Engineering WCF Hacks

There aren’t many professions in IT that make practitioners learn as many different technologies as pentesting does: one week you are neck-deep in Windows AD, the next you are trying to make sense of some custom thick-client protocol in Wireshark, while you are running some webapp scans in...

13 minute read

Technical Details of CVE-2023-30988 - IBM Facsimile Support Privilege Escalation

Preface Have you ever seen privilege escalation in action on IBM i? In this post we show how techniques we already posted about could be used to discover and exploit a previously unknown vulnerability. The IBM Facsimile Support for i was vulnerable to local privilege escalation - the vulnerabilities were...

2 minute read

Technical Details of CVE-2023-30990 - Unauthenticated RCE in IBM i DDM Service

Preface IBM published a security bulletin called IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture on 2023.06.30, fixing an unauthenticated remote code execution vulnerability reported by us. This blog post contains the technical details of the discovery and exploitation processes. About...

6 minute read

Booby Trapping IBM i

Post-exploitation is a crucial element of any attack aiming for realistic objectives, so it is no surprise that the topic is extensively researched, resulting in a trove of information that defenders can rely on to design and implement countermeasures. Unfortunately, owners of IBM i systems do not have the luxury...

7 minute read

Abusing Adopted Authority on IBM i

In our first blog post of 2023, we continue our series about penetration testing IBM i. This time we look into how the so-called Adopted Authority mechanism can be abused for privilege escalation if privileged scripts are not implemented with enough care. Most of the time, when a user executes...

5 minute read

Our new scanner for Text4Shell

Some say CVE-2022-42889 is the new Log4Shell, for which we developed our own tool to enumerate affected hosts back in 2021. Others, like Rapid7, argue that it may not be as easy to exploit as Log4Shell. Regardless of the severity and exploitability of this vulnerability, we quickly morphed a clone...

2 minute read

Another Tale of IBM i (AS/400) Hacking

Our next journey takes us into the infrastructure of a bank. One element of the infrastructure was an IBM i (AS/400) server, and the only piece of information we got to conduct the penetration test was its IP address. We had been collecting a list of common application and service...

6 minute read

Simple IBM i (AS/400) hacking

When you get the chance to take a look at the IT systems of financial institutions, telcos, and other big companies, where availability has been a key business concern for decades, you’ll find that some critical operations run through some obscure systems, in many cases accessed via nostalgic green-on-black terminals,...

9 minute read