Security Issue Found in US Gov CISA Tool?
Key Takeaways
Discovers a security issue in the US Gov CISA Tool using GraphQL
Full Transcript
like I mean I like to over hype it because it's like a US government uh tool right maybe I will clickbait with like uh finding vulnerability in U.S government tool or something like this then of course in the end in the video be actually honest about it so maybe I use it for clickbait [Music] a few days ago I wanted to check out code ql because I was working on a project for a client that was a a node.js application that used Apollo server for a graphql endpoint okay details don't matter now to work on this I obviously needed an example I couldn't use the work example so I went on on GitHub and I just searched for GitHub for projects that use Apollo server and basically use also like an authorized decorator and that's when I found this software by chance which is called red eye it's from the U.S government and it's um a visual Analytics tool for supporting red and blue team operations so you know it was kind of cool that it even like had a security relevance in in that sense so we decided to pull this GitHub repository and then we also like quickly set up a Dev environment to launch it was not that important but was cooled for proof of concept later and then we started to look into code ql and we actually we came up with a query to ask about this and this led actually to a bug so let me show you the the the the query that we wrote We are looking at all decorators used by the program and then we checked is that decorator basically a mutation or a query it basically finds like all these queries so it finds this decorator but then it has to match a second condition and the second condition is so if it's a mutation or a query then get the parent and then get all the children's of that parent or the decorate the children and make sure that none of those children are an authorized decorator I don't know that's maybe a nicer way to write this query like this you know this was literally the first time using Code QR but this is what the query then does it finds all queries then goes to the parent basically looking at all of this and now checking that looking at all the other decorators on that function and make sure it's not authorized because there is a child that is authorized it would not select this query but doing that we actually found um endpoints the progress resolver and the operator resolver that had this uh decorator missing then we tested it out and we figured out we can write this graphql query to query all Global operators without requiring a cookie so after we found this out and we we did an example there that even turns out to be a mutator that we can use so we can even do like changes so using the create Global operator mutation we can even create new Global operators um and that's pretty cool however you know it's not super critical okay like it was even clear in the Stream like I said it it it's kind of nice like it's probably a bug like it's kind of a bug but it's also pretty lame right like every we found this on stream and I reported it in a public uh issue because this is not something critical okay we don't need to exaggerate the severity of this okay this is a lame back okay like it's it's lame it's nothing special um I couldn't maybe you know theoretically you you can come up with a scenario where you are infiltrating a company using that tool and then you can use the API to query all the different like operator names that are using this tool but then again like what are you using it for okay maybe now you have usernames that you can use then in another step for enumeration of brute forcing I don't know it's really a lame vulnerability either way we reported because like you know it was a nice end to the story of using codeql the reason why I want to mention this because we got a response so somebody looked at the issue and so let's look at what what the developers responded to our back report this is awesome thank you for digging into this and writing such a detailed ticket the query's name is a bit confusing on our part the global operators query and mutations are only called on the login page a single password protects the red eye server we saw this like it was really confusing like there was one password and there was a default login username Def and I was thinking okay like At first I got excited and I thought oh crap with this mutation we maybe can add arbitrary users and then we can login into the page like an authentication bypass basically I didn't really understand like what these operator names are even used for like it made already sense that it's not something critical so red eye server uses a single password and they use this endpoint to populate the user field with operators from the campaign as a way to match red eye users with operators using the tool they intended this to be public they decided this to be public because I guess how it's used is there's like one Central password and then they kind of want to have like different operators names attached to it but it's not that important it's just an internal tool used for the internal team and they can automatically this way add operator names to it by maybe some external tool that's maybe spinning up uh this this thing automatically or something like this I don't know first of all they want to get all the operators maybe to show it in the login menu so you can select your username that you want to use and then you supply the password right to actually use the application you still need the password and within that like small team that is using this application uh you know everybody kind of like like it's a trusted environment everybody wants to select like their username that they want to use when they then open this that's kind of like the intention and that's why it was intentionally public now they are saying they add to it we should rename that to Global users instead uh I'm not sure is that not our Global operators Global users whatever I don't know if the name makes a big difference is it just a list of usernames to log in with and pre-populate based on campaign data we could make this make this secure and still be available for populating the login page so you know it's just a little feature of the application to make maybe the login process you know a bit like nicer for the way how this tool is used and now they think about how they maybe can change it a little bit I do feel like personally even now understanding like their context a little bit I feel like put that mutation behind authorization because you know to create operators I feel like there's a default developer Global operator you know why don't put that behind authorization so nobody can like fill up your day database with auto authorization and create you know the users that you need and then listing the global operators keep that public whatever um that's kind of how I probably would address address this but I think this is also a great lesson uh just because you know we were realistic about this not being like something serious or crazy or critical we do not need to like I mean I like to over hype it because it's like a US government uh tool right maybe I will clickbait with like finding vulnerability in U.S government tool or something like this then of course in the end in the video be actually honest about it so maybe I use it for clickbait but you know it's not a serious thing and then also like talking like the developer inside even like with a little bit of vulnerability that I kind of thought it might be now it's kind of even like taken out even a bit more of the severity out of it based on understanding like what it's used for so um yeah I think that that's a good um I feel like there's a good lesson there because on Twitter when people report like bugs to back Bounty programs and they are and the tickets get rejected like I can tell you if this were back in a buck Bounty program uh and somebody else found it they might like start arguing now but yeah no authentication a mutation should never be authentication and they are technically right but then at the same time like it's really not a like a serious bug or something like I don't know what you shouldn't care so much about it but then the money incentives come in and you fight over this and um all that kind of stuff while in reality it's just you know you know chill it's nothing bad so I thought that there um that is like uh like a cool like end kind of to the story or like a small addition to it um they haven't changed they haven't added some code yet they they added it to the milestone for you know the the next release or something I should I comment on it again I I don't know because I don't feel like they necessarily need yeah I don't know whatever it's their decision they are the developers um in the end you know what matters to us is we used it as a great example for code ql right in the end it was not a crazy back but that's how bug hunting or research works you know uh not everything is like crazy bug or something but still a useful example and now we come to kind of like the main purpose um uh what I want to get into next and that is using yearn I want to replicate what we did with code ql using yearn I have not used [Music]
Original Description
Shop (advertisement): https://shop.liveoverflow.com/
While looking for an open source app using ApolloServer with GraphQL, we stumbled over RedEye from CISA. After reporting the issue we got a response from the developers.
The Report: https://github.com/cisagov/RedEye/issues/55
→ Twitch Subscription: https://www.twitch.tv/products/liveoverflow
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
Chapters:
00:00 - Intro
00:23 - Research Question
01:33 - CodeQL Query
02:48 - Proof of Concept
03:17 - Impact of Issue
06:53 - Fix Recommendations
08:15 - Discussing Bug Bounty Culture
09:42 - Outlook Next Video: joern
=[ 📄 Info. ]=
Main Channel: https://youtube.com/LiveOverflowCTF
Twitch: https://twitch.tv/LiveOverflow
=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
=[ 📄 P.S. ]=
#liveoverflow
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveUnderflow · LiveUnderflow · 28 of 42
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
▶
29
30
31
32
33
34
35
36
37
38
39
40
41
42
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #2 (Full Stream)
LiveUnderflow
LiveOverflow's Makeup Tutorial #1
LiveUnderflow
MakeUp Tutorial for Streaming and YouTube
LiveUnderflow
MurmusCTF, SSD CTF Challenge, Google CTF writeups - PwnNews 27/06/19
LiveUnderflow
Google CTF 2019 Chat - Looking at Writeups
LiveUnderflow
Discussing Hacking Videos - Community Guidelines YouTube
LiveUnderflow
Hacking Skills Perspective
LiveUnderflow
Chatting about Cryptography and Exploit Regulations
LiveUnderflow
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #1 (Full Stream)
LiveUnderflow
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #3 (Full Stream)
LiveUnderflow
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #4 (Full Stream)
LiveUnderflow
Studying Cybersecurity in USA vs. Germany | ReHacked
LiveUnderflow
Examining JavaScript Inter-Process Communication in Firefox | Watch Together & Q&A
LiveUnderflow
Reading SECRET U.S. Air Force HACKING Document!!
LiveUnderflow
Why Don't Use alert(1) for XSS? | Watch Together + Q&A
LiveUnderflow
Escaping from JavaScript Sandbox (AngularJS)
LiveUnderflow
Why proofing impact for every XSS is "dumb" - Bug Bounty Reports
LiveUnderflow
Password Cracking Explained | ReHacked
LiveUnderflow
HTTP Desync Attack Explained With Paper
LiveUnderflow
Better than Stack Overflow for Development
LiveUnderflow
Thumbnail A/B Test Experiment for CTR
LiveUnderflow
How To Exploit a Heap Overflow
LiveUnderflow
Log4Shell | Bug Bounty Public Service Announcement #shorts
LiveUnderflow
New Details on Commercial Spyware Vendor Variston - Revisiting Firefox Sandbox Escape
LiveUnderflow
Can AI Hack Websites with XSS? #ChatGPT
LiveUnderflow
ping Vulnerability Patch Analysis (with #ChatGPT) - CVE-2022-23093
LiveUnderflow
Using CodeQL to Investigate GraphQL Resolvers
LiveUnderflow
Security Issue Found in US Gov CISA Tool?
LiveUnderflow
Using joern to Find GraphQL Authorization Issue
LiveUnderflow
Analytics from 7 Years on YouTube...
LiveUnderflow
3D Printer Researching Igus Bearings - Prusa i3 MK3S+ (part 3)
LiveOverflow
Attacking VSCode Extension from Browser? - Live Security Research
LiveOverflow
I Don't Trust Websites! - The Everything API with ChatGPT
LiveOverflow
Do Hackers Need To Know Algorithms and Data Structures?
LiveOverflow
"Remove the video as soon as possible"
LiveOverflow
Arm®-based Video
LiveOverflow
How to make good HACKING videos
LiveOverflow
LEEROY fällt auf HACKER rein?
LiveOverflow
Hacking for an Intelligence Agency
LiveOverflow
Tier List of My Worst Tweets
LiveOverflow
Step by Step Phishing Setup Tutorials are Unethical!
LiveOverflow
Hacker Reacts to 23andme Data Leak
LiveOverflow
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
A lightweight workflow for keeping up with AI conference papers
Dev.to · Daniel
Why CitedEvidence Believes Great Researchers Read Less Than You Think
Medium · AI
How to Write a Literature Review That Actually Argues Something
Medium · Machine Learning
I Built a Personal Paper Engine to Stop Losing Research Papers
Dev.to · Ethan
Chapters (8)
Intro
0:23
Research Question
1:33
CodeQL Query
2:48
Proof of Concept
3:17
Impact of Issue
6:53
Fix Recommendations
8:15
Discussing Bug Bounty Culture
9:42
Outlook Next Video: joern
🎓
Tutor Explanation
DeepCamp AI