I've worked with Pipes (@mp) for the last twenty years. Some people ask "what's Pipes up to?", but my question always is "how is Pipes up to whatever he's up to?"
He wrote a paper answering that question: https://www.distantfield.space/observatory/party-analysts
I always used to tell new pentesters that our job was to bring facts to risk decision making. Do the research, get the hard data, present it clearly, concisely and completely, so the customer has what they need to make their security choices.
His new thing - Distant Field Labs - is basically this but for ... anything tech.
This is legit cool, and if you have a question, a hard question or a big question or an important question that needs Hard (or big?) Data, the https://www.distantfield.space/ crew is who you want.
Posted by metlstorm@infosec.exchange
@mp Pipes Research Power is totally a force multiplier. One of the shells I got once that really stuck with me was for a customer who'd deployed a security product protecting a key (and I mean ... this thing was... important AF) asset, and my hacker spidey sense told me this security product was ... well, like every other security product our industry has sold.
The customer's sysadmin had also been a condescending jerk to me while I was onsite arranging my access and pre-requisites for the assessment we were doing. I really wanted to ... take him down a peg or two. (Spite hacking, it's a helluva drug!)
Of course the guy was obstructive, in the classic "no you can't have admin access to do your job" (I sold and scoped this as a 'white box' assessment because that's how you get good coverage in reasonable time) because "a rEaL hAcKeR doesn't have access". (Yes, this was in the last ten years; this kinda wrongthink is still around in risk management). So I was doubly salty. I'm wailing on this thing blind - in prod, because of course there was no test environment - with all of the constraints that brings. Trying to cause "unusual behaviour" while also not breaking prod, def the best circumstances.
Of course I had googled to see if you could just spin up an instance of this security product in AWS or get an eval version, but, of course, this was not the sort of vendor that does friendly helpful things like that.
I'm a week in, sulking about the office, with nothing much to show for myself. Pipes decides he's sick of my whiny muttering. He digs up an ancient version of this security product, cracks the license check to get it to boot, rummages inside, finds the update mechanism, figures out how it works, and then manages to get enough incremental updates to drag this version forward years in time until it approximates the one I'm targeting.
Then he messages me on IRC with a "dude i built you a test environment. shut the fuck up and start hacking".
He's got me a working, representative test environment in a VM, with a root shell and some test accounts.
A couple days later, I'm preauth-remote-root-code-exec on this thing, and boy oh boy are the cats amongst the pigeons.
This is the power of having the data you need, when you need it. A Pipes-power research team is... it's what you want.
So as not to leave y'all hanging on the story:
I schedule an emergency meeting to escalate this, onsite in person. I gently explain how bad it is. Customer sysadmin guy straight up calls me a liar, and shoves a (locked down, corp windows + internet explorer) laptop in front of me, all "prove it tough guy". Idk if you've ever tried to mentally port your burpsuite PoC made out of seven repeater tabs and a vi full of cryptic cut n paste notes into something you can do on locked down IE while people glare at you. I hadn't even brought my laptop! Getting computer equipment onsite with a customer like this... is a time.
Triumphant, their nerd has bested me in nerd combat. "Besides," he adds, to really put the boot in and belittle me further, "it's behind the F5, even if this so called 'bug' did work, it's IP-whitelisted".
Needless to say, umbrage was my middle name at this point.
I scheduled a follow up meeting the next day, and did the paperwork to bring my dirty hacker laptop in.
I went back to the office, made a beautiful exploit.py that pops proper shell, hooked it up to a CSRF trigger so you could do it via getting HTML in front of anyone who worked there, so as to bypass the F5. Spite-hacking, remember?
The second meeting, CISO of the customer showed up too. I destroy the sysadmin and all his works in final nerd judgement day. The security product, which had been in prod for years, it turns out without having ever been really assessed, is now a major drama.
We get brought in to assess the proposed replacement product (learning!) during the design phase. We ruin that too. Yay security vendors!
Coda; this was not the sort of vendor where we could go report the bug (safely; messenger-shooting is also still a thing) directly. We handed off the bug and exploit and so on to the customer to report thru their proper support channels. I ... uhhh.. I assume it got patched and fixed. I never saw a CVE issued, but again, the sort of vendor where the security update details are prolly behind a support contract wall anyway.
I googled to see just now and it's... joined the Broadcom family.
So, you'll forgive me for not posting the exploit ha ha. Which I legit don't have of course, 'cause... well, that's how research jobs go. You provide the data, clear, concise, complete, and they make their choices. You move on, ever so slightly damaged by the knowledge you've gained, to the next thing.
Posted by metlstorm@infosec.exchange
@metlstorm @mp more epic stories about you two please :)
Posted by singe@chaos.social
@singe @mp
I'm thinking like, Jay & Silent Bob, except that Jay has the beard, and Silent Pipes is the tall one.
20 years of workin' together be like:
Posted by metlstorm@infosec.exchange
@metlstorm @mp nice work both of you.
I've never understood why people trust IT and why admins get emotionally attached to their software.
Posted by lloyd@mastodon.nz
@metlstorm 🔥🔥
Love how finding preauth-remote-root-code-exec on a security product is the easy part 🤣.
Saving this one for next time there's push back on giving pentesters access to a test environment.
Posted by ollytheninja@infosec.exchange
@metlstorm @mp can this be a thing, "RiskyBiz War Stories"?
I'd straight up just enjoy it, but would also be good for the newbies to hear it from the OGs, going through all the same tech and non-tech challenges.
Posted by ConanChiles@infosec.exchange