Dailydave mailing list archives
Transitions
From: David Aitel <dave () immunityinc com>
Date: Mon, 26 Mar 2018 14:56:31 -0400
So much of BJJ is about transitions from one position to another. For example, when you have one kind of bugclass, and you apply a methodology to transform that into another bugclass. For example, recently I saw a talk during our INFILTRATE dry runs, where someone (not even hacking a browser or using a scripting language of any kind!) used a "Write Once" primitive to modify a particular structure such that it assumed the size was 0xffffffff, which allowed them to read all of memory, which they then wrote a ROP chain into and then overwrote a called function pointer to finalize their exploit. With an audience at OTHER UNNAMED CONFERENCE you may have to go into all those steps, but for INFILTRATE you can just say "They exploited this exactly like a browser exploit" and move on because we've all done it a thousand times, in Flash, on browsers, on attack surfaces nobody thinks are attack surfaces, whatever.

The same thing is true for turning arbitrary READ primitives into RCE. This is an interesting problem set, but it's not "0day" or even "exploitation" so much as "transition". For example, we recently released our SPECTRE exploit, which does some really bizarre stuff to read memory on Linux. But then the question is "What would you read?" You've already seen so many ways to solve it - one for every meltdown/spectre coder and they each have interesting trade-offs. (Hashtag get CANVAS so you can see our one! :) And we also released a "If you can read arbitrary files on an IIS box, how do you get RCE from that?" exploit <https://vimeo.com/260982761> last week. Again, what would you read, if you had five minutes on a box?

Also worth a view is this IDRAC 8 exploit. <https://vimeo.com/261547570> This is for a product that generally runs on management networks and receives little attention. Last time I saw it exploited on a customer network it allowed direct access to their domain controller because hacking is all about transitions between positions and while defenders are all very excited about their new graph views <https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/> and "lateral movement" we all know that nothing is truly lateral in this massively multidimensional world.

-dave
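The first transition Dave describes above (spend a single "write once" on a length field so that a bounds-checked reader becomes an arbitrary read) as an added example. This is not code from the post, from the INFILTRATE talk, or from any Immunity exploit: the `bytebuf` container, the `write_once()` primitive, the `demo_mem` layout and the "secret" string are all constructed here to make the mechanism runnable offline. Only the write-once-to-arbitrary-read step is shown; the later ROP chain and function-pointer overwrite from the talk need a write primitive and are not modelled. One assumption worth noting: the length field is 32 bits, so on a 64-bit host the corrupted reader only reaches the 4 GiB above the buffer's base pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked byte container (constructed for this example). */
struct bytebuf {
    uint8_t *data;
    uint32_t len;   /* the only thing buf_read() trusts */
};

/* Checked reader: off is validated against len, nothing else. */
int buf_read(const struct bytebuf *b, uint32_t off, uint8_t *out)
{
    if (off >= b->len)
        return -1;
    *out = b->data[off];
    return 0;
}

/* Simulated "write once" primitive: the bug lets an attacker store one 32-bit
 * value at one chosen address, and never again. */
static int write_once_used;
int write_once(void *addr, uint32_t value)
{
    if (write_once_used)
        return -1;
    write_once_used = 1;
    memcpy(addr, &value, sizeof value);
    return 0;
}

/* The transition: aim the single write at the length field. Every later
 * buf_read() now accepts any 32-bit offset. */
int corrupt_len(struct bytebuf *b)
{
    return write_once(&b->len, 0xffffffffu);
}

/* Read one byte at an absolute address by expressing it as an offset from
 * b->data. Reach is limited to data .. data + 0xffffffff. */
int read_anywhere(const struct bytebuf *b, const void *target, uint8_t *out)
{
    uintptr_t base = (uintptr_t)b->data, t = (uintptr_t)target;
    if (t < base || t - base > 0xffffffffu)
        return -1;                      /* outside the primitive's reach */
    return buf_read(b, (uint32_t)(t - base), out);
}

/* One allocation so the "secret" is guaranteed to sit right after the buffer
 * (constructed layout; in a real target you would locate it via the read). */
struct demo_mem {
    uint8_t buf[16];
    char secret[32];
};

/* Worked run: returns 0 and copies the leaked secret into `leaked`.
 * Negative return codes mark which step failed. */
int run_demo(char *leaked, size_t leaked_sz)
{
    struct demo_mem mem;
    struct bytebuf b = { mem.buf, sizeof mem.buf };
    uint8_t byte;
    size_t i;

    memset(&mem, 0, sizeof mem);
    strcpy(mem.secret, "cookie=0x5ecr3t");   /* constructed sample data */
    write_once_used = 0;

    /* Step 0: with len == 16 the bounds check holds; the secret is unreachable. */
    if (read_anywhere(&b, mem.secret, &byte) != -1)
        return -1;

    /* Step 1: the one write goes to b.len. */
    if (corrupt_len(&b) != 0)
        return -2;

    /* Step 2: the unchanged reader now leaks the secret byte by byte. */
    for (i = 0; i + 1 < leaked_sz; i++) {
        if (read_anywhere(&b, mem.secret + i, &byte) != 0)
            return -3;
        leaked[i] = (char)byte;
        if (byte == 0)
            break;
    }
    leaked[i] = '\0';
    return 0;
}

int main(void)
{
    char out[64];
    if (run_demo(out, sizeof out) == 0)
        printf("leaked through the corrupted length field: %s\n", out);
    return 0;
}
```

The point of the exercise is the one Dave makes: the interesting work is not the bug (a single constrained write) but choosing the target that converts it into the next primitive. Defensively, that is also why a length field that gates reads is as sensitive as the pointer it guards, and why hardened allocators and object layouts try to keep such fields out of reach of adjacent corruption.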