<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>So much of BJJ is about transitions from one position to another.
For example, when you have one kind of bug class, and you apply a
methodology to transform that into another bug class. For example,
recently I saw a talk during our INFILTRATE dry runs, where
someone (not even hacking a browser or using a scripting language
of any kind!) used a "Write Once" primitive to modify a particular
structure such that it assumed the size was 0xffffffff, which
allowed them to read all of memory, into which they then wrote a
ROP chain and then overwrote a called function pointer to
finalize their exploit.</p>
<p>With an audience at OTHER UNNAMED CONFERENCE you may have to go
into all those steps, but for INFILTRATE you can just say "They
exploited this exactly like a browser exploit" and move on because
we've all done it a thousand times, in Flash, on browsers, on
attack surfaces nobody thinks are attack surfaces, whatever.</p>
<p>The same thing is true for turning arbitrary READ primitives into
RCE. This is an interesting problem set, but it's not "0day" or
even "exploitation" so much as "transition". For example, we
recently released our SPECTRE exploit, which does some really
bizarre stuff to read memory on Linux. But then the question is
"What would you read?" You've already seen so many ways to solve
it - one for every Meltdown/Spectre coder, and they each have
interesting trade-offs. (Hashtag get CANVAS so you can see our
one! :)</p>
<p>And we also released a "If you can read arbitrary files on an IIS
box, how do you get RCE from that?" <a
href="https://vimeo.com/260982761">exploit</a> last week. Again,
what would you read, if you had five minutes on a box?</p>
<p>Also worth a view is this <a
href="https://vimeo.com/261547570">iDRAC 8 exploit</a>. This is
for a product that generally runs on management networks and
receives little attention. Last time I saw it exploited on a
customer network it allowed direct access to their domain
controller, because hacking is all about transitions between
positions, and while defenders are all very excited about their <a
href="https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/">new
graph views</a> and "lateral movement", we all know that nothing
is truly lateral in this massively multidimensional world.</p>
<p>-dave</p>
</body>
</html>