Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes

Vendor: OpenJDK Project Vendor URL: https://openjdk.java.net Versions affected: 8-17+ (and likely earlier versions) Systems Affected: All supported systems Author: Jeff Dileo <jeff.dileo[at]nccgroup[dot]com> Advisory URL / CVE Identifier: TBD Risk: Low (implicit data validation bypass) Summary The private static InetAddress::getAllByName(String,InetAddress) method is used internally and by the public static InetAddress::getAllByName(String) to resolve host or IP strings … Continue reading Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes

Tool Release – insject: A Linux Namespace Injector

tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. While … Continue reading Tool Release – insject: A Linux Namespace Injector

Tool Update – ruby-trace: A Low-Level Tracer for Ruby

We released ruby-trace back in August to coincide with my DEF CON 29 talk on it and parasitic tracing in general. Back then, it supported (c)Ruby 2.6 through 3.0. A few days ago, Ruby 3.1 was released. We have updated ruby-trace to add support for Ruby 3.1 and reorganized our test suite to validate our … Continue reading Tool Update – ruby-trace: A Low-Level Tracer for Ruby

Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches

Background Java Virtual Machines (JVMs) provide a number of mechanisms to inspect and modify the Java applications and the runtime they stand on. These include Java agents, JARs that are capable of modifying Java class files at runtime; and JVMTI agents, native libraries that can perform deep hooking into the innards of the JVM itself. … Continue reading Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches

log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the "Log4Shell" vulnerability and gaining remote code execution on your systems. . In this post, we first offer some context on the vulnerability, the … Continue reading log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful

Recently, I was working on weaponizing a particular bug with a colleague. For reasons unfathomable to me, we've been implementing our exploit in Ruby. As part of this, we wrote a rinky-dink port scanner that attempts to find instances of the service on a given host because it has a propensity to pick random ports … Continue reading An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful

ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again

This post is a technical discussion of the underlying vulnerability of CVE-2020-15257, and how it can be exploited. Our technical advisory on this issue is available here, but this post goes much further into the process that led to finding the issue, the practicalities of exploiting the vulnerability itself, various complications around fixing the issue, … Continue reading ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again

Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

Vendor: containerd Project Vendor URL: https://containerd.io/ Versions affected: 1.3.x, 1.2.x, 1.4.x, others likely Systems Affected: Linux Author: Jeff Dileo CVE Identifier: CVE-2020-15257 Advisory URL: https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4 Risk: High (full root container escape for a common container configuration) Summary containerd is a container runtime underpinning Docker and common Kubernetes configurations. It handles abstractions related to containerization and … Continue reading Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets

tl;dr eBPF (extended Berkeley Packet Filter) is slowly taking over as a programmatic way for (generally privileged) users to invoke Linux kernel APIs and performantly execute semi-arbitrary code without having to load it from a custom kernel module. eBPF is a general means to load memory safe restricted code that reduces the risk of crashes, … Continue reading eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets