SecPro #53: Securing Kubernetes, Fuzzing with FFUF, and Understanding Polkit

The brave new world of the second year of SecPro starts with some useful tutorials from our committed team of writers that should give you something to play with this week. Improving my fuzzing skills has been high on my priorities list this week, as well as understanding how Polkit targets Linux users.

Don’t forget to check out the Packt $10 for any book offer – the link is at the bottom of this newsletter! We’re offering special bundles as well, so make sure you keep an eye open for any of our specialist kits that serve your professional needs.

Cheers!
Austin Miller
Editor-in-Chief

Vulnerability analysis

Polkit Vulnerability – CVE-2021-4034

By Andy Pantelli

In our latest look at vulnerabilities we review another CVE aimed at the Linux Operating System. Polkit affects all major Linux Distributions running any version of Polkit.  In a Linux environment Polkit, previously known as PolicyKit is a system service the controls system-level privileges by using policies to determine if a user has the given privileges to undertake certain actions.  Relying on the pkexec executable, a SUID-root program installed by default on all major Linux Distributions. By exploiting Polkit adversaries can elevate privileges on a target system.  Red Hat list the following versions as affected in this security bulletin: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001. 

• Red Hat Enterprise Linux 6 
• Red Hat Enterprise Linux 7 
• Red Hat Enterprise Linux 8 
• Red Hat Virtualization 4 

Additionally, any Red Hat product supported on Red Hat Enterprise Linux including RHEL CoreOs is also potentially impacted.  Describing the vulnerability Red Hat explain that the pkexec program does not validate the number of arguments passed which eventually leads to environment variables being executed as commands.  When exploited this leads to arbitrary code being executed as a privileged user, granting the attacker a local privilege escalation. 

When starting a new process, the Linux Kernel will create an array with the command arguments (argv), and another with the environment variables (envp, with an integer value representing the argument count (argc).  The Linux Kernel positions both the argument array and the environment variables array in a contiguous way in memory.  A further default behaviour is how the first value of the argument array contains the executable name (pkexec for pkexec executable), with this implying any arguments sent to the process by the user are positioned after this value. 

CVE-2021-4034 

Discovered by the Qualys Research Team and publicly disclosed on 25th January 2022, due to the vulnerability allowing privilege elevation of a user on a system it was given a high CVSS score of 7.8.  To understand if a system is vulnerable the following commands should be run to check which version of Polkit is installed.  Any version below 0.120.r2 is vulnerable depending upon the Linux Distribution: 

#apt list –installed | grep policykit* 
 
#yum list installed | grep policykit* 
 
#dnf list installed | grep policykit* 
 
Example:

Mitigation

Two methods to mitigate the vulnerability risk exist, either by applying the patching via official sources or manually using instructions detailed below:

Red Hat Product Security strongly recommends affected customers update the polkit package once it is available. For customers who cannot update immediately, the issue can be mitigated by executing the following steps:

1. Install the following required systemtap packages and dependencies: https://access.redhat.com/solutions/5441.

2. Install polkit debug info:
 
debuginfo-install polkit
 
3. Create the following systemtap script, and name it pkexec-block.stp:
 
probe process(“/usr/bin/pkexec”).function(“main”) {
if (cmdline_arg(1) == “”)
raise(9);
}
 
4. Load the systemtap module into the running kernel:
 
stap -g -F -m stap_pkexec_block pkexec-block.stp
 
5. Ensure the module is loaded:

lsmod | grep -i stap_pkexec_block
stap_pkexec_block 434176 0

6. Once the polkit package is updated to the version containing the fix, remove the systemtap generated kernel module by running:

rmmod stap_pkexec_block

After using the rmmod command, a system reboot isn’t required.

Note: If the system is rebooted, the module generated by the systemtap needs to be reloaded into the kernel. To do that, navigate to the directory where the mitigation script was created and follow steps 4 and 5.

Once the mitigation above is performed, pkexec will continue to work as expected for legitimate use cases. 

1. Official Patches
   Use the following links for your Linux Distribution
   Ubuntu: https://ubuntu.com/security/notices/USN-5252-1
   Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
   Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034
   SUSE: https://www.suse.com/security/cve/CVE-2021-4034.html

Update via Command Line

1. APT

• sudo apt install policykit-1
• sudo apt update && sudo apt upgrade

1. YUM:

• sudo yum install policykit-1
• sudo yum update && sudo yum upgrade

1. DNF:

• sudo dnf install policykit-1
• sudo dnf update && sudo dnf upgrade

If it isn’t possible to apply patches or mitigate using the manual method you can also strip the pkexec of the setuid bit as a temporary measure.  To do so use the following CLI commands:

chmod 0755 /usr/bin/pkexec

Proof of Concept

Just as you would expect several Proof of Concept Repos are available publicly via GitHub if you wish learn more, or to exploit this vulnerability in a lab environment you can clone the repo below or look to find another example.

https://github.com/arthepsy/CVE-2021-4034

Disclaimer and acknowledgements

The information, guides & illustrations provided in this article is intended to provide Security Professionals or others the information to help protect their systems or any environments for which they have administrative control.  Any mitigations or code should be evaluated in a lab environment before considering applying in Production.  Any tools or techniques linked to are acknowledged to be the intellectual property of the respective author. Qualys research:

• https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
• https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

CVE-2021-4034 PoC, courtesy of arthepsy
Red Hat Security Bulletin

Container security

How to ensure Kubernetes (K8) and Container Security

By Sai Adithya Thatipalli 

Last 5 years was all about the transformation of Traditional Infrastructure and Cloud Adoption, Migration by many businesses. From traditional data centers to cloud, from cloud servers to containers, pods, from containers to functions, infrastructures have been changed in many ways. 

Before jumping into Kubernetes, we need to understand container architecture. 

If you see the above image you will understand that Traditional Deployment has Servers, Hardware appliances etc. Then the virtualization also replicates the same in a better manner, but it still consumes much resources and eventually increases the cost.
 
Then came the container deployment. Here we have the basic resources like Hardware and Operating system and then instead of having a whole virtual system in place, we will have a platform on which applications can be deployed. We call it docker, docker resembles the space on a big ship where the cargo containers will be placed with low space and more in number.
 
Docker helps us to launch our applications with low resources, high efficiency. Containers as nothing but a package contain all the files required for an application.
 

Open Source K8 Security Tools

Securing and Scanning K8 involves multiple layers from Cluster to Node to Container and then Code.

Each of the layer security is responsible for K8 security. Every layer should be implemented as per the best practices and should be up to date.

Want to read the rest of the article? Click the link below! 

Blue team

Fuzzing faster with FFUF 

By Indrajeet BhuyanContent discovery or fuzzing is an important aspect of black-box testing or bug bounty. The more endpoints we discover, the more content we discover the more is the attack surface. What exactly fuzzing you might ask. Fuzzing is an automatic process of giving random input to an application to look for any change in its behavior or to see if it gives any errors. Finding hidden files and directories also falls in the category of fuzzing.

Here in this article, I would like to introduce you to a tool that does fuzzing at a lightning speed. The tool is called FFUF (Fuzz Faster U Fool). Before using FFUF, I mostly used dirbuster but now I have fully shifted to FFUF and I’m sure after reading this article you too will do the same.

FFUF is an open-source web fuzzing tool made to discover elements and content within web applications. Why is this important? Often when we visit a website, we only see the things which the owner of the site wants us to see. We often miss out on juicy things which can be of great help to us as a penetration tester. For example, imagine getting a /backup directory that contains the backup of all the files of the website. FFUF can be used for uncovering these juicy things in speed.

If you want to read the rest, click the link below!

This Week’s Tutorials & Explainers

Another week with Gartner’s Top Twelve and now we’re focusing on Privacy-Enhancing Computation – a necessity for data management in the near future. Click the link to read the article! 

No news is good news, but we’ve rounded up the big events of the last week to send to you anyway. Check out the Costa Rican crisis and other stories by clicking the link.

Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.

Kubernetes Security

• freach/kubernetes-security-best-practice: This document acts as a best practice guide to Kubernetes security. 
• aquasecurity/kube-hunter: Hunt for security weaknesses in Kubernetes clusters 
• Shopify/kubeaudit: kubeaudit helps you audit your Kubernetes clusters against common security controls 
• controlplaneio/kubesec: Security risk analysis for Kubernetes resources 

Detecting Phishing Attacks

• elceef/dnstwist: Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation 
• duo-labs/phinn: A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network. 
• danielstjules/blankshield: Prevent reverse tabnabbing phishing attacks caused by _blank 
• jimywork/certstreamcatcher: This tool is based on regex with effective standards for detecting phishing sites in real time using certstream and can also detect punycode (IDNA) attacks. 

Vulnerability Management  

• archerysec/archerysec: Centralize Vulnerability Assessment and Management for DevSecOps Team 
• DefectDojo/django-DefectDojo: DefectDojo is an open-source DevSecOps and vulnerability management tool. 
• Secure-Compliance-Solutions-LLC/GVM-Docker: Greenbone Vulnerability Management Docker Image with OpenVAS 
• infobyte/faraday: Collaborative Penetration Test and Vulnerability Management Platform