BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

"web" ""developers""


ewiley
Jul 9, 2003

More trash for the trash fire

BangersInMyKnickers posted:

applocker handles executable, installers, dll's, and scripting including .js (powershell, command scripts, vbs as well). You could absolutely use it to this end if the vendor correctly signs their content

Kind of, whitelisting can only handle scripting that is called directly, e.g. calling cscript.exe or mshta.exe with the script as part of the commandline or as part of command processing in a batch script where each line is actually a separate process called with a commandline. It's much harder to take a running process and control script inputs after the initial execution and including scripts dynamically.

This is my problem with electron apps in Windows, the js are all included after execution so it's not exposed directly to the whitelisting interface. Microsoft admits that not all interpreted code is checked (like VB macros in Office documents) with applocker.

Binary includes like DLL's are obvious to hook in windows and are checked by whitelisting in a predictable way, not so with script files since it's up to the application on how it handles them. A DLL include is actually a specific function call, a script include is just an OS file read. You'd have to write some kind of file read rule that prevents script files from even being read by an application during execution unless those files are on a whitelist, there's no execution control. Each application would need its own set of rules and would probably break on updates.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

BangersInMyKnickers posted:

"web" ""developers""

Developer: "Security wasn't in scope"

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ewiley posted:

Kind of, whitelisting can only handle scripting that is called directly, e.g. calling cscript.exe or mshta.exe with the script as part of the commandline or as part of command processing in a batch script where each line is actually a separate process called with a commandline. It's much harder to take a running process and control script inputs after the initial execution and including scripts dynamically.

This is my problem with electron apps in Windows, the js are all included after execution so it's not exposed directly to the whitelisting interface. Microsoft admits that not all interpreted code is checked (like VB macros in Office documents) with applocker.

Binary includes like DLL's are obvious to hook in windows and are checked by whitelisting in a predictable way, not so with script files since it's up to the application on how it handles them. A DLL include is actually a specific function call, a script include is just an OS file read. You'd have to write some kind of file read rule that prevents script files from even being read by an application during execution unless those files are on a whitelist, there's no execution control. Each application would need its own set of rules and would probably break on updates.

You're still under a fairly tight leash even if you're popping the process through its own js interpreter. Ideally the process is marked as low integrity, so the context it is running in only has access to the parts of the filesystem flagged as low. Either you've got something running in-memory and can't go anywhere or do much of anything, or you're trying to escape to a better foothold which means getting around the integrity level stuff AND applocker stopping you from launching a new process. It's not impossible to break, but a fairly good model overall.

ewiley
Jul 9, 2003

More trash for the trash fire

BangersInMyKnickers posted:

You're still under a fairly tight leash even if you're popping the process through its own js interpreter. Ideally the process is marked as low integrity, so the context it is running in only has access to the parts of the filesystem flagged as low. Either you've got something running in-memory and can't go anywhere or do much of anything, or you're trying to escape to a better foothold which means getting around the integrity level stuff AND applocker stopping you from launching a new process. It's not impossible to break, but a fairly good model overall.

I agree that getting outside the app and escalating would still be tough, but in most cases that doesn't matter. Teams is a replacement for your phone system. It's also likely directly tied to Office365 or Exchange, probably has an OAuth token too, so I basically own an entire user's communications suite if I compromise this one application. It is also a homogeneous app that if I can compromise on one client, I can likely compromise across an entire company. I'm likely not going to need to escalate any further to get all the info I'm after.

Teams is also default installed in the user's path, which means it's user-writable. Not much effort required to overwrite scripts. I'm sure Microsoft has hardened the client against this, but I consider it a critical app that should be able to fit in with all my other apps with respect to security. Also it's Microsoft. How can they not write a native app for their own operating system (which is sort of how my original rant started on this topic)

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock
https://www.youtube.com/watch?v=WVDQEoe6ZWY

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Boiled Water posted:

re: Brave browser: Why does a browser also need a bittorent client?

Read this as Bitcoin client, was slightly disappointed on rereading

mystes
May 31, 2006

Volmarias posted:

Read this as Bitcoin client, was slightly disappointed on rereading

As every schoolboy knows, Brave formerly used Bitcoin but now uses its own cryptocurrency.

haveblue
Aug 15, 2005



Toilet Rascal

Boiled Water posted:

Why does a browser also need a bittorent client?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

ewiley posted:

a DLL include is actually a specific function call, a script include is just an OS file read.

is this true? I thought DLLs were just mapped in executably and jumped to, as on Unix, with some userspace sugar in place for LoadLibrary and friends. I thought you could just open code kernel32.dll:LoadLibrary or whatever without using that system library facility. https://github.com/gbmaster/loadLibrary/blob/53fb4abe3141df54eba29b0158cc17229ccacb75/kernel32.cpp#L528 looks to be an implementation of it, for example

you could hook CreateFileMapping with EXECUTE_READWRITE, plus the cases where the mapping is created and then filled by reading the DLL file into memory, but you could hook that for *.js too if you wanted to maintain a list of hashes somewhere for a given set of applications (or you could hook the script loading functions in the runtimes if you weren't worried about something hostile going around that). certainly MSFT could make that hookable for Teams if they wanted, without too much difficulty; they have the whole set of WPT hooks to build on

akadajet
Sep 14, 2003

Boiled Water posted:

re: Brave browser: Why does a browser also need a bittorent client?

what does god need with a starship? some questions you just don't ask.

lol beaten

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER


considering their audience it must be for animes and worse

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

So what the gently caress is the point of SPF neutral records? Why the hell does this exist? Who put it in the RFC? What is their address?

James Baud
May 24, 2015

by LITERALLY AN ADMIN

Boiled Water posted:

re: Brave browser: Why does a browser also need a bittorent client?

Given the current state of bittorrent clients, something built into a browser is likely preferable. Just another download method, not so different from the FTP support that may still exist in most browsers.

mystes
May 31, 2006

James Baud posted:

Given the current state of bittorrent clients, something built into a browser is likely preferable. Just another download method, not so different from the FTP support that may still exist in most browsers.

Chrome is removing FTP precisely because having rarely used protocols built into browsers is a recipe for security vulnerabilities.

cinci zoo sniper
Mar 15, 2013




Boiled Water posted:

re: Brave browser: Why does a browser also need a bittorent client?

it's an extremely grognardy browser so i assume some dev is of the hip 2004 crowd when ie6 reigned and standalone download managers were desirable. as dc/adc got phased out in favour of torrents, every download manager tried to usurp the throne of dc++ by implementing torrent support

cinci zoo sniper
Mar 15, 2013




James Baud posted:

Given the current state of bittorrent clients, something built into a browser is likely preferable. Just another download method, not so different from the FTP support that may still exist in most browsers.

there's like half a dozen of competently put together torrent clients that are at least semi-actively maintained/developed

ewiley
Jul 9, 2003

More trash for the trash fire

Subjunctive posted:

is this true? I thought DLLs were just mapped in executably and jumped to, as on Unix, with some userspace sugar in place for LoadLibrary and friends. I thought you could just open code kernel32.dll:LoadLibrary or whatever without using that system library facility. https://github.com/gbmaster/loadLibrary/blob/53fb4abe3141df54eba29b0158cc17229ccacb75/kernel32.cpp#L528 looks to be an implementation of it, for example

you could hook CreateFileMapping with EXECUTE_READWRITE, plus the cases where the mapping is created and then filled by reading the DLL file into memory, but you could hook that for *.js too if you wanted to maintain a list of hashes somewhere for a given set of applications (or you could hook the script loading functions in the runtimes if you weren't worried about something hostile going around that). certainly MSFT could make that hookable for Teams if they wanted, without too much difficulty; they have the whole set of WPT hooks to build on

I'm not 100% sure of the specifics, but from what I understand a DLL module load event is a super obvious event that is easily readable across just about any native Windows application. While I'm sure Teams could be specifically instrumented to facilitate hooking every time it loads a js file, this would probably not be the same as every other application that uses non-binary files to load code. I'm not denying you can create rules that will look for js files being loaded into chromium applications the same as you can with vb macros being loaded into Office apps, but it will be messy and fragile and very application specific.

I guess what I'm arguing is if you want to make something critical work in Windows, just use Windows-native applications or use UWP applications if you want cross-platform (oh right windows phone is dead)... I do not like the trend of wrapping everything in Chrome and calling it done.

This is a perennial problem, like when everyone thought it would be an awesome idea to use Flash for everything including line-of-business applications. Java is an exception and they have actually really good built-in code signing and security mechanisms like code origin and whitelisting that nobody actually uses.

We're re-implementing poo poo over and over again because people refuse to either develop clients for each platform, or decide on a good cross-platform model for end-user clients like Java because Oracle is hot garbage.

Anyway I will end my rant here, maybe I should make this into a conference talk so I can just let off steam with powerpoint.

Kazinsal
Dec 13, 2011

cinci zoo sniper posted:

there's like half a dozen of competently put together torrent clients that are at least semi-actively maintained/developed

yeah qbittorrent and deluge are still alive and kicking. no idea what exists in the realm of CLI poo poo but chances are nobody bothered to buy the torrent equivalent of lynx for adware distribution

cinci zoo sniper
Mar 15, 2013




Kazinsal posted:

yeah qbittorrent and deluge are still alive and kicking. no idea what exists in the realm of CLI poo poo but chances are nobody bothered to buy the torrent equivalent of lynx for adware distribution

deluge has a cli interface, other major cli option is rtorrent. major gui torrent clients, adding to the two you mentioned, include transmission and tixati

there're a few more esoteric options, but they are woefully unnecessary in 99% cases

BlankSystemDaemon
Mar 13, 2009




cinci zoo sniper posted:

deluge has a cli interface, other major cli option is rtorrent. major gui torrent clients, adding to the two you mentioned, include transmission and tixati

there're a few more esoteric options, but they are woefully unnecessary in 99% cases

there's also ctorrent, which can be managed by ctcs
it's lightweight and can run a HELL of a lot of torrents with almost no overhead on freebsd (and probably your favorite platform, too)

Tankakern
Jul 25, 2007

:filez:

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
aria2 is good for one-off torrents

i actually use aria2c -x 10 http://url to get my linux isos fast

klafbang
Nov 18, 2009
Clapping Larry

ewiley posted:

While I'm sure Teams could be specifically instrumented to facilitate hooking every time it loads a js file, this would probably not be the same as every other application that uses non-binary files to load code. I'm not denying you can create rules that will look for js files being loaded into chromium applications the same as you can with vb macros being loaded into Office apps, but it will be messy and fragile and very application specific.

If Teams has this problem, I would assume that, being Microsoft and all, they could add a system call to LoadAndCheckSignature, and strongly suggest all web developer application frameworks use that for loading scripts.
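Added example, not code from Teams, Electron or Microsoft: the hash-allowlisted script loading that Subjunctive ("maintain a list of hashes somewhere for a given set of applications") and klafbang ("LoadAndCheckSignature") describe, in Python with a constructed app directory. `MANIFEST_KEY`, `build_manifest`, `load_script` and `demo` are hypothetical names; the symmetric HMAC stands in for a vendor signature over the manifest.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key; a real loader would verify a vendor signature instead.
MANIFEST_KEY = b"demo-manifest-key"

def _tag(entries):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()

def build_manifest(app_dir, script_names):
    """Vendor side: hash every shipped script and authenticate the list."""
    entries = {}
    for name in script_names:
        with open(os.path.join(app_dir, name), "rb") as f:
            entries[name] = hashlib.sha256(f.read()).hexdigest()
    return {"entries": entries, "tag": _tag(entries)}

def load_script(app_dir, manifest, name):
    """Loader side: read once, hash exactly the bytes that will run, refuse anything unlisted or changed."""
    if not hmac.compare_digest(_tag(manifest["entries"]), manifest["tag"]):
        raise PermissionError("manifest tampered")
    recorded = manifest["entries"].get(name)
    if recorded is None:
        raise PermissionError(f"{name} not in manifest")
    with open(os.path.join(app_dir, name), "rb") as f:
        data = f.read()
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), recorded):
        raise PermissionError(f"{name} modified on disk")
    return data.decode("utf-8")

def demo():
    """Constructed scenario: user-writable install dir, one script overwritten, one unknown, one edited manifest."""
    app_dir = tempfile.mkdtemp()
    scripts = {"main.js": "console.log('hello');", "util.js": "module.exports = {};"}
    for name, src in scripts.items():
        with open(os.path.join(app_dir, name), "w", encoding="utf-8") as f:
            f.write(src)
    manifest = build_manifest(app_dir, list(scripts))
    results = {"main.js": load_script(app_dir, manifest, "main.js")}
    # Overwrite a shipped script, as anyone with write access to the directory could.
    with open(os.path.join(app_dir, "util.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = {}; /* injected */")
    edited = {"entries": dict(manifest["entries"], **{"extra.js": "00" * 32}), "tag": manifest["tag"]}
    for label, m, name in (("util.js", manifest, "util.js"), ("extra.js", manifest, "extra.js"), ("edited", edited, "main.js")):
        try:
            load_script(app_dir, m, name)
            results[label] = "loaded"
        except PermissionError as e:
            results[label] = str(e)
    return results
```

Hashing the bytes actually read, rather than hashing the file and then reopening it, is what closes the check-then-use gap an on-disk hash list would otherwise leave.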

Shaggar
Apr 26, 2006
the teams dev team is all interns so I doubt they're doing much security wise

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
Hmm. Have you tried using some ancient version of μTorrent from before the developers tried to monetize it and hosed it all up?

How about some even older version of Azureus from before the developers of that did the same thing?

I'm sure it will be fine, it's not like you're connecting it to random people on the internet and telling them exactly what outdated not-security-patched software you're running.

KOTEX GOD OF BLOOD
Jul 7, 2012

BangersInMyKnickers posted:

You're still under a fairly tight leash

please do not kinkshame in yospos

i vomit kittens
Apr 25, 2019


https://shhgit.darkport.co.uk/

a website that scrapes users/passwords/tokens from git pushes

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
a peer distributed filesystem based entirely on stolen aws credentials

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD

i vomit kittens posted:

https://shhgit.darkport.co.uk/

a website that scrapes users/passwords/tokens from git pushes

pretty funny but they really should ignore the .pem files if they (understandably) don't want to parse them for actual private keys

geonetix
Mar 6, 2011


https://twitter.com/a_tweeter_user/status/1188811977851887616?s=21

im still stuck on the kaka ‘n peepee, but I guess a compromised nuclear power plant is also serious

Varkk
Apr 17, 2004

Yeah, crosspost from OSHA thread
https://twitter.com/RungRage/status/1188853620541775872?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1188853620541775872

cinci zoo sniper
Mar 15, 2013




the plant administration seems to be denying this publicly, citing isolation of their control systems from external networks

geonetix
Mar 6, 2011


the actual release from the admin seems to be specifically about the operational tech, not the it infra

but who knows, iran also never admitted to being stuxnetted i think

DrPossum
May 15, 2004

i am not a surgeon

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

KOTEX GOD OF BLOOD posted:

please do not kinkshame in yospos

but I was implying it was a good thing

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles


lmbo

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Welp, here's hoping they properly isolated their SCADA network and nobody quietly connected the Corp and SCADA networks together. That never happens, right?

Sleng Teng
May 3, 2009

CommieGIR posted:

Welp, here's hoping they properly isolated their SCADA network and nobody quietly connected the Corp and SCADA networks together. That never happens, right?

Yeah, I for one have never seen this in person a depressing amount of times in power, water, and wastewater plants


CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sleng Teng posted:

Yeah, I for one have never seen this in person a depressing amount of times in power, water, and wastewater plants

Did an engagement for a chemical plant where someone had plugged in the networks so they could watch videos on the night shift.

Their scada solution accepted admin/admin as a login....
