Exploit Archeology - Exploiting an old unknown Server Side Browser

I was recently hacking on a Bug Bounty target and identified an interesting API endpoint which would render user supplied HTML, and execute any included JavaScript. Exploiting Server Side Browser bugs has been a focus of mine for the past couple of years, so I set out to exploit this newly identified feature. This blog post details my journey into researching and exploiting what turned out to be a decade old Server Side Browser.

Continue reading...

Practical Security Recommendations for Start-ups with Limited Budgets

Hi, my name is Alex, I’ve been an IT security professional since 2007 and I’ve recently entered the start-up world with my project bughuntr.io. In putting together this project, security has been a primary concern for me. This is both due to my background and the nature of the project, being a training platform for security professionals and enthusiasts alike. In my security career, I’ve been hired to assess countless web applications, cloud environments and computer networks for security vulnerabilities. In these assessments, it is always clear when security is ‘bolted on’ as a compliance requirement before releasing a product, or added at a later date in response to an incident. Start-ups have a rare opportunity to ‘bake’ security in at the start of a project, but this is often seen as an expensive endeavor. In this post, I aim to ease that fear and provide practical (and cheap) advice for start-ups who want to release a more secure product right from the start.

Continue reading...

BitBucket Pipelines Kata Containers Virtual Machine Escape

Atlassian ran a project on Bugcrowd looking for bugs in their proposed implementation of Kata Containers within the BitBucket Pipelines CI/CD environment. Whilst participating in this project, I identified a vulnerability in Kata Containers which could allow processes running in the Kata VM to write to supposedly read-only volume mounts. This vulnerability was fixed by the Kata Containers team and assigned CVE-2020-28914. Within the project Pipelines environment exploiting this vulnerability allowed a malicious build job to write semi-controlled data to arbitrary files on the host system as the root user.

The following is an account of the discovery of this bug and an assessment of the impact of exploiting the bug in the project BitBucket Pipelines environment.

Note: This post originally appeared on Bugcrowd’s blog it is re-posted here as the Bugcrowd post has suffered some format mangling and has been truncated, this appears to have occured during a blogging platform migration.

Continue reading...

Daily Swig - Container security: Privilege escalation bug patched in Docker Engine

A vulnerability in a Docker Engine security feature potentially allowed attackers to escalate privileges from a remapped user to root.

“The two avenues of exploitation I found would allow writing of arbitrary files as the real root user” or seizing ownership of files previously accessible only by the root user, security researcher Alex Chapman, who unearthed the flaw, tells The Daily Swig.

Continue reading on portswigger.net...

Moby - Access to remapped root allows privilege escalation to real root

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the –userns-remap option in which access to remapped root allows privilege escalation to real root. When using “–userns-remap”, if the root user in the remapped namespace has access to the host filesystem they can modify files under “/var/lib/docker/" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Continue reading on github.com...