sagitz Profile
sagitz

@sagitz_

Followers
4,307
Following
736
Media
46
Statuses
199

Cloud Security Researcher at @wiz_io • Microsoft Most Valuable Researcher 21/22/23 • Black Hat Speaker

Joined March 2019
Pinned Tweet
@sagitz_
sagitz
2 months
We found a Remote Code Execution (RCE) vulnerability in @Ollama - one of the most popular AI inference projects on GitHub. Here is everything you need to know about #Probllama (CVE-2024-37032) 🧵👇
23
355
2K
@sagitz_
sagitz
1 year
We found two 0-day vulnerabilities in @Ubuntu kernel and it all started by reading descriptions of old CVEs 📖 Thread about the discovery of #GameOverlay 🧵👇🏼
17
462
2K
@sagitz_
sagitz
5 months
We uploaded a backdoored AI model to @HuggingFace which we could use to potentially access other customers’ data✨ Here is how we did it - and collaborated with Hugging Face to fix it 🧵⬇️
17
249
2K
@sagitz_
sagitz
2 years
Hex Rays + OpenAI wen?
32
237
1K
@sagitz_
sagitz
3 years
I'm excited to share information about our research, in which we (+ @nirohfeld) found a critical vulnerability in Azure Cosmos DB itself - effectively allowing malicious actors to fully compromise databases of thousands of customers. @wiz_io #ChaosDB
8
122
234
@sagitz_
sagitz
3 years
Recently @nirohfeld and I started looking at #Azure. Perhaps the most severe vulnerability I have ever reported. Stay tuned🤩 #MSRC #BugBounty
13
37
210
@sagitz_
sagitz
3 months
We discovered that by uploading a malicious AI model to @Replicate, a leading AI-as-a-Service platform, we could read and modify prompts of other customers 🤯 Here is exactly how we did it 🧵⬇️
7
63
211
@sagitz_
sagitz
2 months
The issue is a simple Path Traversal vulnerability which can be exploited by pulling a model from a private registry. By specifying a malicious digest field, it is possible to overwrite any file on the system!
3
18
166
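As an added, defender-side illustration of the point in the tweet above (this is not Ollama's code and not taken from the thread): a blob-path resolver that allow-lists the digest format before it touches the filesystem, then confirms the resolved path still lies under the store root. The store root and the `sha256-<hex>` file naming are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical model store root; Ollama's real on-disk layout is not reproduced here.
const blobRoot = "/var/lib/models/blobs"

// digestPattern accepts only the canonical form "sha256:<64 lowercase hex>".
// Anything else (slashes, "..", mixed case, wrong length) is rejected before
// it can influence a filesystem path.
var digestPattern = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var (
	ErrBadDigest = errors.New("digest is not sha256:<64 hex>")
	ErrEscape    = errors.New("resolved path escapes blob root")
)

// BlobPath maps a digest received from a remote manifest to a file under root.
// Defense 1: allow-list the digest format. Defense 2: even after building the
// path, verify it still resolves to a location inside root (defense in depth,
// so a later change to the naming scheme cannot silently reopen the hole).
func BlobPath(root, digest string) (string, error) {
	if !digestPattern.MatchString(digest) {
		return "", ErrBadDigest
	}
	// Store "sha256:abc..." as "sha256-abc..." so the filename carries no ':'.
	name := strings.Replace(digest, ":", "-", 1)
	full := filepath.Join(root, name)

	rel, err := filepath.Rel(filepath.Clean(root), full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return full, nil
}

func main() {
	// Constructed inputs: one well-formed digest, several hostile or malformed ones.
	good := "sha256:" + strings.Repeat("ab", 32)
	for _, d := range []string{
		good,
		"sha256:../../../../etc/ld.so.preload", // traversal attempt, rejected by the allow-list
		"sha256:" + strings.Repeat("AB", 32),   // wrong case, rejected
		"md5:" + strings.Repeat("ab", 16),      // unsupported algorithm, rejected
	} {
		p, err := BlobPath(blobRoot, d)
		fmt.Printf("%-45q -> path=%q err=%v\n", d, p, err)
	}
}
```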
@sagitz_
sagitz
2 years
Found it faster than Jackalope or AFL👀
6
24
160
@sagitz_
sagitz
5 months
Kudos to @HuggingFace security and infrastructure team who fixed these issues in record time, and implemented additional security measures to prevent this from happening in the future🤗🙌
1
0
117
@sagitz_
sagitz
5 months
Interested in the technical details of this research? Check out our blog in which we detail the issues we found and how they can be mitigated 🔗⬇️
1
6
101
@sagitz_
sagitz
2 months
This behavior is a common pattern we see in AI tooling: an immature codebase with simple vulnerabilities, no common security mechanism out-of-the-box. Infrastructure security is one of the most challenging aspects of AI security.
1
6
102
@sagitz_
sagitz
5 months
After establishing a foothold inside HF’s infrastructure, we quickly noticed that we were running inside a Kubernetes pod hosted on AWS. A couple of EKS tricks later, we were able to escalate our privileges in the cluster and potentially take over the service💥
2
4
99
@sagitz_
sagitz
11 months
I typically try to exclusively discuss security research on Twitter and especially refrain from discussing politics. But I will not stay indifferent to this situation. I live in Israel, and in the last week, my country has been forced into a blood-soaked war. On October 7th,
1
21
99
@sagitz_
sagitz
2 months
We exploited the vulnerability by overwriting /etc/ld.so.preload to load our malicious shared library. This escalated our Arbitrary File Write into a Remote Code Execution 😎
5
0
88
@sagitz_
sagitz
2 months
It's a bad idea to expose your Ollama instance anyway. Attackers can leak models, modify prompts, and use compute resources even without exploiting a vulnerability. It literally takes one cURL command to inject a malicious prompt into existing Ollama models. It's a feature.
2
5
85
@sagitz_
sagitz
2 months
Although a patch for this issue (0.1.34) has been available for over a month, most publicly exposed instances found on Censys are still vulnerable🤯
1
1
79
@sagitz_
sagitz
1 year
Both of these vulnerabilities were very easy to exploit, in fact, our exploit code is mostly bash 🙈 We wrote our PoCs and reported everything to the Ubuntu team, who were quick to fix the issues and assigned them CVE-2023-2640 and CVE-2023-32629
1
5
74
@sagitz_
sagitz
5 months
AI Models can come in different formats, based on the framework they were developed in. Some formats are safe, while others (like Pickle) allow Remote Code Execution as a feature!
2
2
64
@sagitz_
sagitz
5 months
Hugging Face, one of the best-known AI-as-a-Service providers, conveniently lets users interact with the AI models hosted on their platform using their own inference infrastructure. This feature is called Inference API.
1
0
60
@sagitz_
sagitz
4 years
What's written: "PHP 8 introduces two JIT compilation engines" What I read: "PHP 8 introduces new attack surface"
1
8
53
@sagitz_
sagitz
1 year
Our journey started when our team at @wiz_io read the advisory about CVE-2023-0386, a local privilege escalation in the Linux kernel. The vulnerability exploited OverlayFS to copy SUID files from a nosuid mount to outside directories, enabling privilege escalation to root.
2
2
51
@sagitz_
sagitz
2 years
OpenAI corpus generation™
1
3
50
@sagitz_
sagitz
5 months
We were wondering: What would happen if we uploaded a malicious (pickle) model to Hugging Face and interacted with it using Inference API? Would our code be executed? Would our model share the same infrastructure as other Hugging Face users? 🤔
1
0
46
@sagitz_
sagitz
5 months
We took a legitimate model (gpt2) and modified it to execute shell commands when encountering the word ‘Backdoor’ in the prompt.
1
0
43
@sagitz_
sagitz
3 years
Barely made it to MSRC 2021 Q3 Security Researcher Leaderboard😅 Congrats to all other researchers on the list! #bugbounty #msrc
6
2
41
@sagitz_
sagitz
1 year
What’s the difference? Each of us was running on a different kernel version. Apparently, Ubuntu made changes to OverlayFS a while back. In certain kernel versions, file capabilities are copied as-is, and in some, they are correctly converted relative to the current user namespace
1
2
42
@sagitz_
sagitz
1 year
After finding the first 0-day, we tried the opposite approach - where else are file capabilities copied without conversion? 🔍 We found another function that is accessible via a slightly different code path. We modified our exploit code and voila - 0-day #2! 🔥
1
0
41
@sagitz_
sagitz
1 year
To bypass the patch, we tried to reproduce the same vulnerability, but using file capabilities instead of SUIDs. IT WORKED!🤯 Well, on my machine. But when we tried the same exploit on @shirtamari's machine, it failed. Weird🤔
1
0
40
@sagitz_
sagitz
1 year
This should perfectly mitigate the SUID exploit, as SUIDs must be owned by root to be effective. However, SUIDs are not the only way to elevate privileges. There's also file capabilities - a way to grant root-like capabilities to a file without needing it to be owned by root.
1
1
38
@sagitz_
sagitz
1 year
To mitigate the issue, an additional check was added to verify that the owner of the modified file is present in the current user namespace:
1
0
36
@sagitz_
sagitz
2 years
I will be in Vegas for Black Hat and Defcon, if you see me, come say hi! Changed my profile pic so you'll know what I look like :)
0
0
34
@sagitz_
sagitz
3 years
Google knows me too well
0
0
31
@sagitz_
sagitz
2 years
Excited to be featured on MSRC 2022 Q1 Security Researcher Leaderboard! Got #15 overall and #5 in Azure 🤩 Thank you @msftsecresponse and congratulations to everyone else on the list :)
@msftsecresponse
Security Response
2 years
Congratulations to all the researchers recognized in this quarter’s MSRC 2022 Q1 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #bluehat #msrc
0
9
45
1
1
30
@sagitz_
sagitz
3 years
If you are at @BlackHatEvents tomorrow, come check out our (+ @nirohfeld) talk: "ChaosDB: How We Hacked Databases of Thousands of Azure Customers." 11:20am-12:00pm (Room BC, ICC Capital Suite 12, Level 3)
1
1
28
@sagitz_
sagitz
1 year
Who knew that Bing is such an attractive target for research? 🧐 AAD Misconfiguration ➡️ XSS in Bing ➡️ O365 Tokens 🤯
@hillai
Hillai Ben-Sasson
1 year
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts. How did I do it? Well, it all started with a simple click in @Azure … 👀 This is the story of #BingBang 🧵⬇️
267
3K
16K
0
1
27
@sagitz_
sagitz
3 years
We (+ @nirohfeld) will be presenting our research about #ChaosDB at #BlackHatEU - See you there!🤩 @BlackHatEvents
0
2
27
@sagitz_
sagitz
1 year
Beautiful research and amazing vulnerabilities🔥 If you've ever wondered what a real life adversarial attack on Kubernetes looks like - this is a must read💯
@ronenshh
Ronen
1 year
Today we share our Alibaba Cloud research for the first time, where we gained unauthorized access to other customers' databases in two different services 🚨 This complex research involved RCE, PE, Container escape, K8s lateral movement, and supply chain attack. Check it out 🧵
13
415
1K
0
3
22
@sagitz_
sagitz
2 years
The exact moment I realized I had become dependent
4
0
19
@sagitz_
sagitz
11 months
It's scary how easy it is to make this mistake and accidentally expose a storage account, even in 2023 🫣
@hillai
Hillai Ben-Sasson
11 months
We found a public AI repo on GitHub, exposing over 38TB of private files – including personal computer backups of @Microsoft employees 👨‍💻 How did it happen? 👀 A single misconfigured token in @Azure Storage is all it takes 🧵⬇️
59
633
3K
1
0
19
@sagitz_
sagitz
1 year
Very interesting campaign that is still affecting many well-known vendors. Two things I can’t figure out: 1. where did the attackers obtain the credentials from? 2. with such a powerful capability, why did they choose to redirect to adult sites instead of keeping it covert?
@AmitaiCo
Amitai Cohen 🎗️
1 year
Yesterday we published a report on a curious website hijacking campaign we've been monitoring since last October. Our investigation turned up ~10K hacked websites, a few loose ends, and IOCs and samples to check for signs of infection and research further.
0
10
25
0
1
18
@sagitz_
sagitz
2 years
A detailed blog post regarding the supply-chain vulnerability we discovered in IBM Cloud Databases for PostgreSQL. Don’t miss it!🔥 #cloud #security #HellsKeychain
@ronenshh
Ronen
2 years
Excited to share #HellsKeychain, a supply-chain attack affecting IBM Cloud Databases for PostgreSQL. Read about how we chained multiple vulnerabilities in IBM Cloud's environment to intervene in their internal image-building process
3
10
59
0
2
17
@sagitz_
sagitz
2 years
Incredible to see how quickly Azure adapted their threat model to address cloud vulnerabilities, particularly cross-tenant vulnerabilities. Our research is making a real impact! 😊
@markrussinovich
Mark Russinovich
2 years
The first of a blog series on how we approach Azure cloud service security: "Microsoft Azure's defense in depth approach to cloud vulnerabilities"
3
79
228
1
2
17
@sagitz_
sagitz
1 year
This CTF is a great intro to IAM misconfigurations in particular and cloud security in general. Challenge #6 is my favorite🤭 Try it yourself ➡️
@nirohfeld
Nir Ohfeld
1 year
Think you are an AWS IAM expert? 🤖 Put on your attacker hat and play our new CTF: The Big IAM Challenge! 🎉
1
20
88
0
1
16
@sagitz_
sagitz
2 years
This is the regex that we found in pg_ident.conf that our CN must match to successfully authenticate. Can you spot the bug? The regex ends with a wildcard! will match regex and therefore will let us authenticate! (9/n)
1
6
16
@sagitz_
sagitz
3 months
We will be talking about this issue (and other AI vulnerabilities we discovered) in our upcoming @BlackHatEvents session - make sure to check it out!
1
0
16
@sagitz_
sagitz
3 years
@nirohfeld @wiz_io The email we received from Microsoft
1
2
15
@sagitz_
sagitz
2 years
At DEFCON playing an infosec card game. Hit me up if you want to play :)
0
1
14
@sagitz_
sagitz
3 years
I have seen the exploit and it is beautiful 😍
@nirohfeld
Nir Ohfeld
3 years
Love working with @msftsecresponse. Another critical Azure vulnerability. This time an RCE 🤩 #BugBounty #Azure @wiz_io
14
46
318
0
0
13
@sagitz_
sagitz
3 months
Interested in the technical details of this research? Check out our blog in which we detail the issues we found and how they can be mitigated 🔗 ⬇️
1
1
12
@sagitz_
sagitz
3 months
We used rshijack to inject a raw TCP packet into the existing (already-authenticated) TCP connection. It worked!😎 We used this to gather information about the Redis instance and we learned that it stores the prompts and results of other Replicate's customers! 🤯
2
0
10
@sagitz_
sagitz
2 years
Absolutely brilliant blog post by @chompie1337
@chompie1337
chompie
2 years
Thrilled to share my new blog post: Put an io_uring on it: Exploiting the Linux kernel. Follow me while I learn a new kernel subsystem + its attack surface, find an 0day, build an exploit, + come up with some new tricks. I go deep and demystify the process
47
637
2K
1
0
11
@sagitz_
sagitz
2 years
Hexacon fomo is real 🫠
1
0
11
@sagitz_
sagitz
2 years
And an SQLi. The future looks bright :)
@ProgrammerDude
Arian van Putten
2 years
Copilot writing an authentication page in PHP using MD5. Great
142
224
2K
0
0
11
@sagitz_
sagitz
3 months
We wrapped everything up and reported the issue to Replicate. It was immediately clear how seriously they take security matters. We scheduled a call to discuss possible mitigations for the issue and the full mitigation was deployed the next day 👑
1
0
10
@sagitz_
sagitz
3 months
After playing around with Replicate's AI model format (called Cog), we managed to craft a model that can execute arbitrary shell commands on request. We uploaded it to Replicate and got Remote Code Execution!💥
2
0
10
@sagitz_
sagitz
2 years
At Black Hat Europe 2021, we presented our research of #ChaosDB - a major cross-account issue in Azure Cosmos DB. Here’s the research as a refresher () Following Black Hat, we wondered – could we reproduce a similar issue in other Azure services? (2/n)
1
1
9
@sagitz_
sagitz
3 months
Finally, we injected a Lua script into the centralized Redis that modified the inputs and outputs of another one of our accounts, which proved that we could interfere with other customers' prompts and predictions!
1
0
8
@sagitz_
sagitz
1 year
What if I told you that you could be productive by watching YouTube at work? Can't wait for the next episode!
@wiz_io
Wiz
1 year
🎧 New "Crying Out Cloud" ep! Discover cloud security news with Eden & @AmitaiCo 🌩️ In this episode: Mysterious redirections, fake ads, gaming breaches & DoD leaks 🎮🔓 Watch now: 🍿📺 #cloudsecurity #podcast
0
2
14
1
0
9
@sagitz_
sagitz
7 months
Does anyone have any contact to share with the security folks at @replicate ? 🙏
1
2
9
@sagitz_
sagitz
2 years
This thread is jam-packed with valuable information🔥
@nirohfeld
Nir Ohfeld
2 years
💡 Two key takeaways from this thread: 1. When attacking K8s, target imagePullSecrets for access to container registry credentials. 2. Always scan container images (including layers and metadata files) for secrets. #cybersecurity #k8s #containers #securitytips
1
7
33
0
2
9
@sagitz_
sagitz
2 years
Microsoft fixed this issue in three days. Thanks to Microsoft’s outstanding collaboration with researchers, vulnerabilities like these are responsibly disclosed and fixed instead of being exploited by malicious actors. They even awarded us a $40K #BugBounty (11/n)
1
1
9
@sagitz_
sagitz
9 months
This blows my mind. @xenovacom's work on Transformers.js is truly revolutionary. Utilize AI models directly in your browser, on a commodity CPU, without the requirement of a GPU 🤯
@xenovacom
Xenova
9 months
Distil-Whisper small is finally here! 🔥 Over 10x smaller, 5x faster, and within 3% WER of large-v2. 🤯 Since it's only 166M params, it can even run locally in your browser with 🤗 Transformers.js! Check it out! 👉
9
62
354
0
1
8
@sagitz_
sagitz
3 years
quality content
@gamozolabs
Brandon Falk
3 years
My keynote from SSTIC is now up on YouTube! Enjoy, had a lot of fun animating and editing this!
7
33
145
0
0
8
@sagitz_
sagitz
3 months
We investigated the network and noticed an already-established TCP connection handled by a process in a sidecar container. We used tcpdump to examine the contents of this TCP connection, and realized it was a plaintext Redis protocol.
1
0
7
@sagitz_
sagitz
3 years
Another great find by @nirohfeld. Beautiful and easy-to-exploit vulnerability with CVSS 9.8/10. "...strange 'Enhanced Security' commit was introduced on August 12th 2021 ... Microsoft's official patch (v1.6.8-1) was only released on September 8th 2021" 🤔
@nirohfeld
Nir Ohfeld
3 years
Microsoft just patched 4 vulnerabilities we (@wiz_io) recently reported, including a CVSS 9.8 RCE. These vulnerabilities affect countless machines as the OMI agent is silently installed when enabling many Azure services. #PatchTuesday
5
129
276
0
0
8
@sagitz_
sagitz
2 years
Luckily for us, Azure PostgreSQL Flexible Server does not run stock PostgreSQL. After researching the modifications Azure introduced to the engine, we found a way to elevate our privileges to superuser. This was sufficient for us to invoke a reverse-shell! (5/n)
2
0
7
@sagitz_
sagitz
1 year
@OphirHarpaz :q! ↑ ctrl+a ⌦ ⌦ ⌦ nano ↵
0
0
7
@sagitz_
sagitz
2 years
Chaining these two vulnerabilities together effectively allowed us to gain read access to the PostgreSQL (Flexible) databases of other Azure customers. Just imagine a scenario where a malicious actor exploits this issue to access the databases of Fortune 500 companies. (10/n)
1
0
6
@sagitz_
sagitz
3 months
Having RCE as root within our own container on Replicate's infra, we noticed that we were running inside a K8s cluster hosted on GCP. But our pod was not privileged and we did not have any service account attached, limiting our possibilities for escaping the container 🥲
1
0
5
@sagitz_
sagitz
2 years
Now we were running in a dockerized environment with a recent kernel. No easy docker escape this time. But we did have a couple of interesting network interfaces. More interestingly, we could connect to other hosts in our subnet on port 5432 (PostgreSQL port). (6/n)
1
1
5
@sagitz_
sagitz
3 years
PHP❤️
0
2
5
@sagitz_
sagitz
2 years
@steventseeley Great initiative! 🔥 Recent: Unauthenticated Database Takeover + RCE in Azure Cosmos DB - All time proud: Windows DNS Server RCE (Memory Corruption) - Excited to read everything on this thread🤩
0
0
5
@sagitz_
sagitz
2 years
Our criteria for the research target were the following: 1. Service must be managed and provide customers with a dedicated instance 2. We need to execute arbitrary code, either as a feature or through vulnerability 3. Popular service that contains sensitive data (3/n)
1
0
5
@sagitz_
sagitz
3 months
We tried connecting to this Redis instance, but it required authentication 🧐. However, we already had an authenticated, plaintext, active session within our network namespace. And we had all the network capabilities! What if we inject raw packets into that TCP stream? 👀
1
0
5
@sagitz_
sagitz
2 years
We continued our recon and examined the PostgreSQL configuration files. We found that the replication user of the database is allowed to connect from 10.0.0.0/8. Maybe we can connect to other customers using the replication user? (7/n)
1
0
5
@sagitz_
sagitz
4 years
@chompie1337 Very nice! 🤩
1
0
4
@sagitz_
sagitz
3 years
@chompie1337 Wow, amazing writeup🔥
1
0
4
@sagitz_
sagitz
2 years
@_L4ys You can get specific versions of binaries (for patch-diffing) from
0
0
3
@sagitz_
sagitz
4 years
@sleepya_ @33y0re Incredible job!👏
0
0
3
@sagitz_
sagitz
2 years
@0xdea Another example :)
@sagitz_
sagitz
4 years
CVE-2020-1350: A cool Windows DNS Server vulnerability (2003->2019) we found at @_CPResearch_ and got patched today #PatchTuesday
5
55
128
0
1
3
@sagitz_
sagitz
1 year
@TalBeerySec Found a remote code execution issue, decided not to report because the exploitation scenario is so unlikely it would ultimately be just a waste of dev time.
0
0
3
@sagitz_
sagitz
2 years
What are the username and password for the replication user? Turns out that there are none. To use the replication user, you must authenticate with Client Certificate Authentication. (8/n)
1
0
3
@sagitz_
sagitz
2 years
Azure PostgreSQL Flexible Server fits our criteria perfectly. It is popular, contains sensitive data and offers functionality to execute OS-level commands. But when we attempted to run shell commands, we lacked privileges. (4/n)
1
0
3
@sagitz_
sagitz
8 months
@replicate can you check your DM? 🙏
0
0
2
@sagitz_
sagitz
3 years
@EyalItkin @_CPResearch_ @ynvb It was a pleasure working with you! Good luck on your new adventure :)
1
0
2
@sagitz_
sagitz
2 years
Huge props for that! This is a significant step towards better security for Office Next step: bounties :)
@secbughunter
Tom Gallagher
2 years
Hope everyone enjoys tomorrow's Office symbol release. Thanks to everyone inside of Microsoft for making this happen. It was a bit of work. We look forward to enabling high quality Office research. 😀
9
76
296
0
0
2