|
Subjunctive posted:in the 90s I worked with the team that set up the HoC network bridging, and it apparently hasn't advanced at all since then oh, so you're to blame for that mess? but yeah, they haven't changed a thing in like 20 years as far as i can tell. the individual mp's offices just find some local scrublord to hack it together into something that is functional for them, from what i've seen this usually results in some godawful network abomination that's held together with prayers and chewing gum
|
#
?
Dec 4, 2017 19:05
|
|
|
|
| # ? Jun 3, 2024 16:58 |
|
|
infernal machines posted:oh, so you're to blame for that mess? no, their insufferable internal IT people decided the architecture, I was just responsible for making sure they hadn't hosed up the security aspects of the initial implementation (hint: ask your heart)
|
|
#
?
Dec 4, 2017 19:06
|
|
|
well they got one thing right, in that they managed to insulate themselves from the stupid poo poo the mps do on their office networks
|
|
#
?
Dec 4, 2017 19:08
|
|
|
Security Fuckup Megathread - Glad you're taking full advantage of it!
|
|
#
?
Dec 4, 2017 19:13
|
|
|
Schadenboner posted:Security Fuckup Megathread - Glad you're taking full advantage of it!
|
|
#
?
Dec 4, 2017 19:18
|
|
|
the mso team response is funny, but where exactly is the secfuck? it seems to me like that guy is turning code execution into... code execution
|
|
#
?
Dec 4, 2017 19:19
|
|
|
yeah that's a code execution allows code execution thing. maybe its a child learning of vbas existence for the first time? at this point lots of people probably only know of the web side of office.
|
|
#
?
Dec 4, 2017 19:21
|
|
|
i think the "without creating any additional processes" is kind of the sticking point
|
|
#
?
Dec 4, 2017 19:22
|
|
|
well unless you count powershell as a process. also there is a com process running the code, he just created it without a UI
|
|
#
?
Dec 4, 2017 19:23
|
|
|
Bonfire Lit posted:the mso team response is funny, but where exactly is the secfuck? it seems to me like that guy is turning code execution into... code execution it's a way of pulling payload without tripping process-detection defenses
|
|
#
?
Dec 4, 2017 19:28
|
|
|
isn’t it just another “macro” abuse?!
|
|
#
?
Dec 4, 2017 19:35
|
|
|
Subjunctive posted:it's a way of pulling payload without tripping process-detection defenses even if it does hide a process, what process-detection mechanism is going to be worried about visio running on a computer where visio is installed? also you could just do a regular remote execution over rpc and then you don't have to worry about visio being installed.
|
|
#
?
Dec 4, 2017 19:38
|
|
|
geonetix posted:isn’t it just another “macro” abuse?! do macros let you run an executable without the executable showing up as its own process? this would appear to bypass application whitelisting for example
|
|
#
?
Dec 4, 2017 19:40
|
|
|
Shaggar posted:even if it does hide a process, what process-detection mechanism is going to be worried about visio running on a computer where visio is installed? yes, exactly the point
|
|
#
?
Dec 4, 2017 20:01
|
|
|
so then you agree this is stupid since its the same thing as just doing a regular remote exec without the visio middleman.
|
|
#
?
Dec 4, 2017 20:08
|
|
|
Shaggar posted:so then you agree this is stupid since its the same thing as just doing a regular remote exec without the visio middleman. it's stupid because graphviz is better than visio and also doesn't have insipid ties into the whole windows automation malware rodeo
|
|
#
?
Dec 4, 2017 20:13
|
|
|
Shaggar posted:so then you agree this is stupid since its the same thing as just doing a regular remote exec without the visio middleman. I believe that it means that if you open a visio file it can grab a payload and execute it, hidden with visio's benign-looking process
|
|
#
?
Dec 4, 2017 20:15
|
|
|
Subjunctive posted:I believe that it means that if you open a visio file it can grab a payload and execute it, hidden with visio's benign-looking process I too am scared of interpreters.
|
|
#
?
Dec 4, 2017 20:16
|
|
|
apseudonym posted:I too am scared of interpreters. ah nice it's great to meet somebody who writes security procedures for big companies and the government finally (disa stigs generally want you to not have compilers or interpreters lying around but lmao)
|
|
#
?
Dec 4, 2017 20:19
|
|
|
apseudonym posted:I too am scared of interpreters. I don't like unbounded interpreters that are accessible via office-esque file types, I admit. It's a lot easier to trick someone into opening a Visio file than a powershell one, and harder to filter the former at an edge, and harder to make the latter silent and invisible AFAIK.
|
|
#
?
Dec 4, 2017 20:36
|
|
|
infernal machines posted:oh, so you're to blame for that mess? That's apparently true for everything in the palace of Westminster, if this article is to be believed. It's one electrical fire or sewage pump failure away from disaster.
|
|
#
?
Dec 4, 2017 21:22
|
|
|
Subjunctive posted:I believe that it means that if you open a visio file it can grab a payload and execute it, hidden with visio's benign-looking process i took it to mean visio itself was not visible, but its really not clear from a single tweet. it would be strange indeed if visio hid the calc.exe process somehow.
|
|
#
?
Dec 4, 2017 21:25
|
|
|
Shaggar posted:i took it to mean visio itself was not visible, but its really not clear from a single tweet.
|
|
#
?
Dec 4, 2017 21:26
|
|
|
idk how you would take it to mean calc.exe is invisible when hes talking about the VBA
|
|
#
?
Dec 4, 2017 21:27
|
|
|
calc.exe isn't invisible. launching it is what the sample payload does to visibly demonstrate that it can execute code. actually installing a persistence layer and being malware wouldn't require additional processes, but would also be sort of an rear end in a top hat demo
|
|
#
?
Dec 4, 2017 21:30
|
|
|
Shaggar posted:idk how you would take it to mean calc.exe is invisible when hes talking about the VBA
|
|
#
?
Dec 4, 2017 21:33
|
|
|
Subjunctive posted:calc.exe isn't invisible. launching it is what the sample payload does to visibly demonstrate that it can execute code. actually installing a persistence layer and being malware wouldn't require additional processes, but would also be sort of an rear end in a top hat demo if calc.exe shows up then why wouldn't a replacement piece of malware show up? You still need permission/whitelisting to launch the calc.exe or whatever malware is being run as a child process of visio.
|
|
#
?
Dec 4, 2017 21:37
|
|
|
Shaggar posted:if calc.exe shows up then why wouldn't a replacement piece of malware show up? You still need permission/whitelisting to launch the calc.exe or whatever malware is being run as a child process of visio. the malware is the script that's downloaded as a string and now running on the fully-functional interpreter. it doesn't need another process to execute
|
|
#
?
Dec 4, 2017 21:40
|
|
|
lol this has been a joy to watch unfold
|
|
#
?
Dec 4, 2017 21:43
|
|
|
BangersInMyKnickers posted:lol this has been a joy to watch unfold It feels like this is going to reduce itself to a semantic argument about the nature of threats, and have to build on that understanding to reach a point where "why this specific situation is not necessarily a good thing" is reached. Proteus Jones fucked around with this message at 21:50 on Dec 4, 2017 |
|
#
?
Dec 4, 2017 21:47
|
|
|
Subjunctive posted:the malware is the script that's downloaded as a string and now running on the fully-functional interpreter. it doesn't need another process to execute so then its just like WMI or other dcom stuff? Granted idk why visio would ever need to be remotely activated, but this isn't exactly new.
|
|
#
?
Dec 4, 2017 21:47
|
|
|
reminds me of this old new thing
|
|
#
?
Dec 4, 2017 21:48
|
|
|
Security Bug? I can delete my documents in the "my documents" directory. e: Actually looks like I have full privileges on those documents. e2: Holy poo poo! I can use Visio to create new documents, and those documents can contain arbitrary code that will delete all the files, or create new ones! drat. Where should I report this? Should I tweet @tavis? e3: Final test, it appears I can also launch calc.exe. Boom, pwned!
|
|
#
?
Dec 4, 2017 22:08
|
|
|
anyone here used airwatch for mdm before?
|
|
#
?
Dec 4, 2017 22:15
|
|
|
my bitter bi rival posted:anyone here used airwatch for mdm before? We looked at it, mathed out their $4/mo/device rate, and said fuuuuuck no standardized on iOS only and bought a Mac to run the free apple MDM software
|
|
#
?
Dec 4, 2017 22:25
|
|
|
my bitter bi rival posted:anyone here used airwatch for mdm before? yeah and we're moving as fast as we can to google mdm because it is a waste of money for spotty features. But we're using it for exclusively corp. owned devices so maybe there is a killer byod feature we don't care about.
|
|
#
?
Dec 4, 2017 22:38
|
|
|
i'm evaluating it for a client because they want sandboxed mail they insist on mixed-environment BYOD, so our options are limited
|
|
#
?
Dec 4, 2017 22:40
|
|
|
Intune MAM is p good
|
|
#
?
Dec 4, 2017 22:43
|
|
|
try mdma
|
|
#
?
Dec 4, 2017 23:42
|
|
|
|
| # ? Jun 3, 2024 16:58 |
|
|
Powaqoatse posted:try mdma 
|
|
#
?
Dec 5, 2017 00:15
|
|
