March 2022 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.

Latest Updates in Cloud Sector

Want to Casually Escape Privileged Containers?

Despite the fact that it is not a ‘real’ vulnerability it is always fun to Escape Privileged Docker Containers. Jordy Zomer went on a search after a recent discovery of the cgroup_release_agent escape trick (CVE-2022-0492) for call—to the call_usermodehelpher_* family and attempted to determine which ones are easily accessible within a container environment. Not a lot of people know this, but a call_usermodehelper runs a program in user mode which is a convenient feature for security researchers. The article walks us through how Jordy discovered that Kernel’s coredump, handling code included a call to a particular function.

AutoWarp: The AZure Automation Security Flaw

A critical vulnerability named AutoWarp was found by Yanir Tsarimi in the Azure Automation service that provided unauthorized access to other Azure user accounts. It was recently fixed by Microsoft and all the customers were notified about the same. However, this attack could mean full control over resources and data belonging to the targeted account depending on the permission assigned by the customer. The default enabled setting of azure automation service which allows managed identity features means any account which has not changed the settings were vulnerable.

Azure: Advancing from Logic App Contributor to Root Owner

While playing around with the subscription roles access Josh Magri realized, some additional subscriptions were visible. This led to research around API calls where it was identified that having Contributor access to an Azure Resource Manager (ARM) API Connection allows creating arbitrary role assignments as the connected user. Assumed to be a limited action at the Resource Group level—an attacker could escape to the Subscription or Root level with a path traversal payload. It was the primary cause of the conduct that would meet the Swagger API definition, and the payload would be resolved by the server, resulting in a request to an unintended scope.

Latest Updates in Infrastructure

Threat Actor DEV-0537 Targeting Organizations for Data Exfiltration and Destruction

DEV-0537 aka LAPSUS$ is known for using a pure extortion and destruction model without deploying ransomware payloads. Initially targeting the United Kingdom and South America the hacker is now expanding to global targets including organizations in government, IT, healthcare sectors, and much more. Intentionally not covering its tracks, DEV-0537 advertises its intent via social media. Few of their tactics include phone-based social engineering, accessing personal email accounts of employees, paying employees, suppliers, or business partners of the targeted organization for access to credentials, and MFA approval. The article compiles all the techniques, tactics, and procedures observed across multiple attacks caused by DEV-0537.

What Defenders Need To Look Out For In Terms Of The Dirty Pipe Vulnerability

The Dirty Pipe Vulnerability (CVE-2022-0847) was found in Linux Kernel since 5.8 allowing overwriting of data in arbitrary read-only files. It was causing privilege escalation as unprivileged processes could inject code into root processes. Something that usually shouldn’t happen, it allowed hosts using containerization software such as Docker to modify files from container images on the host from inside a container. However, to exploit this issue, it was necessary to meet two conditions - the first being the Kernel version of the host must be vulnerable that is +5.8, and hackers need access to interact with a container on the host.

Latest Updates in Web Application

Dompdf: HTML to PDF Rendering Vulnerability leading from XSS to RCE

“After reviewing the vulnerability details the next release (1.2.1) will include a patch,” said Sweeney, the project maintainer of dompdf. However, as per Positive Security’s findings, the vulnerability has not been patched yet possessing a threat to a Remote Code Execution (RCE). The vulnerability gives room to potential hackers to upload font files with a .php extension to the web server reflecting a Cross-Site Scripting (XSS) issue. Furthermore, it can be abused to navigate towards an uploaded .php script offering a way for hackers to achieve RCE of vulnerable systems. Although unpatched, the vulnerability can be resolved by ensuring the software is not in a web-accessible directory.

Resolved: Parse Server Through Prototype Pollution via Command Injection

The root cause of the Parse Server vulnerability is Prototype Pollution which occurs when threat actors abuse the rules of the JavaScript programming language; opening doors to exploits such as Remote Code Execution (RCE), SQL injections, many forms of Cross-Site Scripting (XSS) and more. However, in this‌ case, the exploitation requires a gadget to get arbitrary code execution and a type of race condition to execute the gadget in the required order. They ranked the vulnerability 10 on GitHub which is the highest. This is the default configuration with MongoDB and has been confirmed in Ubuntu and Windows versions of software.

Other Updates

Attack Flow: Center For Threat Informed Defense

The project seeks to demonstrate how Attack Flow can explain defensive posture to executives, aid defenders to understand lessons learned from an incident, and support red-teamers to easily compose realistic adversary emulation scenarios. At a high level, Attack Flow is a machine-readable representation of a sequence - composed of 5 main objects which are the flow itself, a list of actions, a list of assets, a list of knowledge properties, and a list of casual relationships between the actions and assets. The project helps defenders move from tracking adversary behaviors individually to the sequence of techniques adversaries use to achieve their goals.

A Community-Driven Insider Threat Knowledge Base

Modern enterprise networks are frequently designed to defend against external threats while implicitly trusting their internal user base. Thus. the detection and mitigation of the “Insider threat” have become one of the standing challenges within the realm of cybersecurity. Our initial publication is based on an analysis of insider threat case data contributed by our participants and identified 54 techniques that have been used by insiders. The draft Knowledge is an evidence-based examination of detected, documented insider threat actions on IT systems across organizations and industries. From this data set, which is small in relation to the case data present across the security community, they deduced patterns of Insider actions.


About the Expert


Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ yrs of corporate experience with expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat -USA, ASIA, EU, Nullcon, c0c0n, and many more). Anant also leads Open Source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge such as null ( His work can be found at