
Posts

Responsible Disclosure: Security Misconfiguration leading to HPE's Jenkins exposed to the internet without authentication

Recent posts

Pwning PaaS Cloud Managed Services - From Breaking Isolation to Identifying Abuse

Introduction. Highly inspired by the work done by the team at Wiz ( https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities ), I decided to do some research on applications that provide PaaS managed services. The areas I focused on are coding platforms and managed service platforms. Every service provider did their best to ensure the isolation of user data. Some tried via roles and permissions, while others tried VM-level isolation. While there can be cost reasons and other valid opinions for choosing either option, it should not be forgotten that trial user accounts can be operated by malicious users, who will try to misuse the services for fun or profit. Here we will discuss a few such cases. Some of these risks are by design and vendors are aware of them. To ensure they are not abused, I will try not to name them. In this blog, I will discuss various classes of exploitation that I was able to perform. It is very important to note each of the accoun

Attacking Jenkins with Shared Libraries

What is a Jenkins Shared Library? A Jenkins shared library is popular where a large number of Jenkins jobs or pipelines use repeated code in the pipeline script. Developers create modular functions containing the repetitive code and then reuse them across various projects/pipelines/jobs. It is commonly seen in enterprises or organizations where teams work on multiple projects that share common patterns in every pipeline. Imagine a function to send notifications to Slack about a build passing/failing that can be used by many jobs. These shared functions are often kept in some SCM like GitHub and may or may not be publicly accessible. As they are helper functions and do not carry any customer data/code, the SCM repository is sometimes not private. What does the project structure of a Jenkins Shared Library look like? As copied from ( https://www.jenkins.io/doc/book/pipeline/shared-libraries/ ) (root) +- src # Groovy source files | +- org | +- foo |

Attacking with Command Injection on Containers created using Google's Distroless Images

As mentioned on GitHub, '"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.' (https://github.com/GoogleContainerTools/distroless) There are multiple reasons why distroless images are getting popular: minimal size; no excessive binaries ( there is only sh and bash in the /bin folder ); more secure ( due to the presence of fewer binaries ). However, there has been a wrong perception ( as per a few blog posts ) that we cannot do command injection attacks in containers made from distroless images. While it is partly true that we cannot try the usual command injection attacks, it would be wrong to say that it is impossible. This blog post is about attacking them. Here is my base code and the Dockerfile app.py from flask import Flask,request import os import subprocess app = Flask(__name__) @app.route("/&q

Threats of leaked Github Personal Access Tokens : Private Github Enumeration, Backdooring Apps and Stealing Secrets from CICD systems

We have seen scenarios and real-world impacts of secrets / API keys in public version control systems like GitHub and GitLab. They have contributed to serious breaches, leaked personal information and so on. The risk of a leaked token is already serious, but it is even worse in case it is a GitHub Personal Access Token. In this post I will demonstrate the impacts of a leaked GitHub personal access token. As leaked GitHub Personal Access Tokens are on the rise in public repos on GitHub, this post is to educate about the threats and risks they pose if they are leaked. Personal access tokens are an alternative to using passwords for authentication via the command line or the GitHub API. GitHub personal access tokens are commonly found in configuration files where a developer may need to clone some private repositories. Private repositories are not visible to users who don't have the right authorization to view them. Take for example this URL https://github.com/hellctflife/myapp . It will throw a 404.

Solving Ropemporium - ret2win - 32 bit , 64 bit

There are plenty of great tutorials / writeups out there on the internet on these topics. As pwning is not my regular job, I am documenting the topics I have learnt by reading other blogs/writeups and learning a few topics the hard way. This also helps me to warm up on the same topics from time to time and to document topics that I encountered and that didn't go as smoothly as the writeup. I will also be updating the same topic from time to time with anything new I learn, like improving the exploit, finding new ways to solve the same topic by reading other blogs, etc., and some impressive methods of solving from other authors. The challenge is from https://ropemporium.com/ . I will be solving both the 32-bit and 64-bit versions of the binary. Solving ret2win - 32 bit. Steps: Create a unique pattern. Send the pattern. Find the pattern offset after the crash from the EIP. Find the address we wish to jump to. Then create the final payload with the offset and the address we wish to jump to. Creating a pattern of 100 bytes a

Using CodeQL variant analysis to find format string vulnerabilities - Part 2 ( Taint Analysis )

In our previous post we saw examples of how we can perform simple analysis with CodeQL to detect format string vulnerabilities. There are a couple of issues with the previous queries we wrote. Let us take an example where the data passed to a printf() call is hardcoded, hence the attacker has no control over it. In that case we would end up with too many false positives. So this is where taint analysis will come in useful. Here is the code that we are going to analyze here. Also let us try to exploit it and see which are the scenarios in which they are vulnerable. So as per my input %08x.%08x , there are 3 cases where my input will cause a format string attack. So my model should be able to find these 3 paths that are potentially exploitable. Next let us try to model the taint flow from source to sink, in which my source will be the user's input variable and my sink will be a flow where the user's input variable is passed as the first parameter to the printf(user