Abusing Adopted Authority on IBM i

In our first blog post of 2023, we continue our series about penetration testing IBM i. This time we look into how the so-called Adopted Authority mechanism can be abused for privilege escalation if privileged scripts are not implemented with enough care. Most of the time, when a user executes...

5 minute read

Our new scanner for Text4Shell

Some say, CVE-2022-42889 is the new Log4Shell, for which we developed our own tool to enumerate affected hosts back in 2021. Others like Rapid7 argue that it may not be as easy to exploit like Log4Shell. Regardless of the severity and exploitability of this vulnerability, we quickly morphed a clone...

2 minute read

Another Tale of IBM i (AS/400) Hacking

Our next journey takes us into the infrastructure of a bank. One element of the infrastructure was an IBM i (AS/400) server, and the only piece of information we got to conduct the penetration test was its IP address. We had been collecting a list of common application and service...

6 minute read

Simple IBM i (AS/400) hacking

When you get the chance to take a look at the IT systems of financial institutions, telcos, and other big companies, where availability has been a key business concern for decades, you’ll find, that some critical operations run through some obscure systems, in many cases accessed via nostalgic green-on-black terminals,...

9 minute read

Our new tool for enumerating hidden Log4Shell-affected hosts

Log4Shell, formally known as CVE-2021-44228 seems to be the next big vulnerability that affects a huge number of systems, and the affected component, Log4j gets involved in logging untrusted data by design. This results in lots of vulnerable hosts that are hidden in the sense that naive testing won’t find...

3 minute read

Fuzzy Snapshots of Firefox IPC

In January Mozilla published a post on their Attack & Defense blog about Effectively Fuzzing the IPC Layer in Firefox. In this post the authors pointed out that testing individual components of complex systems (such as a web browser) in isolation should be extended by full-system testing, for which snapshot...

15 minute read

Adding XCOFF Support to Ghidra with Kaitai Struct

It’s not a secret that we at Silent Signal are hopeless romantics, especially when it comes to classic Unix systems (1, 2, 3). Since some of these systems – that still run business critical applications at our clients – are based on some “exotic” architectures, we have a nice hardware...

5 minute read

Abusing JWT public keys without the public key

This blog post is dedicated to those to brave souls that dare to roll their own crypto The RSA Textbook of Horrors This story begins with an old project of ours, where we were tasked to verify (among other things) how a business application handles digital signatures of transactions, to...

6 minute read