February 2022 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.


Latest Updates in Cloud Sector


Stealing Sensitive Information Using Helm Charts from Argo CD Deployments

Helm charts are used as a key component to build Kubernetes clusters. Cheers to Apiiro’s Security Research team for uncovering a severe software supply chain 0-day vulnerability (CVE-2022-24348) in Argo CD that enabled threat actors to access sensitive information such as secrets, API keys, and passwords. The impact of this vulnerability is twofold. First, there are the direct implications of contents read from other files present on the repo server, which may hold sensitive information affecting a whole organization. Second, the application files contain an assortment of transitive values such as tokens, secrets and environment settings, allowing attackers to move laterally through numerous services and escalate their privileges to access systems and the target organization’s resources.




PurplePanda for Purple Teamers

PurplePanda is a tool that fetches resources from various cloud or SaaS applications and searches for privileges and escalation paths within and across platforms. It primarily focuses on permissions in order to identify privilege escalation paths and dangerous permissions in cloud/SaaS configurations. As the name suggests, the PurplePanda tool is beneficial for both the Red Team and the Blue Team. It has two essential analysis modes: the main one gathers data and analyzes it, whereas the second performs a quick analysis of the given credentials. The article covers a step-by-step guide for Red Teamers and Blue Teamers along with a video tutorial.





Latest Updates in Infrastructure


Relaying Kerberos over DNS using krbrelayx and mitm6

The article focuses on alternative abuse paths for relaying DNS authentication. It is highly relevant if one has the ability to spoof a DNS server via DHCPv6 spoofing with mitm6. In this scenario, one gets victim machines to reliably authenticate using Kerberos and the machine account. The concept of the flow is fairly simple, but the implementation is not. The client uses Kerberos to authenticate and securely exchange a session key, and then uses that session key to sign further update queries. The server can store the key and the authenticated user/computer and process the updates in an authenticated manner without having to tie the authentication to a specific TCP socket, as later queries may be sent over UDP.




Terraform: Supply Chain Attack as Code

Terraform is a tool used by many organizations to deploy infrastructure-as-code solutions. It allows operations engineers to describe infrastructure in a domain-specific language. A lot of complex infrastructure is repeatable, and users will often break it down into what Terraform calls “modules.” These modules are often shared online through GitHub repositories and the Terraform Registry. The article outlines a hypothetical example of using Terraform modules as attack vectors and explains why consumers of these modules should be cautious about using them. The victim does get a chance to notice if something is wrong; however, in a complex project the update message will be either ignored or lost in the noise.




Attacking an Ethereum L2 with Unbridled Optimism

A massive web3 / blockchain-based attack was discovered by Saurik, a.k.a. Jay Freeman of Cydia fame, who was rewarded by multiple blockchains which were affected. He reported a critical security issue to Optimism, an “L2 scaling solution” for Ethereum, that would allow an attacker to replicate money on any chain using their “OVM 2.0” fork of go-ethereum. The reward payout is one of the biggest bug bounty payouts ever given. Because Optimism currently uses a centralized “sequencer”, they were able to both fix the bug on their nodes and infrastructure and arrange for downstream projects that use their codebase, Boba and Metis, to get it patched.





Latest Updates in Web Application


Zap Introduces All New Networking

A new networking layer in ZAP allows the team to provide faster support for newer technologies such as HTTP 2.0. Previously, ZAP used code written for Paros Proxy on top of an old and outdated version of the Apache Commons HTTP client library. Since the ZAP code base makes very heavy use of networking, this has been a crucial change in terms of supporting new protocols. A few changes are observable. The Options / Local Proxies screen has been replaced by an Options / Network / Local Servers / Proxies screen. The Options / Dynamic SSL Certificates screen has been replaced by an Options / Network / Server Certificates screen. Lastly, the Options / Network / Local Servers / Proxies screen has a new “Pass-through” tab for configuring the authorities that pass through ZAP.




Discovering new vulnerabilities in WordPress Plugins Semi-Automatically

The article by Kazet / wpgarlic presents an interesting approach to fuzzing WordPress plugins and finding vulnerabilities. The author has also made a PoC of the fuzzer publicly available. Generally, WordPress plugins expose a number of interfaces such as REST routes, PHP files, admin menu pages, AJAX endpoints and many more. These interfaces have a consistent trust boundary: we know where the untrusted input goes and can detect what operations are executed on that input. The method described in the article is transferable to other CMS plugin ecosystems, but not directly to, for instance, Python packages. Many of the vulnerabilities found are easily preventable by modern software engineering practices.







About the Expert

Author

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ years of corporate experience and expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat USA, Asia, and EU, Nullcon, c0c0n, and many more). Anant also leads Open Source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info