[Dailydave] Transitions

David Aitel dave at immunityinc.com
Mon Mar 26 18:56:31 UTC 2018


So much of BJJ is about transitions from one position to another. For
example, when you have one kind of bugclass, and you apply a methodology
to transform that into another bugclass. For example, recently I saw a
talk during our INFILTRATE dry runs, where someone (not even hacking a
browser or using a scripting language of any kind!) used a "Write Once"
primitive to modify a particular structure such that it assumed the size
was 0xffffffff, which allowed them to read all of memory, which then
they wrote a ROPchain into and then overwrote a called function pointer
to finalize their exploit.

With an audience at OTHER UNNAMED CONFERENCE you may have to go into all
those steps, but for INFILTRATE you can just say "They exploited this
exactly like a browser exploit" and move on because we've all done it a
thousand times, in Flash, on browsers, on attack surfaces nobody thinks
are attack surfaces, whatever.

The same thing is true for turning arbitrary READ primitives into RCE.
This is an interesting problem set, but it's not "0day" or even
"exploitation" so much as "transition". For example, we recently
released our SPECTRE exploit, which does some really bizarre stuff to
read memory on Linux. But then the question is "What would you read?"
You've already seen so many ways to solve it - one for every
meltdown/spectre coder and they each have interesting trade-offs.
(Hashtag get CANVAS so you can see our one! :)

And we also released a "If you can read arbitrary files on an IIS box,
how do you get RCE from that?" exploit <https://vimeo.com/260982761>
last week. Again, what would you read, if you had five minutes on a box?

Also worth a view is this IDRAC 8 exploit. <https://vimeo.com/261547570>
This is for a product that generally runs on management networks and
receives little attention. Last time I saw it exploited on a customer
network it allowed direct access to their domain controller because
hacking is all about transitions between positions and while defenders
are all very excited about their new graph views
<https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/>
and "lateral movement" we all know that nothing is truly lateral in this
massively multidimensional world.

-dave

