Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Story of a Perfect Exploit Chain: Six Bugs That Looked Harmless Until They Became Pre-Auth RCE in a Security Appliance

mehmetince, posted 5 days ago
  • The author of this post was evaluating the LogPoint SIEM/SOAR as a replacement for their existing one. Before committing to it, they reviewed it for vulnerabilities and immediately found three serious issues. Months later, they returned to dig deeper. Reviewing the source code, they found an interesting quirk: half of it ran natively while the other half ran in Docker containers with no network restrictions. The product started out as ONLY a SIEM and later had to grow into a SOAR, so the SOAR code runs in a Dockerized setup while the SIEM runs natively.
  • This led to two Nginx configurations: an external one routing incoming traffic and an internal, Dockerized one routing traffic to the various microservices. Using the rewrite rules in the internal Nginx configuration, it is possible to reach some internal routes, which dramatically increases the attack surface.
  • The JWT verification on the SOAR backend uses a hard-coded JWT secret. After using this JWT to log in, an API key is returned; this key is sometimes used for authentication between microservices. Upon review, a single API key is returned for the user secbi, a high-privilege SOAR account that comes bundled with the installation. Perfect! This allows an anonymous user to call any of the SOAR endpoints on the LogPoint backend.
  • The new goal was to jump from the containerized application to the legacy backend. They found an endpoint that returned a separate secret key used by the SOAR to interact with the legacy Python backend; with a request to it, they could talk to the Python backend directly. Naturally, they found a GET-based SSRF in a configuration test, which could be used to retrieve the secrets described above.
  • In the Python backend code, they found a plain eval() in the rules engine. Reaching it requires creating an alert whose trigger_value carries the payload to be evaluated, so they needed a way to create a rule that does exactly that. Luckily for them, there is a rule importer that bypasses most validation.
  • A pretty solid chain of mostly authentication-related issues. It was a fun read: six bugs that eventually added up to RCE.
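To illustrate the rules-engine bug from the last two bullets, here is an added example of my own (not LogPoint's code and not from the post): a constructed rule evaluator that feeds trigger_value straight to eval(), beside a hardened version that walks the AST and accepts only comparisons of named event fields against literals. The event, rule names and field names are constructed for the demo.

```python
import ast
import operator

# Constructed sample event and rules; trigger_value is attacker-influenced
# whenever a rule importer skips validation, as described in the write-up.
EVENT = {"failed_logins": 7, "src_ip": "10.0.0.9"}
SAFE_RULE = {"name": "brute-force", "trigger_value": "failed_logins > 5 and src_ip == '10.0.0.9'"}
QUIET_RULE = {"name": "no-match", "trigger_value": "failed_logins > 10"}
# Benign stand-in for injected code: it reaches outside the event namespace entirely.
HOSTILE_RULE = {"name": "bad", "trigger_value": "__import__('sys').maxsize > 0"}

def evaluate_unsafe(rule, event):
    """The pattern from the post: the trigger expression goes straight to eval()."""
    return bool(eval(rule["trigger_value"], {}, dict(event)))

ALLOWED_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
               ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}

def evaluate_safe(rule, event):
    """Accept only `<event field> <cmp> <literal>`, optionally joined by and/or.
    Anything else (calls, attributes, imports, arithmetic) raises ValueError."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            results = [walk(v) for v in node.values]  # eager: hostile operands still raise
            return all(results) if isinstance(node.op, ast.And) else any(results)
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and isinstance(node.left, ast.Name)
                and isinstance(node.comparators[0], ast.Constant)
                and type(node.ops[0]) in ALLOWED_CMP):
            if node.left.id not in event:
                raise ValueError(f"unknown event field {node.left.id!r}")
            return ALLOWED_CMP[type(node.ops[0])](event[node.left.id], node.comparators[0].value)
        raise ValueError(f"disallowed expression: {ast.dump(node)[:40]}")
    return bool(walk(ast.parse(rule["trigger_value"], mode="eval").body))

def check_rule(rule, event):
    """Outcome of the hardened evaluator: 'fired', 'quiet' or 'rejected'."""
    try:
        return "fired" if evaluate_safe(rule, event) else "quiet"
    except (ValueError, SyntaxError):
        return "rejected"

if __name__ == "__main__":
    for rule in (SAFE_RULE, QUIET_RULE, HOSTILE_RULE):
        print(rule["name"], check_rule(rule, EVENT))
```

The hostile rule evaluates to True under eval() because the expression can reach builtins, while the AST-walking evaluator refuses it before anything runs.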