September 2021 Edition

Welcome to Nullcon’s Newsletter! With so much going on in the infosec industry, it’s often difficult to keep up with everything. Subscribe to our #MonthlyNewsletter to stay updated with current happenings.

by Anant Shrivastava

Latest Updates in Cloud Sector


Azure Bugs: OMIgod and Azurescape

Last month or two have seen a massive number of bug disclosures around the Azure ecosystem. Paloalto team identified that Azure container environment was running a vulnerable runC environment released in 2016 and since this is a Container as a Service set up the onus of keeping the runC component up to date was with Azure where they failed. Wiz team discovered multiple bugs including the most severe one dubbed as OMIgod a vulnerability in the OMS platform that Azure uses for back end operations. Wiz team was also responsible for finding ChaosDB vulnerability which affected Azure Cosmos DB and allowed unauthenticated access to Cosmos DB across the Azure environment.




An AWS IAM Privilege Escalation Playground

Always being a client’s responsibility and never a vendor’s - Identity and Access Management (IAM) helps assess the security of the AWS environment, one of the major portions of the cloud. The recreational step-by-step details allow users to gain a better understanding of IAM issues. For instance, lack of Multi-Factor Authentication (MFA) and other misconfigurations leading to administrative access to AWS account.




Latest Updates in Infrastructure


NSO Group iMessage Zero Click Exploit Captured

“Processing a maliciously crafted PDF may lead to arbitrary code execution.” A zero-day zero-click wild exploitation bug was found by Citizen Lab via a Saudi activist device. It was infected with NSO Group’s Pegasus spyware, the exploit called FORCEDENTRY aims at Apple’s image rendering library and is effective against Apple iOS, macOS, and WatchOS devices. Fortunately, Apple has released a fix for the same on 13th September 2021. Ensure your Apple devices are updated.




Latest Updates in Web Application


Remote Code Execution on Confluence Server

A post-authentication vulnerability that turns out to be a pre-authentication one! Confluence is a team workspace environment by Atlassians for collaborative purposes. An Object-Graph Navigation Language (OGNL) vulnerability was spotted parsing expression and is still under active exploitation. The vulnerability was disclosed by Benny Jacob (SnowyOwl) via Atlassian public bug bounty program. PoC’s started surfacing by various entities including iamnoooob and rootxharsh. PeterJson worked a PoC which could perform the attack in a pre-authenticated environment increasing the severity by many folds and submitted it to VMWare to claim a bounty on a VMware infrastructure. However, within 17 hours of their first report to VMWare, Dhiyaneshwaran released a PoC of the same publicly identical to the specifically crafted exploit payload leading to a massive leak of pre-authentication Remote Control Execution (RCE) exploit payload for Atlassian Confluence.




Pwnspoof: Simulate Web Attack Scenarios

Ever wondered how to create CTF scenarios and Training Series? PwnSpoof from Punk Security got you covered. PwnSpoof is a custom log file spoofer to simulate web attack scenarios. It is constructed to produce authentic web attack logs applicable in the real world. Software is in its early days but is a promising toolset.




AppSec Village 2021 Playlist at Defcon 29

August every year brings with itself Defcon and a plethora of village sessions along with it. This year was no exception. We saw AppSec Village 2021 laser-focused on application security vulnerabilities and the good part is that the videos are out already so everyone can learn from the awesome presentations. Check out the Appsec Village 2021 Playlist of talk that happened at Defcon 29.




OWASP Top 10 Web Application Security Risks

With the release of the much-needed Open Web Application Security Project (OWASP) Top 10, OWASP is shifting its focus to major systemic issues in the applications. Where the primary aim is fixing the root cause rather than instances. What's new? The Top 10’s are not solely specific vulnerabilities like in most cases, rather they are vulnerability classes comprising numerous Common Weakness Enumeration’s (CWE) per entry. By accepting a matured approach they are displaying that the Application Security Verification Standard (ASVS) should be the standard rather than OWASP Top 10.




Share



About the Expert

Author

Anant Shrivastava

Anant Shrivastava is an information security professional with 12+ yrs of corporate experience with expertise in Network, Mobile, Application, and Linux Security. During his career, he has been a speaker and a trainer at various international conferences (Black Hat -USA, ASIA, EU, Nullcon, c0c0n, and many more). Anant also leads Open Source projects such as Android Tamer and CodeVigilant. In his free time, he likes to participate in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info