January 2022 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.

Latest Updates in Cloud Sector

Vulnerabilities: Breaking Formation and Superglue by Orca Security

Orca Security’s researchers have been focusing on AWS services and found two bugs in standard services offered by AWS. Tzah Pahima found a zero-day vulnerability in AWS CloudFormation that granted authorization to run AWS services: an XXE (XML External Entity) injection was triggered and then chained with SSRF (Server-Side Request Forgery) to read files and perform HTTP requests on behalf of the server. However, the level of access granted by the compromised IAM role is unclear. Separately, Yanir Tsarimi found a compromise of the internal AWS Glue service that allowed assuming the Glue role in any AWS account that used Glue, which provided full access to the internal service API.

Attacker's Guide to Terraform Instance Metadata Service

The article walks through various attacks on Terraform Enterprise, the self-hosted version of Terraform Cloud that lets companies run their own private Terraform instance. Alongside the benefits of this deployment model, there is a default configuration that penetration testers and red teamers can turn to their advantage: when Terraform Enterprise is deployed on a VM from a cloud provider, it has access to the instance metadata service, and the credentials obtained from that service can be leveraged for further attacks.

Easy Guide to Simple Cloud Security Posture Management (CSPM)

Cloud Security Posture Management (CSPM) is an emerging area. The article describes a simple CSPM auditing tool for Google Cloud built on Google Sheets: a Google Apps Script running inside a sheet regularly collects audit data from a number of sources in Google Cloud Platform (GCP). “Serverless” Google Apps Scripts were chosen for maximum customizability and minimal operational maintenance. The tool quickly finds publicly exposed buckets, functions, VMs, and more; it reduces attack surface by identifying unused service accounts, firewall rules, permissions, and even entire projects; and it recommends Organization Policies to prevent future accidental or malicious exposure.

Latest Updates in Infrastructure

Microsoft Email Stuck in Exchange On-Premises Transport Queues

The issue caused messages to get stuck in the transport queues of on-premises Exchange Server 2016 and 2019. The problem goes back to a date check that failed with the change of the new year; it could be related to the “Y2K22” bug. The “long” type allows values up to 2,147,483,647, and Microsoft uses the first two digits of the update version to denote the year of the update. For 2021 the first two digits were “21”; with 2022, however, the update version converted to “long” would be 2,201,010,001, which is above the maximum value of the “long” data type. The version check performed against the signature file caused the malware engine to crash, resulting in messages being stuck in transport queues.
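To make the overflow concrete, here is an added example (not from the newsletter and not Microsoft's code) that converts a version string of the shape described above into a signed 32-bit integer with a range check instead of an unchecked store. Windows “long” is 32 bits wide, which is why the 2,147,483,647 limit applies; the example uses int32_t so it behaves the same on every platform. The version strings, the function names and the status codes are constructed for the illustration.

```c
/* Added example: checked conversion of a "YYMMDDNNNN"-style version string
 * into a signed 32-bit integer. Once the year prefix reaches "22" the value
 * exceeds INT32_MAX (2,147,483,647); a checked parse reports that instead of
 * wrapping or crashing. int32_t stands in for the 32-bit Windows "long". */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of converting a version string (constructed status codes). */
typedef enum { VERSION_OK = 0, VERSION_MALFORMED = 1, VERSION_OVERFLOW = 2 } version_status;

/* Parse a decimal version string into *out without wrapping.
 * strtoll works in 64 bits, so the range check below is exact. */
version_status parse_version_i32(const char *text, int32_t *out)
{
    char *end = NULL;
    errno = 0;
    long long value = strtoll(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value < 0)
        return VERSION_MALFORMED;          /* not a plain non-negative integer */
    if (value > INT32_MAX)
        return VERSION_OVERFLOW;           /* the Y2K22 condition */
    *out = (int32_t)value;
    return VERSION_OK;
}

/* Convenience wrapper that only reports the status. */
version_status check_version(const char *text)
{
    int32_t unused = 0;
    return parse_version_i32(text, &unused);
}

/* The value an unchecked 32-bit store would have produced: two's-complement
 * wraparound computed with explicit modular arithmetic, so the result does
 * not depend on implementation-defined narrowing conversions. */
int32_t wrapped_i32(long long value)
{
    long long m = value % 4294967296LL;     /* reduce modulo 2^32 */
    if (m < 0)
        m += 4294967296LL;
    if (m >= 2147483648LL)
        m -= 4294967296LL;                  /* map the upper half to negatives */
    return (int32_t)m;
}

int main(void)
{
    /* Constructed sample versions: a "21"-prefixed one and a "22"-prefixed one. */
    const char *samples[] = { "2112330001", "2201010001" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t v = 0;
        version_status st = parse_version_i32(samples[i], &v);
        if (st == VERSION_OK)
            printf("%s fits: %d\n", samples[i], v);
        else if (st == VERSION_OVERFLOW)
            printf("%s overflows int32; unchecked store would give %d\n",
                   samples[i], wrapped_i32(strtoll(samples[i], NULL, 10)));
        else
            printf("%s is malformed\n", samples[i]);
    }
    return 0;
}
```

The defensive point is the explicit range check: parsing into a wider type and comparing against INT32_MAX turns a silent wraparound (the 2022 value becomes a large negative number) into an error the caller can handle.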

PwnKit: a Pun Intended on the Vulnerable Application Polkit

As Ryan Mallon explained in 2013, the handling of argv in C has a corner case that can lead to an application being executed with argv[0] == NULL. Many applications, including several setuid applications, assumed that argv[0] is always a valid pointer. While Ryan did not find any practical exploits using this at the time, it did allow for some amusing behavior from setuid binaries. Recently Qualys disclosed a local privilege escalation vulnerability in polkit’s pkexec (CVE-2021-4034): a memory corruption bug in a SUID-root program that is installed by default on every major Linux distribution. The vulnerability is easily exploitable and allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.
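The assumption that broke here is that argv[0] always exists. The following added example (not from the newsletter, polkit or Qualys) shows the defensive shape a setuid-style program should have: validate argc and the argv entries before anything reads them, and never print argv[0] when it is not there. The function and exit-code names are constructed for the illustration.

```c
/* Added example: validate the argument vector before touching argv.
 * On POSIX systems argv[argc] is NULL, so with argc == 0 the entry argv[0]
 * is already the terminating NULL and argv[1] lies past the end of the
 * array. Checking argc first avoids reading beyond it. */
#include <stdio.h>

/* Constructed result codes for validate_args(). */
enum { ARGS_OK = 0, ARGS_EMPTY = 1, ARGS_MISSING_OPERAND = 2 };

/* Returns ARGS_EMPTY when no program name was supplied, ARGS_MISSING_OPERAND
 * when the single required operand is absent, ARGS_OK otherwise. */
int validate_args(int argc, char *argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return ARGS_EMPTY;               /* do not read argv[1]: it is out of bounds */
    if (argc < 2 || argv[1] == NULL)
        return ARGS_MISSING_OPERAND;
    return ARGS_OK;
}

int main(int argc, char *argv[])
{
    switch (validate_args(argc, argv)) {
    case ARGS_EMPTY:
        /* argv[0] is not usable as a program name here, so it is not printed. */
        fputs("error: empty argument vector\n", stderr);
        return 2;
    case ARGS_MISSING_OPERAND:
        fprintf(stderr, "usage: %s <operand>\n", argv[0]);
        return 2;
    default:
        printf("operand: %s\n", argv[1]);
        return 0;
    }
}
```

The check costs three comparisons and removes the whole class of out-of-bounds reads that follow from trusting argc to be at least one; the same guard belongs in any program that runs with elevated privileges.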

Cryptography Vulnerabilities Exploited in 2020: Learning from the Past

The null community has looked back at various TLS vulnerabilities discovered in 2020 that affected systems in 2021. An in-depth whitepaper reviews the different vulnerabilities discovered during this time frame; for each one it provides a deep-dive description of how it works along with the exploitation process. The whitepaper also provides instructions on how to protect yourself against such bugs.

Latest Updates in Web Applications

Developer Corrupts NPM Libraries ‘colors’ & ‘faker’ Breaking Countless Apps

Marak Squires, the developer of ‘colors’ and ‘faker’, purposely introduced an infinite loop that bricked thousands of projects. faker received over 2.8 million weekly downloads on npm and had over 2,500 dependents, while the colors library receives over 20 million weekly downloads on npm and has almost 19,000 projects relying on it. Marak intentionally pushed mischievous commits to both libraries that impacted thousands of applications relying on them. The stated reason was retaliation against mega-corporations and commercial consumers of open-source projects who rely extensively on cost-free, community-powered software but are unwilling to pay or give back to the community. This, along with the recent log4j disclosure, has stirred a fresh set of debates around open source and its usage in the corporate world.

Exploiting URL Parser Confusion: The Good, Bad and Inconsistent

A detailed whitepaper on URL parsing: different libraries parsing the same URL differently often causes unexpected behavior in web applications and enables denial-of-service attacks, information leaks, and even remote code execution. In total, five categories of inconsistencies in how libraries parse URLs into their basic components, and eight vulnerabilities across 16 libraries, were uncovered. The report explains the parsing confusion caused by the numerous parsing libraries used in projects, how specific incompatibilities lead to inconsistencies by design and to vulnerabilities that developers might be unaware of, and lastly why bypasses for the Log4j vulnerability mitigations can be traced in part to inconsistencies in URL parsing.

Websphere Portal: How to Turn a Bad SSRF to a Good SSRF

Server-Side Request Forgery (SSRF) vulnerabilities pose a critical risk to attack surfaces because they allow threat actors to access resources on the internal network. The risk is amplified in cloud environments such as AWS, where an SSRF can reach the AWS metadata server and retrieve the temporary AWS credentials tied to the server making the request. The article explains how to discover a multitude of SSRF vulnerabilities in HCL WebSphere and various techniques to turn a simple SSRF into a properly exploitable one.


About the Expert


Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ years of corporate experience and expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat USA, Asia, EU, Nullcon, c0c0n, and many more). Anant also leads open source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities aimed at spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info