44Con 2019 - Continuous Integration Continuous Bounties

CI/CD pipelines are the perfect, bug-rich target for new and experienced bug hunters. As complex, user-controlled automated processes with access to authentication secrets, source code, and application servers in multi-system, multi-user environments, they combine all the things that make bugs likely. In the presentation, I will outline a methodology for hunting for bugs in CI/CD pipelines and walk through actual bugs which have resulted in tens of thousands of dollars in bounty payments.


Black Hat 2015 - WSUSpect - Compromising the Windows Enterprise via Windows Update

Ever wondered what really happens when you plug in a USB device and Windows begins ‘searching for Drivers’? Who doesn’t have that Windows Update reboot dialog sitting in the corner of their desktop? Our talk will take an exciting look at one of the dullest corners of the Windows OS.

WSUS (Windows Server Update Services) allows admins to co-ordinate software updates to servers and desktops throughout their organisation. Whilst all updates must be signed by Microsoft, we find other routes to deliver malicious updates to Windows systems using WSUS. We will demonstrate how a default WSUS deployment can be leveraged to gain SYSTEM-level access to machines on the local network.


44Con 2014 - Hacking an Internet Enabled Lagomorph

So, I have to admit, I got a little obsessed with this project. Who would have thought an internet-enabled, hyperkinetic, 9.6-inch rabbity thing could hold so much intrigue? Little did I know that in procuring this geek toy I’d be delving down the proverbial rabbit hole of ARM exploitation, including reverse engineering, cross compiling, protocol analysis, 0days and producing exploits from vulnerability advisories. All this in an attempt to get remote code execution… on a rabbit… seriously!
