about me
play

About me Whos me? Ezequiel ZequiV azquez Backend Developer - PowerPoint PPT Presentation

Oct 03, 2022 •614 likes •985 views

About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin & DevOps Hacking & Security @RabbitLair About me Index Introduction 1 Analysis of Vulnerabilities 2 What if I dont patch? 3 Index Introduction

  3. About me Who’s me? Ezequiel ”Zequi”V´ azquez Backend Developer Sysadmin & DevOps Hacking & Security @RabbitLair

  4. About me

  5. Index Introduction 1 Analysis of Vulnerabilities 2 What if I don’t patch? 3

  6. Index Introduction 1 Analysis of Vulnerabilities 2 What if I don’t patch? 3

  7. Life cycle of a patch General steps 1 Discovery of a vulnerability → security team 2 Implementation of a patch, new release is published 3 Hackers study patch using reverse engineering → POC 4 POC published → massive attacks

  8. Ok! I will patch my system, but . . .

  9. Ok! I will patch my system, but . . .

  10. Index Introduction 1 Analysis of Vulnerabilities 2 What if I don’t patch? 3

  11. Drupalgeddon SA-CORE-2014-005 CVE-2014-3704 Patch released on October 15th, 2014 SQL injection as anonymous user All Drupal 7.x prior to 7.32 affected 25/25 score on NIST index

  12. Drupalgeddon Arrays on HTTP POST method Method POST submits form values to server application Usually, integers or strings, but arrays are allowed

  13. Drupalgeddon Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )”

  14. Drupalgeddon Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )”

  15. Drupalgeddon Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )”

  16. Drupalgeddon The vulnerability Array index is not sanitized properly Poisoned variable is passed to database Result: Arbitrary SQL queries can be executed

  17. Drupalgeddon The vulnerability Array index is not sanitized properly Poisoned variable is passed to database Result: Arbitrary SQL queries can be executed

  18. Drupalgeddon Let’s see it

  19. Highly Critical RCE SA-CORE-2018-002 CVE-2018-7600 Patch released on March 28th, 2018 Remote code execution as anonymous user All versions affected prior to 7.58 and 8.5.1 24/25 score on NIST index

  20. Highly Critical RCE Renderable Arrays Forms API introduced in Drupal 4.7 Arrays whose keys start with “#” Drupal 7 generalized this mechanism to render everything Recursive behavior Callbacks: post render , pre render , value callback , . . .

  21. Highly Critical RCE Submitting forms Submitted value is stored in #value HTTP POST method allows to submit array as value

  22. Highly Critical RCE The vulnerability Use POSTMAN or similar to bypass the form Submit an array value in a field where Drupal expects a string Submitted array contains indexes starting with “#”

  23. Highly Critical RCE The vulnerability Use Ajax API to trick Drupal to renderize again mail field element parents determines part of form to be renderized Field is renderized, and post render callback is executed

  24. Highly Critical RCE Let’s see it

  25. Highly Critical RCE follow up SA-CORE-2018-004 CVE-2018-7602 Patch released on April 25th, 2018 Remote code execution as authenticated user All versions affected prior to 7.59 and 8.5.3 20/25 score on NIST index

  26. Highly Critical RCE follow up Destination parameter GET parameter used to redirect to an URL after execution It’s passed to stripDangerousValues to sanitize it Double encoding not detected: “#” → “ %23” → “ %2523”

  27. Highly Critical RCE follow up Destination parameter GET parameter used to redirect to an URL after execution It’s passed to stripDangerousValues to sanitize it Double encoding not detected: “#” → “ %23” → “ %2523” Option trigering element name File includes/ajax.inc Identifies the element used for submission Sets a form element to be renderized again

  28. Highly Critical RCE follow up The vulnerability: First step Perform a POST call to URL of a confirmation form trigering element name with value form id Destination contains a field with post render callback POST call redirects to confirmation form again → All set Payload must be URL encoded

  29. Highly Critical RCE follow up The vulnerability: First step Perform a POST call to URL of a confirmation form trigering element name with value form id Destination contains a field with post render callback POST call redirects to confirmation form again → All set Payload must be URL encoded

  30. Highly Critical RCE follow up The vulnerability: Second step Execute form cancel action as AJAX POST call /file/ajax/actions/cancel/ %23options/path/[form build id] Ajax API processes the form and executes poisoned post render

  31. Highly Critical RCE follow up Let’s see it

  32. Index Introduction 1 Analysis of Vulnerabilities 2 What if I don’t patch? 3

  33. Attacks in the wild Don’t do this at home Full database dump Execute cryptocurrency mining malware Server used as malicious proxy Infect site users Defacement / Black SEO ???

  34. In summary . . .

  35. That’s all, folks! Thank you! @RabbitLair zequi[at]lullabot[dot]com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE

Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE

Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE DAVIS PETER SILBERMAN STEVE DAVIS PETER SILBERMAN Security Consultant / Engineer / Researcher Security Consultant / Engineer / Researcher

795 views • 54 slides
Managing Your Learning During BST - Outcome Based Education Keith Farrington Education

Managing Your Learning During BST - Outcome Based Education Keith Farrington Education

Managing Your Learning During BST - Outcome Based Education Keith Farrington Education Specialist 17 July 2019 OBE For Histopathology, BST, 2019 What is OBE? Curriculum comprised of goals, and goals broken down into outcomes

168 views • 13 slides
Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL & Friends Devroom To err is human To really foul things up requires a computer [1] (or a script) [1]:

478 views • 30 slides
Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash,

Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash,

Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash, MD, Duke - Planning Committee Co-Chair Riki Merrick, MPH Vernetzt, LLC - Planning Committee Co-Chair Agenda o Intro to IHE Pathology and

710 views • 33 slides
Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH

Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH

National Center for Emerging and Zoonotic Infectious Diseases Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH Viral Special Pathogens Branch Centers for Disease Control and Prevention Advisory

369 views • 19 slides
Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide

Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide

Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide Prevention Coordinator Kansas City VAMC 1 Disclosure I have no actual or potential conflict of interest in relation to this

715 views • 50 slides
MMRIA ABSTRACTOR OFFICE HOURS ENHANCING REVIEWS AND SURVEILLANCE TO ELIMINATE MATERNAL MORTALITY

MMRIA ABSTRACTOR OFFICE HOURS ENHANCING REVIEWS AND SURVEILLANCE TO ELIMINATE MATERNAL MORTALITY

MMRIA ABSTRACTOR OFFICE HOURS ENHANCING REVIEWS AND SURVEILLANCE TO ELIMINATE MATERNAL MORTALITY (ERASE MM) NOVEMBER 21, 2019 Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division

288 views • 7 slides
E ffi cient and Incentive-Compatible Liver Exchange Haluk Ergin Tayfun Snmez M. Utku nver U

E ffi cient and Incentive-Compatible Liver Exchange Haluk Ergin Tayfun Snmez M. Utku nver U

E ffi cient and Incentive-Compatible Liver Exchange Haluk Ergin Tayfun Snmez M. Utku nver U C Berkeley Boston College Boston College Introduction Kidney Exchange became a wide-spread modality of transplantation within the last

556 views • 42 slides
Autopsy of Vulnerabilities E z e q u i e l Z e q u i V z q u e z

Autopsy of Vulnerabilities E z e q u i e l Z e q u i V z q u e z

Autopsy of Vulnerabilities E z e q u i e l Z e q u i V z q u e z Who Am I? B a c k e n d d e v e l o p e r D e v O p s S e c u r i t y & H a c k i n g F r o m J e r

509 views • 28 slides
Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning Dapeng Liu

Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning Dapeng Liu

Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning Dapeng Liu , Youjian Zhao, Haowen Xu, Yongqian Sun, Dan Pei, Jiao Luo, Xiaowei Jing, Mei Feng 2015/12/3 Dapeng Liu (liudp10@mails.tsinghua.edu.cn) KPIs and

545 views • 42 slides
Digital Witness Remote Method for Volunteering Digital Evidence on Mobile Devices Nigel Campbell

Digital Witness Remote Method for Volunteering Digital Evidence on Mobile Devices Nigel Campbell

Digital Witness Remote Method for Volunteering Digital Evidence on Mobile Devices Nigel Campbell , Evan Stuart, Trevor Goodyear, Winston Messer, and James Fairbanks $ whoami Research Scientist @ GTRI Software Developer MSCS Student

435 views • 30 slides
Is FGFR an Effective Target in Cholangiocarcinoma? Disclosures Consultant DebioPharm

Is FGFR an Effective Target in Cholangiocarcinoma? Disclosures Consultant DebioPharm

Chabner Symposium October 30, 2017 Lipika Goyal, MD, MPhil Massachusetts General Hospital Cancer Center Instructor, Harvard Medical School Is FGFR an Effective Target in Cholangiocarcinoma? Disclosures Consultant DebioPharm

685 views • 49 slides
Using Social Determinants of Health to Inform Fatality Review June 7, 2017 2:00 3:00 p.m. ET

Using Social Determinants of Health to Inform Fatality Review June 7, 2017 2:00 3:00 p.m. ET

Using Social Determinants of Health to Inform Fatality Review June 7, 2017 2:00 3:00 p.m. ET Housekeeping Webinar is being recorded and will be available with slides in a few days on our website: www.ncfrp.org. The Center will notify

788 views • 61 slides
No relevant financial disclosures Gilden D, et al Neurol. Neuroimmunol Neuroinflamm. 2016

No relevant financial disclosures Gilden D, et al Neurol. Neuroimmunol Neuroinflamm. 2016

Is VZV the cause of GCA? AAS = CON NANOS March 5, 2018 ALFREDO A. SADUN, MD, PhD Flora Thornton Chair Doheny Eye Institute Vice-Chair of Ophthalmology, UCLA No relevant financial disclosures Gilden D, et al Neurol. Neuroimmunol Neuroinflamm.

409 views • 21 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
The INDEPTH Network www.indepth-network.org Please use the slides as you deem fit INDEPTH

The INDEPTH Network www.indepth-network.org Please use the slides as you deem fit INDEPTH

The INDEPTH Network www.indepth-network.org Please use the slides as you deem fit INDEPTH Governance Structure 2 Governance & M&E INDEPTH Board meetings o regular newsletters to the Board INDEPTH-Funder teleconferences; visits

528 views • 30 slides
Emerging Drugs of Abuse Julie Kmiec, DO and Bill Morrone, DO, MS Disclosures Julie Kmiec, DO

Emerging Drugs of Abuse Julie Kmiec, DO and Bill Morrone, DO, MS Disclosures Julie Kmiec, DO

Emerging Drugs of Abuse Julie Kmiec, DO and Bill Morrone, DO, MS Disclosures Julie Kmiec, DO I have no financial conflicts of interest William Morrone, DO I have no financial conflicts of interest 2 Objectives At the end of

524 views • 40 slides
Public Health Law in Correctional Facilities Leila Barraza, JD, MPH Deputy Director, Network for

Public Health Law in Correctional Facilities Leila Barraza, JD, MPH Deputy Director, Network for

Public Health Law in Correctional Facilities Leila Barraza, JD, MPH Deputy Director, Network for Public Health Law- Western Region Veda Collmer, JD Visiting Attorney, Network for Public Health Law - Western Region Principles & Objectives

1.08k views • 54 slides
Patient 1 Zinc Phosphide 23 y/o male ingested rodent pellets: Zn 3 P 2 Awake but intubated

Patient 1 Zinc Phosphide 23 y/o male ingested rodent pellets: Zn 3 P 2 Awake but intubated

Patient 1 Zinc Phosphide 23 y/o male ingested rodent pellets: Zn 3 P 2 Awake but intubated for airway protection Using the Poison Center as a Lavage and WBI Hazmat Resource Rectal tube ICU bed Susan Smolinske MD, PharmD,

106 views • 8 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
Reporting Carbon Monoxide Poisoning Jon Meiman, MD Chief Medical Officer Jenny Camponeschi, MS

Reporting Carbon Monoxide Poisoning Jon Meiman, MD Chief Medical Officer Jenny Camponeschi, MS

Reporting Carbon Monoxide Poisoning Jon Meiman, MD Chief Medical Officer Jenny Camponeschi, MS Program Manager Wisconsin Environmental Public Health Tracking July 10, 2018 Wisconsin Department of Health Services Wisconsin Division of Health

682 views • 37 slides
Using Dashboards to Make Human Services Data Human ICPH Beyond Housing 2020 Session 2.12

Using Dashboards to Make Human Services Data Human ICPH Beyond Housing 2020 Session 2.12

Using Dashboards to Make Human Services Data Human ICPH Beyond Housing 2020 Session 2.12 Presented by: Lisa Kessler Courtney Lewis Data Analyst Transition Age Youth System Coordinator Allegheny County Department Allegheny County

646 views • 42 slides
Processing Dialogue-Based Data in the UIMA Framework Milan Gnjatovi , Manuela Kunze, Dietmar

Processing Dialogue-Based Data in the UIMA Framework Milan Gnjatovi , Manuela Kunze, Dietmar

Processing Dialogue-Based Data in the UIMA Framework Milan Gnjatovi , Manuela Kunze, Dietmar Rsner University of Magdeburg Overview Background Processing dialogue-based Data Conclusion Gnjatovi , Kunze, Rsner 2 Background

600 views • 21 slides
1 UNCLASSIFIED UNCLASSIFIED Military Mortuary Affairs Responsibilities In DoD, mortuary

1 UNCLASSIFIED UNCLASSIFIED Military Mortuary Affairs Responsibilities In DoD, mortuary

UNCLASSIFIED Agenda Defense Support of Civil Authorities for Mortuary Affairs NORAD-USNORTHCOM Quick Overview North American Aerospace Defense Command (NORAD) Military Mortuary Affairs Roles, Missions, Forces and United States

328 views • 5 slides

More recommend