
[tl;dr sec] #68 - Securing Lambda, Recon Tool Primer, Blind SSRF Chains

How AWS secures Lambda, Daniel Miessler's overview of @TomNomNom's recon tools, how to demonstrate high impact when you can't see the SSRF response.

Hey there,

I hope you’ve been doing well!

A bunch of people signed up this week, so I just wanted to say hi 👋

Welcome, I’m glad you’re here! You’re among friends.

Srsly Risky Biz

You’ve probably already heard of the widely popular Risky Biz podcast, but did you know there’s also a Risky Biz newsletter written by Brett Winterford?! 🤯

I like how it often takes a topic or theme and then nicely collects a broad swathe of relevant supporting links into one place for easy review, and then ties it together with Brett’s analysis and some jokes and wordplay. Example: Ransom payouts spell trouble for insurers.

If you enjoy long form content about security and privacy-related current events, check it out!

Over 5,000 Subscribers, Giving Back

Recently tl;dr sec surpassed 5,000 subscribers, which is crazy! 🚀

I’ve been reflecting on how lucky I feel to get to do something I love (read too much security content) and share it.

I’m in such a fortunate position, so I want to give back.

I know there are a lot of people in the U.S. right now who are food insecure, so I posted on LinkedIn and Twitter that I’ll donate $1 to Feeding America’s Coronavirus Response fund for every like, re-tweet, or share over the next week.

If you’d like to contribute as well, you can do so here.

Here’s to a better 2021!

Sponsor

📢 RASP that works.

Sqreen helps security leaders protect their applications, APIs and microservices from data breaches. As opposed to traditional solutions that monitor requests at the network level, Sqreen's next-gen RASP analyzes how each request is executed at the application level to identify and block malicious user behavior, not just malicious IPs. Join the 800+ organizations who have deployed Sqreen's RASP in Production.

📜 In this newsletter...

🔗 Links:

  • AppSec: Bypassing signature checks with Electron, SANS Virtual Summits are free, writing custom static analysis rules in Brakeman and Semgrep

  • Web Security: Bypassing JavaScript encryption walkthrough and lab, glossary of blind SSRF chains

  • Cloud Security: How AWS Lambda manages security, creating least privilege custom roles in GCP, OpenID proxy for static sites hosted in S3

  • Container Security: Worst case scenarios when creating overly permissioned Kubernetes pods

  • Politics / Privacy: North Korea is targeting security researchers

  • OSINT / Recon: Automating internal threat intelligence and inventory, primer for @TomNomNom's recon tools

  • Misc: Fauci in slow motion in all his glory, fraud reports are higher without shared beers and can SEC rules tackle a range of problems?

  • Twitter: Scott Piper has strong opinions on cast irons, InfoSec awareness sea shanty by Rachel Tobac

AppSec

A ‘Novel’ Way to Bypass Executable Signature Checks with Electron
Parsia Hakimian gives an overview of analyzing the attack surface of app update mechanisms on Windows, including 6 relevant bugs. He then demonstrates how to bypass signature checks using signed Electron binaries and backdoored app.asars.

SANS Virtual Summits FREE in 2021
Nice, usually SANS stuff is $$$.

Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep
So you’re doing a code review and you find some code base-specific pattern that likely indicates a bug (e.g. authn/authz). You’d like to search for this code pattern across thousands of files, but because this pattern is unique to this code base, no SAST tool is going to have a rule for it out of the box. This is the perfect opportunity for writing a custom rule.

Include Security’s Jason Kielpinski walks through his experiences writing custom rules in both Brakeman and Semgrep.

Web Security

Client Side Encryption Bypass Part-1
This article by Sameer Bhatt gives a nice example of why you can never trust client side code (e.g. JavaScript). If you’re testing an app that’s trying to obscure its parameters and server responses:

  1. First find where the logic is implemented.

    1. You can do this via the Developer tools and Ctrl+f-ing for potentially relevant function names, or inspecting DOM elements and looking for onClick or other registered callbacks.

  2. Then set breakpoints, step through the code, and modify it as necessary; after all, it’s running in your browser 😉

Sameer also includes a Docker image practice lab.

A Glossary of Blind SSRF Chains
Blind SSRF is when you can cause a server to make a request to an arbitrary URL but you can’t see the result. Assetnote co-founder Shubham Shah presents a cheatsheet of high impact blind SSRF targets including Elasticsearch, Weblogic, Hashicorp Consul, Struts, Confluence, Jira, Jenkins, Docker, and many more. Other tips include “SSRF canaries,” using DNS and AltDNS to find internal hosts, and side channel leaks. (GitHub repo)

Cloud Security

Security Overview of AWS Lambda
20 page PDF by Amazon on how Lambda manages security: process sandboxes, microkernel, hypervisors, how to monitor and audit Lambda functions, and more. H/T Mark Manning for sharing.

Google Cloud IAM Custom Role and Permissions Debugging Tricks
Darkbit’s Brad Geesaman describes the process of creating a custom GCP IAM role to follow least privilege, including using the IAM Policy Troubleshooter.

wolfeidau/website-openid-proxy
By Mark Wolfe: “This service provides OpenID authenticated access to a static website hosted in an S3 bucket,” using AWS API Gateway HTTP APIs, powered by AWS Lambda.

Container Security

Bad Pods: Kubernetes Pod Privilege Escalation
What are the risks associated with overly permissive pod creation in Kubernetes? Bishop Fox’s Seth Art describes eight insecure pod configurations and the corresponding methods to perform privilege escalation:

  • Allowing everything

  • Privileged and hostPID

  • Privileged, hostPath, hostPID, hostNetwork, or hostIPC only

  • Nothing allowed

See this repo for a collection of manifests that map to these configs.
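As an added example (not code from the Bad Pods write-up or its repo), here is a small checker that flags the pod settings the write-up treats as escalation paths (privileged containers, hostPID, hostNetwork, hostIPC, hostPath volumes) and maps them onto its categories; the manifests are constructed dict forms of what `kubectl get pod -o json` returns.

```python
# Added example: detect the "bad pod" settings from the Bishop Fox write-up.
# Manifests below are constructed samples, not taken from the original repo.

HOST_NAMESPACE_FLAGS = ("hostPID", "hostNetwork", "hostIPC")
ALL_RISKY = ("privileged", "hostPath") + HOST_NAMESPACE_FLAGS


def risky_settings(pod: dict) -> set:
    """Return the set of risky settings present in a pod manifest (dict form)."""
    spec = pod.get("spec", {})
    found = {flag for flag in HOST_NAMESPACE_FLAGS if spec.get(flag) is True}
    # A hostPath volume exposes the node filesystem whatever the mount options.
    if any("hostPath" in vol for vol in spec.get("volumes") or []):
        found.add("hostPath")
    # privileged can be set on regular containers or init containers.
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    if any((c.get("securityContext") or {}).get("privileged") is True for c in containers):
        found.add("privileged")
    return found


def classify(pod: dict) -> str:
    """Map the findings onto the write-up's categories."""
    found = risky_settings(pod)
    if not found:
        return "nothing allowed"
    if found == set(ALL_RISKY):
        return "everything allowed"
    if len(found) == 1:
        return f"{next(iter(found))} only"
    return "combination: " + ", ".join(sorted(found))


# Constructed sample manifests (spec section only).
EVERYTHING_POD = {"spec": {"hostPID": True, "hostNetwork": True, "hostIPC": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "c", "securityContext": {"privileged": True}}]}}
HOSTPID_POD = {"spec": {"hostPID": True, "containers": [{"name": "c"}]}}
PRIV_HOSTPID_POD = {"spec": {"hostPID": True,
    "containers": [{"name": "c", "securityContext": {"privileged": True}}]}}
SAFE_POD = {"spec": {"containers": [{"name": "c", "securityContext": {"runAsNonRoot": True}}]}}

if __name__ == "__main__":
    for name, pod in [("everything", EVERYTHING_POD), ("hostpid", HOSTPID_POD),
                      ("priv+hostpid", PRIV_HOSTPID_POD), ("safe", SAFE_POD)]:
        print(f"{name}: {classify(pod)}")
```

Running the same function over `kubectl get pods -A -o json` output is a quick way to find which of these configurations a cluster's admission policy currently lets through.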

Politics / Privacy

New campaign targeting security researchers
Google’s Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations, likely a government-backed entity based in North Korea. They set up fake social media accounts and security research blogs to build trust, and then compromise targets via sharing a backdoored Visual Studio Project or just from visiting the threat actor’s blog (on a fully patched and up-to-date Windows 10 + Chrome browser). Yikes!

WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne

— Richard Johnson (@richinseattle) January 26, 2021

OSINT / Recon

cloud-sniper/dagobah
An open source tool to automate the internal threat intelligence generation, inventory collection and compliance check from different AWS resources.

A @TomNomNom Recon Tools Primer
Great overview by Daniel Miessler of useful tools by Tom Hudson that follow the Unix philosophy of doing one thing well. See my summary of Daniel’s Mechanizing the Methodology talk for more details on the power of this approach.

  • gf - Easily grep for security-sensitive things

  • httprobe - Given a list of domains, finds the ones listening on web ports

  • unfurl - Easily break down URLs into discrete pieces (e.g. domain, path, URL parameters, etc.) for further processing

  • meg - Quickly checks a list of interesting paths across a set of domains

  • anew - Adds the contents of an input stream to the output, but only if it’s new

  • waybackurls - Finds archived URLs for a domain

Misc

Fauci steps up to the podium
In slow motion, with some hyped up entrance music. I couldn’t help but laugh.

Fraud Is No Fun Without Friends
H/T Jon Oberheide for sending me this link. Apparently the SEC has received 31% more tips alleging white-collar malfeasance this year, potentially due to remote work removing the office culture glue that might normalize bending the rules.

Separately, the article also makes the interesting argument that SEC rules that mandate more disclosure could have a positive impact on areas ranging from global warming and corporate diversity to political donations. I don’t have enough context to know if this is possible or a good idea, but it’s interesting.

If you want to stop global warming, you make fossil-fuel companies disclose much more about the risks of global warming, you sue coal and oil companies for being too blasé (in their securities disclosure!) about climate change, you make rules requiring banks and mutual funds to consider long-term climate risks in their investing and financing decisions…

Twitter

I've reached 10K followers 🎉

I can afford to lose some, so I finally gotta say it, some of you baby your cast iron too much. Seasoning doesn't matter. Just cook with more butter. I don't clean with soap, but I would or even an angle grinder if needed. It's made to take abuse.

— Scott Piper (@0xdabbad00) January 20, 2021

I treat my cast iron like a t2.micro with no privileges I just spun up in an empty personal sandbox account: sudo pip install anything. You treat yours like a privileged EC2 in prod that hasn't been rebooted in years with no backups. :P

— Scott Piper (@0xdabbad00) January 20, 2021

I did not expect to see an InfoSec sea shanty from my friend Rachel Tobac, but I did, and it made my day 🤣

To reach the ~youth~ we're going to have to make infosec sea shanties, aren't we? Guess so!

Behold the tale of a kid who reuses their passwords & ends up pwn'd, then learns how to stay safe. We're on a mission to encourage unique passwords stored in a password manager with MFA on. pic.twitter.com/QDL9cjUOiC

— Rachel Tobac (@RachelTobac) January 22, 2021

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint