When you report on Russian cybercrime so long that it starts to rub off on you…
What I wanna know is, what are the web stats on the webserver at Oracle that serves the Java 6 JRE, for people who are only now discovering that using the console on the ILOM web interface to press on their Windows during boot requires a Java 6 runtime in IE6....
And if that webserver at Oracle ran windows... welllllp, that'd be computers over and done with.
(which maybe, might just be for the best...)
Did you guys know that tomatoes contain seeds that you can use to make other tomatoes?! This shit is WIIIILD, yo. You can just PIRATE tomatoes!?
I grew this! In my lounge! From a seed!?! I totally would download a tomato.
And I thought COMPUTERS were crazy. :mind_blown:
@mp Pipes Research Power is totally a force multiplier. One of the shells I got once that really stuck with me, was for a customer who'd deployed a security product protecting a key (and I mean ... this thing was... important AF) asset, and my hacker spidey sense told me this security product was ... well, like every other security product our industry has sold.
The customer's sysadmin had also been a condescending jerk to me while I was onsite arranging my access and pre-requisites for the assessment we were doing. I really wanted to ... take him down a peg or two. (Spite hacking, it's a helluva drug!)
Of course the guy was obstructive, in the classic "no you can't have admin access to do your job" (I sold and scoped this as a 'white box' assessment because that's how you get good coverage in reasonable time) because "a rEaL hAcKeR doesn't have access". (Yes, this was in the last ten years; this kinda wrongthink is still around in risk management). So I was doubly salty. I'm wailing on this thing blind - in prod, because of course there was no test environment - with all of the constraints that brings. Trying to cause "unusual behaviour" while also not breaking prod, def the best circumstances.
Of course I had googled to see if you could just spin up an instance of this security product in AWS or get an eval version, but, of course, this was not the sort of vendor that does friendly helpful things like that.
I'm a week in, sulking about the office, with nothing much to show for myself. Pipes decides he's sick of my whiny muttering. He digs up an ancient version of this security product, cracks the license check to get it to boot, rummages inside, finds the update mechanism, figures out how it works, and then manages to get enough incremental updates to drag this version forward years in time until it approximates the one I'm targeting.
Then he messages me on IRC with a "dude i built you a test environment. shut the fuck up and start hacking".
He's got me a working, representative test environment in a VM, with a root shell and some test accounts.
A couple days later, I'm preauth-remote-root-code-exec on this thing, and boy oh boy are the cats amongst the pigeons.
This is the power of having the data you need, when you need it. A Pipes-power research team is... it's what you want.
So as not to leave y'all hanging on the story:
I schedule an emergency meeting to escalate this, onsite in person. I gently explain how bad it is. Customer sysadmin guy straight up calls me a liar, and shoves a (locked down, corp windows + internet explorer) laptop in front of me, all "prove it tough guy". Idk if you've ever tried to mentally port your burpsuite PoC made out of seven repeater tabs and a vi full of cryptic cut n paste notes into something you can do on locked down IE while people glare at you. I hadn't even brought my laptop! Getting computer equipment onsite with a customer like this... is a time.
Triumphant, their nerd has bested me in nerd combat. "Besides," he adds, to really put the boot in and belittle me further, "it's behind the F5, even if this so called 'bug' did work, it's IP-whitelisted".
Needless to say, umbrage was my middle name at this point.
I scheduled a follow up meeting the next day, and did the paperwork to bring my dirty hacker laptop in.
I went back to the office, made a beautiful exploit.py that pops proper shell, hooked it up to a CSRF trigger so you could do it via getting HTML in front of anyone who worked there, so as to bypass the F5. Spite-hacking, remember?
The second meeting, CISO of the customer showed up too. I destroy the sysadmin and all his works in final nerd judgement day. The security product, which had been in prod for years, it turns out without having ever been really assessed, is now a major drama.
We get brought in to assess the proposed replacement product (learning!) during the design phase. We ruin that too. Yay security vendors!
Coda; this was not the sort of vendor where we could go report the bug (safely; messenger-shooting is also still a thing) directly. We handed off the bug and exploit and so on to the customer to report thru their proper support channels. I ... uhhh.. I assume it got patched and fixed. I never saw a CVE issued, but again, the sort of vendor that prolly the security update details are behind a support contract wall anyway.
I googled to see just now and it's... joined the Broadcom family.
So, you'll forgive me for not posting the exploit ha ha. Which I legit don't have of course, cause... well, that's how research jobs go. You provide the data, clear, concise, complete, and they make their choices. You move on, ever so slightly damaged by the knowledge you've gained, to the next thing.
=> Go to metlstorm@infosec.exchange account