Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability
Yuval Avrahami Reference →Posted 5 Years Ago- Kubernetes is an open source container orchestration system. CVE-2020-8554 is a design flaw that allows Kubernetes Services to intercept cluster traffic to any IP address.
- This vulnerability occurs because a Kubernetes user is able to assign arbitrary IPs to their services. So, by selecting an IP that is already assigned to another endpoint, it is possible to intercept all cluster traffic to that IP.
- The most vulnerable state is multi-tenant clusters because they may have the vulnerable configuration. At the moment, there is no patch for this vulnerability.
- 3DS (not Nintendo) is a version controlled 3D modeling software used for developing satellites, rockets and many other important IP.
- By simply googling for
"chmod 777 /etc/environment"/etc/environment of the system allows for the executing of arbitrary shell scripts at reboot. So, this is just shell script code execution because of bad permissions. - Another interesting part of the article was actually trying to get this fixed. Who should you talk to? It turned out that the original creator of the software had been bought out by another company. So, all of their contact information was faulty. Eventually, the author got ahold of security people of the larger company and got the vulnerability fixed.
- For deployment-it-yourself products, viewing boot scripts and other things feels like a good way to find misconfigurations in the system.
- By including the
Request.PathInfoparameter with theSkipAuthorizationflag, all auth can be skipped on the API. With this auth bypass, arbitrary commands can be used on the remote machine to pop a shell.
- Joomla is a content management system (CMS), very similar to Wordpress. The ACL (access control lists) are what restricts who can access what.
- The ACL list could be bypassed by including a new ACL within a parameter for a request. Even though this user should have the ability to alter the permissions of a category, they can!
- In terms of exploitability, it is fairly unlikely. In order to edit the ACL, a user has to have access to the object in the first place. The exploit situation is having three having: super-user, manager1 and manager2, where the super-user controls permissions and only manager1 has access to the resource. Manager1 could alter the permissions to allow manager2 to see it.
Insecure by Design, Epic Games Peer-to-Peer Multiplayer Service
Bill Demirkapi Reference →Posted 5 Years Ago- The author decided to look at the video game Satisfactory. This game had a unique feature: peer-to-peer multiplayer sessions. Once the hacker started analyzer, they realized that this used Epic Games Online (EOS).
- EOS has two user roles: GameClient and GameServer (backend usage). The GameClient has ReadOnly permissions to the server. So, what is a peer-to-peer client then? Well, it needs to alter the state of the machine. So, it is given the GameServer role if it wants to do anything interesting. This feels like a problem.
- An intermediate issue, that the author found, was that the EOS API had a filtering mechanisms for sessions. However, if this search had no filtering, then it disclosed a significant amount of information, such the local IP of other users and user IDs.
- The major flaw that was found with the GameServer role was the ability to create arbitrary sessions. Using the EOS API, an attacker can create a set of duplicate sessions in order to force users to join their own game, instead of somebody else's game. This is then paired with the ability to find sessions for games, with the GameServer role attached.
- This attack would allow for the hijacking of all matchmaking sessions to join a attackers session instead. This essentially acts as a DoS.
- The author got a bunch of push back on the vulnerabilities from the Epic Games side of things. I assume this is because they would have been difficult to fix, from a P2P perspective. However, Epic Games did add a new user role that was specific to P2P connections but still left the IP address exposed in the communication.
- The article seems to blow this out of proportion a little bit (it is a DoS with a small information disclosure). Other than that, the article is well-written and I enjoyed the analyzing of the Security model for P2P communication that stretched from the documentation to the actual implementations.
Exploiting a Single Instruction Race Condition in Binder
Maxime Peterlin & et al - Longterm Security Reference →Posted 5 Years Ago- In Android, interprocess communication is handling by Binder. Because this is a kernel-level feature that is accessible to the user, it is a very attractive attack surface.
- The bug is a use-after-free (UAF) while the todo list elements are being processed. Essentially, another thread could come in and free this object, while it is being processed. The patch inlines the function in order to make this happen in a single step.
- In order to trigger this bug, the following things have to happen in a very specific order in a very fast timeframe:
- A call to binder_release_work from the senders thread. This is the clean up routine for when a task is done under binder.
- A binder_work structure to dequeue from the sender thread's todo list
- A free on the binder_work structure from the receiver thread
- The timeline for this vulnerability is fairly tight. But, if done properly, it is possible to replace the binder node with another object to take control of binder itself!
- Android uses the SLUB heap allocator. This is important for triggering the UAF properly. In essence, they end up spraying 128 byte objects to eventually overlap with our vulnerable binder node. This is done by a technique described in a Project Zero post.
- Once the UAF has been successfully triggered, are we done? No, a few more steps must be taken in order to actually exploit this. Using the UAF, there is only one interesting path that can be triggered: freeing the object again (double free). Using this, the SLUB allocator will have the same heap chunk available for allocation twice. After dealing with a few specifics of handling the double free, it is time to overlap some chunks.
- The technique for spraying is super interesting! They solve the how do you know when the spraying has worked? By sending a bunch of signalfd (the P0 technique above), we can KNOW if the spray worked if the value is different than before. That is pretty nifty! They even have a straight forward diagram for explaining how this works for the overlapping process.
- With two signalfd's overlapping, it can now be used to leak KASLR, when another object is tied to the signalfd. With the KASLR leak, it is time to create the arbitrary read/write primitive. On Pixel devices, the Android OS has CFI, meaning that overwriting a single pointer is not enough to take control of the kernel.
- The authors use a technique known as Kernel Space Mirroring Attack (KSMA). This attack add an entry to the kernel's page global directory to mirror kernel code at another location that is accessible from userland. Pretty damn interesting!
- To actually overwrite the page global directory a heap corruption (from the previous bug) is used. The technique overlaps a signalfd onto another freed object. Then, overwriting the free-list pointer (similar to the fd overwrite in GLibC Malloc) to point to our page global directory. Once this pointer is there, we can set this to whatever we like.
- The mirror turned on, escalating to Root and taking the over the device is claimed to be fairly trivial. There is a read/write primitive in kernel memory; so, of course it is! The main thing is to set
selinux_enforcingto 0 and set the credentials of the current process to the inits process. - Overall, this was a very good article that went into the nitty-gritty details of binder and Android. This technique used a bag of interesting tricks to eventually gain control of the device, from a single instruction race condition.
- Most of the time, buffer overflows are exploited by using memory corruption primitives. With these cases, people will report a buffer overflow in some IoT device processing but a good chunk of these are not actually exploitable. For instance, you might need to brute force a stack cookie and defeat ASLR. So, no POC ever surfaces.
- In this case, a handler of the Connection header had a heap based buffer overflow in it. But, instead of leaving this as is, they went deeper.
- It appears that some sort of authorization data is being held near the connection header. Attackers learned that by sending exactly 29 A's that all authorization for all requests on the device were bypassed! Damn, defeating authorization with ONLY A's is awesome.
- I found interesting because it was a case of a buffer overflow leading to compromise without relying on deeper binary exploitation primitives. In the future, with all of the binary protections, this may be the future.
- SerenityOS is a free and open source operating system created by Andreas Kling. It is designed to be a Unix-like operating system that draws inspiration from the graphical user interface of the 1990s.
- There is a race condition between setting up a new process and changing the UID on a SETUID binary. By using a well-timed call to the Ptrace API, it is possible to overwrite part of the executable being spawned, prior to the UID check occurring.
- In order to make the race more winnable, there was an action that happened after executing a call to
execvebut prior to the UID check being made. So, but running this action (unveil) a bunch of times, the race becomes more winnable. - With the ability to write code via Ptrace to this memory, you just write code into the process! However, it needs to be small, as the API only writes a small amount of bytes at a time. So, the author wrote shellcode that would run
setuid(0)to escalate privileges to root. Then, pop a shell by runningexecve("/bin/sh")with parameters passed in by argv. - During the actual analysis of the bug, the author of the OS claims that the issue is because the program is loaded THEN the process ID is changed in order to be a setuid program.
- In order to patch this, the
setuidof the program state is set prior to the program being loaded. At this point (of the setuid being set for the program), the original credentials are committed, making it impossible to use the ptrace API. Additionally, the loader is loaded at a random address in memory in order to force a memory leak to take place now. - It is cool to see OS issues in a less mature operating system. The issues in modern day Linux are complex and harder to understand from someone not deeply involved in the space. With this issue, it makes sense and did not take an expert to follow. A similar issue once existed in Linux with loading kernel modules!
- After the fact, several videos were released for this too.
- FreeBSD is a unix strand of OS.
chrootis a system call is that meant to restrict access to the rest of the file system. In essence, it gives the user a pseudo-root directory. This is commonly referred to as chroot jail. - The FTP daemon for FreeBSD had an option to use chroot a user into a particular part of the file system. This is where the bug exists! Who would think to find a privilege escalation in a chrooted FTP implementation!?
- The logic checks to see if the
chrdir(chroot directory) is accessible. If this fails, it jumps to some unintended code at a goto label. Now, ftpd still awaits a new login, but the connection is already locked inside the chroot jail from the previous logic. This causes incorrect behavior during the next login attempt on that connection. - An attacker can make
chdirfail by usingchmod 0. Why is having this fail useful? The ftpd itself gets trapped in chroot jail! - So, later, when authentication checks are done, they are done within the chrooted directory! This means that we can control the root credentials being used, on the next authentication login.
- Now, we can upload libraries that act as replacements to normal daemon libraries. If we add a reverse shell to one of these, we end up as the non-chrooted root user!
- To me, the interesting part was that this issue was created because of a failure in one of the commands, while the other one succeeded. Just because you catch an error, does not mean that it is handled properly!
- Bouncy Castle Crypto is a popular and common cryptography library implemented in Java. This is used at the enterprise level quite a bit.
- The bcrypt (password hashing function) had a flaw introduced into it for two versions before anybody noticed. This flaw (in Java) used the
indexOfinstead of thecharAtfunction on a string. TheindexOffunction finds the first occurrence of a character in a string. Clearly, the codenewPasswordHash.indexOf(i) == currentPasswordHash.indexOf(i)has an issue. - This bypass is not trivial to implement and does require a bunch of brute forcing. From testing, it appears that 20% of passwords were bypassed within 1000 attempts (which is not viable on a site). Regardless, this COULD be used for a bypass on some passwords.
- Even in memory safe languages, vulnerabilities still exist! :)
