Preface IBM published a security bulletin called IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture on 2023.06.30, fixing an unauthenticated remote code execution vulnerability reported by us. This blog post contains the technical details of the discovery and exploitation processes. About...
2023-07-03 — 6 minute readPost-exploitation is a crucial element of any attack aiming for realistic objectives, so it is no surprise that the topic is extensively researched, resulting in a trove of information that defenders can rely on to design and implement countermeasures. Unfortunately, owners of IBM i systems do not have the luxury...
2023-03-30 — 7 minute readIn our first blog post of 2023, we continue our series about penetration testing IBM i. This time we look into how the so-called Adopted Authority mechanism can be abused for privilege escalation if privileged scripts are not implemented with enough care. Most of the time, when a user executes...
2023-01-20 — 5 minute readSome say, CVE-2022-42889 is the new Log4Shell, for which we developed our own tool to enumerate affected hosts back in 2021. Others like Rapid7 argue that it may not be as easy to exploit like Log4Shell. Regardless of the severity and exploitability of this vulnerability, we quickly morphed a clone...
2022-10-18 — 2 minute readOur next journey takes us into the infrastructure of a bank. One element of the infrastructure was an IBM i (AS/400) server, and the only piece of information we got to conduct the penetration test was its IP address. We had been collecting a list of common application and service...
2022-09-28 — 6 minute readWhen you get the chance to take a look at the IT systems of financial institutions, telcos, and other big companies, where availability has been a key business concern for decades, you’ll find, that some critical operations run through some obscure systems, in many cases accessed via nostalgic green-on-black terminals,...
2022-09-05 — 9 minute readLog4Shell, formally known as CVE-2021-44228 seems to be the next big vulnerability that affects a huge number of systems, and the affected component, Log4j gets involved in logging untrusted data by design. This results in lots of vulnerable hosts that are hidden in the sense that naive testing won’t find...
2021-12-12 — 3 minute readIn January Mozilla published a post on their Attack & Defense blog about Effectively Fuzzing the IPC Layer in Firefox. In this post the authors pointed out that testing individual components of complex systems (such as a web browser) in isolation should be extended by full-system testing, for which snapshot...
2021-10-14 — 15 minute read