1. InfoconDB
  2. DEF CON
  3. DEF CON 32 (2024)
  4. Exploiting the Unexploitable: Insights from the Kibana Bug Bounty

Exploiting the Unexploitable: Insights from the Kibana Bug Bounty

Presented at DEF CON 32 (2024), Aug. 10, 2024, 3 p.m. (45 minutes).

aWe explore case studies of exploiting vulnerabilities in modern JavaScript and TypeScript applications, drawing on experiences from participating in the Kibana Bug Bounty Program. It's not uncommon to encounter a vulnerability that appears unexploitable at first glance, or to be told by a triage team that the behavior is "by design." So, what options does a security researcher have in such situations? And what primitives can be utilized to construct an exploitation chain with significant impact? Our study involves breaking out of properly isolated containers in scenarios where there is RCE-by-design. We will examine several Prototype Pollutions that crash an application in less than one second after exploitation and explore how these vulnerabilities can ultimately lead to critical RCEs. Furthermore, we introduce new primitives and gadgets that enable the achievement of RCE from Prototype Pollutions previously deemed unexploitable beyond DoS attacks. By highlighting these methods, the talk aims to equip attendees with advanced techniques for exploiting complex vulnerability chains in JavaScript applications, as well as recommendations for proper defense and mitigations against them. 1. Mikhail Shcherbakov, Musard Balliu and Cristian-Alexandru Staicu "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js" 2. "Collection of Server-Side Prototype Pollution gadgets" [link](https://github.com/KTH-LangSec/server-side-prototype-pollution) 3. Olivier Arteau "JavaScript prototype pollution attack in NodeJS" 4. Nir Chako "Attacking Kubernetes Clusters Through Your Network Plumbing" [link](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1)

Presenters:

  • Mikhail Shcherbakov
    Mikhail Shcherbakov came to security from enterprise app development. The tendency is to push it as far as you can… He is now doing a Ph.D. in Language-Based Security after 10+ years of experience in the industry. He participated in Microsoft, GitHub, and open-source bug bounty programs, found vulnerabilities in popular products, and helped to fix them. Before starting a Ph.D. program, he focused on .NET and web security, gave talks at conferences, organized IT meetups, and got the Microsoft MVP Award in 2016 – 2018. Mikhail is an author of commercial static analysis tools and continues research in program analysis.

Similar Presentations: