
things. Now our next speaker is actually going to take us down a different direction: he's going to take us into the world of open source software and the security vulnerabilities and problems that can be found in open source software. So as they get ready I'm going to tell you a little bit about our next speaker. His name is Rotem, and Rotem is a very cool cat. Yeah, join me right here Rotem, let's give him a hand. We've got
is a very cool cat with more than a decade of experience in cyber security and all kinds of things, from penetration testing to vulnerability analysis, and today is going to take us through this rabbit hole of open source software. And one of the fun things that Rotem has done is actually take a year to travel around the world while doing bug bounty programs, which I absolutely love. The stage is yours Rotem, let's give it up for him. Hey, so it's great to be here, and I'll be talking live. Last time I was talking in a conference it was virtual, in my room, and it's so fun to see all the feedback and everybody over here,
so thank you for coming. I'll be talking about hacking the open source software. So I started, like a year ago or two years ago, playing with different stuff and found myself every time going into open source, and I will explain different... clicking, okay, the clicker is... yeah. So I will start explaining a bit about who am I, why do I do what I do, how I hack stuff, this is super secret knowledge that I will share with everybody, well not so secret. I will tell you two stories, one about a traversal attack that we did together with Danny Robinson, he's from AppsFlyer, and another one that I did in playing with SSRFs
just by mistake. So I'll talk a bit about myself. So I'm a cyber paladin, this is who I am. In the last couple of years I work in a super cool startup, it's a new startup, half a year old. I created a Bug Bounty IL meetup, so everybody that wants to join, we had the first event like two, three weeks ago and it was amazing, lots of good feedback, and I'm sure there will be much more events soon. And I'm a father for a seven year old girl. I passed the cover deal with him, so it was tough but interesting, and banded as the garden, and this is me. I'll get to the point
and the point is how I hack stuff. So this is a bit about my super secret sauce and what I do, but actually when I see a system, any system at all, I start playing with it, and I'm saying playing, it's not like testing it or checking it out, it's a game. It's a game, I want to start playing, start to see all the stuff over in the system, and when I play with it then I start understanding more and more stuff over there. But then sometimes something doesn't feel right, and this is a main point in all pen testing and hacking and what we do, is we have these feelings, and I want to
in the next slide I will talk about what is this feeling and how I get them. But before the feeling, after we felt something is wrong, then I need to understand exactly, to the bit level, what's happening, why is it happening and why the developer did this mistake, in order to get me more to be able to hack the system. Clickable, yeah. So a bit about what is this feeling, and this feeling is first of all prediction. I have lots of experience playing with lots of different systems and I expect them to work in a specific way, so when I access the home directory of your website it needs to give me a 200,
okay, when I access something that doesn't exist it needs to give me a 404. I have these feelings, and then if something doesn't happen like I predict it, like I get into a URL and it gives me a 500 error or something else, this triggers my feeling, my spider sense, that I want to go and dig deep into it. The other area is, I've seen that every time I play with a system, and then sometimes I see a PHP or other areas, I'm not against PHP but PHP is a very good sign that there may be something wrong over here, but other technologies I've looked in the way and I see okay, this is something
I know it happens, this will probably lead to these areas. And then there's the what, the moment that this doesn't need to happen: I'm accessing a URL and sometimes in new environments there are different types of responses, I access one time it's one response, the other time it's another response. These are the most interesting areas because you see there's inconsistency of the system, and let's play with that. So I'll start with my stories and what I'm doing, and this is access to a normal system, and I always try to get to something that doesn't exist, and I got from over here a response that there was
a server named Cowboy and gave me "it doesn't happen", and this is okay, this is the proper way of what should happen. But then a bit playing with fuzzing and playing with it and trying to traverse, to do path traversal, we got this answer, and this answer is interesting. I've actually seen it in different areas, but I see also the server over here, it's not a Cowboy anymore, it's AWS ELB. So why is ELB sending me responses to something else? Because I asked the server, I didn't ask the ELB. And so I figured out there's an ALB or ELB in the middle and it is giving me a bad request, but in this specific case it's something
that I knew, and I saw that I did have a traversal injection, I knew it because I saw it in the source code, but nothing, it didn't happen, I wasn't able to exploit it because ELB did something, and this something is very interesting to understand, what is this something. So I added different slashes, started playing, and then adding multiple slashes in front of the URL gave me an OK from the original server, and I'm looking like, why did I add multiple slashes in the beginning and it worked, and when I didn't add them it didn't work? Like there's something very weird happening over here and I need to understand it.
So I know this message over here, and I saw this message over here with a bad request with the bgcolor equals white, and I started looking for it and looking for more instances that give me, who is giving me this answer. And I know this is ELB but I'm starting the investigation, I'm starting to understand why is this happening, how can I hack this, or how can I go to my goal. So the first thing is, let me GitHub this for you, because most people go to Google, I go to GitHub. GitHub has lots of information, lots of stuff, there's code, I can see source code that is happening over there,
and I saw lots of different references to nginx. So we have nginx, and nginx gives me the same response, but this is ALB, so is this nginx? Maybe ALB is using some kind of customized nginx in the background. So you try to go further, and I saw that in the git commits, because you have all the commit history and you can look in the comments, then you see there was a bgcolor and they removed it, but you can see in the code that it is nginx, and like this specific page is probably nginx. So I was looking into the nginx documentation and I saw a very nice configuration file, a configuration option that has
merge_slashes, and merge_slashes actually takes all the slashes and merges them together, so if you put in slashes, like wherever there are multiple slashes, it merges them together, and this can be why multiple slashes made the mistake of passing it through. So I want to understand it deeply, I want to understand exactly what's happening, I have the code, I have everything. But first of all I want to show a bit about how I'm working. So this was until now black box testing, I didn't have access to the code, I didn't have access to nothing, but I like, I'm good at black box testing, I like to
have access to everything I need, so I need access to the source code, I need access to run the programs, I need access to even talk with developers, and this is why I love open source. It's so easy to go and find the Slack of the open source community or some other forum and just talk with the guys, asking why did you do this, why did you do that. Yeah, I can see the code, I can compile it, it's not black box, it's not like a frustrating black box that I don't have anything, that I need to have hours of debugging and fuzzing and understanding what they do. So this is,
in the past I did lots of black box testing, and now today I'm doing more white box and understanding exactly, because it's easier, it's beneficial for my clients and beneficial for me, it's just, I like it. So I went to the source code and I found the HTTP parsing area of how it's parsing the URL. So nginx is parsing the URL in a specific way, and I downloaded this line of code and I actually created a small program that simulates what I want to do, and I sent /../hello world to it, and I see exactly, I put in debugging comments so I can see what it's doing, and I saw that it's
okay, it's not okay, it's actually returning 11, and 11 is a problem with the state machine, that it's crashing in some place. And then if I add the multiple slashes then I can see it's looking for a slash, it's merging them and then it's going okay. So the number of slashes needs to be more than the amount of directory traversals over here, and this is what I found from digging into the source code and seeing everything over here. So this is happening in nginx, and I want to continue, and this is a bit what happened, and when does the merge_slashes happen in nginx: nginx can by mistake protect
you from traversal attacks, and you just need to add slashes in the front. So I talked to Amazon about this and I talked to friends at nginx about it, both told me this is intended behavior, this is what's supposed to happen, and we tried to discuss different areas. This ALB is not a protection mechanism, but you should know as a pen tester that it sometimes does protect you by mistake, but there's a very easy bypass to bypass this behavior, because everybody uses ALB, or not everybody but lots of companies, they use ALB, they can't change it, they're not able to change this behavior. And also talking with nginx we looked up the RFC of the HTTP
request itself and how you should parse HTTP, and they said yeah, it's not in the RFC, it doesn't say what you should exactly do, this is not a mistake, this is maybe a feature request but we don't want to do nothing with it, it will break lots of stuff. So we decided not to do nothing but just know about it, but then if it blocks you, you can add a slash to it. And these are my conclusions from this small research. I have here a blog, you can go into it, into the traversal, it's something I did with Danny, we looked at different payloads and you can just read
about all the investigation we've done. So we wrote a blog about this, the blog was blowing up on Twitter, we had even people from, I don't know which, like Persia or other, Yahid Namini talked about it, and the people in the bug bounty used this vulnerability to earn money from this vulnerability, open security gave it, even STÖK talked about it a bit, STÖK is a very well known bug bounty leader. So these are different references from this blog and what we did. So a bit about this, this was a very fun experiment, but I wanted to talk also about a different
open source attack that we did, and this attack was actually started by the most boring pen test in the world. I took a job, I had a pen test and I went with all my passion to go and start hacking into the system, and then they told me the system is just like a lot of different open source programs that are connected together. So we have this open source load balancer, let's say ELB or ALB, I would say open source search, in this case it was Elastic, there's a database, there's open source CMS, there's an open source, a lot of different open source services, and all created in a mesh, so
they give a solution to a specific client, and then the mission was, you have X hours to find something interesting, and I'm saying okay, what can I find interesting?
So my options were, first, like the most basic, is find configuration problems. This is easy, it's just like going through all the places, looking at the configuration, saying yeah, this doesn't have SSL, this doesn't have this recommendation, we have different types of problems, and just telling them. But it's not a fun pentest, it's not like something that it's fun for me to do. I can go infrastructure, go nmap and start finding different vulnerabilities, and also I did a bit of this with Kubernetes because it's fun, but then I had much more hours to play with and I wanted to find some blood, and I wanted to look more, so finding a vulnerability inside one of
these open-source programs. So I played with the system, as I said before, I'm playing with the different systems, and I found a hint. What's this hint? I saw over here in Elastic there's an alerting module, and actually this is Elastic but it's not Elastic, because this is an Open Distro plugin for Elastic, and I will get to why it's important that it's not Elastic. But then I see this webhook, and this gives me my spider sense: if there's a webhook, probably there will be an SSRF vulnerability over here. So I just put in the default service cluster registry of Kubernetes, this will exploit if you have also AWS
metadata APIs, this is also a way, localhost, 127.0.0.1, there are different ways to start understanding if there's a local SSRF over here, or just go to your server outside. So I put it up, sent a request, and great success, I was able to send a payload. The most interesting area here is it's not only a payload, I can control the whole body of the payload, I can create a POST payload, and I can even see the response back inside my browser when I'm sending it, because I'm testing it and it sends me back the response, so I can really start communicating with internal services, I can ask the Kubernetes API over here,
and in this specific case also the Kubernetes API wasn't configured properly and I was able to take over the whole pod environment, the node, this is a specific Kubernetes node, by creating a privileged pod and then escalating my privileges to have access to the whole node. But this is not the story. The question over here that I ask myself is, who is responsible? So I know the client has all these open source environments and he just put it over there, and it's not like he can do something about it, he can add maybe protections, add firewall rules, make sure to isolate the environment, and this is also stuff that I told him,
but then maybe someone else is also responsible over here. So we had Elastic, it's actually the Elastic framework itself, but it's not theirs, the problem was inside the Open Distro plugin, and there's Open Distro that developed the plugin, and maybe it's them. They actually already did a fork, and there's lots of talks about why and how of the GPL, of the AGPL and GPL and all these problems of the licensing, but then the question is who is responsible. So I started talking with Open Distro, and I want actually to search on why this happens or where to ask them, and I went to the GitHub Open
Distro for Elasticsearch to understand who should I submit to, and over there it says if you find a vulnerability tell AWS, because this is AWS responsibility. So it's interesting, this is an open source project but AWS is in charge of it. So I said okay, let's send a message to AWS. I send a message to AWS and AWS tells me no, this is not our responsibility, try checking the Open Distro. So I'm in a loop here now, okay, I will go to the Open Distro again. So instead of going into the loop and trying to understand, I just told them, it says that I should contact you, check with other people or
do whatever you need to understand if this is your responsibility. And then they started talking with me and I got a hold of the security team, and we had a Zoom, we had multiple conversations about exactly how to solve it and what is the problem. They added updates that you can create blocks for the servers that are allowed or disallowed to access, so it kind of helps with the mitigation. But then I also told them, I want to tell the client, so we created a process of getting this a CVE, and do a CVE, and Open Distro for Elasticsearch, we got
in CVSS 3, 7.1, and CVSS 2 actually it's less, so this is why I put only the 7.1, I like the high. But then, if you want you can see in my blog over here about exactly what happened and how we handled it, and this is more about the CVE and how it happened. I think this is all about this area, I had much more to say but we had a time limit of 25 minutes and I think we're already over there. So thank you very much, and if you want you can come talk to me and we can talk about
later stuff. Any questions, anybody? Nope, all right.
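The first story turns on two components normalizing the same path differently: the load balancer in front collapses repeated slashes and rejects a leading `/../`, while the origin behind it still had the traversal bug. The defender's lesson is that the origin must canonicalize and contain the path itself rather than rely on whatever an edge component happens to reject. The following is an added example written for this transcript, not code from the talk, from nginx or from AWS; the web root `/srv/www` and the sample request paths are constructed for the demo. It collapses duplicate slashes (the same effect as nginx's `merge_slashes`), resolves `.` and `..` segments, and refuses any path that would climb above the root, no matter how many leading slashes it carries.

```python
# Added example (not from the talk): canonicalize a request path at the origin
# so the outcome does not depend on whether an upstream load balancer merged
# duplicate slashes or rejected a leading "/../" for us.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed web root for this demo


def canonical_path(raw_path):
    """Return the normalized absolute URL path, or None if it escapes the root.

    Rules: percent-decode once, drop empty segments (this collapses "//" into
    "/", the same effect as nginx merge_slashes), drop ".", and pop one kept
    segment per "..". A ".." with nothing left to pop means the request tried
    to climb above "/", which is rejected regardless of how many leading
    slashes were sent.
    """
    path = unquote(raw_path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def resolve_under_root(raw_path, root=WEB_ROOT):
    """Map a request path to a filesystem path, or None if it leaves root.

    The containment check runs on the canonical path, so there is no reliance
    on an edge component having rejected the traversal earlier.
    """
    clean = canonical_path(raw_path)
    if clean is None:
        return None
    candidate = posixpath.normpath(posixpath.join(root, clean.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample requests. The first two are the shapes discussed in the
# talk: a plain traversal and the same traversal with extra leading slashes.
SAMPLE_REQUESTS = [
    "/../hello",
    "///../hello",
    "/static//../index.html",
    "/a/./b//c",
    "/%2e%2e/secret",
    "/static/../../etc/passwd",
]


def classify(requests=SAMPLE_REQUESTS):
    """Return {request: canonical path or None} for a batch of requests."""
    return {r: canonical_path(r) for r in requests}


if __name__ == "__main__":
    for req, result in classify().items():
        verdict = "REJECT" if result is None else result
        print(f"{req:28s} -> {verdict}")
```

Because the leading slashes are discarded as empty segments before `..` is evaluated, `/../hello` and `///../hello` are both rejected, and `/static//../index.html` resolves to `/srv/www/index.html` as intended. The decode step runs once on purpose: a double-encoded `%252e` stays a literal `%2e` segment and is served or rejected as an ordinary name rather than being re-interpreted.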
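The second story is a webhook feature that let an alert be delivered to any destination, including the cluster-internal Kubernetes API and the cloud metadata address, and the fix the speaker describes is an allow/deny control on which servers a webhook may reach. The following is an added example for this transcript, not the Open Distro plugin's own code, showing one way a defender validates a webhook destination before the request is sent: reject non-HTTP schemes, optionally require the host to be on an allowlist, resolve the host, and refuse anything that lands on loopback, private, link-local (which covers the metadata address) or IPv4-mapped IPv6 addresses. The hostnames, the `FAKE_DNS` table and the sample URLs are constructed so the example runs offline.

```python
# Added example (not from the talk or from Open Distro): validate a webhook
# destination before an alerting component connects to it.
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges an outbound webhook must never reach. 169.254.0.0/16 is
# link-local and includes the cloud instance metadata address 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip):
    """True if the address falls in a blocked range (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_webhook_destination(url, resolver=socket.getaddrinfo, allowlist=None):
    """Return (ok, reason) for a webhook URL.

    `resolver` has the signature of socket.getaddrinfo(host, port); it is a
    parameter so the check can be tested without network access. `allowlist`,
    when given, is a set of permitted hostnames and is applied in addition to
    the address-range check, so an allowlisted name that resolves to an
    internal address is still refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if allowlist is not None and host not in allowlist:
        return False, f"host {host!r} not on allowlist"
    try:
        ips = [str(ipaddress.ip_address(host))]       # literal IP, no lookup
    except ValueError:
        try:
            ips = sorted({info[4][0] for info in resolver(host, None)})
        except socket.gaierror:
            return False, f"cannot resolve {host!r}"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host!r} resolves to blocked address {ip}"
    return True, "ok"


# Constructed DNS table standing in for getaddrinfo during the demo.
FAKE_DNS = {
    "kubernetes.default.svc.cluster.local": ["10.96.0.1"],
    "hooks.example.com": ["203.0.113.10"],
}


def fake_resolver(host, port, *args, **kwargs):
    """getaddrinfo-shaped lookup against FAKE_DNS (constructed test data)."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"{host}: not in fake table")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0))
            for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in ("https://hooks.example.com/notify",
                "http://kubernetes.default.svc.cluster.local/api",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]:9200/",
                "file:///etc/passwd"):
        print(url, "->", check_webhook_destination(url, resolver=fake_resolver))
```

One caveat worth keeping in mind: the address is checked at validation time, so a name whose DNS answer changes between this check and the actual connection (DNS rebinding) can still slip through. A production client should pin the validated address when it opens the socket, and should apply the same check to every redirect target rather than only to the first URL.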