|
ultrafilter posted:Someone who has access to edit that file probably has more direct options to do whatever they're trying to do. yeah, but you could make it look like cyberpunk's fault, it's the perfect crime (i kid)
|
#
?
Dec 12, 2020 00:27
|
|
|
|
| # ? May 14, 2024 11:58 |
|
|
QuarkJets posted:This probably isn't a threat to most business networks, but is a threat to tons of individuals. For instance, launch a persistent keylogger prior to launching the game. Or launch something that requests privilege escalation because most users just want to play their game and will click "OK" immediately.
|
|
#
?
Dec 12, 2020 00:42
|
|
|
Shocking new exploit discovered! If you can edit files on the user's drive, you can replace the Cyberpunk launcher EXE with any arbitrary executable code of your choosing! Come on CDPR, this is amateur hour!
|
|
#
?
Dec 12, 2020 01:39
|
|
|
It's not about getting access, it's that you can bypass any signature verification or whitelisting. Not a big deal with a game, but it can be a real problem with programs that are installed on locked-down computers.
|
|
#
?
Dec 12, 2020 01:53
|
|
|
Are you envisioning an allowlisting system where if a trusted executable is allowlisted, it's allowed to invoke anything at all without any checks?
|
|
#
?
Dec 12, 2020 02:00
|
|
|
Jabor posted:Are you envisioning an allowlisting system where if a trusted executable is allowlisted, it's allowed to invoke anything at all without any checks? Envisioning as in "looking right at," yes
|
|
#
?
Dec 12, 2020 02:02
|
|
|
Dylan16807 posted:It's not about getting access, it's that you can bypass any signature verification or whitelisting. If they're that locked down how are you installing this anyway
|
|
#
?
Dec 12, 2020 02:02
|
|
|
Volmarias posted:If they're that locked down how are you installing this anyway Yes, it's not a big deal for a game, because that's probably not going to be installed and whitelisted by the sysadmin. But it's still fun to poke at a flaw like that.
|
|
#
?
Dec 12, 2020 02:53
|
|
|
Volte posted:If that's all it is, then that seemingly barely qualifies as a vulnerability. I mean instead of editing the JSON file it could just replace the exe file wholesale with a compromised one if it has permission to do that, which could apply to any game, even ones without launchers. Hell, if it has permission to do that, it could have just installed the keylogger as a service instead. The JSON string executes under the signed launcher, giving it a veneer of legitimacy that an arbitrary exe wouldn't have.
|
|
#
?
Dec 12, 2020 07:01
|
|
|
QuarkJets posted:The JSON string executes under the signed launcher, giving it a veneer of legitimacy that an arbitrary exe wouldn't have. I think we get that it's a vulnerability and why, we're just questioning the narrow circumstances that would make this specific action worthwhile. You have to have a machine where cyberpunk is installed, and where unsigned applications are not allowed to run, but where you have gained write access, but you cannot write to something more useful, but you specifically want to pop this machine, but you somehow do not have any better exploits to chain.
|
|
#
?
Dec 12, 2020 07:13
|
|
|
the important thing is that their signing key be revoked immediately
|
|
#
?
Dec 12, 2020 07:26
|
|
|
I was under the impression that the file in question was left as user-writable, with no escalation required. So you edit that file, ask for elevation for some malicious code, and then the user (if they're able) provides elevation because it appears to be Cyberpunk asking for elevation.
|
|
#
?
Dec 12, 2020 07:30
|
|
|
Volmarias posted:I think we get that it's a vulnerability and why, we're just questioning the narrow circumstances that would make this specific action worthwhile. You have to have a machine where cyberpunk is installed, and where unsigned applications are not allowed to run, but where you have gained write access, but you cannot write to something more useful, but you specifically want to pop this machine, but you somehow do not have any better exploits to chain. There's also "the user is trying to run code and they're not supposed to be allowed to run non-whitelisted code". Possibly of their own volition, or possibly because you tricked them.
|
|
#
?
Dec 12, 2020 07:35
|
|
|
xtal posted:Envisioning as in "looking right at," yes Why is that not a problem with signed executable explorer.exe in your system then?
|
|
#
?
Dec 12, 2020 09:19
|
|
|
Dylan16807 posted:Yes, it's not a big deal for a game, because that's probably not going to be installed and whitelisted by the sysadmin. But it's still fun to poke at a flaw like that. A internet Cafe or LAN place locked down to only steam maybe?
|
|
#
?
Dec 12, 2020 11:43
|
|
|
Honestly it's less of a horror than everyone standardizing on the same minigame to protect their data and money in the future.
|
|
#
?
Dec 12, 2020 14:31
|
|
|
Does Windows 10 really use a hierarchical code signing model where any process that gets spawned by a signed binary is considered signed by the certificate that signed the parent executable? And this is the default? How do Steam or any other launcher get around it? What should the CP2077 launcher have done differently? What's the use case of "all binaries must be signed, unless its parent process is signed, then whatever, who cares"? I'm trying to Google for examples of this vulnerability in game launchers or anywhere and I'm not turning up anything or even sure what to search for. The only system policy I can even find that would restrict a system to signed binaries is AppLocker, and I can find plenty of examples of child processes failing to launch because of not being in the AppLocker whitelist (and even if they didn't, that feels like it would be a flaw in AppLocker). I do believe that smarter people than me think this is a vulnerability but so far nobody has actually demonstrated why. Has this been shown to be able to circumvent system policy in a proof of concept? The original tweet of pushing a button and opening calc.exe says about as much to me as adding calc.exe as a custom game to Steam and then launching it from there. Steam just has a built-in interface to modify its JSON-configuration equivalent.
|
|
#
?
Dec 12, 2020 15:16
|
|
|
If the config file is world-writable, it allows users to target one another pretty easily. Quark jets said:quote:it's taking advantage of the fact that anyone can edit the JSON that the Cyberpunk launcher reads from when the user presses a button. Idk what windows does these days, but osx asks permission to run unsigned binaries in finder. If someone is used to signed code being an actually enforced(-ish) thing, evading signing looks worse than it does to people who only equate signed binaries with strict enterprise IT policies
|
|
#
?
Dec 12, 2020 17:33
|
|
|
A quick Google confirms that it's in the game directory, i.e. the same directory as the launcher executable itself. I'm not sure about the permissions, but unless it's explicitly made world-writable, it shouldn't create any new vulnerabilities beyond what having the game directory itself be world-writable would.
|
|
#
?
Dec 12, 2020 17:52
|
|
|
E: disregard you ninja'd in a clarifying bit. Thanks! Sounds like it's prob not works writeable Achmed Jones fucked around with this message at 17:56 on Dec 12, 2020 |
|
#
?
Dec 12, 2020 17:54
|
|
|
Jabor posted:Are you envisioning an allowlisting system where if a trusted executable is allowlisted, it's allowed to invoke anything at all without any checks? I would like to imagine that things have gotten better since then, but launching UT via Word to bypass the checks was a thing we did when I was in high school...
|
|
#
?
Dec 12, 2020 21:10
|
|
|
Plorkyeran posted:I would like to imagine that things have gotten better since then Quite an imagination you have there!
|
|
#
?
Dec 13, 2020 00:03
|
|
|
I think the idea is that you distribute the launcher along with your malicious code and just ignore that there was originally a game attached.
|
|
#
?
Dec 13, 2020 00:59
|
|
|
Volte posted:Does Windows 10 really use a hierarchical code signing model where any process that gets spawned by a signed binary is considered signed by the certificate that signed the parent executable? Leaving Cyberpunk aside, did you know that cmd.exe is installed on your computer right now, is signed by Microsoft, and will run whatever command you pass to it!  HACKERS! posted:cmd.exe /C calc
|
|
#
?
Dec 13, 2020 01:24
|
|
|
the json could have a hash made from it to make sure is not exploited against the user this also show that digitally signed binaries are a defense in deep - just create a easy to jump obstacle
|
|
#
?
Dec 16, 2020 08:54
|
|
|
In a trying not to start anything big before Christmas, I've picked up my ex managers ASP.NET Framework project, to try and sort out some logging for someone else. Just need to setup NLog, can't quite see where the dependency injection is being set up. Lets have a look at one of the Controllers: code:I regret offering to look at this.
|
|
#
?
Dec 22, 2020 12:10
|
|
|
Captain Muffin posted:In a trying not to start anything big before Christmas, I've picked up my ex managers ASP.NET Framework project, to try and sort out some logging for someone else. I can't really comment on the practice, since my knowledge of DI is pretty basic, but the thing that leaps out to me is that the implementation doesn't appear to be self-consistent. If everything has a parameterless constructor that constructs the default implementations of its dependencies, then why does the parameterless constructor for HomeController not in turn call the parameterless constructors of its dependencies? Why does it go to the trouble of constructing the dependencies of its dependencies? i.e. the code you quoted says this: code:code:code:code:side note: lol at being horrified that code has been in a state of which you don't approve for two whole years. I've found (and posted in this thread) production code that was outright wrong for about a decade. I'm talking about code that just plain does the wrong thing, not just bad style.
|
|
#
?
Dec 22, 2020 18:20
|
|
|
This is still my favourite thing I've ever posted in this thread, I thinkHammerite posted:Found today in maths code that's been around and in use for years.
|
|
#
?
Dec 22, 2020 18:39
|
|
|
Took me probably far too long to understand what the problem was. Perhaps I am the coding horror.
|
|
#
?
Dec 22, 2020 18:45
|
|
|
Captain Muffin posted:In a trying not to start anything big before Christmas, I've picked up my ex managers ASP.NET Framework project, to try and sort out some logging for someone else. Poor Man's Dependency Injection is a named pattern that's been around for a while, and it has at least one respected proponent in these very forums. I personally don't like it, but it has a case. However, your old manager did it wrong, and should have done it like this: Hammerite posted:I can't really comment on the practice, since my knowledge of DI is pretty basic, but the thing that leaps out to me is that the implementation doesn't appear to be self-consistent. If everything has a parameterless constructor that constructs the default implementations of its dependencies, then why does the parameterless constructor for HomeController not in turn call the parameterless constructors of its dependencies? Why does it go to the trouble of constructing the dependencies of its dependencies?
|
|
#
?
Dec 22, 2020 20:27
|
|
|
raminasi posted:Poor Man's Dependency Injection is a named pattern that's been around for a while, and it has at least one respected proponent in these very forums. I personally don't like it, but it has a case. However, your old manager did it wrong, and should have done it like this: Seconding this. The practice is fine but the implementation here is dead wrong. I actually recommend following this pattern (correctly) to people who are experienced developers but are new to testing practices because I find that it helps it click for them faster if they're constructing dependencies through some mechanism that's less opaque than a DI container.
|
|
#
?
Dec 23, 2020 01:53
|
|
|
Hammerite posted:This is still my favourite thing I've ever posted in this thread, I think Protocol7 posted:Took me probably far too long to understand what the problem was. Perhaps I am the coding horror. Does it always invoke dl=dt; ?
|
|
#
?
Dec 23, 2020 02:19
|
|
|
Yes.
|
|
#
?
Dec 23, 2020 02:37
|
|
|
New Yorp New Yorp posted:Seconding this. The practice is fine but the implementation here is dead wrong. Yeah if you just wanna prototype something quick its acceptable, and DI is super confusing if you don't know how its setup. This was all implemented by my manager who used to randomly quiz you about the SOLID C# principles every five minutes. The best bit is he has one controller called home, so if you go to http://127.0.0.1:8080/home this gets called: code:code:code:
|
|
#
?
Dec 23, 2020 10:22
|
|
|
Hey, it could have been worse, they could have been a singleton.
|
|
#
?
Dec 23, 2020 14:58
|
|
|
If that manually implemented DI is the worst thing in the project I think you're doing okay. Even the unnecessary chained constructor calls are kind of interesting in that they reveal the dependency hierarchy in a very explicit manner. Definitely wouldn't do it that way though. I do similar things in hybrid unit/integration tests sometimes, but I put the instantiation in the test code instead.Captain Muffin posted:Both constructors create their own instance of Ah, there's the real problem. The repository probably shouldn't store the data in memory, and if it does it should be a singleton, or use a singleton memory cache of some sort. You can combine singletons with poor man's DI pretty smoothly by having a static instance variable on the class and no public constructors. It sounds like you already know all of this, but I think it's interesting to get to the heart of the problem. Manual DI could be said to be the cause of the bug because the dev forgot about the shared dependency with local data, but you can easily get the same bug (and I've done this personally multiple times) by setting it up with the wrong lifetime in the DI framework. So the problem is more semantic than structural.
|
|
#
?
Dec 25, 2020 11:04
|
|
|
Quiet day at work so I tried upgrading Keycloak on a test server from 11 to 12 to check out the new console. Well, this has got to be a decent contender for the worst ratio between stack trace length and actual diagnostic usefulness: https://pastebin.com/raw/hnDcxVke
|
|
#
?
Dec 29, 2020 15:42
|
|
|
NihilCredo posted:Quiet day at work so I tried upgrading Keycloak on a test server from 11 to 12 to check out the new console. The first line is the actual problem, isn't it?
|
|
#
?
Dec 29, 2020 16:12
|
|
|
https://twitter.com/dabit3/status/1341537427761074177
|
|
#
?
Dec 29, 2020 16:25
|
|
|
|
| # ? May 14, 2024 11:58 |
|
|
Carbon dioxide posted:The first line is the actual problem, isn't it? Yep so how would you fix it? This doesn't tell you how to correct the issue, it basically tells you "hey read our source code and try to decipher what thing you control can be changed to avoid the problem."
|
|
#
?
Dec 29, 2020 16:25
|
|
