged by industry leading EDR tools, like CrowdStrike and Microsoft Defender for Endpoint.

Misc

ByteChek is moving to a 4-day work week!
ByteChek’s AJ Yawn describes how by focusing on deep work and removing distractions, he’s found ByteChek can both be a better place to work for employees and more productive.

Research suggests that in an eight-hour day, the average worker is only productive for two hours and 53 minutes due to distractions from instant messaging, eating, socializing and other things.

I believe that focus is a superpower and enables you to drive more outcomes in less time.

I’ll take a focused 32 hours over a scattered 40 hours every time.

The codes of comic books
Technically a “comic” is a set of pictures in sequence that tells a story. This virtual “exhibit” by Google Arts & Culture walks through the history of comics, going back to 1842. Learn about the origin of why comic book pages are divided into boxes and more.

Redactle
A daily browser game where the user tries to determine the subject of a random obfuscated Wikipedia article, chosen from Wikipedia’s 10,000 Vital Articles. H/T Maya Kaczorowski.

The Complete Guide to Warding Off Junk Mail
How to stop receiving the junk mail you probably don’t care about: credit card, loan, mortgage and insurance offers, catalogs, coupons and marketing offers, etc.

Impossible Physics: Meet NASA’s Design for a Warp Drive Ship
“A number of scientists are currently researching the feasibility of warp drive (and EMdrive and a number of other modes of faster than light travel); however, most think that such forms of space travel simply aren’t viable, thanks to the fundamental physics of our universe.” Here’s a model of a ship that moves faster than light by deforming spacetime around it:

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint