CI/CD systems are often used for continuous deployment so that when the right things happen in the source repo, the code magically ends up built and deployed where it needs to be. Underneath all of this is usually a “runner”, which is responsible for doing the work. An attacker who can get their malicious pipeline executing on this runner can steal information for other work executing on the same runner, and subsequently gain access to production systems. This article is going to discuss practically carrying this attack out against a GitLab CI/CD environment.
Lack of HTTP request rate limiting has been a staple low severity finding in penetration test reports for as long as I can remember. OWASP called it API4:2019 Lack of Resources & Rate Limiting in the 2019 API Top 10 and refined it to API4:2023 Unrestricted Resource Consumption in 2023. Is this still a good idea, or are we more likely to shoot ourselves in the foot with it?
Pulse Security briefly assessed the
HDF5 library (
hdf5-1.14.1-2) for memory corruption vulnerabilities as part of a client engagement where the
HDF5 library was used to parse potentially untrusted data. Multiple memory corruption issues were found in the
HDF5 library by fuzz testing the
h5dump helper utilities.
Using the vulnerability described in this advisory an attacker may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer’s disk. This blog post runs through how this vulnerability was identified and exploited - no tiny soldering required.
Istio can be used to control egress traffic from Istio enabled Kubernetes workloads. When combined with the
meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY flag, this can be an attractive option for restricting what outbound connections a pod can make. An attacker who has compromised an Istio enabled pod configured in this way, and can set their processes user ID to
1337, can bypass the egress control.
Dynamic analysis is the process of using tools such as a debugger and instrumentation (or, lets be honest with each other here, mad
printf statements), to understand a piece of software that we’re researching. This article will look at getting line-level debugging set up with a remote target, all without source code.
Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking
This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials.
Multiple vulnerabilities were discovered in the ASP.NET Boilerplate (ABP) framework, including issues which allow an unauthenticated attacker to gain unauthorized administrative access to an ABP site. These issues also affect the ASP.Net Zero framework.
This article is a follow up to Part I - Practical CANBUS Reversing – Understanding the Ducati Monster. We’ll look at implementing the protocols from Part I using an aftermarket ECU, pulling some starting fuel and ignition map data out of the factory ECU through the chip debugging interface and we’ll talk about a few of the things I learned along the way.
We were recently asked to review a Tailscale deployment for one of our clients. Naturally we had to take a look under the hood at how Tailscale implement things - to satisfy our own curiosity as well as to make sure our assumptions about the details were correct. This article explains a couple of the interesting things we found during this process and presents a couple of tricks that might be useful when you next encounter a Tailscale network during a security review, or which might give you some food for thought regarding how you securely deploy Tailscale in your environment.
I’ve spent a while dwelling on how dotnet’s default
Aes.Create() behavior is to use
CBC mode with
PKCS7 padding. This means that, by default, dotnet’s
System.Security.Cryptography.AES is vulnerable to padding oracle attacks. These attacks are certainly nothing new, so let’s look at a practical example of an attack that simulates a recent real-life bug that came up during testing. We’ll explore some specifics of exploiting padding-oracle attacks against targets with hard-coded unknown IV values.
SameSite settings are not the same as
SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF. Let’s take a closer look at how to do that…
The pandemic maxed out our work-from-home stats, we forgot to cancel our coffee subscription and ended up hoarding Havana beans by accident, we hacked many boxes and investigated an incident or two. This article is a brief, informal overview of some things that happened at Pulse in 2021, and a chance to talk about some of that Stuff ™ that happened.
An attacker may chain Zerotier root-server identity overwriting, insecure identity verification and various information leakage vulnerabilities to gain unauthorised access to private Zerotier networks.
This article takes a look at reversing the CANBUS on a Ducati Monster 696. The goal is to figure out the protocols in use and allow an aftermarket ECU to play nice with the OEM systems.
In this post I’ll show you a neat party trick that can let you easily bypass Time-Based One Time Password (TOTP) multi-factor authentication, and often within just a few hours. If your TOTP implementation doesn’t include brute-force protection, you might be in trouble. Sample code to exploit this can be found here.
This article is a look at an example SQL injection in a codebase using QueryDSL (which, inturn, uses Hibernate ORM). ORMs are good for a lot of things, but preventing SQL injection isn’t as automatic as you might think.
Network pivoting is a fancy name we use to describe sending network traffic via one or more hosts that we’ve compromised. It lets us get behind firewalls, access more stuff and is an essential component of serious malware. This is the story of a highly portable network pivot I created. It’s based on (more or less) stealing code from some malware I reverse engineered as part of an incident response engagement.
Penetration testing and vulnerability research are not the same thing. At Pulse Security, we’ve taken a different approach to certain penetration and security testing engagements. We’ve begun using a vulnerability-research based approach where we collaborate directly with client staff to understand and assess complex or heavily integrated systems. We’re calling it our “hybrid security assessment” service which can include aspects of threat modelling, attacker analysis, network testing, architecture review, application testing, reverse engineering, source code review, and more, as needed to fully understand and assess the security of large and complicated systems.
Multiple vulnerabilities were discovered within GoCD. These issues allowed for retrieval of the master secret key from a compromised agent, impersonation of arbitrary agents and remote code execution through deserialization. All vulnerabilities in this advisory are presented from the perspective of an attacker who has either compromised an existing GoCD agent (or its network traffic) or has access to view the GoCD configuration XML (either through the web ui or via a configuration backup).
The authentication platform responsible for authenticating cloud-based Jira, Bitbucket and Confluence users (id.atlassian.com) exposes a username enumeration vulnerability via the
https://id.atlassian.com/rest/marketing-consent/config API endpoint. Pulse Security has leveraged this vulnerability on multiple engagements to build a list of valid target email addresses for further attacks, such as social engineering and credential stuffing. Atlassian have elected to mitigate this vulnerability by implementing a request rate limit, and as such this vulnerability may continue to be used to enumerate users.
The AWS bastion host (https://github.com/aws-quickstart/quickstart-linux-bastion) is intended to provide command logging for all users. These command logs are stored both on the bastion host itself, and forwarded to Cloudwatch. The command auditing implementation allowed a user to bypass the logging, execute an interactive shell and issue commands that were not captured by the AWS bastion’s logging mechanisms.
The Adyen Magento 2 plugin did not securely implement authentication for the POS callback which allows an attacker to approve or cancel arbitrary orders. The only authentication required was a checksum that an attacker can recreate. Additionally, the
/adyen/process/json endpoint did not implement any authentication brute force protection and was vulnerable to timing attacks. An attacker who can successfully brute force these credentials may submit fraudulent payment notifications and fabricate payment information.
Wiki.js >2.4.17 was vulnerable to stored cross-site scripting through template injection. This vulnerability existed due to a malicious payload in a top-level text element bypassing the intended protection mechanisms.
Authentication design for websites is tricky business, and we’re finding more and more websites are falling behind the times. Let’s talk user login design and how to get decent security without stamping all over your user experience. It’ll be fun, I promise!
An SQL injection bug in an ORDER BY clause came up in a recent engagement, which lead to an interesting rabbit hole regarding exploiting SQLi against a PostgreSQL database. This post details some of that adventure. We’ll look at some useful Postgres functions to make exploiting SQLi easier, some interesting file read/write primitives and a path to command execution as the DB user. I’ve included some sample vulnerable code for those of you that want to try this stuff out first hand.
This article explains a technique we discovered for bypassing a web application firewall or blacklist to trigger an expression language injection and get remote code execution, without being able to pass certain strings.
2019 was a big year for us at Pulse. We found a lot of bugs, compromised a lot of boxes and wrote a lot of reports. This post will provide an overview of three generic things that made our lives as attackers difficult last year. We’ll cover strong password policies, multi-factor authentication and a surprisingly effective phishing control. This post explains how these security controls made a few of our engagements harder for us.
Untitled Goose Game was vulnerable to a code execution vulnerability due to unsafe deserialization in the save game loader. An attacker capable of controlling a target user’s save game can leverage this vulnerability to execute malicious code when the save game is loaded.
MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.
In this article I’m going to take a look at Microsoft SQL Servers
RAND() implementation. We’ll reverse the relevant parts of SQL Server using windbg and Ghidra, replicate the random number generator in C and then look at some attacks and brute forcing methods. This project stemmed from a job I worked on recently where a stored procedure which called
RAND() was used to generate session tokens within an API.
A use-after-free condition was present in the Linux 4.9 kernel TCP socket handling code, triggerable by a low privilege local user. The included POC triggers multiple read and write UAF conditions. Additionally, the POC causes a kernel crash on a vanilla Debian build.
By setting a specific socket option, an attacker can control a pointer in kernel land and cause a general protection fault, or potentially execute arbitrary code. The issue can be triggered by running the included POC as root, inside a default LXC container or with
CAP_NET_ADMIN privileges. This issue was confirmed on Debian Stretch (kernel 4.9.168), however Debian have advised that this issue also affects older kernel versions. This issue may also be triggered by a low privileged user that can unshare their user and network namespaces.
I recently had the chance to set up a few security automation bits and pieces, and figured I’d go ahead and detail some of my thoughts on a few quick wins. We’ll look at assigning code owners for security sensitive source code, extending linters to keep bugs from re-appearing in the future and automating alerting on third party library vulnerabilities. These techniques give a low-false-positive rate, and provide a simpler way to get started with security automation rather than attempting to cobble together full-fat static and dynamic security analysis right off the bat.
Containers aren’t really a thing. They’re a mishmash of Linux kernel-isms like namespaces and cgroups. I wanted to write a rootkit that would make exploiting privileged docker containers easier, and learn about how these kernel-isms are implemented along the way. This post is going to take a look at three kernel-module specific techniques to escape a privileged container, ranging from easy-peasy-lemon-squeezy to difficult-difficult-lemon-difficult.
atftpd contained multiple vulnerabilities, including stack buffer overflow, concurrency issues and heap-based read overflow.
TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.
Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account import cross site request forgery which allows an unauthenticated attacker to create a new administrative user. Cross site request forgery 2FA deactivation, allowing an unauthenticated attacker to disable an account’s 2FA configuration. A lack of integrity checking or transport layer encryption enforced on plugins enables remote code execution by a malicious admin. Other vulnerabilities include: session privilege retention, 2FA bypass, database
user_id and pre-2FA information disclosure.
Go-pandoc is vulnerable to remote code execution through a user included LUA filter. An attacker can upload a LUA file to a known location on the file system due to a predictable temporary directory being used when handling certain file type includes. The uploaded LUA file can then be used as a filter in a subsequent request, allowing for the execution of arbitrary LUA code.
An attacker may send the
rsync daemon a crafted packet, triggering an out-of-bound memory read in the argument handling code.
We’re coming across more and more instances of Office 365 accounts with suspicious activity. Unfortunately the logging defaults in Office 365 are unsatisfactory and a little additional configuration is required to improve the effectiveness of the logging, especially in regards to user activity.
A memory corruption vulnerability exists in Microsoft DirectX. The corruption happens as a result of the incorrect handling of text, while running CSS tranformations, resulting in an out-of-bounds-read. It is possible to trigger this vulnerability remotely via Internet Explorer. An attacker can use this vulnerability to disclose memory of a victim’s machine. Generally, such vulnerability is chained with a Remote Code Execution vulnerability and used to bypass common defenses.
In this article I’ll be taking a look at the CAN bus network in a 2009 Ducati 848. How to find the bus, confirm the high and low lines with a scope and analyse messages with a Linux box and socket-CAN. The aim of the game is to identify a way to get onto the bus, and then analyse the messages going across the bus. We’ll end up figuring out how to log the throttle position and RPM data, how the immobilizer is implemented and how to bypass it.
Can you tell me how to get, how to get shells on OpenCPU…
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.
Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML
NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.
Pulse Security has identified two vulnerabilities in the ManageEngine OpManager software currently being exploited in the wild, and one observational note. This document details the vulnerabilities and the indicators of compromise that may be used to identify these exploits.
A memory corruption vulnerability exists in Microsoft Internet Explorer. The corruption happens due to the destruction and reuse of an element processed by Internet Explorer. An attacker can use this vulnerability to obtain Remote Code Execution and compromise a victim’s machine. Microsoft fixed this vulnerability in the June 2018 patch cycle. Pulse Security recommends applying the latest updates to mitigate this vulnerability.
Phusion Passenger’s Nginx module is vulnerable to a privilege escalation vulnerability when run with a non-standard
passenger_instance_registry_dir configuration. A vulnerability exists when creating the
control_process.pid file, specifically when the file’s owner is changed from root. An attacker can use this behavior to escalate privileges from the www-data user to the root user when Nginx is restarted.
When it comes to offensive security, engagements can be broadly broken up into two categories: Penetration testing and red teaming. Understanding the differences between the two is essential when attempting to verify the security of an application, network or organisation.
A memory corruption vulnerability exists in Microsoft Internet Explorer. The corruption happens as a result of the destruction and reuse of an element processed by Internet Explorer. An attacker can use this vulnerability to obtain Remote Code Execution and compromise a victim’s machine.
Multiple vulnerabilities were discovered in Pi-Hole, a DNS blocker solution. Vulnerabilities included remote code execution, cross-site scripting, sql injection, privilege escalation and stack-based buffer overflow.
A memory corruption vulnerability exists in Microsoft Edge and Internet Explorer. The corruption happens as a result of incorrect handling of SVG attributes. An attacker can use this vulnerability to disclose memory of a victim’s machine. Generally, such vulnerability is chained with a Remote Code Execution vulnerability and used to bypass common defenses.