Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

cheese-cube posted:

If I was Red Team and wanted to try and elevate privilege the first thing I would look for is a Scheduled Task configured to run a PowerShell script in the context of a privileged service account. Then I would see if I can edit the script referenced by the task. I'd reckon that 9/10 times the NTFS permissions on the .ps1 file would allow an unprivileged user to edit it. Depending on how privileged the service account is you can cause some serious havoc.

If you're running PS scripts via Scheduled Tasks, either set up signing and/or lock down NTFS permissions on the script files themselves.

Also deploying WMF 5.0 to your fleet is beneficial as you can then enable auditing for PowerShell on endpoints. Not exactly a security feature but does provide a good source for monitoring.

Edit: whilst I'm here I want to say that disabling Windows Firewall on servers is the dumbest loving thing ever unless you have reason to do so (Performance usually the thing).

To add to this: most software installation programs I've seen don't touch the permissions of their files. They just inherit whatever permissions are on the containing folder. If that folder isn't in Program Files, which many installers do to avoid spaces in the path, there are going to be problems, since permissions are very lenient on the drive itself. Real users can do just about anything to said files.

If an installer takes the slightly more sane route of putting stuff in ProgramData, the users shouldn't be able to edit scripts. But they can add whatever files they want into the folder, including programs and DLLs. If the script calls programs without specifying the full path, and the task has set its working directory to the script's directory, then anybody can put a program with the same name as the command into the directory, and the script will run that program instead of the command it was trying to run.
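As an added example (not code from this thread or from any product it mentions), here is a Python triage script that applies the advice above to one scheduled task: it reads the task's exported XML, pulls out the principal, the .ps1 path and the working directory, and then checks icacls listings of the script and of its folder for write access held by anyone other than SYSTEM, Administrators or TrustedInstaller. The task XML and the icacls output below are constructed samples; on a real host they would come from `schtasks /query /xml /tn <task>` and `icacls <path>`, and the account names, folder names and paths are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace Task Scheduler writes into exported task XML (real value).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Principals expected to hold write access on files a privileged task runs.
TRUSTED_WRITERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                   "NT SERVICE\\TrustedInstaller"}
# icacls right codes that let a principal change, replace or add files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO", "DC"}

def parse_task_xml(xml_text):
    """Extract the principal and the first <Exec> action from a task export."""
    root = ET.fromstring(xml_text)
    principal = root.find("t:Principals/t:Principal", TASK_NS)
    action = root.find("t:Actions/t:Exec", TASK_NS)

    def text(node, tag):
        child = node.find("t:" + tag, TASK_NS) if node is not None else None
        return child.text.strip() if child is not None and child.text else ""

    args = text(action, "Arguments")
    m = re.search(r'"([^"]+\.ps1)"|(\S+\.ps1)', args, re.IGNORECASE)
    return {"user": text(principal, "UserId"),
            "run_level": text(principal, "RunLevel"),
            "arguments": args,
            "script": (m.group(1) or m.group(2)) if m else "",
            "workdir": text(action, "WorkingDirectory")}

def parse_icacls(output, path):
    """Turn `icacls <path>` output into (identity, set of right codes) pairs."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):           # first line repeats the path
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue                         # blank line or summary line
        codes = {c for group in re.findall(r"\(([^)]*)\)", m.group(2))
                 for c in group.split(",") if c}
        aces.append((m.group(1), codes))
    return aces

def untrusted_writers(aces):
    """Identities outside TRUSTED_WRITERS holding any write-capable right."""
    return sorted(ident for ident, codes in aces
                  if ident not in TRUSTED_WRITERS and codes & WRITE_RIGHTS)

def triage(task_xml, script_acl, workdir_acl):
    """Findings a reviewer would raise for one task: does it run privileged,
    is signing enforcement switched off, and who else can write the script
    or drop files into its working directory."""
    task = parse_task_xml(task_xml)
    privileged = (task["user"].upper() in {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "SYSTEM"}
                  or task["run_level"] == "HighestAvailable")
    # -ExecutionPolicy Bypass/Unrestricted means a signed-script policy is not enforced.
    bypass = re.search(r"-ExecutionPolicy\s+(Bypass|Unrestricted)", task["arguments"], re.I)
    return {"task": task,
            "privileged": privileged,
            "signing_bypassed": bypass is not None,
            "script_writers": untrusted_writers(parse_icacls(script_acl, task["script"])),
            "workdir_writers": untrusted_writers(parse_icacls(workdir_acl, task["workdir"]))}

# Constructed samples (no real host): a backup task installed outside Program Files.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>CORP\svc_backup</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File "C:\Tools\Backup\nightly.ps1"</Arguments>
      <WorkingDirectory>C:\Tools\Backup</WorkingDirectory>
    </Exec>
  </Actions>
</Task>"""

# The folder inherited the drive root's ACL, so Authenticated Users got Modify.
SAMPLE_SCRIPT_ACL = r"""C:\Tools\Backup\nightly.ps1 NT AUTHORITY\Authenticated Users:(I)(M)
                            NT AUTHORITY\SYSTEM:(I)(F)
                            BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""

SAMPLE_WORKDIR_ACL = r"""C:\Tools\Backup NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""

# The same script after the ACL is locked down as recommended above.
HARDENED_SCRIPT_ACL = r"""C:\Tools\Backup\nightly.ps1 NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            NT AUTHORITY\Authenticated Users:(RX)

Successfully processed 1 files; Failed processing 0 files"""
```

Running `triage(SAMPLE_TASK_XML, SAMPLE_SCRIPT_ACL, SAMPLE_WORKDIR_ACL)` reports the task as privileged, with signing bypassed and Authenticated Users able to write both the script and its folder; the same check against `HARDENED_SCRIPT_ACL` comes back with no untrusted writers. The folder check matters as much as the script check because of the drop-in hijack described above.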


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
So the discussion about TeamViewer came up elsewhere and I am curious what your thoughts on it.

It's the only application I've ever asked for to be blocked by our application firewall due to its way of breaking access control systems.

CLAM DOWN
Feb 13, 2007




OSI bean dip posted:

So the discussion about TeamViewer came up elsewhere and I am curious what your thoughts on it.

It's the only application I've ever asked for to be blocked by our application firewall due to its way of breaking access control systems.

Teamviewer is terrible, we block it and everything like it. People should use SSH and tunnel poo poo over that if needed, or RDP with proper certificates (through an RDG if possible).

CLAM DOWN
Feb 13, 2007




Doublepost but idgaf, this is a good one:

https://isc.sans.edu/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+%280+Day+Exploit%29/22029 (vuln analysis)
https://github.com/lgandx/PoC/blob/master/SMBv3%20Tree%20Connect/Win10.py (PoC)
http://www.kb.cert.org/vuls/id/867968
https://isc.sans.edu/diaryimages/smbexploit.pcap (sample pcap, look at the bytes on packet 27)

quote:

Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)

A "Proof of Concept" (PoC) Exploit causing a blue screen of death on recent Windows version was released on Github earlier today. The exploit implements an SMBv3 server, and clients connecting to it will be affected. An attacker would have to trick the client to connect to this server. It isn't clear if this is exploitable beyond a denial of service. To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers.

Right now, I do not see a Microsoft statement regarding this exploit and the vulnerability triggered by it. Of course, it is best practice to block port 445 inbound AND outbound on your firewall, limiting the impact somewhat.

quote:

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.

Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction.

Exploit code for this vulnerability is publicly available.

:allears:
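An added example, not from the thread or from the linked PoC, showing the defender's side of the advisory above: a small Python check that a network sensor or a pcap script could apply to each SMB2 TREE_CONNECT Response coming back from a server. It verifies that the NetBIOS transport length matches the bytes actually received and that nothing follows the fixed 16-byte response structure. The header and response layouts are the ones in the published SMB2 specification; the test frames are constructed here for the check and are not a reproduction of the PoC.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on every response
TREE_CONNECT_RESPONSE_LEN = 16               # StructureSize of the fixed response

def parse_smb2_header(msg):
    """Decode the fields of the 64-byte SMB2 header that the check needs."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (structure_size, _credit_charge, status, command, _credits,
     flags, next_command, message_id) = struct.unpack_from("<HHIHHIIQ", msg, 4)
    return {"structure_size": structure_size, "status": status, "command": command,
            "flags": flags, "next_command": next_command, "message_id": message_id}

def check_tree_connect_response(frame):
    """Inspect one direct-TCP SMB2 frame (4-byte NetBIOS length + message)
    sent by a server. Returns a list of findings; an empty list means the
    frame is a well-formed, uncompounded TREE_CONNECT response or some
    other command that this check does not look at."""
    findings = []
    if len(frame) < 4 + SMB2_HEADER_LEN:
        return ["frame shorter than transport header plus SMB2 header"]
    declared = int.from_bytes(frame[:4], "big") & 0x00FFFFFF   # low 24 bits
    msg = frame[4:]
    if declared != len(msg):
        findings.append(f"transport length {declared} != received {len(msg)}")
    hdr = parse_smb2_header(msg)
    if hdr["command"] != SMB2_TREE_CONNECT or not hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR:
        return findings
    if hdr["next_command"]:          # compounded responses are out of scope here
        findings.append("compounded response; not checked")
        return findings
    body = msg[SMB2_HEADER_LEN:]
    if len(body) < TREE_CONNECT_RESPONSE_LEN:
        findings.append(f"body {len(body)} bytes, shorter than the response structure")
        return findings
    structure_size = struct.unpack_from("<H", body, 0)[0]
    if structure_size != TREE_CONNECT_RESPONSE_LEN:
        findings.append(f"StructureSize {structure_size} != {TREE_CONNECT_RESPONSE_LEN}")
    extra = len(body) - TREE_CONNECT_RESPONSE_LEN
    if extra:
        findings.append(f"{extra} unexpected bytes after the TREE_CONNECT response")
    return findings

def build_tree_connect_response(extra=b"", declared_len=None):
    """Constructed test vector (not the PoC): a minimal TREE_CONNECT response,
    optionally with trailing bytes and/or a wrong transport length."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        SMB2_HEADER_LEN, 1, 0, SMB2_TREE_CONNECT, 1,   # StructureSize, CreditCharge, Status, Command, Credits
        SMB2_FLAGS_SERVER_TO_REDIR, 0,                 # Flags, NextCommand = 0 (not compounded)
        3,                                             # MessageId
        0, 1,                                          # Reserved, TreeId
        0x1234,                                        # SessionId
    ) + b"\x00" * 16                                   # Signature
    body = struct.pack("<HBBIII", TREE_CONNECT_RESPONSE_LEN,
                       0x01, 0,                        # ShareType DISK, Reserved
                       0, 0, 0x001F01FF)               # ShareFlags, Capabilities, MaximalAccess
    msg = header + body + extra
    length = len(msg) if declared_len is None else declared_len
    return length.to_bytes(4, "big") + msg
```

A clean 80-byte frame produces no findings; a frame padded with 32 trailing bytes, or one whose transport length does not match what arrived, is reported. Either condition is worth an alert on its own, since a well-behaved server has no reason to send either.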

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
5/10 until someone figures out code execution using it

Klyith
Aug 3, 2007

GBS Pledge Week
https://twitter.com/le_keksec/status/826474519795732482



quote:

HTTP server that listens to 0.0.0.0 with an undocumented API that...isn't very well coded.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

This is how the YOSPOS thread got its current name.

manchego
Feb 16, 2007

MEANWHILE,
sadbrains/venting:

- Graduated college with a technical writing degree and worked as a front-end developer in ~*Silicon Valley*~ for a few years. I have not coded since 2008 and I am not an engineer.
- Joined the army after contract work in California dried up. My job didn't really entail any computer work as it relates to infosec.
- My last year in the army I got a job managing my unit's intelligence shop and parlayed that into leaving the army with a nice clearance. One of my nominal responsibilities was physical, personnel and information security. I even managed to weasel into an anti terrorism course which was mainly valuable in cementing risk-mitigation approaches and physical security stuff. I thought, "I like computers and I have a clearance and I can go learn stuff to become more proficient in sysadmin/developer type stuff"
- Now in a MS in "Cyber Security" program that I'm paying for via the GI bill. It's good to OK.
- Got a job as a cyber security consultant for the navy and just hit my first year anniversary.
- I graduate in summer of 2018 with a MS and a CISSP (program uses the CISSP as a capstone). In the interim I'm thinking about getting at least a Sec+ because it ticks a necessary box for DoD jobs.

Ostensibly, I was hired to help the navy transition to NIST's Risk Management Framework and push paperwork to authorize control system installation. My consulting job has been a big disappointment because I really don't do anything and my particular department shuffled its major leadership and has been pretty rudderless. My masters program is OK, I've been learning stuff that I think is important that I didn't know anything about (setting up VMs for pen testing, how to talk to the biz side about infosec and why it's important) and I participated in a forensics challenge down in DC which was good exposure to tools like Wireshark and Kali.

I feel like a big fraud because I don't do much at work, everything moves at a snail's pace. Though I'm learning stuff at school my attitude is pretty "meh" and I'm worried because I still don't have what I think is functional knowledge regarding stuff like networking or software development. I do a decent job of bullshitting my way through most days and I'm pretty sure I could stay at my consulting job for at least a couple of years without incident, but I hate going to work.

How the hell do I decide what the next step should be? With a year behind me at work, I can put a "cyber security" job on my resume now, which I think is important. In a year I'll have a master's, a CISSP and at least a Sec+ and will have hopefully connected with something (either through work or school) that gets me excited.

I liked the project manager capacity role I played in the army and have the "soft" skills to do something like that pretty easily. However (and this was my same fear in the military) I don't want to be in a PM position and not know what the gently caress I'm talking about.

ohgodwhat
Aug 6, 2005

"I feel like a big fraud because I don't do much at work, everything moves at a snail's pace."

Hey, I can't help you with much else, but perhaps look up imposter's syndrome and see if it resonates with you. Many people feel this way, but we can't all be frauds. Considering how chock full infosec is with actual charlatans, you're probably better than most...

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
It helped me tremendously to learn that everything is garbage everywhere, it's just generally a matter of degrees. No matter where you go. Just because things are moving slowly doesn't mean that the problem is you.

manchego posted:

I don't want to be in a PM position and not know what the gently caress I'm talking about.

PMs are supposed to lean on their SMEs to tell them what the gently caress is going on, don't think for a moment that this should hold you back if being a PM is your jam.

Volmarias fucked around with this message at 02:53 on Feb 17, 2017

FreelanceSocialist
Nov 19, 2002
Don't sweat it - if you have any level of interest in the things you're doing and maybe once a week Google something work-related while at home at night or spend five minutes watching some Pluralsight video, you're already ahead of most of the field. I can tell you from personal experience that several of the Fortune 500 tech giants - the companies we all think have their poo poo together - are really just collections of dumpster fires. The only reason poo poo doesn't burn down constantly is that the heavy contracts are with governments (which are just larger, slower-burning dumpster fires... like that coal town in Pennsylvania that's been burning for 50 years) and the high-visibility projects are kept under control by numerous contractors that these giants have MSAs/SLAs with.

I feel like a fraud all the time (and I totally think I am because I just had to google a basic SCOM thing), but then I sit in on a conference call with a stock-optioned seven-figure CTO/CIO who doesn't know what cryptolocker is or thinks that storing :siren: eight million :siren: PDFs as blobs in a database is a neat idea...

some kinda jackal
Feb 25, 2003

 
 
You can always look at the risk/assurance side of the house rather than the actual nuts and bolts implementation or BAU infosec. I'm kind of pivoting my career to crosstrain in aspects of this because I'm not sure I want to jump in headfirst (I'm fairly happy with the governance and implementation side right now) but it seems like a really stable offshoot.

That's assuming that most companies separate the risk/assurance aspects away from the governance/implementation teams, which I've found to be the case at least in the financial sector I've been exposed to. Can't say whether that's true everywhere.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I think it's often the case that risk/assurance Infosec reports into a Risk or Compliance function, and general system integrity rolls up to CIO or head of IT. You want to be with whoever has budget for professional development and buying tools.

some kinda jackal
Feb 25, 2003

 
 

Subjunctive posted:

general system integrity rolls up to CIO or head of IT.

IMHO this seems like a disaster waiting to happen if you don't have a head of IT with the right mindset.

We were lucky enough to report directly to our CRO, same as the r/a side of the house. It really helps when we need someone to champion an issue or light a fire.

manchego
Feb 16, 2007

MEANWHILE,
Thanks for all the replies. Made me feel better and I'm going to mull over the stuff you guys said about project management and figuring out next steps.

Potato Salad
Oct 23, 2014

nobody cares


Infosec needs to have a separate authority chain so they can't just be squished in the name of cost savings by a single man.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
Looks like some cute fireworks blowing up around the BetterDiscord community. Haven't read into anything that's going on, my twitter feed is just getting a few people throwing red flags around.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

ChubbyThePhat posted:

Looks like some cute fireworks blowing up around the BetterDiscord community. Haven't read into anything that's going on, my twitter feed is just getting a few people throwing red flags around.

Share these tweets?

CLAM DOWN
Feb 13, 2007




Lol but discord is the promised land

Sickening
Jul 16, 2007

Black summer was the best summer.

ChubbyThePhat posted:

Looks like some cute fireworks blowing up around the BetterDiscord community. Haven't read into anything that's going on, my twitter feed is just getting a few people throwing red flags around.

Why would you post this but not post the content?

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
Not super deep digging, but there may just be no issue. BetterDiscord seems fine; people appear to be the problem (shocker). They're throwing a hissy fit about a 3rd party plugin that was stealing auth tokens and BetterDiscord is taking all the blame. I am the dumb for not spending a minute of my time to read into that before posting "oh hey this could be fun".

This was the image that started the whole bush fire:

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo
Story for an app I use with weird authentication.

I got into making retropies for friends. The problem is that when you import a game, there is no metadata for it. There is a built-in meta scanner but it is slow and has real problems with correctly identifying game titles.

I looked around and found this site with their own videogame DB and a standalone client that accesses the DB quickly and with more accuracy.

How it works is that you make a forum account and authenticate with that account through the application; that tells you how many "threads" you are allowed to use. Everyone starts with 1 but if you donate to support the database, you get more threads. Threads are how many download streams you can open to the DB.

Within the application options there is a button to press that, I assumed, talks to the API to query how many threads you are allowed. There are some apps, web and thick client, where the client is sent a message of some kind which the app converts to know what permissions you are allowed. A thing you can do with Burp Suite is to auto-replace response text, which I've used to give me more access than is allowed (this is why I believe smartphone apps are the wild frontier of new findings, as many people are already finding out. Badly done APIs lead to severe damage). What I was looking for in the response was some type of data element (XML, JSON, etc.) that referred to my current allowed thread count (1) and replace it with another number (2+) and see if the application would change permissions without me having to break out IDA.

With Burp you can capture thick client app traffic (where you can't adjust the proxy setting, like this app) by finding out what domains the app talks to and then changing your hosts file to send all of that domain's traffic to Burp's proxy. You still need to know which specific domains, so use Wireshark to look at the communication while using the app and identify your app's traffic.

I had not run this application since Christmas, so a new version had been released and it asked me if I wanted to update. One of the notes said it fixed a "small security issue". Well... now I don't want to update.

Looking at the communication going out, I saw I was sending out an HTTPS request with my username and pass to the API call whenever I told the app to get my current thread count. I would not put the creds in the GET params, but it's a throwaway email.

What I saw was a second set of creds, though, that weren't mine; they were the developer's. The username was the same as the forum user that made it, and what was even better was that the password was a timestamp of the release date of the client with two random alphanumeric characters at the end. Which means I could predict his password in the future by just looking up the last release date of the client and guess it in 32*32 attempts.

I upgraded my client and that call is now gone but I hope that is somewhat instructive of how to start testing thick web clients with Burp.

EVIL Gibson fucked around with this message at 03:36 on Feb 22, 2017
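An added example (not the poster's tooling and not the app's code) from the defender's side of this story: a Python scan over intercepting-proxy history lines that flags credentials carried in query strings and, as in the post, a second set of credentials riding along in the same request. The three history lines are constructed, and the hostname and parameter names are assumed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that normally carry an identity or a secret.
CREDENTIAL_NAME = re.compile(r"user|login|email|pass|pwd|token|api[_-]?key|secret", re.I)
SECRET_NAME = re.compile(r"pass|pwd|token|key|secret", re.I)

# Constructed proxy-history lines in "METHOD URL VERSION" form; the host and
# the parameter values are made up for this example.
SAMPLE_HISTORY = [
    "GET https://gamedb.example/api/threads?username=retro_fan&password=Hunter2"
    "&devuser=toolauthor&devpass=20170222xq HTTP/1.1",
    "GET https://gamedb.example/api/game?id=1234&platform=snes HTTP/1.1",
    "POST https://gamedb.example/api/login HTTP/1.1",
]

def credential_params(url):
    """Query parameters in `url` whose names look like credentials."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if CREDENTIAL_NAME.search(k)]

def scan_history(lines):
    """One finding per request that puts credentials in the URL. Query strings
    end up in server logs, proxies and browser history, so even over HTTPS
    this is a leak; two or more secrets in one request is the "whose password
    is this?" case from the post."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        method, url = parts[0], parts[1]
        creds = credential_params(url)
        if not creds:
            continue
        secrets = [k for k, _ in creds if SECRET_NAME.search(k)]
        findings.append({
            "line": lineno,
            "method": method,
            "path": urlsplit(url).path,
            "params": [k for k, _ in creds],
            "secret_count": len(secrets),
            "multiple_credential_sets": len(secrets) > 1,
        })
    return findings

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

On the sample history only the thread-count request is reported, with four credential-looking parameters and two secrets, which is exactly the "second set of creds that weren't mine" pattern. The same scan works on a Burp HTTP history export or a web server's access log once the lines are reduced to method and URL.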

Doug
Feb 27, 2006

This station is
non-operational.

EVIL Gibson posted:

Story for an app I use with weird authentication.

I got into making retropies for friends. The problem is that when you import a game, there is no metadata for it. There is a built-in meta scanner but it is slow and has real problems with correctly identifying game titles.

I looked around and found this site with their own videogame DB and a standalone client that accesses the DB quickly and with more accuracy.

How it works is that you make a forum account and authenticate with that account through the application; that tells you how many "threads" you are allowed to use. Everyone starts with 1 but if you donate to support the database, you get more threads. Threads are how many download streams you can open to the DB.

Within the application options there is a button to press that, I assumed, talks to the API to query how many threads you are allowed. There are some apps, web and thick client, where the client is sent a message of some kind which the app converts to know what permissions you are allowed. A thing you can do with Burp Suite is to auto-replace response text, which I've used to give me more access than is allowed (this is why I believe smartphone apps are the wild frontier of new findings, as many people are already finding out. Badly done APIs lead to severe damage). What I was looking for in the response was some type of data element (XML, JSON, etc.) that referred to my current allowed thread count (1) and replace it with another number (2+) and see if the application would change permissions without me having to break out IDA.

With Burp you can capture thick client app traffic (where you can't adjust the proxy setting, like this app) by finding out what domains the app talks to and then changing your hosts file to send all of that domain's traffic to Burp's proxy. You still need to know which specific domains, so use Wireshark to look at the communication while using the app and identify your app's traffic.

I had not run this application since Christmas, so a new version had been released and it asked me if I wanted to update. One of the notes said it fixed a "small security issue". Well... now I don't want to update.

Looking at the communication going out, I saw I was sending out an HTTPS request with my username and pass to the API call whenever I told the app to get my current thread count. I would not put the creds in the GET params, but it's a throwaway email.

What I saw was a second set of creds, though, that weren't mine; they were the developer's. The username was the same as the forum user that made it, and what was even better was that the password was a timestamp of the release date of the client with two random alphanumeric characters at the end. Which means I could predict his password in the future by just looking up the last release date of the client and guess it in 32*32 attempts.

I upgraded my client and that call is now gone but I hope that is somewhat instructive of how to start testing thick web clients with Burp.

Good post. You should really work it up into a blog post, I think there are probably a lot of people that would get value out of it.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Doug posted:

Good post. You should really work it up into a blog post, I think there are probably a lot of people that would get value out of it.

Agree with that. Also excellent story.

Hughlander
May 11, 2005

EVIL Gibson posted:

What I saw was a second set of creds, though, that weren't mine; they were the developer's. The username was the same as the forum user that made it, and what was even better was that the password was a timestamp of the release date of the client with two random alphanumeric characters at the end. Which means I could predict his password in the future by just looking up the last release date of the client and guess it in 32*32 attempts.

I upgraded my client and that call is now gone but I hope that is somewhat instructive of how to start testing thick web clients with Burp.

Bets that the alphanumeric chars are a variation of 'A'+MAJORVERSION, 'A'+MINORVERSION?

sarehu
Apr 20, 2007

(call/cc call/cc)
Don't roll your crypto and don't use Cloudflare either.

Internet Explorer
Jun 1, 2005





Cloudflare? Why not?

sarehu
Apr 20, 2007

(call/cc call/cc)

Internet Explorer posted:

Cloudflare? Why not?

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Proteus Jones
Feb 28, 2013




Best part:

quote:

Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt.

https://hackerone.com/cloudflare

Needless to say, this did not convey to me that they take the program seriously.

https://twitter.com/jcs/status/834922772606308352?ref_src=twsrc%5Etfw

Internet Explorer
Jun 1, 2005






Oof. Thanks.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate



That's not all. You also get some free use out of their security exploit-riddled service.

Furism
Feb 21, 2006

Live long and headbang

I don't understand. Where do the datasets come from? What did they fuzz?

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Furism posted:

I don't understand. Where do the datasets come from? What did they fuzz?

Google operates a search engine that crawls an enormous number of publicly-available documents. Corpus distillation is essentially a way of taking all those documents and narrowing them down to a useful subset to use as a starting point for fuzzing a particular implementation. No idea what Tavis was looking to fuzz this time, but there's a blog post about a previous time that they've used the technique for fuzzing Flash Player.

Finding this particular issue seems (at least to me) like fortunate happenstance - Tavis just happened to notice that something was a bit wonky with the documents he was seeing, and decided to dig a bit deeper.
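An added illustration (written for this thread, not Project Zero's tooling) of the corpus distillation step Jabor describes: start from a pile of crawled documents and keep only the subset that still covers every distinct feature seen anywhere in the pile. This toy version uses byte trigrams as the coverage signal where a real harness would use the target parser's branch coverage; the selection is the usual greedy set-cover heuristic. The five documents are constructed.

```python
def features(doc):
    """Coverage signal for one document: the set of byte trigrams it contains.
    A real harness would substitute the target's branch coverage here."""
    data = doc.encode() if isinstance(doc, str) else doc
    return {data[i:i + 3] for i in range(len(data) - 2)}

def distill(corpus):
    """Greedy set cover: repeatedly keep the document that adds the most
    not-yet-covered features (the smaller document wins ties) until every
    feature seen anywhere in the corpus is covered. Returns the kept names."""
    feats = {name: features(doc) for name, doc in corpus.items()}
    universe = set().union(*feats.values()) if feats else set()
    covered, chosen = set(), []
    while covered != universe:
        name = max(feats, key=lambda n: (len(feats[n] - covered), -len(corpus[n])))
        gain = feats[name] - covered
        if not gain:            # nothing left to add; cannot happen, but stay safe
            break
        chosen.append(name)
        covered |= gain
    return chosen

def coverage(corpus, names):
    """Fraction of the whole corpus's features that `names` alone still cover."""
    universe = set().union(*(features(d) for d in corpus.values())) if corpus else set()
    got = set().union(*(features(corpus[n]) for n in names)) if names else set()
    return len(got) / len(universe) if universe else 1.0

# Constructed crawl sample: b.html duplicates a.html and d.html is a fragment of it,
# so a distilled corpus should drop both without losing any coverage.
SAMPLE_CORPUS = {
    "a.html": "<html><body><p>hello</p></body></html>",
    "b.html": "<html><body><p>hello</p></body></html>",
    "c.html": "<html><body><script>var x = 1;</script></body></html>",
    "d.html": "<p>hello</p>",
    "e.html": "<html><body><img src='x.png' alt=\"pic\"></body></html>",
}

if __name__ == "__main__":
    kept = distill(SAMPLE_CORPUS)
    print(kept, coverage(SAMPLE_CORPUS, kept))
```

On the sample the distilled set is a.html, c.html and e.html: three files that cover 100% of the trigrams the five-file crawl contained. The greedy pass is where Tavis would have been reading through documents, which is the point at which an unexpected byte pattern in a page stands out.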

eames
May 9, 2009

This is madness.
4,287,625 possibly affected domains in total as of right now.

here's a list of noteworthy sites, including iOS apps:

https://github.com/pirate/sites-using-cloudflare

Furism
Feb 21, 2006

Live long and headbang

Jabor posted:

Google operates a search engine that crawls an enormous number of publicly-available documents. Corpus distillation is essentially a way of taking all those documents and narrowing them down to a useful subset to use as a starting point for fuzzing a particular implementation. No idea what Tavis was looking to fuzz this time, but there's a blog post about a previous time that they've used the technique for fuzzing Flash Player.

Finding this particular issue seems (at least to me) like fortunate happenstance - Tavis just happened to notice that something was a bit wonky with the documents he was seeing, and decided to dig a bit deeper.

Right, thanks for the details.

For your last sentence, that's usually what happens with fuzzing - you notice some weird behaviour, dig deeper and fix it. This is why fuzzing tools are only as good as the people driving them.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Furism posted:

Right, thanks for the details.

For your last sentence, that's usually what happens with fuzzing - you notice some weird behaviour, dig deeper and fix it. This is why fuzzing tools are only as good as the people driving them.

Right, but it's not like he was fuzzing cloudflare or anything - he just happened to notice some weird behaviour when collecting stuff to fuzz something else with.

Absurd Alhazred
Mar 27, 2010

by Athanatos

eames posted:

This is madness.
4,287,625 possibly affected domains in total as of right now.

here's a list of noteworthy sites, including iOS apps:

https://github.com/pirate/sites-using-cloudflare

We made it! :unsmith:

Not as a notable site, but at least to the top 10,000 on Alexa.

Furism
Feb 21, 2006

Live long and headbang

Jabor posted:

Right, but it's not like he was fuzzing cloudflare or anything - he just happened to notice some weird behaviour when collecting stuff to fuzz something else with.

Ah yes, that's indeed a key difference with typical fuzzing. What a clusterfuck.

Internet Explorer
Jun 1, 2005





As IT Security folk reach for their bottle of desk whiskey....


susan b buffering
Nov 14, 2016

Internet Explorer posted:

As IT Security folk reach for their bottle of desk whiskey....

I mean, it is Friday morning.
