My name is Joon and I’m a Security Engineer.
- I post security and other random things in this blog from time to time.
My name is Joon and I’m a Security Engineer.
I wrote a nifty Python commandline tool for looking up FQDNs and domains using various OSINT sources. It’s definitely useful to me, but I hope it is too to security researchers, incident responders and the like. Check out the project page here: pirxthepilot/wtfis It’s available in Pypi, so installation is as easy as $ pip install wtfis I wrote this because I wanted a faster way to gather information on a hostname or domain....
Let’s say you’ve deployed a static site on our AWS account using Cloudfront and S3, such as described in Automated Static Site Deployment in AWS Using Terraform. When it comes time to update its content or tweak some settings, using an all-powerful AWS admin account is bad security practice (not to mention overkill). The Terraform Module I wrote the terraform-static-site-deploy-role Terraform module to make it easier to set up a role that grants just the right amount of access to manage a site’s AWS resources....
In a prior post I described how to detection potential Log4shell (CVE-2021-44228) exploitation by looking for patterns in a Java process’ write() or sendto() buffer in LDAP and RMI connections. One limitation of this is that it matches on text in the buffer. The good news is that as of version 0.32.0, Falco now supports matching on raw bytes expressed as hexadecimal strings! This means that we can now match on any pattern in the buffer, not just “human-readable” text....
This article describes one way to detect the PwnKit (CVE-2021-4034), a privilege escalation vulnerability on polkit’s pkexec utility. As with the previous post, we are using Falco for detection and Sysdig for analysis. Resources Qualys report PoC by berdav PoC by ly4k Analysis Premise Based on the Qualys report, this exploit depends on GLib to load the privesc code: To convert messages from one charset to another, iconv_open() executes small shared libraries; normally, these triplets (“from” charset, “to” charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules....
This is a write-up about detecting exploitation of the Log4Shell vulnerability (CVE-2021-44228) in Log4j by monitoring specific syscalls using Falco. This post also describes the analysis I employed to arrive at my conclusions. Note that this is not meant to be an end-all detection for Log4Shell but instead one of many that, as a whole, provide coverage across different points of visibility. UPDATE (2022-06-20): This post outlines an alternative way to detect Log4shell, this time using Falco’s brand new byte matching feature....