Finding 0day in Apache APISIX During CTF (CVE-2022-24112)

LiveOverflow · Beginner ·🔐 Cybersecurity ·4y ago
In this video we perform a code audit of Api6 and discover a default configuration that can be escalated to remote code execution. CVE-2022-24112: https://seclists.org/oss-sec/2022/q1/133 GitLab: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/ Challenge files: https://github.com/chaitin/Real-World-CTF-4th-Challenge-Attachments/tree/master/API6 Chapters: 00:00 - Intro 01:09 - Initial Application Overview 02:15 - Discussing Approaches 03:56 - Reading Documentation 04:57 - Initial Attack Idea 06:15 - Identifying Attack Surface 08:46 - Discovering Batch Request…
Watch on YouTube ↗ (saves to browser)

Chapters (11)

Intro
1:09 Initial Application Overview
2:15 Discussing Approaches
3:56 Reading Documentation
4:57 Initial Attack Idea
6:15 Identifying Attack Surface
8:46 Discovering Batch Requests
9:18 Bypassing X-Real-IP Header
10:15 Testing the Exploit
11:11 Reporting the Issue
12:16 Outro

Playlist

Uploads from LiveOverflow · LiveOverflow · 0 of 60

← Previous Next →
1 LiveOverflow - Trailer
LiveOverflow - Trailer
LiveOverflow
 2 LiveOverflow Channel Introduction and Backstory - bin 0x00
LiveOverflow Channel Introduction and Backstory - bin 0x00
LiveOverflow
 3 Introduction to Linux - Installation and the Terminal - bin 0x01
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
 4 Writing a simple Program in C
Writing a simple Program in C
LiveOverflow
 5 Writing a simple Program in Python - bin 0x03
Writing a simple Program in Python - bin 0x03
LiveOverflow
 6 Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
 7 How a CPU works and Introduction to Assembler - bin 0x04
How a CPU works and Introduction to Assembler - bin 0x04
LiveOverflow
 8 Reversing and Cracking first simple Program - bin 0x05
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
 9 Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
 10 ROP with a very small stack - 32C3CTF teufel (pwnable 200)
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
 11 Simple Tools and Techniques for Reversing a binary - bin 0x06
Simple Tools and Techniques for Reversing a binary - bin 0x06
LiveOverflow
 12 Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
 13 Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
 14 Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
 15 The deal with numbers: hexadecimal, binary and decimals - bin 0x0A
The deal with numbers: hexadecimal, binary and decimals - bin 0x0A
LiveOverflow
 16 Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
 17 Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
 18 First Stack Buffer Overflow to modify Variable - bin 0x0C
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
 19 First Exploit! Buffer Overflow with Shellcode - bin 0x0E
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
 20 Buffer Overflows can Redirect Program Execution - bin 0x0D
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
 21 Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
 22 Reverse engineering C programs (64bit vs 32bit) - bin 0x10
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
 23 pwnable.kr - Levels: fd, collision, bof, flag
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
 24 Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
 25 Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
 26 Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
 27 Live Hacking - Internetwache CTF 2016 - web50, web60, web80
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
 28 Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
 29 A simple Format String exploit example - bin 0x11
A simple Format String exploit example - bin 0x11
LiveOverflow
 30 Global Offset Table (GOT) and Procedure Linkage Table (PLT) - bin 0x12
Global Offset Table (GOT) and Procedure Linkage Table (PLT) - bin 0x12
LiveOverflow
 31 NEW VIDEOS ARE COMING - loopback 0x00
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
 32 Format String Exploit and overwrite the Global Offset Table - bin 0x13
Format String Exploit and overwrite the Global Offset Table - bin 0x13
LiveOverflow
 33 HTML + CSS + JavaScript introduction - web 0x00
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
 34 The HTTP Protocol: GET /test.html - web 0x01
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
 35 Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
 36 What is PHP and why is XSS so common there? - web 0x02
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
 37 Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
 38 Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
 39 Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
 40 XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
 41 Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
 42 New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
 43 CSRF Introduction and what is the Same-Origin Policy? - web 0x04
CSRF Introduction and what is the Same-Origin Policy? - web 0x04
LiveOverflow
 44 The Heap: what does malloc() do? - bin 0x14
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
 45 The Heap: How to exploit a Heap Overflow - bin 0x15
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
 46 Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
 47 Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
 48 Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
 49 Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
 50 Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
 51 Explaining Dirty COW local root exploit - CVE-2016-5195
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
 52 What is CTF? An introduction to security Capture The Flag competitions
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
 53 The Heap: How do use-after-free exploits work? - bin 0x16
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
 54 The Browser is a very Confused Deputy - web 0x05
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
 55 The Heap: Once upon a free() - bin 0x17
The Heap: Once upon a free() - bin 0x17
LiveOverflow
 56 Simple reversing challenge and gaming the system - BruCON CTF part 1
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
 57 int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
 58 The Heap: dlmalloc unlink() exploit - bin 0x18
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
 59 Making-of LiveOverflow videos
Making-of LiveOverflow videos
LiveOverflow
 60 MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
the WORST hack of 2026
Next Up
the WORST hack of 2026
NetworkChuck