John Simpson @thracky@infosec.exchange
N-day Vulnerability Researcher and team lead. Humanist. Corgi owner. CRPG addict. Drum & Bass aficionado. Late diagnosis ADHDer. My opinions are mine and not those of my employer.
Joined Aug 2019
Hey everyone! I’ve just published the introductory post for my upcoming series of blog posts on vulnerability research.
It outlines what my posts aim to accomplish and kicks things off with a light intro to the world of vulnerability research (through my eyes)
https://suchsecurity.com/introduction-to-vulnerability-research-the-prologue.html
Check out this excellent writeup on an Apache OFBiz deserialization vuln from my coworker Dusan (I just reviewed the writeup):
This is essentially what one of the core parts of our N-day research reports looks like.
The one thing I haven't checked yet is if the bad records get replicated to other DCs. If so, that's kinda scary since it would imply sending the exploit once to pwn all the DCs. Or make them all inoperable.
So here's a fun little tidbit about the Microsoft Active Directory vulns CVE-2020-0761 and CVE-2020-0718 from last week:
If someone tries to exploit it and the attempt fails in the form of a crash, that domain controller will be permanently hosed until you remove some stuff via ADSI Edit. So sort of a perma-DoS for an "unskilled" attacker.
I sorta spoke too soon on this. Wound up with the issue where Windows thinks your internet connectivity is constantly going on and off. Only solution is to completely remove Wifi adapter (and drivers) and reinstall the drivers. ¯\_(ツ)_/¯
I have now switched back to beta builds of Insider Preview, instead of dev. They're such a damn nightmare.
And there we go. Now have a working PoC for what is likely CVE-2020-0856 (the ADIDNS Info disclosure).
And by that I mean I've triggered an out of bounds read that would have been stopped by the patch. In our research we don't work towards full exploits for binary vulns, just a trigger for the precise singular vuln.
Oh my god I still have network connectivity. It’s a miracle!
Will this latest Windows Insider preview dev build completely break my networking for the 3rd build in a row? LET’S FIND OUT JUST AS I’M GOING TO START MY WORK DAY! 🤪
Grrrrrrr I am so close to triggering one of these vulns but for my own health I need to call it a day.
I'm currently working on unraveling the Active Directory Integrated DNS vulns reported by Dirk-jan Mollema, CVE-2020-0761 and CVE-2020-0718 (and the likely related CVE-2020-0856 found internally at MS) and oof are there a lot of layers involved here.
Dirk-jan mentioned he plans on doing a blog post on it at some point, but it's always fun to have it figured out before the details are public 😀
Daniel Fernandez Kuehr of Blue Frost Security has given us some solid writeups on his 3 Hyper-V vulns patched on Tuesday:
Steven Seeley's post and PoCs on the Exchange vulnerability, CVE-2020-16875, patched on Tuesday.
Much less serious than the initial MS advisory but still a solid vuln.
Went to go update a really stale pull request for the BinExport Ghidra plugin and after mucking with git for 30 mins and getting my repo in order for the update, realized the problem was solved a while back with another commit.
How the hell did I ever survive without pyenv, rubyenv, and sdkman (which I JUST discovered after working extensively on Java-based vulnerabilities for the last 4.5 years!?)
I’m a huge CRPG nut (including more “action” oriented RPGs like Witcher) but as someone with ADHD I really struggle with inventory/equipment management.
Like in a party-based game the tedious work of checking if I have picked up better gear, or should buy new stuff is often a bit overwhelming. I’m playing wasteland 3 at the moment and I have such a love/hate relationship with the unlimited inventory space.
After many many months of being patient I think I’m finally getting Ethernet wiring done in the house this weekend!
I’m only recently a first time homeowner and typically like to do as much as possible myself, but there’s just certain things I have no desire to figure out on my own and fishing wires is one of those. This is also partially because a friend of ours is an electrician and can do it on the cheap AND show me how it’s done at the same time 😄
Spending this week learning far too much about the internals of Active Directory’s LDAP server. For reasons. That may have something to do with yesterday’s patches....
Oh look it’s another “I kinda forgot about it but for reasons I’m back on Mastodon for now” post.
It’s a bit late but here’s my in depth (read: LONG) look at CVE-2020-0601 with all the details of how cert chain validation happens in CryptoAPI and where things went wrong. #curveball
N-day Vulnerability Researcher and team lead. Humanist. Corgi owner. CRPG addict. Drum & Bass aficionado. Late diagnosis ADHDer. My opinions are mine and not those of my employer.
Joined Aug 2019
