Infosec on $ pirx^H^H^H^H https://pirx.io/categories/infosec/ Recent content in Infosec on $ pirx^H^H^H^H $ pirx^H^H^H^H https://pirx.io/papermod-cover.png https://pirx.io/papermod-cover.png Hugo -- 0.139.2 en Sat, 13 Aug 2022 00:00:00 +0000 wtfis: Passive FQDN and Domain Lookup Tool https://pirx.io/posts/2022-08-13-wtfis-passive-fqdn-and-domain-lookup-tool/ Sat, 13 Aug 2022 00:00:00 +0000 https://pirx.io/posts/2022-08-13-wtfis-passive-fqdn-and-domain-lookup-tool/ <p>I wrote a nifty Python commandline tool for looking up FQDNs and domains using various OSINT sources. It&rsquo;s definitely useful to me, but I hope it is too to security researchers, incident responders and the like. Check out the project page here:</p> <blockquote> <p><strong><a href="https://github.com/pirxthepilot/wtfis">pirxthepilot/wtfis</a></strong></p> </blockquote> <p>It&rsquo;s available in <a href="https://pypi.org/project/wtfis/">Pypi</a>, so installation is as easy as</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">$ pip install wtfis </span></span></code></pre></div><p>I wrote this because I wanted a faster way to gather information on a hostname or domain. Most of the time, it is the same set of data that I look for, but spread out across different websites.</p> Update to Log4shell Detection With Falco https://pirx.io/posts/2022-06-20-update-to-log4shell-detection-with-falco/ Mon, 20 Jun 2022 00:00:00 +0000 https://pirx.io/posts/2022-06-20-update-to-log4shell-detection-with-falco/ <p>In a <a href="https://pirx.io/posts/2022-05-20-syscall-based-detection-of-log4shell-cve-2021-44228-on-linux/">prior post</a> I described how to detection potential Log4shell (<a href="https://www.lunasec.io/docs/blog/log4j-zero-day/">CVE-2021-44228</a>) exploitation by looking for patterns in a Java process&rsquo; <code>write()</code> or <code>sendto()</code> buffer in LDAP and RMI connections. One limitation of this is that it matches on text in the buffer.</p> <p>The good news is that as of version <a href="https://github.com/falcosecurity/falco/releases/tag/0.32.0">0.32.0</a>, Falco now supports matching on raw bytes expressed as hexadecimal strings! This means that we can now match on any pattern in the buffer, not just &ldquo;human-readable&rdquo; text.</p> PwnKit Privilege Escalation Detection https://pirx.io/posts/2022-06-07-pwnkit-privilege-escalation-detection/ Tue, 07 Jun 2022 00:00:00 +0000 https://pirx.io/posts/2022-06-07-pwnkit-privilege-escalation-detection/ <p>This article describes one way to detect the <strong>PwnKit</strong> (<a href="https://www.cve.org/CVERecord?id=CVE-2021-4034">CVE-2021-4034</a>), a privilege escalation vulnerability on polkit&rsquo;s <code>pkexec</code> utility.</p> <p>As with the <a href="https://pirx.io/posts/2022-05-20-syscall-based-detection-of-log4shell-cve-2021-44228-on-linux/">previous post</a>, we are using <a href="https://github.com/falcosecurity/falco">Falco</a> for detection and <a href="https://github.com/draios/sysdig">Sysdig</a> for analysis.</p> <h2 id="resources">Resources</h2> <ul> <li><a href="https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt">Qualys report</a></li> <li><a href="https://github.com/berdav/CVE-2021-4034">PoC by berdav</a></li> <li><a href="https://github.com/ly4k/PwnKit">PoC by ly4k</a></li> </ul> <h2 id="analysis">Analysis</h2> <h3 id="premise">Premise</h3> <p>Based on the Qualys report, this exploit depends on GLib to load the privesc code:</p> <blockquote> <p>To convert messages from one charset to another, <code>iconv_open()</code> executes small shared libraries; normally, these triplets (&ldquo;from&rdquo; charset, &ldquo;to&rdquo; charset, and library name) are read from a default configuration file, <code>/usr/lib/gconv/gconv-modules</code>. Alternatively, the environment variable <code>GCONV_PATH</code> can force <code>iconv_open()</code> to read another configuration file; naturally, <code>GCONV_PATH</code> is one of the &ldquo;unsecure&rdquo; environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by <code>ld.so</code> from the environment of SUID programs.</p> Syscall-Based Log4Shell Detection on Linux https://pirx.io/posts/2022-05-20-syscall-based-detection-of-log4shell-cve-2021-44228-on-linux/ Fri, 20 May 2022 00:00:00 +0000 https://pirx.io/posts/2022-05-20-syscall-based-detection-of-log4shell-cve-2021-44228-on-linux/ <p>This is a write-up about detecting exploitation of the <strong>Log4Shell</strong> vulnerability (<a href="https://www.lunasec.io/docs/blog/log4j-zero-day/">CVE-2021-44228</a>) in <a href="https://logging.apache.org/log4j/2.x/">Log4j</a> by monitoring specific syscalls using <a href="https://github.com/falcosecurity/falco">Falco</a>. This post also describes the analysis I employed to arrive at my conclusions.</p> <p>Note that this is not meant to be an end-all detection for Log4Shell but instead one of many that, as a whole, provide coverage across different points of visibility.</p> <p><em><strong>UPDATE (2022-06-20): <a href="https://pirx.io/posts/2022-06-20-update-to-log4shell-detection-with-falco/">This post</a> outlines an alternative way to detect Log4shell, this time using Falco&rsquo;s brand new byte matching feature.</strong></em></p>