Conversation
Edited 4 months ago
What are typical #vulnerability types of 90s/early 2000s that are now more or less irrelevant/rare?

(I'm less interested in easy to exploit memory corruptions, more in "logical" bugs)

@buherator sharing $c over the network which included the Internet back then.


@buherator self replicating virii come to mind, and I feel that format string bugs got rarer


@buherator php injections into system() and include()?

@freddy Yeah, I also have the impression that direct code/command injections (not counting deserialization) are less common these days, thanks!

Thinking out loud:
- Permanent pre-auth DoS in network services (yeah I know this is usually memory corruption)
- SQL injection (???)

@swapgs @freddy Were those common in any time period? o.O

@buherator With the exception of recent Qualys findings, userland LPEs seem less common now (setuid bins, etc.)? This could be explained by the "recent" hegemony of Linux, even though @raptor has fun with Solaris from time to time.

@swapgs @raptor There have been multiple shifts of focus that shaped our perception for sure. I find userland LPEs on Windows still plenty and important though. Also I'm more interested in bug types than impacts (slightly contradicting my other reply about DoS).

@buherator Word macro viruses? 🤔
"I love you" was the plague of the time, and in my spam folder I haven't seen those for quite some time..


@buherator @freddy It’s always been an old-school bug class for me, but I wasn’t around in the 90’s so it could be "artificial" nostalgia :D

@skyr If you mean self-replication then absolutely! Macros are still going strong AFAICT (default blocking will change that ofc).

It's also interesting how the exposure to trojans (iloveyou.txt.vbs et al.) has been reduced (MOTW, perimeter filtering, ???).

@buherator all things eval() and friends in any interpreted language.


@buherator the year 2000 bugs are all mitigated by now. Wait... 🤣


@buherator @swapgs 20+ years ago, you could scan a network, identify some software in use, download it, reverse it if it wasn’t open source, audit it for security vulnerabilities, write an exploit and hack your target in a few days/weeks.

Now, I think it’s harder. I’d say mostly because of mitigations, I don’t believe developers got any better, although some common software became more mature and robust.

Luckily (for attackers) there are still security appliances that are easy to exploit 😜


@buherator For me it's the unauth remotely exploitable shit that's getting harder to find, credentials however are easier to obtain these days, authenticated attacks on software are still everywhere and useful for getting into infra.

Can we say that filesystem path traversals are replaced with URL path traversals (Orange Tsai, Exchange shitshow ...)?

@buherator IMHO fs path traversals are still a thing


@joern @buherator It's tough to think of one that _isn't_ memory corruption (Windows SEH pop/pop/ret, easy heap exploits due to lack of DEP/ASLR, etc). Everything else is still out there in some form (missing auth, embedded credentials, SQL injection, even format strings for info-leaks).

@joern I have no doubts about that, but I don't think they are as easy to come by as in the early days of PHP for example.

@hdm I'm also interested in bug classes becoming less prevalent (not extinct). IME SQLi's are definitely out there, but rarer than before.

@buherator @hdm Stuff gets better in general I think. Just by programming languages making better choices e.g. AFAIK in Go you don’t have a built-in system method which does sh -c $USERINPUT. Another example is Ruby’s ReDoS defenses shipped in 3.2.


@buherator @hdm since the media hype around ZIP traversals those were addressed at large in frameworks/languages.

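The ZIP traversal and filesystem path traversal points raised above, as an added example that is not code from the thread: a member-name check that catches relative `..`, absolute paths and `..` hidden mid-path, plus an extractor that only writes members which pass. The sample archive is constructed inline; the verdict labels and function names are this example's own.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip() -> bytes:
    """Constructed sample: one benign member, three that try to escape dest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../etc/cron.d/evil", "relative traversal")
        zf.writestr("/etc/passwd", "absolute path")
        zf.writestr("a/../../b.txt", "traversal hidden mid-path")
    return buf.getvalue()

def entry_verdict(name: str, dest: str) -> str:
    """Classify one member name as 'ok', 'absolute' or 'traversal'."""
    # Treat backslashes as separators so '..\\..\\x' is judged like '../../x'.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return "absolute"
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, norm))
    # abspath collapsed every '..'; the result must still sit under dest.
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return "traversal"
    return "ok"

def safe_extract(data: bytes, dest: str) -> tuple:
    """Extract only 'ok' members; return (sorted extracted, sorted rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_verdict(info.filename, dest) != "ok":
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return sorted(extracted), sorted(rejected)

def demo() -> tuple:
    """Run safe_extract on the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_zip(), dest)
```

The same `entry_verdict` check applies to any user-supplied filename that is joined onto a server-side directory, which is the filesystem traversal case discussed above.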

@buherator Well comparing to the early days of PHP is kinda unfair :D. Things have generally evolved and we have a huge security industry nowadays with all kinds of silver bullets trollface


@buherator File upload into the webroot accepting (e.g.) .php files, leading to RCE.

@joern It's interesting to approach the problem from the other direction: $technology causing spikes in specific vulnerability classes 🤔

@xnyhps Yes! More generally: my remote interfaces are files (CGI, PHP, JSP, ...).

@buherator I'd argue that if SQLi fits your bill, then *XSS should be there as well, at least in my experience. Modern frameworks do generally a good job at mitigating both vuln classes with default settings, and usually require the dev to explicitly disable the safeguards in order to fuck it up.


@joern @buherator flipping the question around, what bug classes have become more common? (excluding LLM prompt injection) -- maybe HTTP desyncs?


@buherator Despite it being a solved problem, SQL injection is still extremely common, because developers who paste strings together into SQL queries are still extremely common.

@hdm @joern I'd put serialization on that list

@buherator @swapgs @freddy In the early 2000s almost every consumer router had an admin interface with a trivial injection in the ping diagnostic page.


@raptor @buherator @swapgs everything in a case sold as an appliance running kernel 2.6 and php 5 helps too, i bet :D
