My CVE, bug bounty, and general cybersec relevant reading list and notes

Misc Links

  • National Vulnerability Database: here.
    • NVD CVE search: here.
    • NVD data feeds listing: here.
  • CVE details CVSS distribution listing: here.
  • Mitre CVE search: here.
  • Pentesterland list of bug bounty writeups: here.
  • JFrog security research blogroll: here.
  • vuldb listing: here.

2022

March

| Title | Notes | CVE | Key Takeaways | Tags |
|---|---|---|---|---|
| GitLab GraphQL API User Enumeration | | CVE-2021-4191 | Don't expose services to the internet unless you absolutely have to. Ensure all possible endpoints are subject to authentication if required. | gitlab, hosting practices, enumeration |
| Arbitrary command injection in pipenv | | CVE-2022-21668 | Comments weren't ignored, because they were improperly parsing requirements files; if the thing you are parsing has a spec, parse it according to the spec. If it doesn't, make the people who own the thing you're parsing write one :) | pipenv, python |
| The Impact of CVE-2022-0185 Linux Kernel Vulnerability on Popular Kubernetes Engines and CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers | here | CVE-2022-0185 | Once again, --privileged and SECCOMP would help save the day. Don't disable them, people! Stay up to date on kernel updates. | containers, escape |
| Can containers escape? | here | CVE-2022-0492 | Securing containers with apparmor, selinux, or seccomp is a good idea. Also, up-to-date Linux releases are a good idea. | cgroups, containers, linux |
| Escaping privileged containers for fun | | | mount + gcc + /proc/sys/kernel/core_pattern + a privileged container --> arbitrary commands on container host | docker, escape, privileges |

Notes

March

pwning Ubuntu and escaping Google
  • Google's syzkaller looks interesting:

    syzkaller is an unsupervised coverage-guided kernel fuzzer

Can containers escape?
  • cgroups, controlled by cgroupfs, provide means to limit/account/isolate the resource usage of a set of processes.
    • further divided into subsystems, each responsible for a specific resource (e.g. memory cgroup, device cgroup, etc.)
      • any further nested are new cgroups under that subsystem
  • cat /proc/self/cgroup shows cgroup membership
  • Arbitrary binaries (run with the highest possible permissions, i.e. root) can be run on the termination of a process in a cgroup if a binary has been assigned to the subsystem's release_agent and the cgroup the child process belongs to has notify_on_release enabled.
    • This is OK if the system checks that the child proc had CAP_SYS_ADMIN permissions before running it. It did not.
    • Writing to notify_on_release still requires root within the container.
  • cgroups are RO mounts inside containers (mount | grep "cgroup (ro")
  • Utility helper/checker function: Palo Alto Networks - can container escape
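The conditions listed above (root inside the container, CAP_SYS_ADMIN, seccomp, read-only cgroup mounts) can be checked from inside a container by reading proc files. The script below is an added example written for these notes; it is not the Palo Alto Networks checker linked above and not code from any of the articles. It parses the /proc/self/status and /proc/mounts formats from strings so it can run offline against the constructed samples embedded in it (labelled as constructed), and main() applies the same parsers to the live files on a Linux host. The capability bit number for CAP_SYS_ADMIN (21) is taken from linux/capability.h.

```python
"""Read-only hardening check for the cgroup release_agent conditions in the notes above."""
import os

CAP_SYS_ADMIN = 21  # capability bit number from <linux/capability.h>

# Constructed sample of /proc/self/status for a default (non-privileged) Docker
# container: root user, Docker's default capability mask, seccomp filter mode.
DEFAULT_STATUS = (
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "Seccomp:\t2\n"
)

# Constructed sample for a --privileged container: full capability set, seccomp off.
PRIVILEGED_STATUS = (
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
    "Seccomp:\t0\n"
)

# Constructed /proc/mounts samples: cgroupfs mounted read-only vs. read-write.
RO_MOUNTS = (
    "overlay / overlay rw,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n"
)
RW_MOUNTS = RO_MOUNTS.replace("cgroup ro,", "cgroup rw,")


def parse_status(status_text):
    """Turn the 'Key:\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap_sys_admin(status_text):
    """True if CAP_SYS_ADMIN is in the effective capability set (CapEff, hex mask)."""
    cap_eff = int(parse_status(status_text).get("CapEff", "0"), 16)
    return bool(cap_eff & (1 << CAP_SYS_ADMIN))


def seccomp_mode(status_text):
    """Seccomp line: 0 = disabled, 1 = strict, 2 = filter (the Docker default)."""
    return int(parse_status(status_text).get("Seccomp", "0"))


def is_root(status_text):
    """True if the effective UID (second field of the Uid line) is 0."""
    uid_fields = parse_status(status_text).get("Uid", "0 0 0 0").split()
    return uid_fields[1] == "0"


def cgroup_mounts(mounts_text):
    """Map each cgroup/cgroup2 mountpoint in /proc/mounts to True if mounted read-only."""
    result = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _device, mountpoint, fstype, options = parts[:4]
        if fstype in ("cgroup", "cgroup2"):
            result[mountpoint] = "ro" in options.split(",")
    return result


def assess(status_text, mounts_text):
    """Return a list of hardening gaps; an empty list means none of the conditions hold."""
    findings = []
    if is_root(status_text):
        findings.append("process is root inside the container")
    if has_cap_sys_admin(status_text):
        findings.append("CAP_SYS_ADMIN is in CapEff")
    if seccomp_mode(status_text) == 0:
        findings.append("seccomp is disabled")
    for mountpoint, read_only in cgroup_mounts(mounts_text).items():
        if not read_only:
            findings.append(f"cgroup mount {mountpoint} is read-write")
    return findings


def main():
    """Run the checks against the current process; only meaningful on Linux."""
    if not os.path.exists("/proc/self/status"):
        print("no /proc/self/status; running the constructed samples instead")
        print(assess(PRIVILEGED_STATUS, RW_MOUNTS))
        return
    with open("/proc/self/status") as status_file, open("/proc/mounts") as mounts_file:
        findings = assess(status_file.read(), mounts_file.read())
    for finding in findings:
        print("gap:", finding)
    if not findings:
        print("no gaps: not root, no CAP_SYS_ADMIN, seccomp on, cgroup mounts read-only")


if __name__ == "__main__":
    main()
```

Run it inside a container with `python3 check.py`; on a default Docker container the only line expected is the root-user gap, while a `--privileged` container reports all four. The check is a snapshot of the current process only: it does not try to gain capabilities, so a container whose seccomp or AppArmor profile is what actually blocks the escape will still show the root-user gap, which is the point of the "don't run as root" advice in the notes.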