Posts Tagged ‘KTH’
[DefCon32] DEF CON 32: Exploiting the Unexploitable: Insights from the Kibana Bug Bounty
Mikhail Shcherbakov, a PhD candidate at KTH Royal Institute of Technology in Stockholm, captivated the DEF CON 32 audience with his deep dive into exploiting seemingly unexploitable vulnerabilities in modern JavaScript and TypeScript applications. Drawing from his participation in the Kibana Bug Bounty Program, Mikhail shared case studies that reveal how persistence and creative exploitation can transform low-impact vulnerabilities into critical remote code execution (RCE) chains. His presentation, rooted in his research on code reuse attacks, offered actionable techniques for security researchers and robust mitigation strategies for defenders.
Navigating the Kibana Bug Bounty
Mikhail began by outlining his journey in the Kibana Bug Bounty Program, where he encountered vulnerabilities initially deemed “by design” or unexploitable by triage teams. His work at KTH, focusing on static and dynamic program analysis, equipped him to challenge these assumptions. Mikhail explained how he identified prototype pollution vulnerabilities in Kibana, a popular data visualization platform, that could crash applications in seconds. By combining these with novel exploitation primitives, he achieved RCE, demonstrating the hidden potential of overlooked flaws.
Unlocking Prototype Pollution Exploits
Delving into technical specifics, Mikhail detailed his approach to exploiting prototype pollution, a common JavaScript vulnerability. He showcased how merge functions in popular libraries like Lodash could be manipulated to pollute object prototypes, enabling attackers to inject malicious properties. Mikhail’s innovative chain involved polluting a runner object and triggering a backup handler, resulting in RCE. He emphasized that even fixed prototype pollution cases could be combined with unfixed ones across unrelated application features, amplifying their impact and bypassing conventional defenses.
Advanced Exploitation Techniques
Mikhail introduced new primitives and gadgets that elevate prototype pollution beyond denial-of-service (DoS) attacks. He demonstrated how carefully crafted payloads could exploit Kibana’s internal structures, leveraging tools like Node.js and Deno to execute arbitrary code. His research also touched on network-based attacks, such as ARP spoofing in Kubernetes environments, highlighting the complexity of securing modern applications. Mikhail’s findings, documented in papers like “Silence Print” and “Dust,” provide a roadmap for researchers to uncover similar vulnerabilities in other JavaScript ecosystems.
Mitigating and Defending Against RCE
Concluding, Mikhail offered practical recommendations for mitigating these threats, urging developers to adopt secure coding practices and validate inputs rigorously. He encouraged researchers to persist in exploring seemingly unexploitable bugs, sharing resources like his collection of server-side prototype pollution gadgets. His work, accessible via his blog posts and Twitter updates, inspires the cybersecurity community to push boundaries in vulnerability research while equipping defenders with tools to fortify JavaScript applications against sophisticated attacks.