October 2021 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.

by Anant Shrivastava

Latest Updates in Cloud Sector


Permissions.cloud for your Aid and Assistance

Identity and Access Management (IAM) permissions are clear as mud! They are the single most important yet most confusing thing in the Amazon Web Services (AWS) environment. However, the permissions.cloud project is here to the rescue. It was built to provide an alternate, community-driven source of truth for AWS identity. The permissions.cloud website draws on a variety of information accumulated in the IAM Dataset and exposes it in an easy-to-read, clean format.




Undetected Azure Active Directory Brute Force Attacks

Azure Active Directory (Azure AD) Seamless Single Sign-On (SSO) improves the user experience of services built on the Azure AD identity platform, for example Microsoft 365. When Seamless SSO is configured, users signed in to their domain-joined PC are automatically signed in to Azure AD. In late June 2021, Secureworks® Counter Threat Unit™ (CTU) researchers found a flaw in the protocol used by the Azure AD Seamless SSO feature. The flaw permits attackers to perform single-factor brute force attacks against Azure AD without generating sign-in events in the target organization’s tenant. CTU researchers verified that the Azure AD sign-ins log records successful and failed attempts to leverage the flaw. CTU analysis confirmed that Smart Lockout prevents most brute force attacks, yet password spray attacks may still evade Smart Lockout.




Travis CI Leaked Repository Secrets for About 7 Days for Anyone to Read

According to a report Travis CI received, a public repository forked from another one could file a pull request (standard functionality on GitHub, BitBucket or Assembla, for example) and in the process obtain unauthorized access to secrets of the original public repository, provided the build printed some of the files. In this case, the secrets were encrypted in the Travis CI database. Travis CI rolled out a series of security patches beginning on 3rd September that resolves this issue. The issue applies only to public repositories, not private ones.




Latest Updates in Infrastructure


Twitch Confirmed a Leak

Twitch, an American video live streaming service that primarily focuses on video game live streaming and broadcasts of esports competitions, confirmed a leak in its systems. The entirety of Twitch, including its code as well as earning stats and threat mapping, was published by 4chan forum users. Twitch acknowledged the breach and has reset everyone’s stream keys. Interestingly, the leak included details of Twitch’s information security practices, including the threat models in place.




Let’s Encrypt (ECME) Electronic Countermeasures Environment News

All good things come to an end! Every Certificate Authority is anchored by a root certificate installed on the device, with a life span of 20-25 years, and every root certificate eventually expires. New root certificates are created to replace the expiring ones and are distributed to clients through updates, years in advance. The catch, however, is that not all client devices are updated, and a few don’t even have updates available. Let’s Encrypt has finally retired its first root CA. This event was a few years in the making; Let’s Encrypt had already delayed it a few times because the world was still not ready for it. The article covers an interesting post mortem of this.




Apache 2.4.49 - 50 - 51

Apache HTTP Server is among the most widely used web servers; its latest version, 2.4.49, suffered from a path traversal issue which allowed an attacker, in a specific non-default configuration, to download arbitrary files. A fix was issued in 2.4.50, but it was incomplete and a new fix had to be issued in 2.4.51. It should be noted that this is a very recent version: only 2.4.49 and 2.4.50 are affected, and nothing before or after as of now.
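Beyond upgrading to 2.4.51, a practitioner will want to know whether traversal was attempted against a 2.4.49/2.4.50 host. The following is an added example, not code from the newsletter or the Apache project: it scans Apache access-log lines for path-traversal attempts, decoding percent-encoding repeatedly so single- and double-encoded ".." are caught. The log lines are constructed, the Common Log Format regex is a simplification, and the encoded paths are generic traversal samples rather than any specific request from the advisory.

```javascript
// Added example: flag path-traversal attempts in Apache access logs, including
// URL-encoded and double-encoded "..", which a plain ".." string match misses.

// Constructed sample lines in Common Log Format (not real traffic).
const SAMPLE_LOG = [
  '198.51.100.7 - - [06/Oct/2021:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 4521',
  '198.51.100.7 - - [06/Oct/2021:09:15:09 +0000] "GET /images/logo.png HTTP/1.1" 200 8812',
  '203.0.113.9 - - [06/Oct/2021:09:16:41 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1311',
  '203.0.113.9 - - [06/Oct/2021:09:16:43 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 196',
  '203.0.113.9 - - [06/Oct/2021:09:17:00 +0000] "GET /docs/../docs/a.txt HTTP/1.1" 200 77',
].join("\n");

// client, timestamp, method, request target, status (simplified CLF parser)
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Percent-decode repeatedly (bounded) so double encoding cannot hide "..".
function fullyDecode(path, maxRounds = 3) {
  let current = path;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; } // malformed escape: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when any path segment of the decoded request target is "..".
function hasTraversal(target) {
  const decoded = fullyDecode(target.split("?")[0]);
  return decoded.split(/[\\/]/).some((seg) => seg === "..");
}

// Returns one record per suspicious request; served=true means the server
// answered 200, which is the case worth investigating first.
function findTraversalAttempts(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, target, status] = m;
    if (hasTraversal(target)) {
      hits.push({ ip, time, method, target, status: Number(status), served: status === "200" });
    }
  }
  return hits;
}
```

Run it over a real access log with `findTraversalAttempts(fs.readFileSync(path, "utf8"))` and triage the `served` hits first.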




Latest Updates in Web Application


5 Remote Code Executions in Node Package Manager for $15,000

Intricacy breeds vulnerability; optimization demands compensation. It is striking how much code we use while merely assuming it to be secure. A popular dependency, node-tar, had 25 million weekly downloads, but unfortunately nobody checked the code, considering the vastness of the Internet infrastructure relying on it. The article by Robert Chen outlines various bugs found in the Node Package Manager (npm) ecosystem by researchers, discusses the root cause of these vulnerabilities, and briefly explains the exploitation process. We run incalculable lines of code every day, yet never consider who is responsible for reviewing them.




Improving the Artifact Integrity Across the Supply Chain

With supply chain vulnerabilities getting prime time coverage, SLSA is also getting much-needed attention. SLSA (Supply Chain Levels for Software Artifacts) is a framework that lets you map your maturity against its levels; as usual, a higher level means better maturity. The measures that make up the SLSA framework, developed in direct response to known supply chain attacks, enable software consumers and developers to efficiently and automatically inspect the integrity of software artifacts. Its levels are a way of knowing your present security posture, protecting yourself from possible threats, and planning for what’s to come.




“A Tale of Making Internet Pollution Free”

Prototype Pollution is a fascinating vulnerability, exploitable both server-side and client-side. From Remote Code Execution (RCE) to SQL injection, almost any vulnerability can follow from Prototype Pollution in a JavaScript application. The research focus was simple: scan all the vulnerability disclosure programs and find script gadgets to achieve Cross-Site Scripting (XSS). In the first case, checking whether an application parses the query string or hash fragment into nested parameters and whether that parsing pollutes the prototype, they found 80% of nested parameter parsers were vulnerable. In the second case, they found one application where user-controlled JSON is merged with another object, leading to Prototype Pollution, and scored a nice bounty for an XSS.







About the Expert

Author

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ yrs of corporate experience with expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat -USA, ASIA, EU, Nullcon, c0c0n, and many more). Anant also leads Open Source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info