@cR0w How can this company still exist?

@cR0w @buherator I wish a company that decided to rebuild their edge device code in Rust would be handsomely rewarded by the market, but I know that almost nobody actually cares about these vulns, and even fewer about true systemic fixes.

@mttaggart @cR0w I don't want unicorns, I just would like to see that shitty security QA has consequences on the market, regardless of technology.

@cR0w @mttaggart @buherator The first time I saw this was with FireEye, way way way back when. Then SonicWalls, then some others; now it's like everybody who has PHP on a firewall, with the one exception of pfSense, who I just never hear about, ever.

But yeah, this sentiment is absolutely dead on. Way too many people who have no clue wtf they're doing, and will scream gatekeeping at you over the mere suggestion they be 'even remotely qualified'.


@cR0w @mttaggart @buherator Imagine someone who was formerly a florist in an operating room during a neurosurgeon's job, screaming gatekeeping at the head of medicine for the hospital because the head of medicine suggested that maybe the florist, I dunno, attend medical school? Learn some stuff about surgery or medicine?

That's where we're at.


@cR0w @mttaggart @buherator I'm not sure if 44CON published the talk, but it was massive news at the time. Some German researcher guy figured it out:
- send one email through with a 7zip that uncompresses to absolute paths, have it overwrite the Python script which parses a file format with Python Meterpreter
- send a second email through with an attachment for that file format (he used RTF). That will trigger the parser.

Meterpreter root shell on a FireEye appliance via 2 emails.

It was bananas.

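The primitive described in the post above (an archive whose member names are absolute or traversing paths, written onto disk by an extractor that trusts them), as an added example that is not from the talk and not FireEye's or Felix Wilhelm's code: a hand-rolled extractor that joins member names onto a destination directory, beside the check that rejects absolute and escaping names. It uses Python's zipfile rather than 7zip, and the member names, the quarantine directory and the parser path are constructed stand-ins.

```python
import io
import ntpath
import os
import posixpath
import zipfile

# Constructed sample archive (not from the talk): three members, two with
# hostile names. HOSTILE_PARSER is a made-up stand-in for the file-format
# parser the talk overwrote.
HOSTILE_PARSER = "/opt/scanner/parsers/rtf_parser.py"
TRAVERSAL = "../../etc/cron.d/backdoor"
BENIGN = "docs/readme.txt"


def build_sample_archive():
    """Build the sample zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(HOSTILE_PARSER, "# attacker-supplied code\n")
        zf.writestr(TRAVERSAL, "* * * * * root /bin/sh\n")
        zf.writestr(BENIGN, "benign\n")
    return buf.getvalue()


def naive_target_paths(archive_bytes, dest):
    """Vulnerable pattern: trust the member name and join it onto dest.
    os.path.join discards dest entirely when the name is absolute, and a
    '..' component walks out of it. Returns where each member would land."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [os.path.join(dest, name) for name in zf.namelist()]


def safe_target_path(dest, name):
    """Return the path a member may be written to, or raise ValueError."""
    # Reject absolute names in either path flavour and drive-letter names.
    if posixpath.isabs(name) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError("absolute member name: %r" % name)
    if "\x00" in name:
        raise ValueError("NUL in member name: %r" % name)
    dest_real = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(dest_real, name))
    # realpath collapses '..' and follows symlinks that already exist, so an
    # escape through either shows up as a different prefix here.
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        raise ValueError("member escapes destination: %r" % name)
    return candidate


def vet_archive(archive_bytes, dest):
    """Split members into (accepted names, [(name, reason), ...])."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            try:
                safe_target_path(dest, name)
                accepted.append(name)
            except ValueError as exc:
                rejected.append((name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    data = build_sample_archive()
    for path in naive_target_paths(data, "/var/quarantine"):
        print("naive extractor would write:", path)
    ok, bad = vet_archive(data, "/var/quarantine")
    print("accepted:", ok)
    for name, why in bad:
        print("rejected:", name, "->", why)
```

Python's own zipfile.extract strips leading slashes and '..' components, so the naive function above stands in for a hand-rolled extractor or an external unpacker invoked on untrusted input; the realpath check is only as good as the directory state at the moment it runs, so extract into a fresh, empty directory that the attacker could not have seeded with symlinks.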

@cR0w @buherator I'm in agreement with you. Rust is just the only real game in town for memory-safe code at the moment. But it's not about that; as you said, it's about process. But yeah, there is zero incentive at all to improve. Nor will there be, especially as we lose the CSRB and CISA gets gutted even beyond its prior state of toothlessness.


@cR0w @mttaggart @buherator That musta been like... 2014 maybe? I forget, but it blew my mind. I was in the room for the talk.


@cR0w @mttaggart @buherator They made 'fuck FireEye' stickers for like 2 years afterwards.


@da_667 @cR0w @mttaggart @buherator Yeah, once that German dude showed people how to trivially get shells on the things, a buuuuunch of other folks dove in :D

@Viss @da_667 @cR0w @mttaggart FTR it was Felix Wilhelm (who then went to big G) and these seem to be the slides:

https://ernw.de/download/ERNW_44CON_PlayingWithFire_signed.pdf
@da_667 @Viss @cR0w @mttaggart I don't remember UPX unpacker vulns in FE specifically, but this old P0 post is still a fun read:

https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

Edit: it seems they needed a (rather trivial) privesc in case of FE, so give credit where it's due ;)

https://project-zero.issues.chromium.org/issues/42452189

@cR0w @buherator @mttaggart But customers often don't really care either? Cost of doing business and stuff
