timb_machine: RT @portcullislabs In other news, there were 5 members of @portcullislabs working on an ICS research project this evening. Expect bugs.
timb_machine: RT @portcullislabs We've been recommending turning off SSLv3 for a while (https://labs.portcullis.co.uk/whitepapers/ssl-good-practice-guide/)
timb_machine: $crash ++; # Given how often xfreerdp crashes under normal use, there might be some nice bugs to exploit
timb_machine: @michael_jordon Just wondered about your SAP bug. Was it acknowledged on non-Windows and is there a patch?
timb_machine: @pentestmonkey yaptest autoconf'd in revision 111
timb_machine: @nmonkee AFAIK, they have no IDS, let alone one that triggers physical destruction
timb_machine: @nmonkee Not yet, this was a literal fire (alarm)
timb_machine: die("in a fire"); # SAP pentest on hold
timb_machine: @timb_machine Credits to @__Freakyclown__ for persuading me to fuzz something I last looked at in 2007-8.
timb_machine: alert(document.location + document.domain); # Just found a universal XSS :)
timb_machine: @dyngnosis Writing PoC is easy bit but are there systems that are actually exploitable, other than those still affected by @stealth's bug?
timb_machine: @kurtseifried, @marklinton, @dakami, @chort0, @ErrataRob Would also violate UK (probably European) law too.
timb_machine: @nmonkee Already had root access, so know all the weak creds. Shits and giggles only.
timb_machine: @nmonkee That web service they popped is a heap of shit.
timb_machine: @nmonkee Ported the @CTXIS sploit to AIX ;)
timb_machine: $root ++; # Another SAP estate dismantled.
timb_machine: @CTXIS Can someone poke @michael_jordon for me? :)
timb_machine: @michael_jordon Your SAP bug.. got time for a couple of DMs?
timb_machine: @gsuberland Are they senior or junior to you?
timb_machine: @pentestmonkey Been busy working on yaptest. Expect patches. ;)
timb_machine: @grsecurity, @jduck, @_larry0, @OSVDB And here's Papillon from 2001 (on Solaris): http://www.mlsec.org/papillon/
timb_machine: @_larry0 @pentestmonkey and I have been playing with the same using auditd with mixed success...
timb_machine: $spurious ++; # @<someone> is wrong because <unsubstantiated drama>
timb_machine: @_larry0 #boycottlennart
timb_machine: @SushiDude No one allows root logins these days do they? <duck/>
timb_machine: @OSVDB, @SushiDude, @_larry0 You guys saw this, right? https://twitter.com/grsecurity/status/511988946541502464
timb_machine: @timb_machine 3/5 missing patches are for bugs I reported \o/
timb_machine: $happiness = (0 == setuid(0)) ; # About those IBM AIX patches that keep on being released...
timb_machine: @scarybeasts, @solardiz Surely f-d is the correct venue.
timb_machine: @openvas ++; # Woo, OpenVAS has a wiki now \o/
timb_machine: @_larry0, @__Freakyclown__, @sqshr Well, I think all of us are on freenode, but this was about somewhere else :)
timb_machine: @sqshr, @__Freakyclown__ Fancy having a pop at a DES crypt() "hash" for me?
timb_machine: @__Freakyclown__ No but I know the devs/security folk at KDE.
timb_machine: @__Freakyclown__ Day 2 and I've got an Outlook account & not much more. Would have been quicker for me to hack access to the systems I need.
timb_machine: $sap ++; # 20 days of consultancy. Will make a nice change from BB7/10, 'droid, Windows Mobile and iOS cc: @nmonkee
timb_machine: @RosamondMc You've had the luck so far. Expecting the ref to bottle it at our end second half to even things up.
timb_machine: @RosamondMc Sitting in Vicarage Road, thinking back to those drunken conversations about Watford. Promised land, we have arrived.
timb_machine: $messages ++; # Thanks @stealth and @BBSIRT
timb_machine: @crstig You get what you pay for.
timb_machine: @schrotthaufen There's something to be said for pruning features though. I wonder what else would break...
timb_machine: @schrotthaufen Many years ago when I did UNIX opsec we used it in anger on ksh93. No idea if our scripts are still running though.
timb_machine: @steaIth What's your take on shellshock and dhclient? Not looked but kinda assumed the mitigation for your bug should kill it?
timb_machine: @schrotthaufen Compatibility with Korn and zsh?
timb_machine: @SushiDude Will there be a CWE for #shellshock? Child of 146 maybe?
timb_machine: @belowring0 Fuzzing? Why not just search for the exploitable sinks and work back?
timb_machine: @ioerror, @Bincker Not convinced it is exploitable outside of lab. Wrote my own PoC days ago and have been playing a bit.
timb_machine: @BBSIRT Is the 'droid implementation on BB documented anywhere from a security standpoint?
timb_machine: @chort0, @lcamtuf, @mubix s/2/3/g: http://metadata.ftp-master.debian.org/changelogs//main/b/bash/bash_4.2+dfsg-0.1+deb7u3_changelog
timb_machine: @chort0, @lcamtuf, @mubix Do you mean at src level? Believe Florian's patch made Debian's second binary patch...
timb_machine: @bsdaemon :)
timb_machine: @grsecurity ++
timb_machine: @markfc Didn't realise it but his Grandad was actually one of the founders - happy we're still associated :)
timb_machine: @markbfc Reckon I'll be saying this again and again this season but @BrentfordFC looked good again today. The old man would have enjoyed it.
timb_machine: @garyoleary Going down with the Fulham.
timb_machine: @_sinn3r, @jduck Still no proof that any common dhclient conf is exploitable?
timb_machine: @garyoleary If it makes you better, the penalty our center half missed never should have been given. Nothing if not sporting, #brentfordfc
timb_machine: @garyoleary Big game today. Maybe we can do beers at the reverse?
timb_machine: @wheeliesmom, @ioerror To be clear, I'm not conflating the two. Just think serving any power blindly for reasons of "belief" is dubious.
timb_machine: @ioerror Interesting question, one most politicians haven't been brave enough to discuss. Safer to be called anti-islamic than anti-semitic.
timb_machine: @ioerror Rumour has it we have the prospect of leaving the ECHR to look forward to, if Conservatives win again. Loathsome.
timb_machine: @rabite, @ErrataRob, @dakami ++
timb_machine: @_sinn3r No, DHCP doesn't work that way ;) I meant embedded stuff really.
timb_machine: @ErrataRob The Linux kernel is prettier than AIX, but uglier than QNX, Solaris and FreeBSD. But anyway, that wasn't my point.
timb_machine: @ErrataRob Despite the efforts of OpenBSD and Apple and they're the only two that are/have tried. It will be around for a long time to come.
timb_machine: @ErrataRob No, but I don't agree it's GNU code is obsolete just because you say it is.
timb_machine: @_sinn3r Have you actually triggered it on real toys? See previous tweets...
timb_machine: @ErrataRob I'm not commenting on the latter, I'm commenting on the former.
timb_machine: @ErrataRob Incorrect.
timb_machine: @matthew_d_green, @tqbf When it comes to crypto, most people are stupid. Present company excluded. :)
timb_machine: @gmillard I've not triggered it on any thing yet with my PoC (https://twitter.com/timb_machine/status/515086258973192192). Suspect patch for CVE-2011-0997 will make it hard.
timb_machine: @sambowne, @WeldPond It's going to be pretty device specific anyway. Not expecting any of the big OS to fall due to that patch.
timb_machine: @sambowne, @WeldPond Not yet exploited anything with the PoC I shared last night. I wonder if the fix for CVE-2011-0997 has neutered it.
timb_machine: @tqbf Seen e=3 in real code recently. It's interesting what you can report on code reviews if you know to look for it.
timb_machine: @Viss https://twitter.com/timb_machine/status/515086258973192192 :P
timb_machine: @TrustedSec Have you had it work on much? Not seen my PoC work on anything other than jury rigged devices so far.
timb_machine: @singe Exactly, this is another opportunity for @iseezeroday to get on Sunday Brunch or some such tat ;)
timb_machine: $curious ++; # Playing with bash, NULL pointer deref inside delete_job()
timb_machine: @loganattwood, @wiretapped I do wonder if https://kb.isc.org/article/AA-00455/75/CVE-2011-0997:-dhclient-Does-Not-Strip-or-Escape-Shell-Meta-characters.html will limit the exploitability assuming it's been patched.
timb_machine: @wiretapped, @loganattwood http://pastebin.com/S1WVzTv9 Not seen it pop any of my IoT devices yet :(
timb_machine: @sqshr Better tight than hard in the context of plane physics.
SAP Transaction Codes
Patch to x3270 to make it ignore protected fields, and allow them to be modified. This provided some significant pwnage on an assessment where the mainframe (IMS) application appeared to pass the username from one field to another. I'm still researching
security - Exploitable PHP functions - Stack Overflow
Rechenzentrum Kreuznach - the AS/400 professionals
Configuration of hidden Sendmail SSL/TLS connection options « TriathlonMike
Native Extensions for Perl without Smoke and Mirrors
Deconstructing the Azure Point-to-Site VPN for Command Line usage - Diary Of A Ninja
Cryptographic flaws in Oracle Database authentication protocol | Marcel's Blog
OpenPGP Best Practices - Privacy and Authenticity Ou... - Riseup Labs - Groups - we.riseup.net
A brief look at the Acer ChromeBook #2
A brief look at the Acer ChromeBook #1
Dead bugs society
A brief look at the RIM PlayBook
Breaking cpau, a dummies guide
Bypassing the Android pattern lock
Exploiting the Linux linker
Dumping Samba hashes
Defcon 18 CTF qualifiers: who is the h4x13st h4x0r of them all