Gafnit Amiga

  • AWS ECR Public Vulnerability
    December 13, 2022

    gafnit

    I discovered a critical AWS Elastic Container Registry Public (ECR Public) vulnerability that allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions.

  • Azure Cloud Shell Command Injection Stealing User’s Access Tokens
    September 20, 2022

    gafnit

    Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. This post describes how I took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users’ terminals. Using the executed code, I accessed the Metadata service attached to the terminal and obtained the user’s access token. This access token provides an attacker with the Azure permissions of the victim user and enables them to perform operations on their behalf.

  • Exploiting Authentication in AWS IAM Authenticator for Kubernetes
    July 11, 2022

    gafnit

    During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. In this blog post I will explain three vulnerabilities detected in the AWS IAM Authenticator, all of which were caused by the same line of code.

  • New Vulnerabilities in Kubernetes NGINX Ingress Controller
    July 6, 2022

    gafnit

    Starting in October 2021, the NGINX Kubernetes Ingress Controller came under siege from security researchers, and the opening salvo was delivered in the form of CVE-2021-25742, which allowed attackers to gain access to secrets stored across all namespaces in a Kubernetes cluster. In this post I will provide background and details for the following vulnerabilities caused by the same root cause: CVE-2021-25745 and CVE-2021-25748.

  • AWS RDS Vulnerability Leads to AWS Internal Service Credentials
    April 11, 2022

    gafnit

    In this post I will tell how I obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension. The internal AWS service was connected to an AWS internal account related to the RDS service.

  • AWS SageMaker Jupyter Notebook Instance Takeover
    December 2, 2021

    gafnit

    I found that an attacker can run any code on a victim’s SageMaker JupyterLab Notebook Instance across accounts. This means that an attacker can access the Notebook Instance metadata endpoint and steal the access token for the attached role.