Zero-Day Vulnerability in Microsoft Windows Leaked on Twitter (twitter.com)
332 points by tzury 5 months ago | 123 comments



Here's the exploit description from the writeup .doc file that is included in the .rar file that's hosted on GitHub:

  The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”.
  The prototype looks like this:

      long _SchRpcSetSecurity(
          [in][string] wchar_t* arg_1, //Task name
          [in][string] wchar_t* arg_2, //Security Descriptor string
          [in]long arg_3);

  Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. 
  This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating.
 
  However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL 
  while not impersonating. 

  Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create 
  a hardlink to another file (all we need is read access). 
  Because of the hardlink, we can let the task scheduler write an arbitrary DACL 
  (see second parameter of SchRpcSetSecurity) to a file of our choosing.

  So any file that we have read access over as a user and that system has the write DACL permission for, 
  we can pivot into full control and overwrite it.
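A defender-side check for the condition the writeup describes (a .job name in the tasks folder that is really a hard link to a file elsewhere), added here as an example; it is not part of the writeup or the PoC. It assumes Python 3, the folder path is the one named above, the demo builds a constructed temp directory instead of touching that folder, and all function names are mine.

```python
"""Sweep a tasks folder for .job entries whose link count is greater than one,
i.e. names that are hard links to data reachable under another path.  Added
example; path and helper names are assumptions."""
import os
import tempfile
from pathlib import Path

# The folder named in the writeup; the sweep takes any directory so the demo
# can run against a constructed copy instead.
DEFAULT_TASKS_DIR = r"C:\Windows\Tasks"


def find_multi_linked(directory, pattern="*.job"):
    """Return [(path, link_count)] for entries matching `pattern` whose
    st_nlink is above one.  A freshly created job file has exactly one link;
    anything higher means the same file record is reachable by another name.
    st_nlink is populated on NTFS (via GetFileInformationByHandle) and POSIX."""
    hits = []
    for path in Path(directory).glob(pattern):
        try:
            st = path.stat()
        except OSError:
            continue          # unreadable or vanished entry: skip, keep sweeping
        if st.st_nlink > 1:
            hits.append((str(path), st.st_nlink))
    return hits


def is_same_file(path, candidate):
    """True if `path` and `candidate` are two names for the same file record,
    which is how a hit from the sweep is tied to a specific sensitive target."""
    try:
        return os.path.samefile(path, candidate)
    except OSError:
        return False


def demo():
    """Build a constructed stand-in for the tasks folder in a temp directory:
    one ordinary .job file and one .job name that is a hard link to a file
    outside the folder.  Returns (hits, path_of_that_outside_file)."""
    root = Path(tempfile.mkdtemp(prefix="tasks-demo-"))
    tasks = root / "Tasks"
    tasks.mkdir()
    (tasks / "Backup.job").write_bytes(b"constructed: ordinary job file")
    outside = root / "protected.dat"
    outside.write_bytes(b"constructed: file the sweep should tie the hit to")
    os.link(outside, tasks / "Update.job")   # second name for protected.dat
    return find_multi_linked(tasks), str(outside)


if __name__ == "__main__":
    hits, outside = demo()
    for path, n in hits:
        print(f"{path}: {n} links, same file as {outside}: {is_same_file(path, outside)}")
```

Run against the real folder with `find_multi_linked(DEFAULT_TASKS_DIR)` on a Windows host; any hit is worth tying to a specific file with `is_same_file` before acting on it.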


Please don't quote text with code blocks:

> The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”. The prototype looks like this:

    long _SchRpcSetSecurity(
        [in][string] wchar_t* arg_1, //Task name
        [in][string] wchar_t* arg_2, //Security Descriptor string
        [in]long arg_3);
> Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating.

> However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating.

> Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.

> So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.


On a laptop, the code block is much easier to read than the "correct" way. I can see it being harder on a phone


I too am on a laptop and the code block requires me to scroll for every single line.

EDIT: Maybe I should mention that I'm zoomed in 150% because I find the default font size unreadable. But I guess accessibility doesn't matter.


If you find the default font size too small, I know at least Chrome and Firefox support a minimum font size in their settings.

I personally set my minimum font size to 9. While I can't easily read font that small, I can at least notice it is there and zoom or otherwise compensate if I care what it says while still mostly preserving the aesthetic of the web page (assuming the font is purposefully small for a reason).


Increasing the minimum font size makes the “code” block issue he’s talking about worse, though. Same as zooming.


Thanks!


Please don’t repost other users’ posts because you have a formatting preference.


He didn’t post the other user’s post again, but rather posted the original text from the writeup again.


Please don’t make up rules.


Thank you for the description, I was hesitant to download a .rar just to read something...

> So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.

Doesn't this imply we can use guest access to install any kind of backdoor, since we'll have "read access" to a bunch of programs that start on boot? Seems really bad, maybe I'm misinterpreting (I haven't been on Windows for a while).


Yeah, the doc files in the archive seem to be clean based on the multiscan results. Some AVs are already flagging the hash of the rar as an exploit.

Metadefender: https://metadefender.opswat.com/results#!/file/YTE4MDgyOHJrW...

VT: https://www.virustotal.com/#/file/0c2cbb5eba3ae0765b16748912...

Edit: Fixing grammar


which just shows what a huge scam AVs are nowadays


True that. Not even mentioning the insane amount of telemetry data they are "sending home" on a regular basis. You think social networks are bad? Well, take a look at your AV...


Quote from blog post[1] dated 14th June:

    I really did not get anything for this bug, and I know I'm probably forfeiting an acknowledgement 
    too right now. But I wasted a lot of time on this bug, and nobody but me should be able to decide 
    what to do with it. People who criticize this type of behavior I find frankly annoying. 
    I used to be one of those self-righteous types, but I'm also pretty annoying, so perhaps there is a correlation.

    Besides, this bug is way too silly in its complexity to be of any use to anyone. 
    I would not drop a full 0day exploit, which I can assure you, 
    I have totally sitting on my hard drive (not referring to this bug :).

For the people wondering why she released the exploit instead of claiming a bounty on it: in the blog post[1] dated 14th June, she said she would not drop a full 0day exploit. I guess that changed when she did not get credit for her last bug (cve-2018-8314), according to another blog post of hers[2] from Aug 17th.

[1] https://sandboxescaper.blogspot.com/2018/06/using-filepicker...

[2] https://sandboxescaper.blogspot.com/2018/08/all-good-things-...


Fixed:

> I really did not get anything for this bug, and I know I'm probably forfeiting an acknowledgement too right now. But I wasted a lot of time on this bug, and nobody but me should be able to decide what to do with it. People who criticize this type of behavior I find frankly annoying. I used to be one of those self-righteous types, but I'm also pretty annoying, so perhaps there is a correlation.

> Besides, this bug is way too silly in its complexity to be of any use to anyone. I would not drop a full 0day exploit, which I can assure you, I have totally sitting on my hard drive (not referring to this bug :).


Man, code blocks are insufferable to read on a phone.


"Here is the alpc bug as 0day: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC... … I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit."

So is this person upset because Microsoft wouldn't patch the bug? Or that they didn't want to pay for the information?

Comments seem to reference Apple pays 25k for this type of info.

Can anyone with background give some context here?


Reading through the author's blog (links found further below) it would seem that on more than one occasion the author didn't receive credit, which presumably makes it harder to find new jobs.

The author's blog is also full of anti-social comments, which would sound awfully melodramatic if I didn't have personal experience with depression. Regardless, it is a public expression that she's going to be a fairly toxic person to work with, which is almost certainly working against her in the job hunt.


Earlier tweets from this account seem to indicate they believe MS intentionally sabotaged the process so that they could sell the bugs, including to oppressive governments:

https://twitter.com/SandboxEscaper/status/103411618937352192...

https://twitter.com/SandboxEscaper/status/103411292604562227...

EDIT: as @dixie_land points out, it appears the author is open to selling indiscriminately.


I don't know how you reached that conclusion. The tweets read to me that the author is willing to sell to the highest bidder.


Yeah, fair point. I think the thread that tweet is part of reads better the way you read it. Will edit my comment.


I'm not understanding. Is this lady mad because she wants to get out of bug hunting, so she found a major MSFT bug and tried to sell it, and they patched it and thwarted her attempt at that?


Definitely not that. Microsoft has not patched the issue. That's why it's a big deal that she is posting it on Twitter.


Please see https://news.ycombinator.com/item?id=17860480 before downvoting.

From her website - http://sandboxescaper.blogspot.com:

> I'm also transgender. But my transition so far has been really difficult (social isolation, lack of support.. etc), my voice is still really manly and I don't really pass at all (which probably weirds people out.. so I would rather say it upfront so I don't need to have anxiety about it, I have a lot of anxiety issues). I also have not been able to change my name yet, legally it's still "Thomas".

- - -

w.r.t. the 0-day release: Well that's some seriously irresponsible stuff right there.

I think she has a tough time (she's transgender and doesn't have support from her peers). It's sad that she hasn't found a way to live a happy life although she clearly has serious skills. I hope she'll be fine.

It's just annoying that a lot of users are now at risk, I hope the patches will be installed ASAP.


It's honestly extremely difficult to get by in the first world as a white hat security researcher. Bug bounty payouts look big, but unless you're hitting a 10K bug a month you're better off with a Rails gig. And that will be very hit-or-miss, because who the hell knows if $COMPANY will play ball this time or not? Or if you're the first person to find the bug you spent weeks searching for?

Exploit development security research is something that there's a surprisingly small market for... unless you're selling vulns. And buyers are usually either government intelligence services or organized crime (skipping right past "what's the difference hyuk hyuk hyuk").


Isn't the way to make money to find contracts from companies that want you to look into their security?

Doing the work first and selling it later is always inherently risky, be it writing a novel or bug hunting.


You're right! Penetration testing is one way to make money!

It sometimes can be perhaps slightly less lucrative than you might expect, with your average pen tester paid significantly less than your average SWE. And often somewhat different than the kind of specialty skills someone focused on (say) Windows Internals might have. Compare with selling exploits, where a month's worth of highly enjoyable work might turn into mid-five-figures. Or higher.

You're absolutely right. Penetration testing and code auditing are ways to make money. It's possible that there may be some relevant differences in both subject and compensation is all.


Finding exploits and performing a security audit are often very different tasks. A person that can do one is not always able to do the other.

Companies, such as companies that sell surveillance software to governments, do hire people to just find exploits, but judging by leaked emails that can be a stressful job as you are expected to regularly deliver new exploits.


Full disclosure is not "irresponsible", and plenty of researchers do it even in the absence of armchair psychoanalysis by the Internet.


Most of them follow specific timelines for those disclosures which are communicated with the affected vendor.


And also don't follow up a disclosure with an offer to sell exploits to the highest bidder.

Is selling an exploit to a foreign government even 100% legal? (Serious question; that seems like the sort of thing that could get one in trouble.)


If you sold to a country with standing sanctions, that could be an issue. 0-days can also be considered munitions in some interpretations of law, though I am not a lawyer nor a weapons dealer.


I see, downvotes incoming. Maybe I should explain:

> I think she has a tough time (she's transgender and doesn't have support from her peers)

This is from her website, I don't like armchair-psychoanalysis, either:

> I'm also transgender. But my transition so far has been really difficult (social isolation, lack of support.. etc), my voice is still really manly and I don't really pass at all (which probably weirds people out.. so I would rather say it upfront so I don't need to have anxiety about it, I have a lot of anxiety issues). I also have not been able to change my name yet, legally it's still "Thomas".

from http://sandboxescaper.blogspot.com

Seems I was the only one who clicked on her website. The first question I've had in my mind: "What does this person feel? It's weird to publish 0-days on Twitter with a little bit of rant"

For the downvoters: Would love to know why you downvoted me. Maybe I can clarify some aspects.


I think you got downvoted for saying that full-disclosure is irresponsible.

Many people I've talked to are in favor of full-disclosure and think that coordinated disclosure is dangerous in the long term, as large companies with the resources to actually develop secure software are not sufficiently incentivized to do so under coordinated disclosure.

Edit: I've also noticed on HN that sometimes I will get downvoted really hard for no clear reason and then two weeks later HN will magically transform my downvotes into upvotes. Not really sure why that happens, maybe a wave of bot banning?


> Edit: I've also noticed on HN that sometimes I will get downvoted really hard for no clear reason and then two weeks later HN will magically transform my downvotes into upvotes. Not really sure why that happens, maybe a wave of bot banning?

Yup, I've seen this more recently, but now the cycle is faster. My comments regularly get downvotes, but then later in the evening they turn into upvotes.

Also back in Dec 2017, there was a huge wave of people shilling on reddit for ICOs and subreddits would regularly post what "HN users think" and "how to correct them".


You're being downvoted because it looks like you're bringing in irrelevant information about her being transgender. Edit your comment, putting the actual explanation first. The fact that she's transgender is only secondary, if that.


It absolutely is relevant. Imagine being born into a body of your opposite sex and having to deal with a society that isn't advanced enough to realize the binary genders arose out of the industrial revolution for productivity efficiency to benefit the few. It still is this way; we don't have factories with prison-like buildings to work in, but we are all still feudal subjects.

I'd like to also point out that there is a very real cabal of HN nicks that is actively doing drive by downvotes on specific topics centring around LGBTQ+, immigration and ICOs.

I started seeing this back in 2014, and it correlated with the rise of r/the_donald. There are even Amino groups that specifically coordinate such attacks. For instance, the Damore threads were really interesting. Within the first few hours of posting there were a lot of comments that seemed off for the HN userbase, defending Trump and Damore's manifesto. Counter-comments were flagged and downvoted.

We know reddit is under the influence of shills and HN is not exempt.


Both tweets were deleted - but Google still had them cached! \o/

1st link -> http://archive.is/8xh4z

2nd link -> http://archive.is/KGyCf


Are you saying that MSFT wanted to be sure to maintain MSFT's prerogative to sell the exploit to oppressive governments?

If this is the case, which I can see how it could be, then this is the bigger story for those outside of Tech circles to understand.


> I don't want to work in IT security anymore. All the industry bullshit ruined it for me. I can't even motivate myself anymore to bug hunt. But I have no other skills to make money with, I'm so screwed.

and

> Will sell to people in the eastern hemisphere too. I just want money so I can travel.


It seems that anyone who knows enough to find this level of 0day vulnerability has skills that people would pay for.


Yes but not many companies will put up with someone who does this shit.


I can sympathize with her strife, but she is on the path to seriously burn bridges. I can't imagine many security focused companies would touch her with a 10 foot pole now that she publicly admitted that she is willing to sell a 0day for profit. Sure she is going through a rough time, but even when angry, you have to not say things you regret, especially online.

EDIT: Did not realize selling bugs outside of bug bounty programs and related bug programs was a normal thing. Now I know.


>I can't imagine many security focused companies would touch her with a 10 foot pole now that she publicly admitted that she is willing to sell a 0day for profit.

Selling 0days for profit isn't the issue. The more pressing issue, considering she seems to be desperately looking for an employer, is that she has aired her life openly, honestly, and unfiltered through the same channels as her professional work. Sorry, but any serious employer isn't going to hire somebody who is openly unstable, especially not the "suicidal/disappearing for months at a time" unstable.

I'd recommend reading the rest of her twitter posts, plus the content she has published on her website, to get a better idea of her character. While she has a moderate amount of technical ability in her specific niche, it's nowhere near the level that would justify hiring past all of the red flags.

It's unfortunate, but she really needs to re-invent her online presence by decoupling her severe emotional issues from her showcased professional work.


In the security industry, selling a 0day for profit is not taboo at all. Some of the most well known researchers openly do this, and they are very employable.

Some companies have policies that don’t allow you to sell them while employed there (it’s awkward when your employee sells a bug in software sold by a client/partner/competitor/supplier), but they wouldn’t generally blacklist anyone who had sold bugs in the past.


Is that legal under US law?


I think it's a grey area, and the seller has to do research into the buyer. It's kind of like if you're an authorized firearms dealer. There's no issue selling to the general population, but if you knowingly sell to someone who intends to use it for a crime, then you can get arrested. That's what the researcher who stopped the WannaCry worm was arrested for; the FBI had logs showing that he'd helped build a tool to spy on Android devices, and that he knew the buyer was going to use it to commit crimes.

Not all 0 day vendors are shady either. At an old employer, we were authorized to purchase 0 days with company money to use during penetration tests because they wanted us to emulate state-sponsored attacks. The vendor had a website for their company and customer support as well. Immunity Canvas also has an optional subscription for 0 days you can purchase to use with their framework.


Sure, under what theory of law wouldn't it be? I mean, assuming of course that there is no insider dealing here, that they didn't have any hand in creating the security vulnerability themselves (or inducing its creation), but that they only discovered something out there in the world, then they have the right to talk about that as they see fit. Or not, or sell it. There may be social consequences, and if they're employed by someone else there could be terms in their contract covering that or a range of other legal behavior, but publishing/selling true information one discovers is protected under general law (and common sense frankly). It could be different if the entity they were selling to was itself a criminal enterprise and they knew or should have known that ("a reasonable person would have"), but even that is not an issue for government agencies, or selling it to the responsible developer, or to generalist security middlemen companies that do things like buy these up and then sell special early notice to their clients or such. There are legal entities that are willing to pay for some exploits, and it's legal to sell to them.

Many security researchers have voluntarily decided on a moral level that they care about general security welfare most of all and that following specific standards and timelines of disclosure will maximize that, but even with the same goal reasonable people can disagree there too, right up until full disclosure immediately. Some are just paid for that, because like open source an organization might decide that better security overall will ultimately be good for their bottom line (like Google). And some people just want fame or to put food on the table via their unique marketable skills, which is their call too.


It's questionable, and doing it wrong can get you sued or worse. Here's [1] EFF advice on it, but as usual getting a lawyer knowledgeable in the area is your best bet.

Most people that publish play with fire but have learned some boundaries making it somewhat safe.

[1] https://www.eff.org/issues/coders/vulnerability-reporting-fa...


>but she is on the path to seriously burn bridges

As a transgender person, this is all that happens in our lives to be honest. It's very tough to have anything but a 'rough time' when the general public views you weirdly, and your family/friends have completely abandoned you.


But these bridges aren't being burned as a result of this person being trans, the bridges are being burned as a result of this person dropping 0 days and associating the professional vuln research with personal anti-social posts.


I don't think you are contradicting prolikewh0a's point. To rephrase their point in terms of your language, it's difficult to not be (openly) anti-social if you feel like society is anti-you.

Not impossible and not necessarily excusable. Just... difficult.


>it's difficult to not be (openly) anti-social if you feel like society is anti-you.

This is really accurate. I've really had to work on making good decisions and working on some slight anger issues during my transition after pretty much all of my family abandoned me, a lot of my friends started making fun of me publicly or just abandoned me totally. It's a significant reason why I moved across the country to Seattle -- a more open and accepting area of the USA -- to make new friends and get a job that was very open to LGBT persons. It's still tough, but the life change, surrounding myself with people who support me, really helped.


Society is very anti-me. I just wear a suit to work and pretend to be someone else. Not terribly hard.


Unfortunately, depression and anxiety don't really limit themselves to a specific domain, and the anxiety of gender dysphoria is pretty all-consuming since you can't really stop being reminded of it.


Is this person trans? I didn't know until you said something..


http://sandboxescaper.blogspot.com/

>Travel blog of an evil transgirl

First post talks about her transition slightly.


[flagged]


We've banned this account.


> I really aspire to become a mentally unstable transgirl that nobody wants to hire or do business with.

From her blog last week

http://sandboxescaper.blogspot.com/2018/08/my-greatest-ambit...


Applying armchair psychology and a tiny bit of my own experience with trying to express frustration, I think this is using melodramatic/caricaturized negative articulation to express opposites to the point being made.

As in, this person wants the opposite of everything being stated, and they're frustrated to the point of saying "of course I want everything to be going as badly as it is". I honestly don't read this any other way.


I see the same thing, and empathize totally...but still, what HR person would see this and think "yeah, let's reach out to this person for a job"


Sadly, probably none.

On that note, I think my comment was at 2 before; it's at 0 as of this reply. Heh.


> admitted that she is willing to sell a 0day for profit

Researchers sell bugs all the time. Whether to a bounty program, a broker, a carder forum, etc, it happens all the time.

Nobody is going to look down on her for admitting to doing what some people do for a living.

Would you prefer she works for MSFT for free or "responsibly" works with Zerodium so that the Feds can get their hooves on the bug first?


I didn't mean in terms of a bug bounty. I meant in terms of trying to sell it to something like a foreign gov't or deep web entity. The other guy above said the same thing as you, I did not know at all that researchers sold bugs separately from bug bounty programs.


Frankly, the only reason this doesn't happen more often is that it's hard. Unless you know the right people, finding a buyer for a bug like this is nearly impossible these days. The more legitimate routes are easier, faster, and require less work -- for instance, no need to have a solid exploit, just a good write-up.


You go to ZERODIUM or another broker. They find a buyer. Sure, you get less, but you don't have to deal with sourcing buyers yourself.


There are ethical issues surrounding brokers like Zerodium, Grugq, et al. Specifically, that 95% of the time you know that bug is going to NSA, CIA, FBI, DoD, GCHQ, BND, Mossad, etc.


You're absolutely right. Many good, wonderful, amazing people consider that an ethical concern sufficient to stop them in their tracks!

It's perhaps possible that some people, in some scenarios, might be willing to compromise on the ethics of their situation in exchange for a significantly higher chance of a much, much higher payout.

EDIT:

To expand slightly, anyone in a position to pay out for bug bounties should consider carefully what they are willing to do to shift incentives towards ethical behavior. The ability to attack your systems is worth money to those who would do so. It should be worth more to you than to them. How much are you, hypothetical person making such choices, willing to spend?

It's perhaps unfair to expect highly skilled people to take a 90%+ discount on the value of their work in order to be more ethical. Ethics are incredibly important! But it can be difficult to argue that successfully in the face of a breathtaking ask.


Then the bug bounty programs can step up and pay what bugs are actually worth. The right bug in Windows could decimate their entire OS market, but most companies that I've seen tend to pay some flat rate for bugs.


Thus my point: until bug bounties are calculated to approach or exceed the black or grey-market value of exploits, they can't strongly push people towards ethical behavior.

Right now bug bounties seem mainly to serve as a way for skiddies in the third world with burp to make for-them-bank on trivial XSS vulns and for serious professionals to make a little extra money. And, y'know, to serve the PR purpose of being able to say you have a bug bounty program.


What stops someone from "leaking" the bug after getting paid, or getting paid multiple times for the same 0-day? You know, to even the playing field instead of just the TLAs having all of the fun?


The inability to sell their next bug.


You get significantly more money - some exploits are worth $100-250k. You just need to ask in underground hacker forums and not on Twitter. But doing business with those guys is hard af because no one can trust each other.


A popular trade-off is to work for a government contractor. You can get that kind of money as a salary, and the trust issues are all taken care of. Having a real salary is helpful if you want to get a loan to buy a house. It evens out your finances.

Example job that I posted: https://news.ycombinator.com/item?id=17442484

Somebody like SandboxEscaper would qualify technically, but I have a feeling that running off randomly to foreign countries and hinting at a possible suicide would be disqualifying. The government frowns on that sort of stuff when sorting out trust issues.


> Did not realize selling bugs outside of bug bounty programs and related bug programs was a normal thing. Now I know.

I'm curious why you made such a post without knowing the industry?


Possibly because they didn't think there was a market for legitimate use of such information, and selling something for clear use in a criminal act is a different story, and may even be criminal in itself depending on circumstances. Even if the industry accepts that (not implying that it does), openly airing it might be a different matter.

Some level of assumption is often required to efficiently converse, so we just have to accept that occasionally the assumptions are a little more off base than we would like.


.. how could you not? The valley and the great tech industry are rife with libertarianism. 0-days are a market like any other: either companies pay researchers the market rate so they can fix their bugs before they get sued by their customers, or they don't, in which case any number of less reputable sources will pay for them.


Absolutely. I always thought that if you can find multiple 0days, you are good enough to land into any senior developer position in a few weeks. Is that not the case? And why? To me, being able to find 0days was always synonymous with "broad knowledge" + "out of the box thinking".


I always found that while I could probably spend 6-8 months studying to try to land a job at one of the big tech companies to do RE/security research/malware analysis or whatever you want related to that, I usually got more interested in reverse engineering something new and quickly got bored reviewing the details of binary search trees.

Limits jobs at the big 4/5 as nearly every job that involves security research/RE will inevitably still have the standard leetcode algorithms whiteboard interview, but there's plenty of other stuff out there if you're willing to put together a decent portfolio. The few exceptions to that are being so famous you can make it to recognized teams, but that isn't a realistic goal for most engineers.

If there's a company you really, really want to work for, you can responsibly disclose something to them and at least get an in-person. Skip the phone algorithms test and go right to the whiteboard! Heck yeah.


Being good at reverse engineering, analysis, and programming are almost completely orthogonal to being able to implement 5 variations of search algorithms from memory on a whiteboard in syntactically correct code.


Being transgender makes getting hired much harder, or often impossible.

Some people that held a senior position in major companies before transition ended up as cashiers or in similar jobs afterwards.


That's an unfortunate state of affairs.


If I recall correctly, she has an "interesting" relationship with MS. Finds a lot of stuff, gets really frustrated with their process.


I'm not surprised. For me, the process of reporting to MS has gone:

1) Jump through a surprising number of hoops to set up a Windows 10 Insider channel machine, reproduction on which is required for their security program.

2) Email a write-up and PoCs to their security address.

3) Get back two emails naming a point of contact and dumping a pile of legal agreements they expect me to follow just for reaching out to them.

4) Receive no further contact or indications of progress.


Sounds like she had a frustrating experience while trying to responsibly report it to Microsoft.


For what it’s worth, even Microsoft famously disavowed the use of the term “responsible” in this context.


It satisfies a profile that hostile intelligence services take advantage of.


I'm always curious about the individuals discovering these zero day vulnerabilities.

What framework do they use to find it? Is it just educated trial and error until you hit something?


Fuzzers[1] as well as reverse engineering tools. For fuzzers there are both publicly available ones like AFL [2] and custom/closed source ones. It seems to me every zero day author has their own fuzzers or fuzzing frameworks, or at least a closed fork of an open source fuzzer. But to me finding the bug is less difficult than turning it into an exploit. Shoot, you can still find bugs in modern software by bit flipping; as an example, I wrote a fuzzer that opened up random PDF files, flipped some bits at random and then opened them with Preview. It did this about 40,000 times a day, and after a couple of days I would come back and my Mac had kernel panicked. Now turning one of these PDF files that cause kernel panics into an exploit is going to require significantly more effort than writing and running a dumb fuzzer.

[1]: https://en.wikipedia.org/wiki/Fuzzing

[2]: https://en.wikipedia.org/wiki/American_fuzzy_lop_(fuzzer)


wow....that is pretty interesting. how do you write your own fuzzer, seems like that's where the edge comes from? How much more of an effort is it to write an exploit? Is it necessary to build a Proof of Concept or is simply disclosing the vulnerability enough?

If I buy ADA what software/API can I start tinkering with?

What you described seems like so much fun but scared of the writing exploit part. Now that seems really hard especially considering it needs to be fully undetectable for a long time until the buyer gets their return on investment.

Is there a course or resource I can use to begin this path?

I love love poking around with things to see how they work....basically the chase or the process is what I enjoy most and curious to know more.

How did you get into all of this?


> wow....that is pretty interesting. how do you write your own fuzzer, seems like that's where the edge comes from? How much more of an effort is it to write an exploit? Is it necessary to build a Proof of Concept or is simply disclosing the vulnerability enough?

Dumb fuzzers can be written in anywhere from a day to a few weeks of work, smart fuzzers can take several years to write, also lots of fuzzers continually evolve over time because they have to. It's the Red Queen effect[1]: fuzzers keep finding bugs so they have to keep getting better to keep finding harder and harder to find bugs in a target codebase. So I would say an exploit is usually the harder task but some of the things smart fuzzers like SAGE[2] do would be incredibly hard to implement.

> If I buy ADA what software/API can I start tinkering with?

I'm not sure what ADA is. However for testable software I would go for programs that come installed on your operating system of choice. So in my case I was using MacOS at the time so I was targeting MacOS default applications.

> What you described seems like so much fun but scared of the writing exploit part. Now that seems really hard especially considering it needs to be fully undetectable for a long time until the buyer gets their return on investment.

Fuzzer development and exploit development are pretty different tasks. Fuzzer development is basically normal software development, while exploit development at least with security mitigations turned on is an entirely different beast. For example in exploit development you're going to need to know x86-64 assembly, as well as general memory layout, how a particular operating system implements ASLR[3] so you can bypass that. As well as bypassing DEP/NX[4] which is often done using ROP[5] and now recently newer techniques[6]. The fuzzer I was describing above was a dumb file mutation fuzzer which can be extremely simple. So first it was a file fuzzer, meaning it fuzzed programs that take files as inputs, stuff like video and music players or in my case pdf files. The mutation part means the fuzzer took existing valid files and added random mutations as opposed to generative fuzzers that build semi valid files from scratch. The dumb part means it didn't do cool stuff like AFL that use a genetic algorithm and probe system to better test code paths in a target program.

> Is there a course or resource I can use to begin this path?

Search fuzzers online until you've seen every/most pages, no joke, that's basically what I did. There's a few books but most of the info they have can be found online for free. Also make sure to try building a fuzzer or two, go simple at first. As well as using existing opensource fuzzers like AFL, Trinity and syzkaller.

> How did you get into all of this?

I forget how I got into fuzzing but I did try and start a fuzzing company a few years ago, but it turns out it's way easier making money doing web development than selling fuzzing software or doing bug bounties for a living.

[1]: https://en.wikipedia.org/wiki/Red_Queen_hypothesis

[2]: https://patricegodefroid.github.io/public_psfiles/SAGE-in-1s...

[3]: https://en.wikipedia.org/wiki/Address_space_layout_randomiza...

[4]: https://support.microsoft.com/en-us/help/875352/a-detailed-d...

[5]: https://en.wikipedia.org/wiki/Return-oriented_programming

[6]: https://www.endgame.com/blog/technical-blog/rop-dying-and-yo...


A good place to start is learning how to poke at some API, and fuzzers are a good way to do that. Pick some API that you think is complex (often places with previous bugs still have bugs), find a way to bang on it with all sorts of malformed data until something happens (crash, fault, or such). When you find that, you now have a set of inputs that the API is not sanitized against. Then you can try to disassemble, using tools like IdaPRO (best, but expensive), free reversing tools, kernel debuggers, etc. to get a handle on what is going wrong. At some point you might find the precise error at the assembly level. Then you may try to craft your inputs to bypass checks and affect the underlying system in a way you control. Here there are an astounding number of tricks and ways to bypass various security features, and you will have to read extensively to get a large bag of tricks for this step.

Now you have a decent exploit.

Each of these steps takes learning through just doing it and reading. You'll learn tools for various pieces of the game. But it's doable with decent effort.
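The dumb file-mutation fuzzer the two comments above describe (flip random bits in a valid seed file, hand it to the target, record what crashes), as an added Python example that is not code from any commenter. The TOYF format and its toy_parser are constructed here so the harness has something to break offline; file_target wraps an external parser such as a command-line PDF renderer, and the pdftoppm invocation at the bottom is an assumption about what is installed, not something the thread mentions.

```python
"""Dumb file-mutation fuzzer: mutate a valid seed, run the target, keep the
inputs that crash it. Constructed example; TOYF and toy_parser are made up."""
import hashlib
import os
import random
import subprocess
import tempfile
from typing import Callable, List, NamedTuple, Optional

# A target takes the mutated bytes and returns None (ok or clean rejection)
# or a short string describing the crash, signal or timeout it produced.
Target = Callable[[bytes], Optional[str]]


class Crash(NamedTuple):
    iteration: int
    error: str
    sha256: str
    data: bytes  # the exact input that triggered it, kept for replay


def mutate(data: bytes, n_flips: int, rng: random.Random) -> bytes:
    """Flip n_flips random bits; length is preserved so the file structure mostly survives."""
    buf = bytearray(data)
    if not buf:
        return data
    for _ in range(n_flips):
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)


def in_process_target(fn: Callable[[bytes], object]) -> Target:
    """Wrap a Python parser: any exception counts as a crash ("Type: message")."""
    def run(data: bytes) -> Optional[str]:
        try:
            fn(data)
            return None
        except Exception as exc:
            return f"{type(exc).__name__}: {exc}"
    return run


def file_target(cmd: List[str], suffix: str, timeout: float = 5.0) -> Target:
    """Wrap an external program assumed to take the file path as its last argument.
    A negative return code means the process died from a signal, the interesting case."""
    def run(data: bytes) -> Optional[str]:
        fd, path = tempfile.mkstemp(suffix=suffix)
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            try:
                proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                                      stderr=subprocess.DEVNULL, timeout=timeout)
            except subprocess.TimeoutExpired:
                return "timeout"
            if proc.returncode < 0:
                return f"signal {-proc.returncode}"
            return None
        finally:
            os.unlink(path)
    return run


def fuzz(seed: bytes, target: Target, iterations: int, n_flips: int = 1,
         rng_seed: int = 0) -> List[Crash]:
    """Mutate-and-execute loop; a fixed rng_seed makes the whole campaign reproducible."""
    rng = random.Random(rng_seed)
    crashes: List[Crash] = []
    seen = set()
    for i in range(iterations):
        sample = mutate(seed, n_flips, rng)
        err = target(sample)
        if err is None:
            continue
        digest = hashlib.sha256(sample).hexdigest()
        if digest not in seen:          # deduplicate identical crashing inputs
            seen.add(digest)
            crashes.append(Crash(i, err, digest, sample))
    return crashes


def replay(crash: Crash, target: Target) -> Optional[str]:
    """Re-run a saved crashing input: a real bug reproduces, a flaky one does not."""
    return target(crash.data)


# Constructed toy format: b"TOYF" + 2-byte big-endian payload length + payload.
# The parser trusts the length field, so a mutated length walks off the payload.
def toy_parser(data: bytes) -> int:
    if data[:4] != b"TOYF":
        return -1                       # clean rejection, not a crash
    length = int.from_bytes(data[4:6], "big")
    payload = data[6:]
    checksum = 0
    for i in range(length):
        checksum ^= payload[i]          # IndexError once length > len(payload)
    return checksum


SEED = b"TOYF" + (8).to_bytes(2, "big") + b"ABCDEFGH"   # constructed valid seed

if __name__ == "__main__":
    for c in fuzz(SEED, in_process_target(toy_parser), iterations=500)[:5]:
        print(f"iter {c.iteration}: {c.error} (sha256 {c.sha256[:12]})")
    # Against a real parser (assumption: poppler's pdftoppm is installed):
    # fuzz(open("seed.pdf", "rb").read(), file_target(["pdftoppm"], ".pdf"), 40000)
```

The loop is deliberately as simple as the comments describe: no coverage feedback, no grammar, just bit flips and a crash detector. What makes it usable in practice is the part that is easy to forget, namely keeping the exact crashing bytes and a replay step, since an unreproducible crash is not something you can triage.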


wow...you piqued my interest now...

what API or software should I start with? Also, @SandboxEscaper mentions logic based exploits vs memory based ones which are disappearing (?), what is she referring to?

Also, any good resources on starting this journey? I'm very serious about this because it potentially could be a dream job for me.


Start by looking up an exploit that has details published, and recreate it. Do that a few times, and you will begin to understand how it works without the frustration of not finding anything. As you get better you'll both get better at finding things and at dealing with the long periods of not feeling like you're making progress. I suspect there are sites that help you walk through this, and I know I've seen ones that walk you through prepared exploits.

You really just have to start putting in legwork consistently.


Ah, the old "trick a system process into overwriting a link destination" ploy. That used to be a popular exploit method on UNIX in the 1980s.


It still is a common vulnerability on *NIX
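A defensive check against the link-overwrite ploy the two comments above describe, as an added Python example that is not code from any commenter and not Microsoft's. A privileged service that changes permissions on a file inside a directory users can write to should refuse to follow a symlink, refuse a hard link to something else, and act on the opened descriptor rather than the path. It assumes a POSIX system where os.O_NOFOLLOW exists and os.chmod accepts a file descriptor; the temp-dir scenario in demo() is constructed.

```python
"""Refuse to operate through a linked name before a privileged process changes
a file's permissions. Constructed POSIX example (O_NOFOLLOW, fd-based chmod)."""
import os
import stat
import tempfile
from typing import Dict


class UnsafePath(Exception):
    """Raised when the path could redirect the write to a file we did not intend."""


def link_reason(st: os.stat_result) -> str:
    """Explain why a stat result is unsafe to write through, or '' if it looks fine."""
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_nlink > 1:
        return f"hard link (nlink={st.st_nlink})"
    return ""


def chmod_untrusted(path: str, mode: int) -> None:
    """Change permissions on a file in a user-controlled directory without
    following a symlink or a hard link to some other file."""
    before = os.lstat(path)                 # look at the name itself, not its target
    reason = link_reason(before)
    if reason:
        raise UnsafePath(f"{path}: {reason}")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)               # O_NOFOLLOW: fail rather than follow a symlink
    try:
        after = os.fstat(fd)                # properties of what we actually opened
        reason = link_reason(after)
        if reason:
            raise UnsafePath(f"{path}: {reason} (after open)")
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise UnsafePath(f"{path}: file was swapped between check and open")
        os.chmod(fd, mode)                  # act on the descriptor, never on the path again
    finally:
        os.close(fd)


def demo() -> Dict[str, object]:
    """Constructed scenario: a plain file, a hard link and a symlink in a temp dir."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")      # the file an attacker wants loosened
        plain = os.path.join(d, "plain.job")        # an ordinary file the service may touch
        with open(victim, "w") as fh:
            fh.write("protected content\n")
        os.chmod(victim, 0o600)
        with open(plain, "w") as fh:
            fh.write("ordinary job file\n")
        hard = os.path.join(d, "hard.job")
        os.link(victim, hard)
        sym = os.path.join(d, "sym.job")
        try:
            os.symlink(victim, sym)
        except (OSError, NotImplementedError):      # platforms without symlink support
            sym = None
        chmod_untrusted(plain, 0o644)
        results["plain"] = stat.S_IMODE(os.stat(plain).st_mode)
        for name, p in (("hardlink", hard), ("symlink", sym)):
            if p is None:
                results[name] = "unsupported"
                continue
            try:
                chmod_untrusted(p, 0o666)
                results[name] = "allowed"
            except UnsafePath as exc:
                results[name] = str(exc)
        results["victim_mode"] = stat.S_IMODE(os.stat(victim).st_mode)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The nlink check is what catches a hard link, since the second name shares the inode and raises the link count; the symlink case is caught both by lstat and by O_NOFOLLOW at open time, and comparing the inode before and after open catches a swap in between. The same reasoning applies to the Windows case in the thread: check the object you actually opened, and never re-resolve the path.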


Yikes, that's a nasty one. Sad MSFT didn't want to pay bounty on this.


Exactly how terrified should I be right now?


Well I've made my Plan B...

https://github.com/linker3000/Z80-Board/blob/master/README.m...

Wordstar and Supercalc (and Zork I, II and III) installed and working fine, so I'm good!


I love this!

I also love the idea of digital prepping (? Not sure if there's a real term for it). Even just jokingly preparing to have a set of tech work after some kind of apocalypse. UPS/solar driven home LAN with a server running copies of wiki, stack overflow, various other resources. Maybe a bunch of music/movies/games. Whatever would assist us if we lost the internet and power grids.

I don't actually think that's likely to happen, but I absolutely do enjoy some mild prepping just for fun and because the effort is so low I might as well be prepared (we have a bugout bag, extensive first aid kit, all the basic tools and survival gear, etc).

It's also just handy to have this stuff around and "own" it rather than always depend on others to be there for us.


I've often wondered about obtaining my own copy of wikipedia (and other knowledge) to put on a portable device. It would be very useful when I jump in my time machine to travel back in time. I'm going to need to know how to build things so that I can become the "winner" of history. Of course, as history would show us if we learned, when you upset the apple cart, the establishment usually eliminates the threat. So, that's the last piece I haven't worked out yet. Oh, and the time traveling bit.


Not terribly terrified. At best it seems to be a Medium IL to SYSTEM. In other words a slightly better UAC bypass than most, but I don't think you can use it to escape from a browser sandbox for example.


People always seem to overlook this distinction... escalating admin privileges is typically one of the easier things for a hacker to do. Getting in is the harder part (ie, remote/browser exploits, etc).


(Hey dmix; hangs soon?)

I'm not really sure if that is true. Adobe exploits are pretty cheap and unless your target is in software you can usually get a click on a link one way or another.

Really, to me, the hard part is getting in without needing to have the user consciously do anything since then you're in and nobody could even have noticed you doing something.


> Really, to me, the hard part is getting in without needing to have the user consciously do anything

That's why I said remote/browser, everything else is noisy and therefore the 'easy' route. Usually this is sufficient for low tech nation states because they attack organizations not individuals, so all you need is a weak human link where noisy isn't a big deal. Then moving horizontally across the organization.

But more importantly OS are terribly insecure and privesc bugs are a dime a dozen. You don't need zero days to achieve that the vast majority of the time.


Yeah, sorry, a no-click / remote exploit is hard. I agree with you there.

But a browser exploit isn't. They're a dime a dozen. Also, I'm surprised that email is still a primary vector that's used to get people to click on links with their work computer. It seems like such a monitored method compared to, say, a LinkedIn contact.


Have they changed their policy on UAC not being considered a security barrier on administrator accounts since W10? Windows was screwed for a long time[1], in practice not much better than running in SYSTEM all the time like in the Windows 95 days.

[1] http://www.istartedsomething.com/20090611/uac-in-windows-7-s...


I'm not even sure they will ever change it. It was designed for Vista using a security model that now corresponds to the "always ask" setting, and hastily changed to propose the two other settings for Windows 7 because users were thinking it asked too often. But the other settings do not even correspond to a sound security model, so there are hundreds or maybe thousands of bypasses in Windows if using those, which include the default setting. That's why MS simply declared that it is not a security boundary, because they had no sound model to make it work against. It's a "best effort" casual mitigation.


Several of these are patched every month. It’s a non-event for the most part. If somebody was targeting you personally, it isn’t going to be a local privilege escalation bug that closes the gap for them.


From what I gather this is privilege escalation for an attacker that already has arbitrary code execution. It is serious but not "shut everything down immediately" serious. Malware or malicious apps you already have could be made more dangerous.


It looks like a local privilege escalation per the comments elsewhere in the post. That's bad, but a low-ish risk to casual use of a personal device unless it's combined with some other way to get your system to execute an attacker's binary.


Just enough to switch to Mac or Linux. :-)


7



Not at all since you aren't using Windows of course?


As a hacker I can assure you that I can just easily annoy you with UAC pop-ups until you click "Ok". So it doesn't really add much and you don't need SYSTEM to do great harm, anyways.


To answer the downvotes:

You can install Chrome extensions without the user noticing (built this in the past) which gives you access to basically everything without even resorting to DLL injections (I don't share this because it's dangerous and can't be fixed by the Chromium team). Reminder: It's possible to hijack 2FA and online banking with this method. I've read the source code of Zeus and SpyEye, I can do the same thing a) without AV detection and b) without DLL injections (which are very easy to spot).

If you know the Win32 APIs, it's extremely easy to build malicious software that doesn't need escalated privileges.

edit: I'm pretty sure I can implement it on Mac and Linux, too. I don't like the sentiment that those systems are more secure, it's just the difference in usage.

edit2: I can recommend Sandboxie. Please use it to get a little bit more security.


I'm genuinely curious how you'd go about doing what you describe.

I'm vaguely aware that Chrome has a mechanism to silent-install extensions, IIRC when they're placed in the filesystem in a certain way, specified in the registry, or configured via GP. I don't remember which, but I think they install silently. Failing all that, you can probably just extract the extension into the Chrome profile folder and on next restart it'll pick it up.

You saying it "gives you access to basically everything" makes me think you're doing one of the techniques above, which does bypass the permissions dialogs.

And sure, "Access all data on all websites you visit" would grant you the ability to see everything in every webpage and do what you're describing.

I honestly wouldn't mind knowing which Win32 APIs you're referring to. Perhaps you could drop a couple of them, so I get a ballpark idea of which direction you're going in with that.

Finally, the reason I'm writing this comment, really, is that I'm _most_ curious how you'd implement "it" on macOS and Linux too. I 100% agree that both are just as vulnerable as Windows in their own ways but have less market share. I would be extremely interested to hear some of the ways you'd particularly go about attacking Linux, which I use everyday.

SandboxIE doesn't run on macOS or Linux.


> Failing all that, you can probably just extract the extension into the Chrome profile folder and on next restart it'll pick it up.

No, this would be a security hazard. All the mentioned ways require admin privileges or even group policy privileges. I'm doing it without any permissions.

Chrome hardened the process to protect their users. They're doing the best they can, but the Win-APIs are too powerful and there is no sandbox (like those for Mac) in place. Officially, all ways (registry keys, files, ...) require admin privileges for a very good reason.

See http://www.chromium.org/administrators/pre-installed-extensi... for an overview of the official methods.

> SandboxIE doesn't run on macOS or Linux.

Mac has its own sandbox and Linux offers SELinux and I was talking about a security vulnerability I have written for Windows specifically, that's why I gave the tip for Sandboxie.

> Perhaps you could drop a couple of them, so I get a ballpark idea of which direction you're going in with that.

> I would be extremely interested to hear some of the ways you'd particularly go about attacking Linux, which I use everyday.

Sorry, I can't talk about this specific attack in detail because this vulnerability can't be fixed. It's conceptually fairly simple and <400 LoC and I'm sure you can find it on your own if you're determined.

For Linux and security: If you're not constantly monitoring your running processes and bash scripts, privilege escalation and others can be easily pulled off (e.g. simply aliasing sudo). As an example, it's extremely simple to extract all stored passwords from Chrome and others [1]. That's the reason I prefer to use separate password managers (most of them protect their address space), although you can easily hack them as well. That's the reason I prefer encrypted virtual drives - it's unconventional and most tools don't cover it so the hacker has to search for them manually. Security is mainly making it more difficult to find the stuff, it's nearly impossible to hide it completely (otherwise the user wouldn't be able to access it, too).

It's a big field, so I don't really know what you're interested in. You can find exploits on https://www.exploit-db.com and look for things that are interesting for you. For most of the pwnage, you don't need any exploits (except the chain of remote exploits to get in). As soon as you're in, you can do anything without any problems - getting root user, keylogging [2] (very easy for X11), injecting shared libraries (especially easy on Linux with LD_LIBRARY_PATH) and other stuff.

I would recommend sandboxing tools, network- and host-based IDS/IPS, a good firewall which also analyzes behavior patterns and a healthy amount of paranoia. Many AV systems are mainly security risks themselves and add a false sense of security, it's extremely easy to bypass them and their sandbox-analyzers.

[1]: https://securityxploded.com/googlechromesecrets.php

[2]: https://github.com/anko/xkbcat
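Detection logic for two of the Linux footholds the comment above mentions, an aliased sudo and loader-path injection, as an added Python example that is not code from the commenter. It scans shell startup text for sudo aliases or functions and LD_PRELOAD / LD_LIBRARY_PATH exports, and walks PATH for a sudo that would be found before the system one. The sample .bashrc text and the PATH layout built in demo() are constructed; the /usr/bin/sudo location is an assumption you can override.

```python
"""Spot a shadowed sudo and loader overrides in a user's shell environment.
Constructed example with constructed sample data."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Applied to each line of a shell startup file. Comment lines start with '#',
# which none of the patterns accept, so commented-out examples do not fire.
PATTERNS: Dict[str, "re.Pattern"] = {
    "sudo alias": re.compile(r"^\s*alias\s+sudo\s*="),
    "sudo function": re.compile(r"^\s*(?:function\s+sudo\b|sudo\s*\(\s*\))"),
    "loader override": re.compile(r"^\s*(?:export\s+)?LD_(?:PRELOAD|LIBRARY_PATH)\s*="),
}


def scan_rc_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, stripped_line) for every suspicious line."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for category, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((no, category, line.strip()))
                break
    return hits


def sudo_shadows(path_env: str, system_sudo: str = "/usr/bin/sudo") -> List[str]:
    """List 'sudo' files in PATH directories that the shell searches before the
    directory holding the real sudo; anything here wins the lookup."""
    system_dir = os.path.dirname(system_sudo)
    shadows = []
    for d in path_env.split(os.pathsep):
        if not d:
            d = "."                     # an empty PATH entry means the current directory
        if os.path.abspath(d) == system_dir:
            break                       # from here on the real sudo is found first
        candidate = os.path.join(d, "sudo")
        if os.path.isfile(candidate):
            shadows.append(candidate)
    return shadows


# Constructed sample of a user's ~/.bashrc with two planted overrides.
SAMPLE_BASHRC = """\
# constructed sample .bashrc
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -alF'
# alias sudo='commented out, must not fire'
alias sudo='$HOME/.local/bin/sudo-wrapper'
sudo() { command sudo "$@"; }
export LD_PRELOAD=$HOME/.cache/libhelper.so
"""


def demo() -> Dict[str, object]:
    """Run both checks on the constructed sample and a constructed PATH."""
    rc_hits = scan_rc_text(SAMPLE_BASHRC)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sudo"), "w") as fh:
            fh.write("#!/bin/sh\n")      # constructed stand-in file; never executed
        shadowed = sudo_shadows(os.pathsep.join([d, "/usr/bin"]))
        clean = sudo_shadows(os.pathsep.join(["/usr/bin", d]))
    return {
        "rc_lines": [h[0] for h in rc_hits],
        "rc_categories": [h[1] for h in rc_hits],
        "shadow_count": len(shadowed),
        "clean_path_count": len(clean),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real host you would feed scan_rc_text the contents of ~/.bashrc, ~/.profile, ~/.zshrc and the system-wide /etc/profile.d files, and sudo_shadows the user's actual PATH. The point is the one the comment makes: none of this needs an exploit, so the detection has to look at configuration, not at a CVE feed.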


> All the mentioned ways require admin privileges or even group policy privileges. I'm doing it without any permissions.

Oh, nice :)

> They're doing the best they can, but the Win-APIs are too powerful and there is no sandbox (like those for Mac) in place.

Hmmmm.

> Mac has its own sandbox and Linux offers SELinux and I was talking about a security vulnerability I have written for Windows specifically, that's why I gave the tip for Sandboxie.

I have to admit I've never really poked SELinux. My understanding of it is that because it was bolted-on, both architecturally and conceptually, that getting the most out of it is a real pain. This has put me off. :/ (heh)

>> I would be extremely interested to hear some of the ways you'd particularly go about attacking Linux, which I use everyday.

> Sorry, I can't talk about this specific attack in detail because this vulnerability can't be fixed. It's conceptually fairly simple and <400 LoC and I'm sure you can find it on your own if you're determined.

Righteo then writes program that generates all possible C programs <400 LoC long

In all seriousness, you definitely have me interested now :) I guess what might be a relevant question is, how universally applicable is it? Would it run on my minimally-configured Slackware box, for example?

And I am _very_ fascinated to hear that this "cannot be fixed". Are you describing a Linux-specific Spectre/Meltdown?

If this is Chrome-specific - or, shall we say, could be deeply contextualized into domains very important to Chrome - well, I'm sure you've seen https://bugs.chromium.org/p/chromium/issues/detail?id=648971 and https://bugs.chromium.org/p/chromium/issues/detail?id=766253, and particularly the one tag with the numbers in it in the sidebar on the left...

To be honest I'm not really sure what I'm interested in, you could sort of describe where I'm at as somewhat similar to your post 8 months ago about finding your passion. (In my case it's a resource thing.) I've started playing with X11 recently though, to the extent of just learning the wire protocol for fun.

I was actually thinking of making a tiny Xlib-less keylogger the other day, haha. (As in, talking to X via write()/read() directly.) Not quite sure why; perhaps the theoretically-interesting scenario of "not linking to libX11 might be less suspicious?" could be one explanation. I don't seem to need to give myself a rationale to stay motivated on my current track (woohoo), so I'm just tinkering for now.

Uh - getting root on Linux isn't exactly straightforward! Although there was that one time I found a very confused Docker installation (running Ubuntu on CentOS... I'd never used Docker before and could not figure out which way was up ("wat, I have yum AND ap--wait no now apt-get disappeared where did it go"), for about an hour lol) and this system may or may not have left /dev/vda1 in the Docker image... and it may have allowed me to mount it read-write from under the host system, with effective UID 0... ._. (IIRC, I think it was visudo that worked great.)

I wonder if there's a password manager that stores data in the kernel and/or uses the kernel's crypto keyring - and whether such effort would be worth it? (At least this would thwart local attacks, and only remote attacks via the Wi-Fi stack would work. xD)

I've fished forgotten passwords out of Login Data more times than I have fingers, I think. sqlite3 .dump + printf "$(sed 's/../\\x&/g')" FTW.

Linux's non-umbrella model, where there's no cohesive oversight, will be its undoing, I think.

I've wanted to do packet inspection for a little while now, incidentally, and the introduction of TLS 1.3 has been most annoying. https://news.ycombinator.com/item?id=17540111

On the subject of AV my favorite thing is https://github.com/taviso/loadlibrary :P (if just for the very non-official "you totally know Google is using this every day.")

One thing I was vaguely considering (last night, actually) was an idea I've had for a while - taking forensic memory-dump analysis tools to the next level and making them work in realtime with QEMU. End result being, you run a tool as root with the PID to a running QEMU instance, it attaches (possibly via process_vm_{read,write}v) and lets you watch VT streams, see keys+passwords being typed in SSH, perhaps take screenshots, see the process tree, etc.

Thanks for the tips!


A friend of mine is running SmashTheStack. He has built an IT sec company in the past (and sold it), maybe you can learn something from the war games. People from Project Zero and very clever people from Stanford are active in the community - those are top-notch hackers.

It's very low-level stuff, but if you like, try to hack those servers. Have fun!

http://smashthestack.org/faq.html


Interesting.

Been meaning to get into this kind of thing for ages.

This website seems a bit quieter than some of the other platforms out there, which I always like. I'll have to give it a poke sometime. Thanks.



