
Is my mic on?
And my slides aren't on there yet either. Everyone can hear me now? Perfect. Thank you very much. And thank you, Chris. Thanks to the organizers of BSides as well. So, first question: how many of you, is this your first time at BSides? So I guess everyone else has had a chance over the last couple of years to see at least one of my presentations. This year is going to be a little bit different. I'm going to talk about a real story, a real story about one of the sessions I delivered at an international conference in Amsterdam, where I totally failed. Okay.

As usual, I have pigs to throw to the room for every good question, and I also have T-shirts from Splunk, a company that we acquired a couple of months ago. So if you guys are willing to participate in my session, feel free to comment, ask questions, raise your hands, or whatever. Okay, so here you go. Oops. There you go. A little bit about myself, for those of you who don't know me. My name is Alexander. As you can tell from my French accent, I'm from Quebec and I usually speak French. I've been a proud speaker at BSides for the last couple of years, I would say almost a decade now. I've been talking about multiple different subjects that are pretty cool in my mind, maybe not in yours, but whatever. I've been in touch with computers since a very young age. I was fortunate to get my hands on a very old IBM, I guess, at that time. I was also able to start digging into the internet with Gopher. How many of you remember Gopher? Yeah. And I started to code, I would say like an amateur, probably in 1995, building my own web page or whatever, like many of you at that time. I have over 25 years of IT security experience, working for multiple different organizations, but mostly with Bell Canada and Cisco for the last 10 years, as a cyber security expert. I have three kids and a wonderful wife, and if you're looking for me during winter, I'm usually on a ski hill. If you're looking for me during summer, then I'm on my road bike or on my mountain bike.

So, a couple of warnings here. I usually do these warnings. The first one: be aware that this presentation typically contains information that may actually cause you to think. Right? That's one of my goals all the time. All of this presentation is about me and the story that I've been through. It's not the opinion of my employer, which is Cisco; it's my own. And please ask questions. You guys are familiar with that: ask questions, otherwise it's going to be boring just listening to me. Please comment. BSides is typically an event that is there to share experience and all that. So if you think you're an expert in the area that I'm going to present, raise your hand and tell everyone that I'm wrong. If you have any other comment or question, raise your hand, and if you want to share your experience with others, that's the best thing to do.

So let's dive into the subject. Have any of you tried to build an API in a couple of minutes? Let's say the time it takes to microwave popcorn. No? Okay. Fair enough. That's what I had to write. And on top of that, for those of you who know me, I'm not a coder per se. I'm not an expert either, right? I'm a cyber security expert dealing with multiple different products. That's what I do for a living. But I tried to show, at an international conference called Cisco Live, in Amsterdam, for the first time, how to build an API in 15 minutes. Okay. So, unfortunately, it didn't go well. I'm going to tell you the story, of course, but before going into the story itself I want to make sure that everyone gets the benefit of my story, which is going to be pretty short, don't worry about that, and hopefully we will be able to learn from that mistake as well. Makes sense? So, just to make sure that we set the stage here, I'm going to spend a couple of minutes on APIs. Okay, how many of you are familiar with APIs, or think they are? Okay, that's nice.

So, for those of you who are not really familiar with APIs, I'm going to try to focus on REST APIs, which is the type of API that is mostly used these days. A REST API is based on the HTTP protocol, almost, right? It looks very similar. It leverages the verbs, or actions, that we're familiar with from HTTP, whether for the request or for the error codes on the return. There are multiple different verbs that are used. The first one is POST, which gives you the ability to create something. GET is typically the one that is most used as well: when you use your browser, or any app on your phone, or whatever else, you're mostly going to do a GET to get information from a service. But there are others as well, like PUT, DELETE and PATCH. The DELETE one, of course, is if you want to delete a record or something else on a distant resource.

If we dig into the way API requests work, and that's pretty important to understand for the rest of the presentation, the first part everyone is familiar with is the destination, the server that we're targeting, or the service that we're targeting. Then there's something called the resource. Sorry, my French is coming back here. Typically it's where the resource is located within that service. And then there's the query parameter at the end. For those of you who are not familiar with query parameters, it's everything after the question mark, typically. You can see this in the address bar of your browser as well. It's something that could be dynamic; it could be changed, but it is on the request that you're initiating to the destination service. Makes sense? Any questions so far? I have T-shirts. "Can I have a T-shirt?" That's a good one. Of course you can get one. "Curtis, Python, what's your favorite color?" Wrong. No, you can get the Snort pig.

REST API responses. There are multiple different responses that are built into the HTTP protocol itself. The one that is most known is 404, right? How many of you have received or seen a 404 error in your browser? A lot of you. But when you're dealing with an API, you want to get a successful response, which is 200, or 202, which is not listed over there, that typically says, yeah, the request was good, or the request has been successful and I have been able to create something in the back end, let's say with 202. There are many more as well. As a coder, or let's say someone who is building a script, the one that you want to look for as well is the 500, which means that there's something wrong within your code that's being executed in the back end itself. Okay. REST APIs typically use JSON, and typically people expect to receive a JSON response as well. There are other types of response, of course, but the one that is mostly used is JSON. So in this case over here, I'm just making up an API and asking for all titles from an author called Alexan, let's say, and the response of course is 200 with the JSON payload in it. That's just an example here, right?

So let's try to design and create an API, then. First of all, when you create an API, it's quite important to clearly define the purpose and the goal of the API. That's the first thing. And then you want to determine the functionality of the API itself. Of course, you want to identify the use cases and the scenarios where those APIs will be used, and you need to identify the needs and the requirements of the developers as well, so they can be aware of how to leverage that API. Define the scope of the API; that's quite important as well, so it identifies to the developer all the different boundaries and limits of the API itself. Naming conventions are quite important as well. So, for example, if you're hosting a database of users, let's say, and you want to get access to data from those users, you'd better use "users" with an s instead of "user" without an s, because it's definitely going to host multiple different users, and maybe you want to use something like a user ID instead of their name, because there could be multiple people with the same name. And then under that path you should have something like their name, last name, dates, or whatever other stuff may be important in that path or that database. No questions? You guys are, I will not say boring, but I would say quiet.

Documentation is quite important as well, documentation and examples. It's very relevant for those who will leverage your API or use your API. There are multiple different ways to do documentation; there are commercial products and open-source products as well. The one that is mostly used is Swagger. It's an open-source tool that literally gives developers the ability to almost test the API through a simple HTML interface or portal.

All right. So let's dive into what I like: creating your own API. I chose to leverage something called Flask. It's a module within Python to create my API, remember, in 15 minutes. So how many of you are familiar with Flask? Wow. Nice. It's a quite easy module, very light, that typically gives you the ability to create your web server, but is also a very nice service when you want to host an API. It's just a matter of installing the module within your Python environment, and then you identify the path of your API with very simple things like an app.route decorator. In that case, remember, this was an example while I was presenting at Cisco Live. So I said the first one will be to be able to test it through a regular browser. So the output of the request to the primary path of the service was "hello Cisco live". And then the API itself was under /api/session. Remember, this was just a very simple API. So the response was just a very simple JSON with the message and a 200. So here's the 10-line API script, right? Quite easy to build, very easy to read as well. Is this thing useful? No, not at all. Okay, but it's just an example here.

So let's try to push, deploy and run this API now. I'm getting to the story, guys, don't worry. There are multiple different ways to push an API. In this example I chose to use serverless, from different cloud providers, to be able to push that API easily, and I chose AWS. Chris, you're going to be happy with that. Thank you. So, in short, I chose to use an AWS Lambda function for that. It was quite easy for me to leverage a module within Python called Zappa, which is a very light module as well that allows you to deploy your code within a serverless environment. And then it's just a matter of a couple of commands and your script is literally deployed within the AWS Lambda service. So if you look at that, it took just a couple of minutes, literally, to deploy my API, and that was the beginning of the story down here. So, initiate the deployment, and then you get the URL of your API within the serverless service. You can test it as well. In this case I chose to test it beforehand on my own laptop. There are multiple different ways to do that. For those of you who are familiar with Python, it's just a matter of running it locally in one of your environments, or there are other tools that you can leverage. If you want to go a little bit deeper than this, you can change the IP, you can change the port as well, but that's not part of the story here. I'm getting there.

And then I want to test my API as well, right? So remember, the first part was just to test it in a browser, say okay, it works. And then if I look at the logs, everything seems to be okay as well. I can test it through Postman as well. How many of you are familiar with Postman? Yeah, nice. So, the HTTP method, or action or verb, that I was talking about, the URL itself, and then the response status code and the output, or the JSON response from the service.

And then, for fun, here's the thing. Things are getting crunchy here. So for fun, at the end of the presentation, I chose to create a script that was able to do something a little bit different. Instead of just pushing a response with static information in it, I chose to create an API which is... not here, a second here. So if you have found something, don't tell me right now. Okay, I'm getting there. I chose to create an API just to show people how to manipulate input with an API request. So I said, okay, what can I do that is very easy for all kinds of customers across all areas of IT to understand? A ping, right? Everyone knows what a ping is. So I said, okay, let's create an API so that if I give the API an IP, the service itself will try to ping that host and respond with something like "yeah, it worked" or "no, it didn't work", and the result or whatever. So within that script, which was a little bit different than the other one, the app.route is set to /api/ping, and then I'm looking for the input, which is the ip. And then I'm taking that variable and creating that ping command within the server that holds the API itself. And then I create the response, right? What was the response? Then I create the JSON response and send it back to the requester. So if you test that through Postman, it looks like that. As you can see, the URL has changed a little bit; now there's a question mark within the API, followed by the IP, and the response is, yeah, IP whatever, true, meaning that the IP was reachable. If you look at the logs of the script that was executing that function, it worked as well.

And then, for those of you who are not familiar with Cisco Live, it's a very, very big conference where thousands and thousands of people show up. There are people who have a specialty in networking, but also in all other areas, including coding. For a speaker like me who speaks at Cisco Live, usually what we're after is notes, right? We want to be great, because every speaker gets surveyed by the individual people that came to your session, and they grade you from one to five. So everyone is after the five, because you want to be identified as a distinguished speaker. Unfortunately, right after my session, not even a second after, I would say, someone posted a comment on my survey that said I had something wrong with my code, and that guy gave me a grade of one. I said, what? What the heck do I have within my code? It told me that I had a remote execution vulnerability within my code. So I said, "What?" So I spent literally the entire night looking at those 25 lines of code, trying to figure out what I did wrong. Were you able to find the... Okay, so let's talk a little bit about that.

So there are only 25 lines of code within my code, right? Remember, guys, I'm not an expert in coding. I do this for fun. I'm a script kiddie, if you want to say it that way. I copy, and I think I've said that many times over here, I copy and paste things that I find on Google most of the time. That's how I typically code. This is only 25 lines of code. Have you guys been able to find the problem here? Of course it requires a hacker mindset, right? It's always that issue. So I do have a couple of people who have raised their hands over there. One back here. Alex, you raised your hand. Yeah. "Input sanitization." So if you look at the first function over here, and I'm going to repeat that later on, I was literally just looking at something called ip, which is the option or parameter input within the API request, and I was taking that ip variable and injecting it directly into the ping command within the host that was running the API itself. So if we look at the API request itself, as you can see there's a question mark, which stands for the input, and it says ip=8.8.8.8, whatever, right? But if we look at that, and if we're familiar with something called command daisy chaining, mostly on Linux or Mac or Unix, there is a way to add extra commands. So I said, okay, here's my issue, because, remember, that guy didn't tell me what the vulnerability within my code was, and I had to present that session again the day after. So that's why I spent the entire night looking at it, trying to figure out the issue. So I said, okay, let's try this: if I go into a Linux CLI or shell and try, let's say, ping -c 2 8.8.8.8 and then a semicolon and whatever other command, like ifconfig or whatever else. Does it work? Yeah, it works. Okay. So here's the issue. So if you want to look at one way to exploit this, it's to craft your own API request with all these extra commands after the ping, or after the IP. So if you look over here, you're going to see that I was able to say, you know what, the default API parameter, which is 8.8.8.8, was the original parameter the script was looking for, but I was not really looking for anything else, and the script was executing everything else. So in this case I say, okay, can you grab something called malicious_code.sh from that remote server, and can you execute that code after that? And it worked, right? It worked.

So here's the example of the attacker side. If you look at the attacker side, it's just like a flat file. This is just an example here; it's not really relevant to really compromising a server, it's just an example. It's just plain text, and at the end of the script it leverages a command, wall, which sends a message to all the terminals that are open, let's say SSH and CLI and all that is open on the remote server, and I say, can you just send that text message to all those terminals. So if you look at the compromised side, the server that hosts that API, what you end up with is this: you have been hacked, right? So I just proved, through my API that was vulnerable, that I was able to compromise that server.

Here's another example that is a lot more useful. In this case, is there anyone familiar with netcat? A couple of folks, here you go. So for those of you familiar with netcat, it gives you the ability to run and execute multiple different things, and something that is really exploited is being able to run a reverse shell on something else. So in this case I leveraged that vulnerability again, from my API, to execute that netcat command and send all that to the attacker side and say, okay, you now have full access to the compromised server without having to log in, right? Of course, right? Just by executing or sending that API request to the compromised server.

So of course, as someone mentioned in the back, it's all about REST API validation; that was the issue. So when you're writing code, you'd better look at all the input that you're requesting, from either another machine or from a human as well. Unfortunately, I'm a junior coder, like many of you guys probably, if you're not coding for work or for a living and you're more of a sysadmin or a security analyst or whatever, and you're doing DevOps or SecDevOps part-time, then you may be a junior coder like myself as well. And unfortunately, even though I work in cyber security, I totally forgot about security best practices. That's why I said I failed. So the vulnerability could have been easily controlled by adding an extra layer of checking, and multiple levels of stuff as well. In this case the easiest part was to add something called the ipaddress function, that literally looks at the input parameter and validates that it's only an IP and nothing else. So here's how it works. I changed my script a little bit for my second session the day after, and said, okay, now when you get that ip from the API request, make sure to pass it to the other function, called ipaddress, to validate that this is an IP and nothing else. And if it's not an IP, then just respond with something like "not a valid IP" to the requester.

So there are many other ways that I've been able to find those types of vulnerabilities within code. There are commercial and open-source tools available, of course. If you're leveraging an open-source one, or a public tool, because there are even publicly available tools on the internet, please be careful not to share any confidential information, or our intellectual property as well. Any questions so far? No? Okay. Yeah. "How was the rating the next day?" That's 4.6, I think, or something like that. Yeah. "I'm curious." Yeah, question. "I'm curious if, if you had put your code through an AI, it would have picked it up." Look at the slide. Getting there. Look at the slide. This is a good question. Be careful. So in my case, since it was just personal code, very simple code as well, I chose to leverage my internal AI system at Cisco and just ask the AI itself, is there something wrong with my code, right? And here's the answer: right away the AI said you have a command injection vulnerability, and the last one is a lack of input validation. So I literally spent a couple of hours missing good food in Amsterdam and having fun with colleagues and customers, for a five-minute search on AI.

So there are a couple of lessons learned, right? I'm at the end of the session, guys. And I still have two pigs and a T-shirt. So there is a lesson learned, of course. Please use tools. We are all human, but please use tools to double-check your script, even if it's a very, very small script or code or whatever. If tools are not available, or if you're on the wrong team, let's say, because sometimes the DevOps team has access to those tools but you, as a security admin or a system admin, don't know that those tools exist, ask your colleagues. That's the whole purpose of my session as well. And a note to myself: do not show up at an international conference with a script full of vulnerabilities anymore, right? Any questions, guys? Yep. "What if you're working on code that's really highly confidential and you don't want to pump it into an AI tool?" Yeah. So, there's... Can you repeat the question? So the question was, and I did touch a little bit on that, what about if you have code that is highly sensitive in terms of information, maybe about customers or intellectual property as well. Typically what you want to do is deal with commercial products that guarantee the confidentiality of all this information. Okay. Any other questions? Yeah, go ahead. "I think instead of using input sanitization you could instead exclude the shell=True parameter." Yeah, sure. "I think, instead of using the shell=True parameter in the command and using input sanitization, like, there's always potential for that to be bypassed if it's not, you know, a fully solid solution, but with the subprocess Popen method you can pass a list instead of a concatenated string, and that has a lot less potential for command injection." Yeah, probably. I guess you're probably a better expert than me on this, right? Everything you're saying is probably true, for sure. In coding there are always multiple different ways to achieve what you're looking for. There are better ways to do things sometimes, or optimized functions that can be leveraged instead of others, for sure. Chris, you had a question. Yeah. Oh, here you go. "Did you get five out of five on the second session?" No, the question was already asked. I think overall I got 4.6 or something, and I didn't get the distinguished speaker mark, unfortunately. Yeah. Yeah. Maple syrup. So I brought maple syrup. Yeah, that's a good point. "So my question was, did you ever talk to the person?" So the question is, did I ever talk to the person who made that comment, or that finding? No, because those surveys are anonymous. So I was not able to talk to that person, and frankly, at that time I didn't know what I was going to tell him. Yep. "So your next presentation, say, blame it on the API. I'll know who you are." Yep. Oh, question over there. "Alexander, I'm curious, in the vein of API AI, did you ask AI to write you this code, to see if it would write it correctly or if it would have the vulnerability as well?" So, that's a good question. I didn't use AI to build that initial script, if that was the question. I didn't use it. "If you were to just ask it to build it for you... I was asking if you tested it, because I'm wondering if it would actually write something with the vulnerability, or if it would write..." No. Yeah, that's a good question. In my mind, the AI would probably not give you the error, right? Because I was poorly coding the example here, and the AI is typically not making this type of error, I'm pretty sure. "But if you were to, say, ask ChatGPT to write this for you instead of you looking it up, I'm wondering, because a lot of times people do that, they say give me this and they run it. Would it write it securely or not?" Yeah, that could be the subject of my next topic, next week, next year. Thank you. Guys, it was fun again to be in front of you. If you have any questions, feel free to reach me on LinkedIn. I would be happy to share any content with you again.
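Added example, not the speaker's code: the /api/ping endpoint the talk describes, in the vulnerable shape (the ip query parameter pasted into a shell string and run with shell=True) next to a hardened shape that combines the fix the speaker used (ipaddress validation) with the fix the audience member proposed (an argv list, no shell). The route names, the helper names, the `-c 2` count, the 400 status for a rejected parameter and the timeout are assumptions; the talk only says the endpoint was /api/ping with an ip parameter. The handlers return (body, status) and accept an injectable runner so the logic can be exercised without sending real pings.

```python
"""Vulnerable and hardened /api/ping, as an added example (not from the talk)."""
import ipaddress
import subprocess

try:
    from flask import Flask, jsonify, request
except ImportError:  # the handler functions below do not need Flask to be tested
    Flask = None


def vulnerable_ping_command(ip: str) -> str:
    """What the talk's 25-line script effectively did: build one shell string.
    Run with shell=True, an ip of "8.8.8.8; id" pings 8.8.8.8 and then runs id,
    which is the command daisy chaining the speaker found (assumed flag: -c 2)."""
    return f"ping -c 2 {ip}"


def handle_ping_vulnerable(ip_param: str, runner=subprocess.run):
    """Vulnerable handler: no validation, shell string, shell=True."""
    result = runner(vulnerable_ping_command(ip_param), shell=True,
                    capture_output=True, text=True)
    return {"ip": ip_param, "reachable": result.returncode == 0}, 200


def validate_ip(value: str):
    """Return the normalised IPv4/IPv6 address, or None if the input is not
    purely an address. ipaddress.ip_address raises ValueError on "8.8.8.8; id",
    which is the check the speaker added for the second session."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def ping_argv(ip: str) -> list:
    """argv list for ping. Executed without a shell, so ';', '|' or '$()' in ip
    would reach ping as one literal argument and never be interpreted."""
    return ["ping", "-c", "2", ip]


def handle_ping(ip_param: str, runner=subprocess.run):
    """Hardened handler: validate first (defence in depth), then run an argv
    list with no shell. Returns (json_body, http_status); 400 is an assumption."""
    ip = validate_ip(ip_param or "")
    if ip is None:
        return {"error": "not a valid IP"}, 400
    try:
        result = runner(ping_argv(ip), capture_output=True, text=True, timeout=10)
    except subprocess.TimeoutExpired:
        return {"ip": ip, "reachable": False, "error": "timeout"}, 200
    return {"ip": ip, "reachable": result.returncode == 0}, 200


if Flask is not None:
    app = Flask(__name__)

    @app.route("/api/ping_vulnerable")  # kept only to show the bad pattern
    def ping_vulnerable():
        body, status = handle_ping_vulnerable(request.args.get("ip", "8.8.8.8"))
        return jsonify(body), status

    @app.route("/api/ping")
    def ping():
        body, status = handle_ping(request.args.get("ip", ""))
        return jsonify(body), status


if __name__ == "__main__" and Flask is not None:
    app.run(host="127.0.0.1", port=5000)
```

With Flask installed, `curl 'http://127.0.0.1:5000/api/ping?ip=8.8.8.8; id'` gets a 400 from the hardened route, while the same request against /api/ping_vulnerable would run `id` on the host. The argv list on its own already closes the shell-injection class the talk demonstrates; the ipaddress check on top keeps hostnames and option-looking strings (anything starting with `-`) away from ping as well.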