[tl;dr sec] #214 – Poisoning GitHub’s Runner Images, Fuzzing AWS WAF, LLM-powered Honeypot


I hope you’ve been doing well!

🤢 A Devastating Slip

Recently I was rushing down the BART escalator after my musical improv class because I could hear the train arriving.

I hurried around the corner to jump on before the door closed, and… my foot slid for several inches. Immediately, my heart sank.

For context, if you’re walking in San Francisco and you slip when it hasn’t been raining, that’s not a good sign. It means you stepped in… something. Something the CDC would rate a bioterrorism risk and wear a hazmat suit around.

I made it onto the train, and wiped my foot on the car floor a few times.

A woman walked onto the train, and after a moment came up to me and said, “Oh man, something smells terrible, do you know what that is?”

I gave her my best “I don’t know anything” face and shook my head.

Lesson: Walking in San Francisco is like cybersecurity: constant vigilance is key.

Security is a key priority for any CISO of any organization with an extensive footprint in Azure.

This free cheat sheet provides actionable recommendations that can help you strengthen your Azure cloud security posture. We’ll explore detailed aspects of Azure best practices, from role-based access control (RBAC) to cloud security posture management, that you can adapt to secure your Azure subscriptions.

AppSec

csdev/ezghsa
A command-line tool for summarizing and filtering vulnerability alerts on GitHub repositories.

usdAG/FlowMate
A Burp Suite extension that brings taint analysis to web applications by tracking all parameters sent to a target application and matching their occurrences in the responses. You can also browse results in an integrated Neo4j browser.

See also Tracy, a similar project by Michael Roberts and Jake Heath, built when we were colleagues at NCC Group.

How to introduce Semgrep to your organization
Trail of Bits’ Maciej Domanski describes a seven-step plan to determine how to best integrate Semgrep into your company’s SDLC, as well as things he wished he’d known before he started using Semgrep, a rule-writing cheatsheet, and useful links. This is a good overview for any SAST tool: explore, dive deep, fine-tune, evangelize to devs, write custom rules, etc.

Trail of Bits is also hosting a public training webinar on Semgrep, the first part of their Testing Handbook, on January 26 at 1 pm EST. You can register here.

Access over 15 on-demand infrastructure access and security content sessions at Teleport Connect: Virtual from teams at IBM, Freshworks, Vonage, and more.

Topics include handling data center malfunctions, what truly elevates a company’s security, and insights surrounding access management best practices.

Register today and choose your own experience – follow along live or skip to your desired session.

Just tonight over drinks, actually, a senior security leader told me how much he liked Teleport 👆️ (Yes, I went home to finish this issue 😅 )

Cloud Security

Fuzzing and Bypassing the AWS WAF
Daniele Linguaglossa describes how the Sysdig Threat Research Team discovered a specific DOM event (onbeforetoggle) that bypasses AWS WAF, via a custom WAF fuzzer (Wafer) that’s based on the PortSwigger XSS reference. Nice methodology description of finding unfiltered tags and attributes, ensuring the payload is triggered using Selenium, catching alerts and user interaction events, etc.

Container Security

Deep dive into AWS CloudShell
AWS CloudShell, a browser-based, pre-authenticated shell you can launch from the Management console, in Jan 2024 gained the ability to run Docker containers. Aidan Steele walks through escaping the container and looking around to see how AWS credentials and IAM roles are working, peeking at other containers, and more.

Ronin also shared a nice AWS CloudShell deep dive in Oct 2023. Both are great examples of blackbox exploring an unknown environment and poking around and seeing how things work.

Supply Chain

PackagingCon
A whole conference dedicated to software package management, including supply chain security. Currently at ~100 videos on YouTube.

The State of Software Supply Chain Security 2024
Detailed report by ReversingLabs covering supply chain security and malicious dependency trends, a detailed leaked secrets section, guidance from government parties, industry initiatives, and more. They’ll be discussing the report in this webinar on Jan 31.

ReversingLabs saw a 28% increase in malicious packages spread across PyPi and NPM through the first nine months of 2023 compared with all of 2022, including more than 7,000 instances of malicious PyPI packages, the vast majority of which were classified as ‘infostealers’.

One Supply Chain Attack to Rule Them All
Adnan Khan describes a vulnerability that would have allowed an attacker to tamper with the runner images code used for all GitHub and Azure Pipelines hosted runners, potentially letting them conduct a supply chain attack against every GitHub customer that used hosted runners. Yikes.

  • First you fix a typo in the target repo, which when accepted makes you a “contributor.” By default GitHub allows contributors to trigger GitHub Actions workflows when submitting a PR.

  • If that repo is using a persistent (non-ephemeral), self-hosted runner, you get RCE on that runner via a malicious CI job.

  • Then, because the runner is not discarded after your job, you can also steal secrets from other workflow runs.

  • From this position, you can generally compromise repo releases, including GitHub releases, Docker containers, NPM or PyPI packages, etc. GG.

Lastly, John shares how they similarly compromised PyTorch, which is also used everywhere. The disclosure timeline from Meta at the bottom does not inspire confidence in me about PyTorch’s security.

Blue Team

vm32/Linux-Incident-Response
A cheatsheet for incident response and live forensics in Linux environments, with CLI commands for investigating user accounts, log entries, processes, services, network settings, and more.

Red Team

msd0pe-1/cve-maker
A CLI tool that makes it quick and easy to search for CVEs and their associated exploits, based on the official NIST, ExploitDB and GitHub databases.

referefref/honeydet
By James Brine: A signature-based, multi-threaded honeypot detection tool. It detects honeypots based on the premise that, given a specifically crafted request, honeypots will generate a unique and identifying response to TCP/UDP packets. Supports hex, string, and regex signatures.

Basically, use the tool defenders use to understand their systems for its intended purpose. Nice. They cover a bit of osquery’s implementation details and share a tool to make the process easier.

Machine Learning + Security

LVE Repository
A project documenting and tracking vulnerabilities and exposures of large language models (LVEs). Like CVEs but for LLMs.

0x4D31/galah
By Adel Karimi: An LLM-powered web honeypot that uses OpenAI to respond to arbitrary HTTP requests. For example, if it receives a GET request to /login.php it responds with HTML that includes PHP and a login form, and requests to /.aws/credentials will return fabricated creds. So it can mimic a wide breadth of software with 1 prompt. Clever idea, I like it!

Gen AI could make KYC effectively useless
Know Your Customer is a process used by financial institutions to verify the identity of their customers. You could use Stable Diffusion to create a fake ID, deepfake a person holding an arbitrary ID document, or even bypass liveness checks, which usually involve taking a short video.

SecGPT
My bud Jason Haddix’s personal GPT for offensive security. It’ll use up-to-date research and dive deep into technical topics. Jason uses it like he has a peer in a chair next to him, asking questions to learn and bounce ideas off of.

Also, congrats to Jason for going independent and offering training and consulting services. “The Bug Hunter’s Methodology” series has been some of my favorite talks of all time, stoked that he’s giving it as a full training now.

Misc

  • Turing Complete – A game about computer science. Learn about logic gates, components, architecture, assembly, and more.

  • “It is startling to see how much of the world’s R&D spending comes from (mostly American) tech giants. The R&D spending of Amazon is greater than the R&D spending of all companies and government in France. Alphabet beats Italy.”

  • 🔥 top4grep by Kyle Zeng – Enables keyword search to find relevant security papers published in the top 4 academic security conferences (IEEE Security & Privacy, USENIX, CCS, NDSS). I’ve wanted something like this for a long time.

  • If There Are No Stupid Questions, Then How Do You Explain Quora? What a title 😂 

Chromium Money Tree Browser
A site by Rebane that maps Chrome VRP (bug bounty) rewards to changes (fixes) in specific files in the source. Basically, which files have cost Google the most. Neat!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏




