Yandex rewards. ONsec experience

•

1 like•2,178 views

The document summarizes the history of Yandex's bug bounty program and ONsec Lab's experience finding vulnerabilities in Yandex systems between 2011-2013. It describes several vulnerabilities ONsec Lab reported to Yandex, including an XXE issue, an authentication bypass, and a CSRF/XSS collection vulnerability. It provides details on a current "Memcached injection through SSRF" bug and an attempted but failed remote code execution exploit of Yandex's internal Zabbix monitoring system via an SSRF vulnerability.

Technology

Yandex reward program
ONsec experience

DEFCON Russia, DCG-7812
21/02/2013 Saint-Petersburg, Yandex

History of Yandex rewards
● 2011, October - November: Yandex's Month
of Security Bugs
● Prizes:
○ 1-st @d0znpp (@ONsec_Lab)
○ 2-nd @ASintsov
○ 3-rd @kyprizel (now in Yandex team)

History of Yandex rewards
● 2011, October - November: Yandex's Month
of Security Bugs
● Bugs:
○ 1-st Massive XXE
○ 2-nd Auth bypass at mail service
○ 3-rd CSRF/XSS collection at auth system

What about now?

● Bug bounty program every time
● http://company.yandex.com/security/
● From $100 (A06,10) to $1000 (A01) per bug
● OWASP Top-10 based rating

@ONsec_Lab bugs stats
Only server-side - only hardcode!!!
● 20 bugs accepted
● 1 reject as a double
● 11 qualified bugs
● 9 bugs at progress
● 240'000 rub approved, 80'000 paid rewards
● 21'818 rub per bug average ($715)

What about bugs?

All our bugs are server-side:
● XXE against - nothing interesting
● Memcached injections through SSRF
● Nice "RCE" story
● Great SSRFs for HITB2013AMS (not now)

Memcached injection
through SSRF
● All theory described at our ZeroNights
report: www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-
vulnerabilities

● Find possibility to write in sockets:
ANYPREFIXnyoudatanANYPOSTFIX
● Write it to localhost 11211 port - easy!

Nice "RCE" story: stages
● Determine target
● Find information leaks
● Find vulns
● Find SSRF to exploit vulns
● Exploit vuln through SSRF

Determine target

● Have connections from anywhere in
infrastructure
● Have information about all infrastructure
● Monitoring system!

Find information leaks
● Use Yandex to hack Yandex:

● This presentation contain info about Zabbix

Find information leaks
● Use Google to hack Yandex:

● This ticket contained intranet
host of Zabbix in Yandex

Find vulns in Zabbix
● Zabbix RCE vulnerability were found
● Presented at ZeroNights 0day show

Find SSRF and exploit it!
● SSRF attack from host which can establish
connections to Zabbix host
● SSRF restrictions to make exploitation
possible
● And...

Not this time ;(
● Our Zabbix RCE exploit doesn't work at
Debian systems
● Yandex's zabbix was based on Debian or
manually configured
● But we have come a long way and it is
worth a look!

We did not give up!

● More exploits and
vulns later
● Follow us at
HITB2013AMS

???
@ONsec_Lab [http://lab.ONsec.ru]
@d0znpp

d0znpp@onsec.ru

Denis Kolegov, Oleg Broslavsky, Power of Community 2018, Seoul, Korea Today, «SD-WAN» is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner’s predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020. In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and found vulnerabilities, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.

NodeWay in my project & sails.jsDmytro Ovcharenko

Hacklu2011 tricaud

stricaud

Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...

Codemotion

Once you start working with Big Data systems, you discover a whole bunch of problems you won’t find in monolithic systems. Monitoring all of the components becomes a big data problem itself. In the talk, we’ll mention all of the aspects that you should take into consideration when monitoring a distributed system using tools like Web Services, Spark, Cassandra, MongoDB, AWS. Not only the tools, what should you monitor about the actual data that flows in the system? We’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.

Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...

Demi Ben-Ari

Once you start working with distributed Big Data systems, you start discovering a whole bunch of problems you won’t find in monolithic systems. All of a sudden to monitor all of the components becomes a big data problem itself. In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system once you’re using tools like: Web Services, Apache Spark, Cassandra, MongoDB, Amazon Web Services. Not only the tools, what should you monitor about the actual data that flows in the system? And we’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.

Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017

Demi Ben-Ari

Все шире и шире получают распространение bugbounty программы - программы вознаграждения за уязвимости различных вендоров. И порой при поиске уязвимостей находятся места, которые явно небезопасны (например - self XSS), но доказать от них угрозу сложно. Но чем крупнее (хотя, скорее адекватнее) вендор, тем они охотнее обсуждают и просят показать угрозу от сообщенной уязвимости, и при успехе – вознаграждают 8). Мой доклад – подборка таких сложных ситуаций и рассказ, как же можно доказать угрозу.

Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"

Dakiry

Surge2012

davidapacheco

When Node.js Goes Wrong: Debugging Node in Production The event-oriented approach underlying Node.js enables significant concurrency using a deceptively simple programming model, which has been an important factor in Node's growing popularity for building large scale web services. But what happens when these programs go sideways? Even in the best cases, when such issues are fatal, developers have historically been left with just a stack trace. Subtler issues, including latency spikes (which are just as bad as correctness bugs in the real-time domain where Node is especially popular) and other buggy behavior often leave even fewer clues to aid understanding. In this talk, we will discuss the issues we encountered in debugging Node.js in production, focusing upon the seemingly intractable challenge of extracting runtime state from the black hole that is a modern JIT'd VM. We will describe the tools we've developed for examining this state, which operate on running programs (via DTrace), as well as VM core dumps (via a postmortem debugger). Finally, we will describe several nasty bugs we encountered in our own production environment: we were unable to understand these using existing tools, but we successfully root-caused them using these new found abilities to introspect the JavaScript VM.

Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...

Demi Ben-Ari

Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...

Codemotion

Once you start working with Big Data systems, you discover a whole bunch of problems you won’t find in monolithic systems. Monitoring all of the components becomes a big data problem itself. In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system using tools like: Web Services,Spark,Cassandra,MongoDB,AWS. Not only the tools, what should you monitor about the actual data that flows in the system? We’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.

The art of android hacking

Abhinav Mishra

The art of android hacking by Abhinav Mishra (0ctac0der)

OWASP Delhi

Hacklu2012 v07F _

New paradigmsBorja A. Espejo García

2020 OWASP Thailand - ZAP intro

Simon Bennetts

Bsidesvienna sentinel v0.4

nibod

Web Exploitation

UTD Computer Security Group

Visiting the Bear Den

ESET

MySQL Monitoring with ZabbixFromDual GmbH

Доклад Михаила Егорова на PHDays

ru_Parallels

Hacking Adobe Experience Manager sites

Mikhail Egorov

HTTP(S)-Based Clustering for Assisted Cybercrime Investigations

Marco Balduzzi

Over the past several years there has been a noticeable rise in the number of reported targeted attacks, which are also commonly referred to as advanced persistent threats (APTs). This is seen by security experts as a landscape shift from a world dominated by widespread malware that infect indiscriminately, to a more selectively targeted approach with higher gain. One thing that is clear about targeted attacks is that they are difficult to detect, and not much research has been conducted so far in detecting these attacks. In this paper, we propose a novel system called SPuNge that processes threat information collected on the users' side to detect potential targeted attacks for further investigation. We use a combination of clustering and correlation techniques to identify groups of machines that share a similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil & gas). We evaluated our system against real data collected by an antivirus vendor from over 20 million customers installations worldwide. Our results show that our approach works well in practice and is helpful in assisting security analysts in cybercrime investigations.

HITB2013AMS Defenting the enterprise, a russian way!

F _

Meteor Day Athens (2014-11-07)

svub

Solr @ eBay Kleinanzeigen

Lucidworks (Archived)

How to hack. Cyprus meetup

Ivan Novikov

Where is my silver bullet?!

Ivan Novikov

In the past two years, companies all over the world spent $157 billion on information security products. For comparison, the total expenses of the state government of New York amounted to $150.7 billion in 2016. Just for our amusement, let's imagine a silver bullet with a cost comparable to information security expenses. It would weigh 302.5 tons since silver costs $515.70 per kilogram (actual price on the day this article was written)! Therefore, it is either a really heavy bullet the size of a 10-story building, or it isn't made of silver. I could continue hypothesizing about potential raw materials for such a bullet, but I'd rather discuss the reasons behind such a state of affairs. In short, it is unclear what needs to be protected and from what. I will elaborate on these two problems below.

Similar to Yandex rewards. ONsec experience

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

DefconRussia

Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"

Dakiry

Surge2012

davidapacheco

Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...

Demi Ben-Ari

Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...

Codemotion

Once you start working with Big Data systems, you discover a whole bunch of problems you won’t find in monolithic systems. Monitoring all of the components becomes a big data problem itself. In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system using tools like: Web Services,Spark,Cassandra,MongoDB,AWS. Not only the tools, what should you monitor about the actual data that flows in the system? We’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.

The art of android hacking

Abhinav Mishra

The art of android hacking by Abhinav Mishra (0ctac0der)

OWASP Delhi

Hacklu2012 v07F _

New paradigmsBorja A. Espejo García

2020 OWASP Thailand - ZAP intro

Simon Bennetts

Bsidesvienna sentinel v0.4

nibod

Web Exploitation

UTD Computer Security Group

Visiting the Bear Den

ESET

MySQL Monitoring with ZabbixFromDual GmbH

Доклад Михаила Егорова на PHDays

ru_Parallels

Hacking Adobe Experience Manager sites

Mikhail Egorov

HTTP(S)-Based Clustering for Assisted Cybercrime Investigations

Marco Balduzzi

HITB2013AMS Defenting the enterprise, a russian way!

F _

Meteor Day Athens (2014-11-07)

svub

Solr @ eBay Kleinanzeigen

Lucidworks (Archived)

Similar to Yandex rewards. ONsec experience (20)

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"

Surge2012

Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...

Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...

The art of android hacking

The art of android hacking by Abhinav Mishra (0ctac0der)

Hacklu2012 v07

New paradigms

2020 OWASP Thailand - ZAP intro

Bsidesvienna sentinel v0.4

Web Exploitation

Visiting the Bear Den

MySQL Monitoring with Zabbix

Доклад Михаила Егорова на PHDays

Hacking Adobe Experience Manager sites

HTTP(S)-Based Clustering for Assisted Cybercrime Investigations

HITB2013AMS Defenting the enterprise, a russian way!

Meteor Day Athens (2014-11-07)

Solr @ eBay Kleinanzeigen

Recently uploaded

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

The Future of Platform Engineering

Jemma Hussein Allen

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Recently uploaded (20)

Accelerate your Kubernetes clusters with Varnish Caching

GraphRAG is All You need? LLM & Knowledge Graph

FIDO Alliance Osaka Seminar: Overview.pdf

UiPath Test Automation using UiPath Test Suite series, part 3

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Bits & Pixels using AI for Good.........

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

Neuro-symbolic is not enough, we need neuro-*semantic*

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Monitoring Java Application Security with JDK Tools and JFR Events

PCI PIN Basics Webinar from the Controlcase Team

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

The Future of Platform Engineering

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Essentials of Automations: Optimizing FME Workflows with Parameters

Yandex rewards. ONsec experience

1. Yandex reward program ONsec experience DEFCON Russia, DCG-7812 21/02/2013 Saint-Petersburg, Yandex

2. History of Yandex rewards ● 2011, October - November: Yandex's Month of Security Bugs ● Prizes: ○ 1-st @d0znpp (@ONsec_Lab) ○ 2-nd @ASintsov ○ 3-rd @kyprizel (now in Yandex team)

3. History of Yandex rewards ● 2011, October - November: Yandex's Month of Security Bugs ● Bugs: ○ 1-st Massive XXE ○ 2-nd Auth bypass at mail service ○ 3-rd CSRF/XSS collection at auth system

4. What about now? ● Bug bounty program every time ● http://company.yandex.com/security/ ● From $100 (A06,10) to $1000 (A01) per bug ● OWASP Top-10 based rating

5. @ONsec_Lab bugs stats Only server-side - only hardcode!!! ● 20 bugs accepted ● 1 reject as a double ● 11 qualified bugs ● 9 bugs at progress ● 240'000 rub approved, 80'000 paid rewards ● 21'818 rub per bug average ($715)

6. What about bugs? All our bugs are server-side: ● XXE against - nothing interesting ● Memcached injections through SSRF ● Nice "RCE" story ● Great SSRFs for HITB2013AMS (not now)

7. Memcached injection through SSRF ● All theory described at our ZeroNights report: www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of- vulnerabilities ● Find possibility to write in sockets: ANYPREFIXnyoudatanANYPOSTFIX ● Write it to localhost 11211 port - easy!

8. Memcached injection through SSRF

9. Nice "RCE" story: stages ● Determine target ● Find information leaks ● Find vulns ● Find SSRF to exploit vulns ● Exploit vuln through SSRF

10. Determine target ● Have connections from anywhere in infrastructure ● Have information about all infrastructure ● Monitoring system!

11. Find information leaks ● Use Yandex to hack Yandex: ● This presentation contain info about Zabbix

12. Find information leaks ● Use Google to hack Yandex: ● This ticket contained intranet host of Zabbix in Yandex

13. Find vulns in Zabbix ● Zabbix RCE vulnerability were found ● Presented at ZeroNights 0day show

14. Find SSRF and exploit it! ● SSRF attack from host which can establish connections to Zabbix host ● SSRF restrictions to make exploitation possible ● And...

15. Fail!

16. Not this time ;( ● Our Zabbix RCE exploit doesn't work at Debian systems ● Yandex's zabbix was based on Debian or manually configured ● But we have come a long way and it is worth a look!

17. We did not give up! ● More exploits and vulns later ● Follow us at HITB2013AMS

18. ??? @ONsec_Lab [http://lab.ONsec.ru] @d0znpp d0znpp@onsec.ru

Yandex rewards. ONsec experience

Recommended

Recommended

More Related Content

Similar to Yandex rewards. ONsec experience

Similar to Yandex rewards. ONsec experience (20)

More from Ivan Novikov

More from Ivan Novikov (7)

Recently uploaded

Recently uploaded (20)

Yandex rewards. ONsec experience