[Dailydave] Webex and RCE

dave aitel dave at immunityinc.com
Tue Jan 24 15:27:44 EST 2017


Trainings tend to be about the past. They are more war stories than
distilled wisdom. Like when we teach you how to do a client-side and
then a kernel exploit
<http://infiltratecon.com/training.html#click-here-for-ring0>, that's
because that's the attack path that's been most successful for us in the
past.

But a lot of hacking is less brute force than that - a lot of it is just
knowing where to look, or gaining expertise in some strange lore that
nobody else wants to study. For example, there's a talk at INFILTRATE on
DCOM. DCOM is the devil - a dark mine of legendary horrors. But I know
there are untold bugs in it. Limitless new bug classes. Actual remote
code execution.

After enough hacking you get a nose for where to look, in theory. I
don't know how to quantify this in a way that you can put metrics on it
and maybe write something for a policy blog. But it's institutionalized,
this sense of smell. Groups evolve a consensus on targeting.

I'm annoyed because I didn't ask anyone to look at the Webex plugin for
Chrome and Tavis owned it in fifteen seconds by trusting his nose.
Immunity is a bit resource constrained, is what I tell myself, because
we are the kind of computer that is excellent at rationalization. We
can't hunt every new smell. But how can any company trust Webex again?
Isn't Cisco supposed to have a team on this sort of thing?

I guess my question is: Between this bug, and the issues on their
routers from the EQGRP leak, clearly Cisco has no "nose". What does that
mean for them?

-dave

P.S. Come to our trainings <http://infiltratecon.com/training.html> this
April and hear our war stories and learn from our exploit writers. It's
super fun. :)
