
S01-E08-FR | CodeQL PoC on Jolokia/Java & pd-simpleserver/golang with @hugow_vincent part 2/3
Content
0 -> It's interesting, and we can still try to take the underlying code and look a little bit; for example, we could try to find the JNDI of the OPAC, there is a code that is quite minimalist.
22 -> In the exploits, we have a part, there is one that was quite well known to be exploited before the others, it is the OPAC JNDI, it is a partial file, an XML file that can do JNDI.
41 -> It's annoying, it's very annoying to catch.
47 -> Otherwise, there is the Tomcat JNDI MBeanFactory, right?
52 -> Yes, we have the source code of Tomcat, we can go and get it, and that's in an MBean too.
61 -> Otherwise, there is the JVMTI agent load, which can be quite straightforward.
78 -> No, not at all, for me it was not at all the one I was talking about.
82 -> I was thinking of the JFR for Java Flight Recorder, but in fact it is so reminiscent of low-level things in Java that are nested 15,000 times.
105 -> Although it is MBeanFactory in Catalina.
109 -> Yes, the JFR was a little heavier to look for.
123 -> It's not the right target for that.
126 -> After the JNDI Logback, there is a place where it will say parse this XML file remotely.
137 -> Here you see what we give, we give a URL.
140 -> So in itself, we can catch K.O. Logback and just try to trace all the calls that lead to reloadByURL.
150 -> And maybe we'll find others.
157 -> Let's hope that K.O. Logback compiles well.
160 -> Is there a version where the vuln doesn't work anymore?
166 -> Normally yes, it has clearly been patched.
170 -> I'll find that.
181 -> I'll find that again.
182 -> I'll find that.
197 -> It relies on Spring, but it doesn't give the Logback version.
202 -> Cool.
208 -> Logback xxe CVE
212 -> Logback xxe CVE
228 -> They obviously put a comm after Log4Shell.
231 -> It was necessary.
243 -> Logback xxe CVE
253 -> For the RCE on Logback, it speaks on the Snyk side up to 1.1.11, which goes back to versions from 2017.
267 -> And this one, logback, logback-core.
271 -> No, RCE.
277 -> Infernal doesn't give which CVE.
286 -> Viewers want to search with us.
291 -> I think that's it, it still speaks of a 2017 CVE.
297 -> Logback xxe CVE
305 -> Payload...
308 -> It's going to be even worse than the one before.
313 -> Logback xxe CVE
326 -> What the hell?
328 -> They do something where they just connect to a hostname port.
333 -> They send the payload and BAM, it becomes RCE.
335 -> It's almost like T3 at this level.
340 -> So it's not exactly the one we're looking for.
344 -> We'll get there.
349 -> URL.
356 -> Logback xxe CVE
368 -> From Spring Boot to Jolokia 1.6.0, OK.
371 -> But it doesn't depend on Jolokia, but on Logback.
380 -> It depends on Logback xxe CVE, JMXConfigurator, reloadByURL.
384 -> I think the reloadByURL will still be present in Logback.
389 -> Maybe the rest has been patched, but it's still a feature we'll need.
394 -> Yeah, we're going to do a quick save.
397 -> This is where we put back something that was dead for a while.
401 -> People thought it was dead.
403 -> Classic Logback.
405 -> reloadByURL.
407 -> Ah.
412 -> Yeah, I don't have it either.
414 -> Yeah, but we know the GitHub search features.
419 -> Oh yeah?
420 -> I thought that was it.
422 -> No, it's an infernal.
423 -> Searches by keywords in GitHub.
428 -> It's just horrible.
437 -> OK.
441 -> So no, indeed, it seems to be clearly removed.
443 -> But you see, it should only appear in a commit.
445 -> So maybe it's...
447 -> Logback calls libraries that use this, but it's not present in the base.
456 -> It's infernal.
457 -> You have vulns, you don't even know where they are present.
461 -> Ouch.
467 -> OK.
478 -> Otherwise, you didn't tell me you had a little project with the possibility of relaunching queries on it.
485 -> If so, it can be nice, I think, to launch them in asynchronous,
488 -> start looking a little bit at what can come out.
491 -> And take advantage of the fact that I'm brushing up on source codes to...
496 -> So now you're launching queries on Jolokia, but it's very slow.
502 -> Because they have to build all the queries, it's going to take time.
506 -> Otherwise, we can keep the same...
511 -> The same method, but on the JNDI injection in the Tomcat.
516 -> Do you think it's being done?
519 -> It's not going to be too much of a hassle.
522 -> I have the DB, and when you look at the code on your Git repo,
527 -> there's a call to createJNDIRealm, and then connection URL, and there's an RMI.
533 -> OK, it'll probably be nicer to do.
538 -> I'll try to do it too.
540 -> What are you doing?
542 -> If I had to follow...
543 -> You can launch the queries, but if I wanted to do the process,
546 -> it's going to get the source code from Tomcat.
550 -> Yeah.
553 -> And then try to load the CodeQL.
556 -> Yeah.
557 -> Is there a particular version, or do you just pick it up?
560 -> I don't think so.
562 -> I think the vuln...
563 -> It's not really a vuln, but it's just the exposure of the method.
568 -> I don't know if it's been patched in any particular way.
571 -> OK.
572 -> Wow, they have so many version tags too.
577 -> Let's have a look.
583 -> No, I don't want to scan this.
593 -> Keep.
594 -> Keep.
597 -> OK.
598 -> OK.
602 -> .zip
604 -> Tomcat
607 -> Let's get rid of what we already had here.
612 -> OK.
614 -> So you said we were looking for something JNDI?
617 -> JNDI
622 -> So I took the .py you have on your Git repo.
631 -> And so we said Tomcat...
644 -> Which .py?
645 -> Ah, MBeanFactory.
646 -> OK.
648 -> Tomcat
650 -> Tomcat
651 -> Tomcat, createJNDIRealm
652 -> This one instead?
657 -> Let's go to the future.
662 -> OK, we have the public string createJNDIRealm
665 -> And so now we need to know how we can reach it.
668 -> Yeah.
669 -> I think it's going to be nice again because we have descriptors of MBeans in JMX, but I'm
680 -> absolutely not sure that it is understood by the current part.
684.48 -> I don't think so.
685.48 -> You don't think so?
686.48 -> I was so lost Hugo.
687.48 -> Goodbye.
688.48 -> We'll have to take a general sample of Java Project because clearly it's ...
702.32 -> Do you think it can be done with the AST?
706.32 -> What do you want to do?
709.32 -> It's terrible, as soon as you compile from CodeQL, it doesn't work at all.
715.76 -> I was saying, I think the XML part won't be managed by CodeQL, I would be very pleasantly
724.24 -> surprised if that were the case.
725.76 -> So I think it's a bit of a chaos in advance for this flaw.
729.24 -> We can launch it on Tomcat and see what it comes out of it, but I think we'd rather
733.36 -> take an old, broken software and see what it looks like.
736.96 -> Lightweight and modular web console for managing Java applications, that could be nice, but
760.96 -> I feel like it's still going to be hell.
762.44 -> And didn't you just launch a basic JDK, already pre-parsed?
782.44 -> Yes, I have a compiled JDK 11.
787.44 -> Do you have any rules that have already been launched, already run a little bit on it to see what we can do with it?
795.44 -> No, I haven't launched the basic rules yet, but it's still going to take a long time to launch the queries.
802.44 -> Since it's a big codebase, it's going to be quite long.
808.44 -> Otherwise, we can just find a guide that contains a basic SpringBoot thing.
813.44 -> We put a vuln and see if we can find it at this point.
830.44 -> The hell of Java, I complain so much about Java devs.
838.44 -> You see, there is a lab log4shell, at any time, we can also drop this.
855.44 -> It can be nice, since you pass it on the header, we can try to see how we can reach the log function from the headers.
880.44 -> It's sad.
888.44 -> SpringHack RCE Vulnerable Application.
891.44 -> Yes, I want that.
893.44 -> Build Vulnerable App, ok, cool.
905.44 -> It's crazy the number of people who have done things just for Log4j.
907.44 -> There were bugs in Log4j, people.
931.44 -> I'm going to start doing sample queries in there, just to see what it looks like.
937.44 -> Ok, I'm looking at sample 4.
947.44 -> So, we have that, we have a Dockerfile.
953.44 -> How do they say what to launch?
955.44 -> docker build, Spring4Shell.
958.44 -> Dockerfile, ADD src.
974.44 -> With just the src in Java, do you think it can be queried easily in CodeQL?
980.44 -> I don't understand.
982.44 -> The fact that it just loaded a git, I don't realize how boring the compile can be.
988.44 -> Because the compile is done with a bit of Maven.
991.44 -> Yes, in my opinion, a clean package will do it.
996.44 -> If you try to create the database directly, it will do pretty well.
1010.44 -> I say, I'll make a folder and I'll give it the sources, that's it.
1013.44 -> Yes, you can give me the command if you want.
1016.44 -> I would like to, yes.
1017.44 -> Does not contain a dataset yet.
1019.44 -> What?
1021.44 -> Where can I send this?
1026.44 -> Because I have the extension, but I haven't done the part at all.
1030.44 -> Yes.
1038.44 -> The part is in the station.
1040.44 -> Yes.
1042.44 -> In theory, I can have it ultra fast.
1047.44 -> asdf.
1049.44 -> Plugin.
1050.44 -> List.
1051.44 -> All.
1052.44 -> QL.
1055.44 -> Yes.
1062.44 -> CodeQL compilation via asdf.
1064.44 -> If you don't know, asdf.
1066.44 -> It's incredible.
1068.44 -> The possibility of having literally all the binaries at hand.
1071.44 -> Functional.
1072.44 -> When you need it.
1073.44 -> It's in FIA.
1082.44 -> Yes.
1083.44 -> I'm installing it.
1084.44 -> OK.
1085.44 -> It's there.
1086.44 -> asdf.
1087.44 -> Regime.
1098.44 -> Can I ask for the binary?
1099.44 -> Your CodeQL?
1104.44 -> CodeQL.
1105.44 -> Ah.
1112.44 -> I didn't do it.
1113.44 -> I have codeql.
1114.44 -> query.
1115.44 -> bqrs.
1116.44 -> Database.
1117.44 -> Dataset.
1118.44 -> Test.
1119.44 -> Resolve.
1120.44 -> Execute.
1121.44 -> How do you build with that?
1122.44 -> You have the command on the chat.
1124.44 -> Ninja.
1125.44 -> We have a chat.
1126.44 -> Ninja.
1127.44 -> Wow.
1128.44 -> I'm going to use it.
1130.44 -> OK.
1134.44 -> codeql database create.
1136.44 -> The first one is the path.
1138.44 -> I assume.
1140.44 -> It's the path where you're going to save your DB.
1144.44 -> OK.
1145.44 -> It's going to be my...
1148.44 -> Go ahead.
1149.44 -> My vuln.
1150.44 -> DB.
1151.44 -> Cool.
1152.44 -> Maybe a .slash.
1153.44 -> Java language.
1154.44 -> Source.
1158.44 -> It's the path to your .xml.
1161.44 -> It's going to be hello world.
1164.44 -> SRC.
1170.44 -> CodeQL.
1171.44 -> Wait.
1178.44 -> OK.
1183.44 -> OK.
1187.44 -> Something.
1188.44 -> L.
1189.44 -> OK.
1192.44 -> I'm going to do a little thing anyway.
1193.44 -> To not have to move Terminal 15 times.
1196.44 -> We're going to close that.
1197.44 -> We're going to close that.
1199.44 -> Let it go to the right place.
1201.44 -> We redo a tmux.
1203.44 -> We're good.
1204.44 -> We re-say a little docker build.
1206.44 -> Which runs.
1207.44 -> And we re-said.
1208.44 -> codeql.
1210.44 -> Something.
1213.44 -> My vuln.
1214.44 -> And there, we're going to have auto-completion.
1215.44 -> Maybe.
1216.44 -> Yeah.
1217.44 -> Incredible.
1218.44 -> On the right.
1219.44 -> OK.
1220.44 -> It computes.
1221.44 -> And it dies.
1222.44 -> Yay.
1226.44 -> OK.
1229.44 -> Wait for me.
1230.44 -> It's in the Docker.
1233.44 -> In the Docker, what does it say?
1234.44 -> ADD src to hello.
1235.44 -> Hello world.
1236.44 -> ADD pom.
1237.44 -> Ah, because the POM.
1238.44 -> So if I mv the POM.
1240.44 -> Ah yes.
1242.44 -> Wait.
1247.44 -> The POM is not in the SRC.
1248.44 -> If you don't have the POM.
1249.44 -> It's going to work less well.
1250.44 -> But I don't know.
1251.44 -> He's afraid I'm going to kill him.
1252.44 -> I think what he wants.
1253.44 -> Is that we do something like.
1256.44 -> For this point.
1258.44 -> Because we have the POM that is here.
1260.44 -> We have the SRC that is in SRC.
1262.44 -> For me, it's going to work.
1264.44 -> It's better.
1265.44 -> It's better.
1267.44 -> We have fatal error.
1268.44 -> mvn package.
1269.44 -> POM.
1270.44 -> Error executing.
1271.44 -> Clean.
1272.44 -> POM.
1273.44 -> It's a shame.
1274.44 -> Why?
1276.44 -> What is the Java version?
1279.44 -> asdf.
1281.44 -> Java.
1282.44 -> No.
1284.44 -> The version.
1285.44 -> In real life.
1287.44 -> Yes.
1290.44 -> Ah yes.
1291.44 -> It's the project.
1292.44 -> It compiles in Java 18.
1294.44 -> I looked.
1295.44 -> He was in Java.
1296.44 -> What?
1297.44 -> Lunasec.
1298.44 -> JDK 11.
1299.44 -> So.
1300.44 -> So.
1302.44 -> JDK 11.
1303.44 -> I think it's clearly not Java 18.
1305.44 -> You can try mvn clean package.
1306.44 -> See what he says.
1309.44 -> Yes.
1310.44 -> I have Maven.
1311.44 -> If there is no Maven.
1312.44 -> Maybe that's why it doesn't work.
1313.44 -> Yes.
1314.44 -> There is a way.
1318.44 -> Java.
1319.44 -> mvnd.
1321.44 -> Yes.
1326.44 -> It's good.
1327.44 -> Yes.
1328.44 -> It's good.
1329.44 -> mvnd.
1330.44 -> Yes.
1331.44 -> So.
1332.44 -> Here we go again.
1336.44 -> It was fast.
1342.44 -> It's good.
1343.44 -> We rehash.
1344.44 -> And mvnd.
1345.44 -> We have mvnd.
1346.44 -> Incredible.
1348.44 -> OK.
1349.44 -> So there you said a little mvnd clean.
1351.44 -> We try mvnd clean.
1352.44 -> C.
1353.44 -> C.
1354.44 -> C.
1355.44 -> C.
1356.44 -> C.
1357.44 -> It's a win.
1358.44 -> mvnd.
1359.44 -> We launch.
1360.44 -> Package.
1363.44 -> Package.
1364.44 -> Yes.
1365.44 -> He's going to do everything.
1366.44 -> Yes.
1367.44 -> It's not like a package clean.
1368.44 -> It's Maven which will run clean.
1369.44 -> And then package.
1370.44 -> Roughly.
1373.44 -> Yes.
1375.44 -> It's funny that it's cumulative.
1376.44 -> And not parametric.
1379.44 -> Why not?
1381.44 -> Why not?
1382.44 -> Why not?
1385.44 -> Very good.
1387.44 -> And so there you said.
1388.44 -> We relaunch the magic command in CodeQL.
1390.44 -> Database.
1391.44 -> Create.
1392.44 -> The right.
1393.44 -> We believe in it, we believe in it, we believe in it, it still looks like it's going to be better.
1406.44 -> So there he managed to create your base.
1408.44 -> It's clearly better.
1414.44 -> If you import it into VS Code, you will be able to launch it.
1417.44 -> CodeQL from an archive?
1419.44 -> Yes.
1421.44 -> Folder.
1423.44 -> Folder, indeed.
1425.44 -> Yes.
1427.44 -> Folder, myvulnb.
1429.44 -> Well, I think the S...
1431.44 -> Yeah, I don't know.
1433.44 -> So.
1435.44 -> Incredible.
1439.44 -> Click on Set Current Database.
1441.44 -> Yes.
1443.44 -> We don't have a query yet.
1445.44 -> We can do View AST.
1447.44 -> Select a valid source file.
1449.44 -> Okay.
1453.44 -> What does it say?
1455.44 -> Choose database.
1457.44 -> Okay.
1459.44 -> You can try to run a query.
1461.44 -> You can try to run a query.
1463.44 -> Resource is not a code.ql file.
1465.44 -> Yes, you have to create a .ql file.
1467.44 -> Smart.
1469.44 -> Open query result.
1471.44 -> It's so not intuitive as an extension.
1476.44 -> The part on the left is not very useful.
1481.44 -> Simple.ql.
1483.44 -> Right.
1485.44 -> And...
1487.44 -> Database.
1492.44 -> So, import here.
1494.44 -> Sure.
1496.44 -> Okay.
1504.44 -> And you can...
1514.44 -> And select M.
1516.44 -> Entry space.
1518.44 -> Entry.
1520.44 -> No.
1522.44 -> Entry.
1524.44 -> Okay.
1530.44 -> Paste me a code in the chat if you want.
1532.44 -> Otherwise, I try to find something.
1534.44 -> We can try to do a first poke to see if we have a functional thing.
1540.44 -> But clearly, to dictate code, it's not going to work.
1544.44 -> Open query.
1546.44 -> Resolve.
1548.44 -> Java module.
1550.44 -> Ah.
1552.44 -> Okay.
1574.44 -> I have a problem.
1578.44 -> I have a Java import that doesn't seem to work.
1582.44 -> Yeah.
1584.44 -> How can I find your Facebook account?
1586.44 -> I have Discord next to it.
1588.44 -> It's via Discord.
1590.44 -> It can be done...
1592.44 -> It can be done via the chat that you used.
1596.44 -> Yes.
1598.44 -> Thank you, Manzax.
1600.44 -> I'm going to zoom in a bit.
1602.44 -> We were wondering why...
1608.44 -> We have the DB, but we get kicked out when we try to do something with Jovo.
1614.44 -> Yeah, that's true.
1616.44 -> Wow, on Messenger, man.
1620.44 -> Yeah, that's true. I don't have a Discord account.
1622.44 -> And you know we always have...
1624.44 -> In fact, you have to tell him where to find Java.
1628.44 -> Java, and you have to create a file called qlpack.yml.
1632.44 -> ql...
1634.44 -> This one looks a lot like the error I had.
1636.44 -> It makes sense.
1640.44 -> Did you give the filename?
1642.44 -> qlpack.yml.
1646.44 -> qlpack.yml.
1648.44 -> Yes.
1650.44 -> qlpack.yml.
1652.44 -> Yes.
1656.44 -> Yes.
1658.44 -> Okay, let's try again.
1660.44 -> And there, if you put the import Java again, it should take a little longer to find.
1666.44 -> It still doesn't look very happy.
1668.44 -> qlpack.yml.
1670.44 -> Yes.
1672.44 -> So, copy, paste.
1674.44 -> And we remove the A.
1678.44 -> Let's try again.
1680.44 -> Hop.
1686.44 -> No, it doesn't like it.
1688.44 -> But it doesn't like it too much.
1690.44 -> Let's ask if we need a prefix.
1692.44 -> In any case, it doesn't seem to like it too much either.
1694.44 -> Pack, resolve, library path.
1696.44 -> Did you give the codeql?
1698.44 -> java-all.
1700.44 -> Library path.
1702.44 -> No, in fact, it's a...
1704.44 -> codeql, resolve,
1706.44 -> qlpacks.
1710.44 -> qlpacks.
1712.44 -> qlpacks.
1714.44 -> Yes, qlpacks.
1716.44 -> Yes, that's it.
1720.44 -> Yes, I'm missing...
1722.44 -> I'm missing things.
1724.44 -> Ah.
1730.44 -> I admit, I don't know how to install codeql in asdf.
1734.44 -> Install basic commands.
1736.44 -> Basic.
1738.44 -> I'm going to ask him to do it.
1740.44 -> I don't have cheat.
1748.44 -> Ah, the dummy doesn't know codeql.
1750.44 -> Terrible.
1756.44 -> codeql, asdf, setup.
1758.44 -> We can test.
1760.44 -> If you like, you could launch the queries.
1762.44 -> Why not?
1764.44 -> It's already what we need.
1766.44 -> Install.
1768.44 -> codeql, help.
1770.44 -> Isn't there a codeql
1772.44 -> initialization?
1776.44 -> For?
1778.44 -> I don't know.
1780.44 -> Just the codeql.
1782.44 -> No, otherwise we can go to the CodeQL source
1784.44 -> and launch the query
1786.44 -> from the source code.
1788.44 -> Yes.
1790.44 -> Yes.
1792.44 -> Heavy.
1796.44 -> asdf prepackages things well.
1798.44 -> I hear there was a little step
1800.44 -> that could have been missed.
1812.44 -> You can try to compile it if you want.
1814.44 -> I'll take it.
1816.44 -> Go ahead.
1818.44 -> I see the link on messenger.
1826.44 -> codeql CLI zip.
1828.44 -> Clearly, what asdf did is that it just retrieved the zip.
1832.44 -> Behind.
1834.44 -> codeql, codeql CLI setup.
1836.44 -> Good.
1838.44 -> I don't know when I could have come across
1840.44 -> this place right in the docs.
1842.44 -> But I think
1844.44 -> it's what we want.
1846.44 -> So, it manages well,
1848.44 -> java, etc.
1850.44 -> And you, what did we put in the file?
1852.44 -> What was it?
1854.44 -> codeql/java-all.
1856.44 -> It's like that.
1858.44 -> It's not bad.
1860.44 -> java-all.
1864.44 -> Behind.
1872.44 -> What does it represent?
1874.44 -> The java-all at your place?
1878.44 -> Sorry?
1880.44 -> I don't know if it represented the java-all
1882.44 -> directory at your place.
1884.44 -> If I ask for a codeql...
1886.44 -> It's going to be all the Java queries.
1888.44 -> In the depot.
1892.44 -> It resolves the languages, but what we want
1894.44 -> are the packs.
1896.44 -> It's definitely the qlpacks.
1898.44 -> Maybe it didn't get them.
1900.44 -> By the way, isn't there something to say
1902.44 -> valedl?
1904.44 -> Yeah, there's something
1906.44 -> codeql.
1912.44 -> So, resolve language,
1914.44 -> qlpacks,
1916.44 -> say can find,
1918.44 -> display qlpacks,
1920.44 -> if all include.
1922.44 -> Clearly, we don't have the qlpacks.
1924.44 -> A priori.
1926.44 -> Not the legacy upgrade, but in there...
1928.44 -> qlpacks,
1930.44 -> upgrades,
1932.44 -> I don't think
1934.44 -> it's that.
1940.44 -> Are you sure?
1942.44 -> It's not an addon you got?
1944.44 -> In CodeQL, we already have the Java part,
1946.44 -> we already have a lot of things.
1948.44 -> If we give it the path
1950.44 -> I gave for Java,
1952.44 -> the name that looks
1954.44 -> full buggy,
1957.44 -> query,
1961.44 -> a package name,
1983.44 -> a valid pack name,
1985.44 -> a package must contain only
1987.44 -> lowercase,
1989.44 -> lowercase, ASCII letters,
1991.44 -> ASCII digits,
1993.44 -> codeql, resolve,
1995.44 -> library path.
2011.44 -> It looks like the file is having a hard time
2013.44 -> searching in the wrong places.
2019.44 -> Pack name, only contain.
2021.44 -> Clearly, it doesn't like my name.
2023.44 -> Go ahead, I can try to
2025.44 -> reinstall it.
2029.44 -> codeql, cli, zip.
2031.44 -> Very good.
2033.44 -> Installing codeql in your system.
2037.44 -> No, not that.
2039.44 -> Yes.
2041.44 -> Linux 10.64, let's go.
2043.44 -> codeql, pub.
2047.44 -> asdf, remove.
2049.44 -> No, what is it?
2051.44 -> Install.
2053.44 -> codeql, salvage.
2055.44 -> Which codeql?
2059.44 -> Jim.
2063.44 -> ql, ok.
2067.44 -> No more codeql.
2071.44 -> Pulse version.
2073.44 -> No more, codeql.
2075.44 -> Very good, now I have codeql.
2077.44 -> Wow, it's 400 megabytes.
2079.44 -> Very good.
2081.44 -> Alright.
2085.44 -> Extract, very good.
2087.44 -> Launch.
2091.44 -> Very good.
2095.44 -> Executing,
2097.44 -> adding to the path, very good.
2101.44 -> Very good.
2103.44 -> So, we have the zip.
2105.44 -> We're going to
2107.44 -> mv, no, dl.
2109.44 -> We're going to mv zip
2111.44 -> this enormity.
2117.44 -> Yeah, it's crazy.
2119.44 -> A pleasure, Enzax.
2121.44 -> A pleasure, it's great.
2123.44 -> So, sudo mv codeql
2125.44 -> into /opt.
2127.44 -> Outpass,
2129.44 -> we don't choke, we clearly choke.
2133.44 -> Ok, sudo
2135.44 -> ln -sf
2137.44 -> /opt/codeql/codeql
2139.44 -> into
2141.44 -> /usr/local/bin/codeql.
2143.44 -> Yeah.
2145.44 -> Yeah, rehash, codeql -h.
2147.44 -> Woo!
2149.44 -> Uh, ghostwriting, what?
2151.44 -> No.
2153.44 -> No, no, no.
2155.44 -> Reshim and rehash.
2159.44 -> asdf.
2163.44 -> asdf.
2181.44 -> Ok.
2183.44 -> It's good.
2185.44 -> Is it running?
2189.44 -> I have the build, the db.
2191.44 -> Yes.
2193.44 -> And I add...
2195.44 -> I cut the build,
2197.44 -> the queries, too bad, I'll launch it later.
2199.44 -> And...
2201.44 -> I did the
2203.44 -> installation legit again, and I don't have
2205.44 -> your java-all. I think it's something
2207.44 -> you set up some time ago.
2209.44 -> I have
2211.44 -> java codeql.
2213.44 -> So...
2215.44 -> I do it again,
2217.44 -> the java queries.
2219.44 -> I have legacy upgrade, java.
2223.44 -> What are you doing, resolve?
2227.44 -> Resolve qlpacks.
2229.44 -> I only have the legacy,
2231.44 -> unless I need to... You see, I only have the legacy.
2233.44 -> Ql-downloads on qlcats.
2235.44 -> Aha!
2237.44 -> Dude, codeql pack download,
2239.44 -> and then the thing's name.
2241.44 -> Let's see a list,
2243.44 -> maybe.
2247.44 -> Add, init, download,
2249.44 -> install, publish, create bundle,
2251.44 -> pack list, compute the set of list...
2253.44 -> No...
2255.44 -> Ls.
2257.44 -> Ls.
2259.44 -> I only have those.
2267.44 -> Can't you download a java-all,
2269.44 -> something like that?
2273.44 -> For me, it's in the downloads,
2275.44 -> so I don't know what you're doing.
2279.44 -> Did you download the codeql?
2281.44 -> No,
2283.44 -> I went to the official install,
2285.44 -> retrieved the zip.
2287.44 -> Yeah, and scroll down a bit.
2289.44 -> Verify your codeql,
2291.44 -> resolve languages, I have what I need.
2293.44 -> Checking out the CodeQL source code directly.
2295.44 -> Yeah, that's it.
2297.44 -> Step one.
2299.44 -> Okay, and...
2301.44 -> I want to try to do that.
2303.44 -> A little clone.
2311.44 -> Clone.
2313.44 -> Okay, it already exists.
2317.44 -> There are two, so there's a codeql.
2319.44 -> Yeah, that's it.
2321.44 -> Yeah.
2323.44 -> We'll need both.
2325.44 -> Did you look at the other one?
2327.44 -> Yeah.
2329.44 -> So, normally, the qlpack should be there.
2333.44 -> When do you use it to give the lock?
2335.44 -> I browse it
2337.44 -> recursively, I think.
2339.44 -> Okay.
2341.44 -> If I ask for the qlpacks
2343.44 -> in my current directory, while it executes
2345.44 -> the one in opt, it's no.
2349.44 -> No?
2351.44 -> No, but we'll have to figure it out.
2353.44 -> I think.
2355.44 -> It's clearly...
2357.44 -> You see, I don't have a directory called java-all,
2359.44 -> so I don't know where you get it from.
2361.44 -> For me, it's a directory
2363.44 -> that you get from...
2365.44 -> Yeah, it's in an ml file.
2369.44 -> That's not
2371.44 -> what I wanted to say.
2373.44 -> There you go.
2375.44 -> The codeql/java-all.
2377.44 -> And that, you agree that it represents a directory?
2379.44 -> Do it.
2381.44 -> No, it's not a directory.
2383.44 -> It's a name in a
2385.44 -> qls3 file.
2387.44 -> Okay.
2391.44 -> All right.
2393.44 -> Anyway.
2395.44 -> Can I see your screen?
2399.44 -> Yes.
2403.44 -> It's a truth.
2405.44 -> And it's no.
2413.44 -> We have your screen on the right.
2415.44 -> Yeah.
2417.44 -> Hello, controllers.
2421.44 -> And so...
2425.44 -> What is it doing?
2427.44 -> Hello world application.
2431.44 -> It's just a Spring app.
2437.44 -> It's just doing a log here.
2441.44 -> Yeah, it just needs to sync
2443.44 -> in the log function.
2447.44 -> You resolve the dependency.
2449.44 -> You can do a patch expression.
2457.44 -> Okay.
2459.44 -> Wait, I'll go back to it.
2463.44 -> So, if we go back to the sources,
2465.44 -> in the main,
2467.44 -> in the java, we have the greeting.
2469.44 -> The controller,
2471.44 -> which does the add attribute greetings.
2475.44 -> And the
2477.44 -> hello world application.
2495.44 -> Who is class greeting?
2507.44 -> Interesting.
2521.44 -> I think being automated logs
2523.44 -> in the server, for me,
2525.44 -> it's not in the source code we have in front,
2527.44 -> but in the dependencies that are resolved
2529.44 -> when you compile.
2531.44 -> If there is a side effect,
2533.44 -> or when you do an add attribute,
2535.44 -> it's what it says
2537.44 -> in the README.
2539.44 -> So, details.
2541.44 -> Yes.
2543.44 -> Details on the site.
2547.44 -> It's true that I'm shaking my hand
2549.44 -> to see a little bit...
2553.44 -> We started in compilation, I assume.
2557.44 -> No.
2559.44 -> No, I don't know if you started in your thoughts
2561.44 -> or started crawling
2563.44 -> in compilation each time.
2565.44 -> No, I'm here.
2569.44 -> We need a very good support.
2593.44 -> Wow.
2605.44 -> I don't know if it's the vulnerability
2607.44 -> that we wanted to test,
2609.44 -> but clearly, it's incredible.
2613.44 -> What are they doing?
2615.44 -> They are doing add attribute greetings.
2623.44 -> It's crazy.
2639.44 -> It's crazy.
2641.44 -> Concretely, it seems to be
2643.44 -> not even prototype pollution,
2645.44 -> but arbitrary method invocation.
2649.44 -> What they say in the article...
2651.44 -> I'm going to click the screen for a moment.
2655.44 -> What they say in the article is that...
2657.44 -> I don't have it for the moment.
2659.44 -> It's that where they do
2661.44 -> greetings id equals test,
2663.44 -> and where it sets the parameter,
2665.44 -> the attribute id to the value test,
2667.44 -> by putting Spring4Shell
2669.44 -> and by putting class.module
2671.44 -> for classLoader something equals test,
2673.44 -> it's going to overwrite
2675.44 -> the method that's behind.
2677.44 -> Ok.
2681.44 -> I don't know the link.
2687.44 -> They talk about it because there are similarities
2689.44 -> with the other 4Shell.
2703.44 -> It's just with a body
2705.44 -> that has...
2723.44 -> Isn't there something shocking?
2725.44 -> Are you on my screen?
2727.44 -> Yes.
2729.44 -> I'm very skeptical
2731.44 -> because...
2735.44 -> If that's the case...
2741.44 -> What shocks me is that
2743.44 -> they do a curl on postBody
2745.44 -> with the echoFooBar data.
2747.44 -> And they show that it just shows
2749.44 -> hello of FooBar as if
2751.44 -> the command execution was passed.
2753.44 -> Except that we agree that if you execute
2755.44 -> that in your shell, the command execution is at your place.
2757.44 -> Yes.
2759.44 -> Ok, very good.
2761.44 -> Normally we do it up and running via the blocker.
2765.44 -> Yes,
2767.44 -> topekfk,
2769.44 -> there will be a replay after,
2771.44 -> given the efficiency we had tonight.
2773.44 -> Maybe.
2775.44 -> Because clearly,
2777.44 -> it will show that
2779.44 -> the approach we had was not adapted to this problem.
2781.44 -> We'll see.
2783.44 -> Maybe we'll make a cleaner version.
2787.44 -> Maybe a bit more prepared.
2789.44 -> Their lab exploded.
2791.44 -> The idea was to show
2793.44 -> the struggle in live.
2795.44 -> So it can happen with a full press.
2809.44 -> I feel like I'm not on the right app at all.
2813.44 -> Ah, kill me.
2819.44 -> Kill me, damn it.
2823.44 -> So,
2825.44 -> here,
2827.44 -> what are they doing?
2829.44 -> They are doing well
2831.44 -> the thing with the class,
2833.44 -> module, class loader
2835.44 -> and other parameters to encode
2837.44 -> things that are executed by reflection.
2839.44 -> The pattern,
2841.44 -> just extract everything.
2843.44 -> It seems to be a horror,
2845.44 -> this file.
2847.44 -> It seems to be a horror,
2849.44 -> this file.
2851.44 -> It seems to be a horror,
2853.44 -> this file.
2855.44 -> The basic concept of
2857.44 -> reflecting something
2859.44 -> if you do it eval, it's nice,
2861.44 -> but in detail...
2867.44 -> Damn cancer.
2881.44 -> Damn cancer.
2905.44 -> Clearly, I think we'll
2907.44 -> give a second try with a bit more
2909.44 -> preparation, because there are clearly things to say
2911.44 -> about CodeQL, but
2913.44 -> between the setup that refuses...
2917.44 -> Yeah, we can try
2919.44 -> to identify...
2921.44 -> Is it in the addAttribute
2923.44 -> that the vuln is?
2925.44 -> Yeah, in my opinion, yes.
2931.44 -> So, for example,
2933.44 -> to remove all annotations
2935.44 -> of type controller
2937.44 -> with this query
2939.44 -> and then we can try to find...
2943.44 -> I think we can find...
2947.44 -> And in fact, it's not even in the
2949.44 -> setAttribute that the vuln is,
2951.44 -> it's the fact of using this function
2953.44 -> that will allow to crush
2955.44 -> a...
2957.44 -> How to say?
2959.44 -> To, by reflection,
2961.44 -> manage to crush
2963.44 -> more interesting values and
2965.44 -> have instantiation.
2967.44 -> But basically,
2969.44 -> the interesting primitive
2971.44 -> is to crush an interesting attribute
2973.44 -> and call it in front of our eyes.
2975.44 -> So we won't be able to trace it any further.
2977.44 -> No, we won't be able to trace it any further.
2979.44 -> It's so annoying.
2981.44 -> What's in the language support?
2985.44 -> Reason Languages.
2987.44 -> We said I had...
2989.44 -> xml.
2991.44 -> Interesting.
2995.44 -> It supports Go,
2997.44 -> there would be something nice to do.
3001.44 -> If it's done out of the box,
3003.44 -> there was a tool of Project Discovery,
3005.44 -> their simple server,
3007.44 -> which was vulnerable
3009.44 -> when it runs on Windows
3011.44 -> to an arbitrary file write
3013.44 -> a little bit where you want.
3015.44 -> Clearly where you want on the system.
3017.44 -> I think it can be...
3019.44 -> When it runs on Windows
3021.44 -> in addition.
3025.44 -> We can look at what leads to...
3027.44 -> What?
3029.44 -> Are you on my screen?
3031.44 -> I'm repeating the screen.
3033.44 -> I think it can be that.
3035.44 -> Project
3037.44 -> Discovery
3039.44 -> Simple
3041.44 -> Server
3043.44 -> So
3045.44 -> this thing, if we go to the Issues,
3047.44 -> if we look at the Closed,
3049.44 -> there is a moment where we had
3051.44 -> file write RCE
3053.44 -> Security Windows
3055.44 -> So, we had the following problem,
3057.44 -> it's that
3059.44 -> for the writing of a file,
3061.44 -> the web server,
3063.44 -> to know where
3065.44 -> it was going to write the file,
3067.44 -> it did a path.base
3069.44 -> in order to get
3071.44 -> all the content following the last slash.
3073.44 -> So toto slash tata
3075.44 -> on your URL, it's going to get you your data.
3077.44 -> Except that Windows, you put backslash
3079.44 -> and suddenly, you can write what you want
3081.44 -> on a UNC, trigger
3083.44 -> of the auth,
3085.44 -> you can even write a little bit everywhere
3087.44 -> you want on the file system.
3089.44 -> Long story short, it was patched
3091.44 -> by putting a flag
3093.44 -> to say...
3095.44 -> A flag that allows to harden,
3097.44 -> but there was still a file write everywhere on the file system.
3099.44 -> Currently,
3101.44 -> there is a flag
3103.44 -> sandbox
3105.44 -> that we can add, but it is not present as a base.
3107.44 -> So I think it's still there,
3109.44 -> but we can already do a test just by launching the tool with Linux
3111.44 -> with the right upload flag.
3113.44 -> Normally, we still have
3115.44 -> a file upload with the name
3117.44 -> partially controlled
3119.44 -> because it's a feature.
3121.44 -> Does it speak to you so far?
3123.44 -> Yes.
3125.44 -> So so.
3127.44 -> Get
3129.44 -> demo soon because that's something
3131.44 -> that I master more.
3133.44 -> So it's simple servers,
3135.44 -> go run
3137.44 -> slash cmd
3139.44 -> simple server
3143.44 -> I don't know why I have it twice.
3145.44 -> Ok.
3147.44 -> Ok.
3149.44 -> It works.
3151.44 -> We will be able to put a little
3153.44 -> file upload.
3155.44 -> Put.
3157.44 -> Ok.
3159.44 -> And so there, normally,
3161.44 -> let's get rid of our Java thing
3163.44 -> and do that.
3165.44 -> And so if we copy
3167.44 -> and paste, we make a curl
3169.44 -> upload
3171.44 -> private
3173.44 -> sas
3175.44 -> slash foo
3177.44 -> and we take, for example,
3179.44 -> I have files
3185.44 -> Ok.
3187.44 -> No autocompletion.
3189.44 -> I love it.
3191.44 -> RID
3193.44 -> foo.txt
3197.44 -> So upload file
3201.44 -> foo.txt
3203.44 -> We believe in it.
3207.44 -> I didn't get to the right place.
3209.44 -> So far it's legit.
3213.44 -> Ok.
3215.44 -> So there, you see, it caught the foo put
3217.44 -> and normally it wrote
3219.44 -> for example, I launched it.
3221.44 -> cd
3223.44 -> simple
3225.44 -> http server ls
3237.44 -> Indeed, it wrote the foo file correctly.
3239.44 -> You see, we upload
3241.44 -> the foo.txt
3243.44 -> It was there.
3245.44 -> We just asked for the foo path
3247.44 -> and it wrote where we wanted to know
3249.44 -> So it took the base path
3251.44 -> just the prefix we have at the end
3253.44 -> and it wrote it.
3255.44 -> So if we arrive, normally we even have the code
3257.44 -> roughly
3259.44 -> we said it was
3263.44 -> too fast
3265.44 -> if windows abuses
3267.44 -> it will upload
3269.44 -> and we said we had it
3271.44 -> I will give the code
3273.44 -> loglayer
3275.44 -> and upload
3279.44 -> You can watch everything that goes in the
3281.44 -> sink ioutil.WriteFile
3283.44 -> starting from
3285.44 -> a function that is the entry point
3287.44 -> of the server
3291.44 -> We watch the sinks
3293.44 -> We watch everything that comes from
3295.44 -> path and that
3297.44 -> sinks in ioutil.WriteFile
3299.44 -> It's not bad.
3301.44 -> It sounds feasible
3303.44 -> I will send it
3307.44 -> Yes, but you have to
3311.44 -> I don't have
3313.44 -> your network
3315.44 -> and the pdc
3319.44 -> Yes, yes, yes
3321.44 -> You have to be able to do
3323.44 -> qlgo
3325.44 -> But already
3327.44 -> the test case seems much more
3329.44 -> applicable than
3331.44 -> nginx
3335.44 -> Like, clearly
3339.44 -> There are also qlgo queries
3341.44 -> I don't know why
3343.44 -> it's on another repo
3345.44 -> There is probably
3353.44 -> Go ahead, query for go code
3355.44 -> Why not?
3357.44 -> Abstract syntax tree, no
3359.44 -> qlgo
3361.44 -> archived movie to
3363.44 -> ql
3365.44 -> location
3373.44 -> So
3375.44 -> extractor written in go
3377.44 -> static analysis and queries
3379.44 -> in ql
3385.44 -> database
3389.44 -> I didn't say anything
3391.44 -> It has been integrated in the basic repo
3397.44 -> And so, I give you back the hand
3399.44 -> if you want, because you have something that must be
3401.44 -> a bit more functional than me
3403.44 -> Yes, but I don't have
3405.44 -> If I can try to compile
3407.44 -> what is the alu
3409.44 -> I sent it by
3411.44 -> messenger already
3419.44 -> And so
3425.44 -> Debugging
3427.44 -> in port go
3433.44 -> It would be nice
3449.44 -> Ok
3471.44 -> What is the vsix file?
3473.44 -> Does it speak to you?
3475.44 -> The what?
3479.44 -> For vscode and codeql
3481.44 -> it speaks of vsix file
3483.44 -> No idea what it is
3485.44 -> It's the extension format
3487.44 -> of vscode
3489.44 -> I used the CLI to install it
3491.44 -> I had never seen the
3493.44 -> package-exported side
3497.44 -> Why not?
3505.44 -> So
3509.44 -> Let's see
3529.44 -> And what is our input?
3531.44 -> It's a
3533.44 -> It's a path
3537.44 -> It's a put
3539.44 -> It's just a put http on it
3553.44 -> I think I know
3555.44 -> what was done
3557.44 -> for the setup
3559.44 -> Clone the repository
3561.44 -> vscode-ql-vscode-starter-machin
3563.44 -> Ok
3565.44 -> Make sure you include submodules
3573.44 -> Yeah
3591.44 -> Ok
3605.44 -> It doesn't seem to have
3607.44 -> a query for the file write
3609.44 -> by default
3611.44 -> What are the
3613.44 -> available queries?
3615.44 -> I'm just checking what exists
3617.44 -> You can go to
3619.44 -> vscode-ql-src
3621.44 -> There are two files
3623.44 -> with security queries
3625.44 -> in security
3627.44 -> and in experimental
3629.44 -> security
3631.44 -> I thought OBS
3633.44 -> had decided to commit suicide
3639.44 -> Ok
3641.44 -> I'll play it on your screen
3643.44 -> Tell me again
3645.44 -> You said experimental
3647.44 -> vscode-ql-repo-ghost
3649.44 -> vscode-ql-src
3651.44 -> and then in experimental
3653.44 -> or in security
3655.44 -> Ok
3659.44 -> Yeah
3661.44 -> So here you already have
3663.44 -> Ah, ssrfql, interesting
3667.44 -> For example, a query
3669.44 -> has its name, its type
3671.44 -> and we can filter
3673.44 -> and launch all the security type queries
3675.44 -> So here
3677.44 -> it's the basic format
3679.44 -> Basically, what does it say?
3681.44 -> It says
3683.44 -> we're going to try to find
3685.44 -> a flow path
3687.44 -> between our source and our sink
3693.44 -> So the source will be defined
3697.44 -> These are the sources
3699.44 -> and from
3701.44 -> the configuration
3703.44 -> which is server-side request for
3705.44 -> our source and our sink
3707.44 -> So
3709.44 -> instance of
3711.44 -> source
3713.44 -> So by default, ql code comes with
3715.44 -> predefined sources
3719.44 -> Like what I said earlier
3721.44 -> HTTP header, all that is by request
3723.44 -> A bit of everything you can imagine
3727.44 -> But here, sink
3729.44 -> it's up to us to define it
3735.44 -> For me, sink is the
3737.44 -> ioutil, right?
3739.44 -> Yeah, so that's the
3741.44 -> equivalent of ioutil
3743.44 -> And then we can add sanitizers
3745.44 -> where we know that if it goes through
3747.44 -> this or that method, it's no use propagating
3749.44 -> because it's going to be something that will prevent
3751.44 -> the operation of an R8
3753.44 -> We can launch it like that
3755.44 -> to see what happens
3757.44 -> Launch what?
3759.44 -> Patch for ioutil
3761.44 -> We can put sanitizers and just say whoosh
3763.44 -> Yeah, so
3765.44 -> it's going to be a bit more complicated than that
3767.44 -> I think, but we can try
3769.44 -> to compile
3771.44 -> He managed to compile
3773.44 -> So
3775.44 -> it's simple to use
3777.44 -> the server
3779.44 -> Fuck, the qlpacks
3781.44 -> still don't want to, even with the
3785.44 -> The pain
3787.44 -> So
3791.44 -> Okay, the qlpack
3807.44 -> Let's do this
3817.44 -> Shit
3847.44 -> So the main branch of codeql already has this file
3863.44 -> Haha
3867.44 -> Okay
3869.44 -> We have
3871.44 -> We don't have the crossref
3873.44 -> Why?
3877.44 -> We don't have the crossref
3883.44 -> Let's launch a rocket
3885.44 -> That says something
3887.44 -> Wouldn't it be a variant
3889.44 -> if it had a purple color?
3895.44 -> It's terrible
3897.44 -> On my side, I made a qlpack
3899.44 -> I got the repo that is supposed to contain the qlpacks
3901.44 -> and it crashes me
3907.44 -> Codeql extract where is go
3909.44 -> Yes
3911.44 -> Codeql go
3913.44 -> Dude, it doesn't have the same
3915.44 -> layout as yours
3917.44 -> on the other hand
3923.44 -> I don't know
Source: https://www.youtube.com/watch?v=nCksqPrBiJI