WAF evasion techniques for Command Injection
Let’s talk about Command Injection; I’m going to talk about this specifically from the perspective of Web Application Firewalls (like BIG-IP Advanced WAF, BIG-IP Next WAF, F5 Distributed Cloud WAF and so on) but these concepts are generally applicable anywhere user-input is used to construct commands run on the system, directly or indirectly. So, what is Command Injection? To quote OWASP, who put it very nicely: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. This attack differs from Code Injection, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. Like I say, in this case I’m going to talk about command injection to web applications, but they can happen in almost any piece of software that works on untrusted user input. Perhaps the most famous example of a command injection vulnerability is Shellshock, a suite of vulnerabilities in the Unix Bash shell and if you needed any proof that they can be hard things to find as a defender, Shellshock lived, undiscovered (or at least undisclosed, we’ve no way of proving that no malicious entities knew of the bug!) for 25 years from 1989 to 2014, in one of the most widely used pieces of software in the world. The original Shellshock vulnerability involved a maliciously crafted environment variable containing (malicious) commands after a function definition, e.g. env x=’() { :;}; echo vulnerable’ bash -c “echo test” On a vulnerable system, running the above commands would display “vulnerable” because of Bash continuing to execute the (injected) commands following the function definition. Injecting a command here requires the"| use of two specific characters plus the command, the semi-colon and space characters. If you imagine a web application passing commands to bash on a vulnerable system, you’ll see that it would be possible to block this attack simply by blocking requests containing semi-colon or space (or indeed having a signature for the full function definition and trailing semi-colon of “{ :;};”) Bypassing protections Any time there is a WAF in front of a vulnerable system – and sometimes even when there isn’t – an attacker must try to evade the rules preventing them from simply injecting their chosen command. You’ll often see this when attackers or scanners are looking for SQL injection vulnerabilities in web applications, replacing characters like ‘ with %27 or the space with %20 (and many other tricks), or using chunks of existing text with the SUBSTRING() function to construct queries without having to use the actual text. Many of the same tricks work for command injection vulnerabilities, and I’d like to talk about a specific example here because it’s one I hadn’t considered until it turned up in some real life traffic.. Bypassing WAF signatures using Environment Variables Remember I just said you could construct SQL queries using sub-strings of existing text? Well, if your target system is Windows-based and you know there’s a command injection vulnerability but you’re unable to exploit it due to character blocks or similar restrictions, then good news! Windows environment variables might be what you’re looking for.. Environment variables exist in most operating systems, and Microsoft ones are no exception – they date back to DOS and were one of the enhancements Microsoft brought to the table over and above CP/M (unlike the 8.3 filenames, which came right from CP/M!); their behaviour has been pretty much the same throughout, and there have always been a number of ‘default’ environment variables like the PATH, TMP & TEMP. Current versions of Windows add a number of additional default environment variables like PROGRAMDATA, PROGRAMFILES etc. Windows also allows the shell to return just a part of the environment variable value using the following syntax: %VARIABLE:~start_pos,end_pos% How is this useful to us, you ask? Let’s say you know you can inject a command, but you need a space in your command line; you want to inject “ping 127.0.0.1” but the space is dropped or the request is blocked by a WAF looking for “ping <IP>”, well then you just need an environment variable you know will have a space in it! %PROGRAMFILES%, by default, is going to be set to C:\Program Files on most systems, which has a space right there in the middle! All we need to do to get to it is use it as %PROGRAMFILES:~10,1%, for example: ping%PROGRAMFILES:~10,1%127.0.0.1 Go ahead, fire up a command prompt, and try it out! You could even construct the whole command that way: %PROGRAMFILES:~3,1%%SYSTEMROOT:~4,2%%PROGRAMFILES:~6,1%%PROGRAMFILES:~10,1%127.0.0.1 Again, fire up a command prompt and give that a try! Protect against bypasses with BIG-IP Advanced WAF Now here’s the good news: ASM includes signatures, by default, for all of those useful Windows environment variables (and the same for many other systems, too), so if you were to try the above on a vulnerable system with the right signatures in the policy, you’d still be blocked – like this: All these signatures are part of the Predictable Resource Location Signatures signature set, so you’ll want to make sure you either have all signatures of Medium or above, or at least this set assigned to your policy: Summary Command Injection is a huge topic, much bigger than I can talk about in one blog post here, but hopefully this shows you one way an attacker might try to evade protection in front of a vulnerable Windows system, and some ways in which you can protect it — BIG-IP Advanced WAF or F5 Distributed Cloud WAF both have signatures for this kind of evasion.GitLab Vulnerability, Secure by Design Pledge, & Near Miss Supply Chain Attack
Hello, this week Jordan_Zebor is your editor looking at the notable security news for a critical GitLab Vulnerability, the CISA Secure by Design Pledge & a near miss Supply Chain Attack. GitLab Pipeline Takeover Vulnerability GitLab has recently disclosed a critical vulnerability (CVE-2024-6385) affecting its CI/CD pipeline functionality in both Community Edition (CE) and Enterprise Edition (EE) versions 15.8 to 17.1.1. This vulnerability, with a CVSS score of 9.6, allows authenticated attackers to trigger pipelines as other users under certain conditions, potentially compromising the security and integrity of CI/CD processes. The low privilege requirements prevent this vulnerability from receiving a <insert sarcasm here> "perfect 10" score in CVSS. Either way, the issue still falls under the qualitative severity of critical, meaning security teams should be assessing their risk ASAP. The flaw was identified through GitLab’s HackerOne bug bounty program and has been addressed in the latest security updates. I've not seen reports of active exploitation so hopefully defenders get some time to patch this issue before proof of concept / exploit code is released. CISA Secure by Design Pledge The CISA 'Secure by Design' initiative, launched in April 2023, aims to enhance product security by encouraging vendors to adopt measures like multi-factor authentication, reducing default passwords, and improving vulnerability management. F5 has committed to this pledge, reflecting its dedication to advancing security in its products. F5 isn't starting from scratch, as we already adhere to many of the principles outlined in the CISA pledge. We have a strong track record in CVE vulnerability disclosure, ensure transparency and effective patching through Quarterly Security Notifications and our established vulnerability disclosure policy ensures the timely identification, assessment, and remediation of vulnerabilities, with clear communication channels for public disclosure. Additionally, iHealth enhances customers' ability to gather evidence of intrusions, helping organizations detect and respond to cybersecurity threats efficiently. Python Ecosystem Near Miss Supply Chain Attack JFrog's Security Research team discovered a critical security issue involving a leaked PyPI secret token within a public Docker container. PyPI (Python Package Index) is a repository for Python packages, widely used by developers to share and distribute code. The token, found 17 minutes after its commit, could have allowed attackers to inject malicious code into Python packages or insert malicious code into PyPI’s Warehouse code, potentially granting attackers backdoor access to manipulate popular packages. PyPI's security team promptly revoked the token, preventing potential damage and according to their transparentincident report, concluded that no malicious activity was detected. This near-miss underscores the severe risk of supply chain attacks if such credentials fall into malicious hands and highlights that scanning for secrets in source code is not enough; both source code and binary data need auditing, as critical data sometimes resides only in binary form.Midnight Blizzard, Polyfill.io and cyber workforce, June 23rd – 29th - This Week In Security
Going over the security news sometimes is an overwhelming experience with security incidents all over. This edition include news from 23 rd – 29th and this week a lone there are 50 different security items across the various news, and those are the ones that make it to the news. Out of those 50, there are around 20 items that relate to actual incident response. Looking at CVE details the past week has 615 vulnerabilities with 41 critical. As a security personnel, if only one of those hits you per quarter, you are busy, very busy. One interesting point and a place for hope is that incident response is done properly and damage control evaluations are making progress. With the general security assumption of: it is a matter of time until you get hacked, the next important thing is to manage the incident properly and get back online as fast as you can to prevent money lose. Finally, research shows that the cyber security workforce is growing at large organizations as they prioritize security, which is good news. Until next time, stay safe. Lior Microsoft Alerts More Customers to Email Theft in Expanding Midnight Blizzard Hack Poper IR being proactive, embracing transparency and collecting the data on the incident response at the level I would expect MS to demonstrate. Well done. “Earlier this year, Microsoft described the incident as an “ongoing attack” According to published reports, Redmond’s incident response team is providing a secure portal for customers to view specifics of emails stolen by the Midnight Blizzard threat actor. “You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft,” the company said. “As part of our commitment to transparency, we are proactively sharing these emails. We have custom built a secure system to enable the approved members of your organization to review the exfiltrated emails between Microsoft and your company,” according to the notifications.“ https://www.securityweek.com/microsoft-alerts-more-customers-to-email-theft-in-expanding-midnight-blizzard-hack/ Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts Sometimes security products themselves are the hacking point. While this shouldn’t happen, things do happen. Also learned new wording “rogue administrator accounts” “Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions. “The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence security researcher Chloe Chamberland saidin a Monday alert. “In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.” It’s currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024. “ https://thehackernews.com/2024/06/multiple-wordpress-plugins-compromised.html Google Introduces Project Naptime for AI-Powered Vulnerability Research The defensive security keeps on providing more tools and research, this time for AI. “Google has developed a new framework calledProject Naptimethat it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches. The approach, at its core, seeks to take advantage of advances in code comprehension and the general reasoning ability of LLMs, thus allowing them to replicate human behavior when it comes to identifying and demonstrating security vulnerabilities. It encompasses several components, such as a Code Browser tool that enables the AI agent to navigate through the target codebase. A Python tool to run Python scripts in a sandboxed environment for fuzzing; a Debugger tool to observe program behavior with different inputs; and a Reporter tool to monitor the progress of a task. https://thehackernews.com/2024/06/google-introduces-project-naptime-for.html Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites Supply chain attacks always have big impact. Hit the source and it will spread. A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for aWeb supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill.io to a Chinese organization earlier this year. Security researchers are warning that the cdn . polyfill . io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user’s browser. "This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed likeJavaScript threatsare, it becomes a tempting path for malicious actors." https://www.darkreading.com/remote-workforce/polyfillio-supply-chain-attack-smacks-down-100k-websites Cyber Workforce Grows 15% at Large Organizations as Security is Prioritized Two areas made progress this year: cloud security and data security. Large organizations will significantly strengthen their cyber workforce in 2024, according to cyber consultancy Wavestone. In itsCyber Benchmark 2024report, Wavestone found that, on average, companies with over $1bn in revenues have one expert dedicated to cybersecurity for 1086 employees. In 2023, the same organizations had one cyber professional for 1285 employees — a 15% increase. The best in class are financial businesses, which boast an average of one cyber expert per 267 employees, while industrial groups have an average of one cyber expert for 1390 employees. https://www.infosecurity-magazine.com/news/cyber-workforce-grows-15-large/ TeamViewer Credits Network Segmentation for Rebuffing APT29 Attack The hacking group APT29 aka Midnight Blizzard, is busy. “This week, TeamViewer said that while the Russian group APT29, aka Midnight Blizzard, managed to access its corporate network, the threat actors were limited to the company's internal IT network because of "strong segmentation" between its environments. Thus, no customers were affected. In public statementson June 27 (reiterated today), the German maker of remote desktop software said, "[W]e keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach." …because of the potential mischief a bad actor with desktop access can wreak, TeamViewer users should up their security game, according to industry groups. The NCC Group, which originally issued a warning under an amber/limited classification but then changed it to green/public, advised its customers that, while awaiting final confirmation of the extent of compromise, they remove TeamViewer from their systems if possible and closely monitor hosts that had the application installed if not.” https://www.darkreading.com/cyberattacks-data-breaches/teamviewer-network-segmentation-apt29-attack
Apple Passwords, Microsoft Recall, and DJI - May 10th - 16th - This Week In Security
This edition of this week in security is brought to you byKyle_Fox from the F5 SIRT team. This time we touch on Apple's new password manager, Microsoft's attempt to AI everything in Windows, and ongoing attempts to ban DJI drones from use in the United States. Included at the end is a roundup of other news from last week. Apple to include password manager in Apple OSes Apple has announced that they will be including a password management application in their operating systems, this will allow Apple users to store their passwords securely and sync them between all of their Apple devices using iCloud as a backend. This continues Apple's general trend towards identifying use cases being filled by third-party software and creating an inhouse replacement. Hopefully this will push regular users towards more secure passwords and password storage. Microsoft Says They Will Make Security a Priority Just a few weeks ago Microsoft announced a new Windows 11 feature calledRecall. Thisfeature would allow Windows to record all your actions in the operating system and allow you to search with AI for something that happened in the past. This is essentially Microsoft's various CoPilot products, but for the entire operating system. Expects were quick to note that this could provide aneasily to tap supply of surveillance data from a compromised system, allowing attackers to siphon off any data a Windows user is working on. This comes a year after a major breach of Microsoft infrastructure by the Storm-0558 threat actor, for which Microsoft has received a lot of criticism in its handling. This criticism includes a report from the US DHSCyber Safety Review Board report detailing failures that lead to that intrusion as well as further whisleblower complaints related to Microsoft's handling of security in recent years. Microsoft has now backtracked on deploying Recall to all Windows 11 installs, and will be working to make it more secure before release. Microsoft president Brad Smith has further stated to congress that they are working tomake all of their systems and products more secure. But only time will tell if the single highest-risk target for threat groups will live up to the promise of having the most secure software and systems. Congress moves to ban DJI drones amid fears of spying. Recently, lawmakers have been acting on what has seemed to be a long tail of "what ifs" and passing legislation to ban the import and potentially use of DJI drones in the United States. Some following this legislation are not surprised by its sponsors backing, noting thatRep Stefanik is backed by US based drone maker Skydio and industry association AUVSI. I'll admit, I own a couple DJI drones, so I have an interest in them at least being supported in the future, but this recent flare up seems more like a protectionist move without evidence of any actions on the part of the allegedly guilty player. This reminds me a lot of the Supermicro allegations from Bloomberg in 2018, in which Bloomberg alleged that Supermicro server motherboards had been embedded with spying devices. After the report Supermicro worked to audit their supply chain and examine those motherboards for any implants, and found thatno such implants existed. Bloomberg would continue to insist its reporting was correct,doubling down with a new set of allegations in 2021. To date, no such implants have been identified. This same long history of allegations exists in the case of DJI, with the Department of Defense reiterating spying concerns back in 2021 amid concerns about government use of DJI drones. Just like the Huewei ban, this concern also exists in Australia,extending to the general public's use of DJI drones there. So its not surprising the concern has morphed from the military use of DJI drones, to government use, andnow to the US public using them. None of these concerns cite actual actions of DJI, nor has any malicious code been identified yet. Roundup The YouTube recommendation for this time around is Practical Engineering. If your wanting to jump right in with something related to infrastructure security, try the series on the Electric Grid. Toorcamp, literally hacker summer camp, will be happening next week on Orcas Island in Washington. Two people have been arrested in the UK for using a home built cellular base station to send SMS phishing messages. The Australian border force continues its deep inspection of people visiting and returning to Australia with over 10,000 travelers phones searched in the last two years. The French are now entering the Mess With DNS to Block Bad Stuff(TM) game. SpaceX to introduce a miniaturised Starlink terminal.Enhancing Software Security with Rust: A Solution to Common Vulnerabilities
Introduction The digital landscape is continually evolving, with cybersecurity threats growing both in sophistication and number. Among these threats, memory safety vulnerabilities stand out, contributing to a significant portion of software security issues today. Supported by guidance from CISA, NSA, and many other security minded individuals, there is an urgent need for programming practices that inherently mitigate memory safety risks. Addressing Memory Safety with Rust Rust is an open-source programming language renowned for its dedication to safety and performance. It effectively addresses common challenges related to memory safety and concurrency without sacrificing execution speed. In this article, we will explore the top three Common Weakness Enumerations (CWEs) from the 2023 Known Exploited Vulnerabilities list: Use After Free, Heap-based Buffer Overflow, and Out-of-bounds Write. All these CWEs directly relate to memory safety problems. Throughout this article, we will demonstrate how Rust’s unique capabilities serve as effective safeguards against these widespread concerns. Note: While Rust also mitigates other critical issues such as double-free, dangling pointers, and concurrency issues like race conditions, deadlocks, and improper synchronization, these will not be covered in detail in this article. CWE-416: Use After Free This vulnerability occurs when a program continues to use a memory location after it has been freed, potentially leading to application crashes or in more severe scenarios, arbitrary code execution. Languages that require manual memory management, such as C and C++, are typically vulnerable to this issue, as developers must explicitly manage memory allocation and deallocation. Rust uniquely addresses CWE-416 through itsownership, borrowing, and lifetimes systems, catching potential vulnerabilities at compile time. Ownership rules enforce that each piece of data is owned by a single entity. When this owner or piece of data goes out of scope, Rust automatically deallocates the memory associated with it, thereby eliminating the risk of accessing freed memory. Borrowingallows functions to access data via references without taking ownership, a process carefully scrutinized by the borrow checker. This component of the compiler ensures that all borrowed references adhere strictly to lifetime rules, preventing them from outliving the data they reference, thereby avoiding use-after-free vulnerabilities. Lifetimes specify the scope for which a reference is valid, enabling the compiler to track and manage the lifespan of data throughout the program. By requiring explicit lifetime annotations where necessary, Rust enforces a clear contract for how long data can be safely borrowed, further strengthening its memory safety by preventing dangling references that could lead to vulnerabilities. CWE-122: Heap-based Buffer Overflow Heap-based buffer overflows occur when data exceeds its allocated memory in the heap, potentially allowing attackers to read or write memory they shouldn't have access to. This can result in crashing the application or enabling arbitrary code execution. Such vulnerabilities are particularly prevalent in languages like C and C++, which do not automatically enforce bounds checking. Rust effectively addresses CWE-122 through multiple security measures, including a type system, the principle of immutability by default, and robust memory safety abstractions. Type systems are critical for security, and Rust's system exemplifies this by being both statically and strongly typed. Static typing ensures all data types are defined before runtime, allowing the compiler to catch type errors early and mitigate related vulnerabilities. Strong typing in Rust requires explicit type conversions, guarding against unsafe coercions that could lead to issues like buffer overflows. Additionally, Rust enforces runtime bounds checking, which actively prevents heap-based buffer overflows and out-of-bounds writes by causing errors to panic rather than fail silently or behave unpredictably. Together, these features not only enhance security by enforcing strict type safety and data integrity but also by ensuring reliable and predictable error handling. Immutability by Default ensures that all data is immutable unless explicitly declared mutable. This design significantly reduces the risk of unintended data modifications that could lead to buffer overflows. By default, this immutability prevents many common programming errors associated with memory corruption. Memory Safety Abstractions provide high-level abstractions such as Vec<T> for managing dynamic arrays and Box<T> for smart pointers. These abstractions come with built-in bounds checking, which are enforced at runtime. When data operations exceed their allocated bounds, Rust's approach ensures that these operations result in controlled runtime panics, thus preventing unsafe memory access and preserving application integrity. Additionally, Rust promotes using iterators when working with collections. Iterators are both safe and efficient because they abstract away the need for manual bounds checking. This not only simplifies the code but also eliminates a common source of errors associated with direct index access, further enhancing safety and performance. CWE-787: Out-of-bounds Write This vulnerability involves writing data past the bounds of allocated memory, which can corrupt data, crash the application, or lead to code execution. It predominantly affects languages like C and C++ where bounds checking is not enforced automatically by the language, requiring manual oversight by developers. Rust addresses CWE-787: Out-of-bounds Write through its robust memory safety protocols, including automatic bounds checking for all memory write operations. This ensures that data stays within safe operational limits at both compilation and runtime stages, preventing potential security breaches. Additionally, features like the Option enum and fearless concurrency further safeguard against out-of-bounds writes by enforcing strict data handling and thread-safe access. Automatic bounds checking for all memory write operations, effectively preventing data from being written outside allocated segments. This safety measure operates during both compilation and runtime, where Rust ensures safe failure modes through structured error handling and panics rather than allowing undefined behavior. Option enum is special in Rust and its use ensures proper management of data safely, helping developers avoid The Billion Dollar Mistake. Unlike many other languages, Rust does not have null values for any data types and using the Option enum requires developers to explicitly handle cases of Some (data present) and None (data absent), promoting deliberate and safe data access patterns. This forces developers to handle cases which may otherwise go undefined in other languages. Fearless Concurrencyis another defining feature of Rust that guarantees thread-safe data access, effectively eliminating the risk of data races that could lead to out-of-bounds writes. This is achieved through Rust’s ownership and borrowing rules (described earlier), which ensure that data is accessed by only one thread at a time unless explicitly shared in a thread-safe manner. By leveraging these strict concurrency controls, Rust allows developers to build highly concurrent applications without the typical safety compromises seen in other languages, enhancing both performance and security and avoiding difficult to detect and reproduce defects. Conclusion The future of programming, particularly in systems and kernel development, is trending towards languages that provide strong memory safety guarantees. Rust's integration into system programming and even parts of the Linux kernel highlights a significant shift in software development paradigms. While Rust represents the future of secure programming, it's crucial to recognize the enduring legacy of languages like C. The Linux kernel and widely-used software such as OpenSSL and NGINX are predominantly written in C, illustrating that an immediate wholesale transition to Rust across all development sectors isn't practical. However, as we move forward, Rust's role in fostering more secure software is poised to expand with its focus on memory safety becoming a cornerstone of modern system software. The adoption of memory-safe languages like Rust isn't just about addressing current vulnerabilities; it's about reshaping software development practices to prioritize security from the ground up. This evolution marks a future where software inherently withstands a wide range of cybersecurity threats, greatly enhancing the resilience of our digital infrastructure against new challenges.
