Security Issue Found in US Gov CISA Tool?

LiveUnderflow · Advanced ·📄 Research Papers Explained ·3y ago

Key Takeaways

Discovers a security issue in the US Gov CISA Tool using GraphQL

Full Transcript

like I mean I like to over hype it because it's like a US government uh tool right maybe I will clickbait with like uh finding vulnerability in U.S government tool or something like this then of course in the end in the video be actually honest about it so maybe I use it for clickbait [Music] a few days ago I wanted to check out code ql because I was working on a project for a client that was a a node.js application that used Apollo server for a graphql endpoint okay details don't matter now to work on this I obviously needed an example I couldn't use the work example so I went on on GitHub and I just searched for GitHub for projects that use Apollo server and basically use also like an authorized decorator and that's when I found this software by chance which is called red eye it's from the U.S government and it's um a visual Analytics tool for supporting red and blue team operations so you know it was kind of cool that it even like had a security relevance in in that sense so we decided to pull this GitHub repository and then we also like quickly set up a Dev environment to launch it was not that important but was cooled for proof of concept later and then we started to look into code ql and we actually we came up with a query to ask about this and this led actually to a bug so let me show you the the the the query that we wrote We are looking at all decorators used by the program and then we checked is that decorator basically a mutation or a query it basically finds like all these queries so it finds this decorator but then it has to match a second condition and the second condition is so if it's a mutation or a query then get the parent and then get all the children's of that parent or the decorate the children and make sure that none of those children are an authorized decorator I don't know that's maybe a nicer way to write this query like this you know this was literally the first time using Code QR but this is what the query then does it finds all queries then goes to the parent basically looking at all of this and now checking that looking at all the other decorators on that function and make sure it's not authorized because there is a child that is authorized it would not select this query but doing that we actually found um endpoints the progress resolver and the operator resolver that had this uh decorator missing then we tested it out and we figured out we can write this graphql query to query all Global operators without requiring a cookie so after we found this out and we we did an example there that even turns out to be a mutator that we can use so we can even do like changes so using the create Global operator mutation we can even create new Global operators um and that's pretty cool however you know it's not super critical okay like it was even clear in the Stream like I said it it it's kind of nice like it's probably a bug like it's kind of a bug but it's also pretty lame right like every we found this on stream and I reported it in a public uh issue because this is not something critical okay we don't need to exaggerate the severity of this okay this is a lame back okay like it's it's lame it's nothing special um I couldn't maybe you know theoretically you you can come up with a scenario where you are infiltrating a company using that tool and then you can use the API to query all the different like operator names that are using this tool but then again like what are you using it for okay maybe now you have usernames that you can use then in another step for enumeration of brute forcing I don't know it's really a lame vulnerability either way we reported because like you know it was a nice end to the story of using codeql the reason why I want to mention this because we got a response so somebody looked at the issue and so let's look at what what the developers responded to our back report this is awesome thank you for digging into this and writing such a detailed ticket the query's name is a bit confusing on our part the global operators query and mutations are only called on the login page a single password protects the red eye server we saw this like it was really confusing like there was one password and there was a default login username Def and I was thinking okay like At first I got excited and I thought oh crap with this mutation we maybe can add arbitrary users and then we can login into the page like an authentication bypass basically I didn't really understand like what these operator names are even used for like it made already sense that it's not something critical so red eye server uses a single password and they use this endpoint to populate the user field with operators from the campaign as a way to match red eye users with operators using the tool they intended this to be public they decided this to be public because I guess how it's used is there's like one Central password and then they kind of want to have like different operators names attached to it but it's not that important it's just an internal tool used for the internal team and they can automatically this way add operator names to it by maybe some external tool that's maybe spinning up uh this this thing automatically or something like this I don't know first of all they want to get all the operators maybe to show it in the login menu so you can select your username that you want to use and then you supply the password right to actually use the application you still need the password and within that like small team that is using this application uh you know everybody kind of like like it's a trusted environment everybody wants to select like their username that they want to use when they then open this that's kind of like the intention and that's why it was intentionally public now they are saying they add to it we should rename that to Global users instead uh I'm not sure is that not our Global operators Global users whatever I don't know if the name makes a big difference is it just a list of usernames to log in with and pre-populate based on campaign data we could make this make this secure and still be available for populating the login page so you know it's just a little feature of the application to make maybe the login process you know a bit like nicer for the way how this tool is used and now they think about how they maybe can change it a little bit I do feel like personally even now understanding like their context a little bit I feel like put that mutation behind authorization because you know to create operators I feel like there's a default developer Global operator you know why don't put that behind authorization so nobody can like fill up your day database with auto authorization and create you know the users that you need and then listing the global operators keep that public whatever um that's kind of how I probably would address address this but I think this is also a great lesson uh just because you know we were realistic about this not being like something serious or crazy or critical we do not need to like I mean I like to over hype it because it's like a US government uh tool right maybe I will clickbait with like finding vulnerability in U.S government tool or something like this then of course in the end in the video be actually honest about it so maybe I use it for clickbait but you know it's not a serious thing and then also like talking like the developer inside even like with a little bit of vulnerability that I kind of thought it might be now it's kind of even like taken out even a bit more of the severity out of it based on understanding like what it's used for so um yeah I think that that's a good um I feel like there's a good lesson there because on Twitter when people report like bugs to back Bounty programs and they are and the tickets get rejected like I can tell you if this were back in a buck Bounty program uh and somebody else found it they might like start arguing now but yeah no authentication a mutation should never be authentication and they are technically right but then at the same time like it's really not a like a serious bug or something like I don't know what you shouldn't care so much about it but then the money incentives come in and you fight over this and um all that kind of stuff while in reality it's just you know you know chill it's nothing bad so I thought that there um that is like uh like a cool like end kind of to the story or like a small addition to it um they haven't changed they haven't added some code yet they they added it to the milestone for you know the the next release or something I should I comment on it again I I don't know because I don't feel like they necessarily need yeah I don't know whatever it's their decision they are the developers um in the end you know what matters to us is we used it as a great example for code ql right in the end it was not a crazy back but that's how bug hunting or research works you know uh not everything is like crazy bug or something but still a useful example and now we come to kind of like the main purpose um uh what I want to get into next and that is using yearn I want to replicate what we did with code ql using yearn I have not used [Music]

Original Description

Shop (advertisement): https://shop.liveoverflow.com/ While looking for an open source app using ApolloServer with GraphQL, we stumbled over RedEye from CISA. After reporting the issue we got a response from the developers. The Report: https://github.com/cisagov/RedEye/issues/55 → Twitch Subscription: https://www.twitch.tv/products/liveoverflow → per Video: https://www.patreon.com/join/liveoverflow → per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join Chapters: 00:00 - Intro 00:23 - Research Question 01:33 - CodeQL Query 02:48 - Proof of Concept 03:17 - Impact of Issue 06:53 - Fix Recommendations 08:15 - Discussing Bug Bounty Culture 09:42 - Outlook Next Video: joern =[ 📄 Info. ]= Main Channel: https://youtube.com/LiveOverflowCTF Twitch: https://twitch.tv/LiveOverflow =[ 🐕 Social ]= → Twitter: https://twitter.com/LiveOverflow/ → Website: https://liveoverflow.com/ → Subreddit: https://www.reddit.com/r/LiveOverflow/ → Facebook: https://www.facebook.com/LiveOverflow/ =[ 📄 P.S. ]= #liveoverflow
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from LiveUnderflow · LiveUnderflow · 28 of 42

1 BUILDING AN 8-BIT COMPUTER FROM SCRATCH #2 (Full Stream)
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #2 (Full Stream)
LiveUnderflow
2 LiveOverflow's Makeup Tutorial #1
LiveOverflow's Makeup Tutorial #1
LiveUnderflow
3 MakeUp Tutorial for Streaming and YouTube
MakeUp Tutorial for Streaming and YouTube
LiveUnderflow
4 MurmusCTF, SSD CTF Challenge, Google CTF writeups - PwnNews 27/06/19
MurmusCTF, SSD CTF Challenge, Google CTF writeups - PwnNews 27/06/19
LiveUnderflow
5 Google CTF 2019 Chat - Looking at Writeups
Google CTF 2019 Chat - Looking at Writeups
LiveUnderflow
6 Discussing Hacking Videos - Community Guidelines YouTube
Discussing Hacking Videos - Community Guidelines YouTube
LiveUnderflow
7 Hacking Skills Perspective
Hacking Skills Perspective
LiveUnderflow
8 Chatting about Cryptography and Exploit Regulations
Chatting about Cryptography and Exploit Regulations
LiveUnderflow
9 BUILDING AN 8-BIT COMPUTER FROM SCRATCH #1 (Full Stream)
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #1 (Full Stream)
LiveUnderflow
10 BUILDING AN 8-BIT COMPUTER FROM SCRATCH #3 (Full Stream)
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #3 (Full Stream)
LiveUnderflow
11 BUILDING AN 8-BIT COMPUTER FROM SCRATCH #4 (Full Stream)
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #4 (Full Stream)
LiveUnderflow
12 Studying Cybersecurity in USA vs. Germany | ReHacked
Studying Cybersecurity in USA vs. Germany | ReHacked
LiveUnderflow
13 Examining JavaScript Inter-Process Communication in Firefox | Watch Together & Q&A
Examining JavaScript Inter-Process Communication in Firefox | Watch Together & Q&A
LiveUnderflow
14 Reading SECRET U.S. Air Force HACKING Document!!
Reading SECRET U.S. Air Force HACKING Document!!
LiveUnderflow
15 Why Don't Use alert(1) for XSS? | Watch Together + Q&A
Why Don't Use alert(1) for XSS? | Watch Together + Q&A
LiveUnderflow
16 Escaping from JavaScript Sandbox (AngularJS)
Escaping from JavaScript Sandbox (AngularJS)
LiveUnderflow
17 Why proofing impact for every XSS is "dumb" - Bug Bounty Reports
Why proofing impact for every XSS is "dumb" - Bug Bounty Reports
LiveUnderflow
18 Password Cracking Explained | ReHacked
Password Cracking Explained | ReHacked
LiveUnderflow
19 HTTP Desync Attack Explained With Paper
HTTP Desync Attack Explained With Paper
LiveUnderflow
20 Better than Stack Overflow for Development
Better than Stack Overflow for Development
LiveUnderflow
21 Thumbnail A/B Test Experiment for CTR
Thumbnail A/B Test Experiment for CTR
LiveUnderflow
22 How To Exploit a Heap Overflow
How To Exploit a Heap Overflow
LiveUnderflow
23 Log4Shell | Bug Bounty Public Service Announcement #shorts
Log4Shell | Bug Bounty Public Service Announcement #shorts
LiveUnderflow
24 New Details on Commercial Spyware Vendor Variston - Revisiting Firefox Sandbox Escape
New Details on Commercial Spyware Vendor Variston - Revisiting Firefox Sandbox Escape
LiveUnderflow
25 Can AI Hack Websites with XSS? #ChatGPT
Can AI Hack Websites with XSS? #ChatGPT
LiveUnderflow
26 ping Vulnerability Patch Analysis (with #ChatGPT) - CVE-2022-23093
ping Vulnerability Patch Analysis (with #ChatGPT) - CVE-2022-23093
LiveUnderflow
27 Using CodeQL to Investigate GraphQL Resolvers
Using CodeQL to Investigate GraphQL Resolvers
LiveUnderflow
Security Issue Found in US Gov CISA Tool?
Security Issue Found in US Gov CISA Tool?
LiveUnderflow
29 Using joern to Find GraphQL Authorization Issue
Using joern to Find GraphQL Authorization Issue
LiveUnderflow
30 Analytics from 7 Years on YouTube...
Analytics from 7 Years on YouTube...
LiveUnderflow
31 3D Printer Researching Igus Bearings - Prusa i3 MK3S+ (part 3)
3D Printer Researching Igus Bearings - Prusa i3 MK3S+ (part 3)
LiveOverflow
32 Attacking VSCode Extension from Browser? - Live Security Research
Attacking VSCode Extension from Browser? - Live Security Research
LiveOverflow
33 I Don't Trust Websites! - The Everything API with ChatGPT
I Don't Trust Websites! - The Everything API with ChatGPT
LiveOverflow
34 Do Hackers Need To Know Algorithms and Data Structures?
Do Hackers Need To Know Algorithms and Data Structures?
LiveOverflow
35 "Remove the video as soon as possible"
"Remove the video as soon as possible"
LiveOverflow
36 Arm®-based Video
Arm®-based Video
LiveOverflow
37 How to make good HACKING videos
How to make good HACKING videos
LiveOverflow
38 LEEROY fällt auf HACKER rein?
LEEROY fällt auf HACKER rein?
LiveOverflow
39 Hacking for an Intelligence Agency
Hacking for an Intelligence Agency
LiveOverflow
40 Tier List of My Worst Tweets
Tier List of My Worst Tweets
LiveOverflow
41 Step by Step Phishing Setup Tutorials are Unethical!
Step by Step Phishing Setup Tutorials are Unethical!
LiveOverflow
42 Hacker Reacts to 23andme Data Leak
Hacker Reacts to 23andme Data Leak
LiveOverflow

Related Reads

Chapters (8)

Intro
0:23 Research Question
1:33 CodeQL Query
2:48 Proof of Concept
3:17 Impact of Issue
6:53 Fix Recommendations
8:15 Discussing Bug Bounty Culture
9:42 Outlook Next Video: joern
Up next
Thunderbit Review: AI Web Scraping in Just 2 Clicks 🔥
DroidCrunch
Watch →