There aren’t too many professions in IT that makes professionals learn so many different technologies as pentesting does: one week you are neck-deep in Windows AD, the other you are trying to make sense of some custom thick client protocol in Wireshark, while you are running some webapp scans in...
2024-10-27 — 13 minute readPreface Have you ever seen privilege escalation in action on IBM i? In this post we show how techniques we already posted about could be used to discover and exploit a previously unknown vulnerability. The IBM Facsimile Support for i was vulnerable to local privilege escalation - the vulnerabilities were...
2023-08-22 — 2 minute readPreface IBM published a security bulletin called IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture on 2023.06.30, fixing an unauthenticated remote code execution vulnerability reported by us. This blog post contains the technical details of the discovery and exploitation processes. About...
2023-07-03 — 6 minute readPost-exploitation is a crucial element of any attack aiming for realistic objectives, so it is no surprise that the topic is extensively researched, resulting in a trove of information that defenders can rely on to design and implement countermeasures. Unfortunately, owners of IBM i systems do not have the luxury...
2023-03-30 — 7 minute readIn our first blog post of 2023, we continue our series about penetration testing IBM i. This time we look into how the so-called Adopted Authority mechanism can be abused for privilege escalation if privileged scripts are not implemented with enough care. Most of the time, when a user executes...
2023-01-20 — 5 minute readSome say, CVE-2022-42889 is the new Log4Shell, for which we developed our own tool to enumerate affected hosts back in 2021. Others like Rapid7 argue that it may not be as easy to exploit like Log4Shell. Regardless of the severity and exploitability of this vulnerability, we quickly morphed a clone...
2022-10-18 — 2 minute readOur next journey takes us into the infrastructure of a bank. One element of the infrastructure was an IBM i (AS/400) server, and the only piece of information we got to conduct the penetration test was its IP address. We had been collecting a list of common application and service...
2022-09-28 — 6 minute readWhen you get the chance to take a look at the IT systems of financial institutions, telcos, and other big companies, where availability has been a key business concern for decades, you’ll find, that some critical operations run through some obscure systems, in many cases accessed via nostalgic green-on-black terminals,...
2022-09-05 — 9 minute read