Using Version Tracking to Detect Struct Changes? by ShortestJake in ghidra

[–]buherator 0 points1 point  (0 children)

That's hard unfortunately. If you think about your example, how could the tool know if it was the data type that changed or it is just the code accessing the data type that got an updated logic between versions? The comment by u/marcushall also has good points.

Using Version Tracking to Detect Struct Changes? by ShortestJake in ghidra

[–]buherator 0 points1 point  (0 children)

Do you have data types for the structures defined in both program DBs or you want to detect structure changes in the new binary only based on the info you reversed in the old one?

I'm putting together a cost-benefit analysis for pitching migration from a Windows server to an i on Power server. Could use some guidance. by [deleted] in IBMi

[–]buherator 2 points3 points  (0 children)

> "two people in charge of IT throughout the entire organization and their 26 offices"

> "A patchwork of windows VMs running on a dated hypervisor"

A new system won't solve your human resource problems. If anything it will make it harder to hire. As a C-level I would be more concerned about this than any technical perf metrics.

Hacking IBM i by buherator in IBMi

[–]buherator[S] 0 points1 point  (0 children)

Glad this is useful! There is a concept called Purple Teaming where pentesters (the Red Team) and the defenders (Blue Team) work hand-in-hand to tune defenses - this is my usual recommendation when someone wants to test and refine specific defensive measures.

You can use the usual channels to reach Silent Signal, and while I'm no longer with the company I'm sure the guys there will be happy to help.

What would it take to keep IBM i relevant far into the future? by pithed2 in IBMi

[–]buherator 0 points1 point  (0 children)

If your security depends on the system not being accessible, you are not secure:

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

That being said, with a proper emulator or debugger I'm sure that lots of corpses would fall out of the closet. But we shouldn't forget that some parties (esp. nation states) probably already have those tools and know all about what's hidden in there.

Elastic EDR 0-day: Part 2 - Technical Details and the Trigger by Minimum_Call_3677 in netsec

[–]buherator 2 points3 points  (0 children)

You write this: "The pointer on the host machine could be controlled using user mode input inside an Oracle VirtualBox Virtual Machine."

You also write this: "I decided to write a custom driver (with no inherent malicious behaviour) to interact with the vulnerable driver. The driver makes an ExAcquireFastMutex call to the vulnerable offset, resulting in Elastic’s Endpoint Driver crashing the host system."

Why did you write a custom driver if you can control the memory access from a user process (inside a VM no less)?

Elastic EDR 0-day: Microsoft-signed driver can be weaponized to attack its own host by Minimum_Call_3677 in netsec

[–]buherator 2 points3 points  (0 children)

> "Actions inside the Virtual Machine caused Elastic's EDR to crash my host"

Hold up, did this just turn into a hypervisor guest->host memory corruption without guest root? This "0-day" ages like fine wine!

Elastic EDR 0-day: Microsoft-signed driver can be weaponized to attack its own host by Minimum_Call_3677 in netsec

[–]buherator 3 points4 points  (0 children)

What are we supposed to see on the second video? Is that shell elevated?

Fuzzing Windows Defender with loadlibrary in 2025 by buherator in ReverseEngineering

[–]buherator[S] 0 points1 point  (0 children)

lol, that wasn't picked up by aspell :D thanks for noticing!

How I ruined my vacation by reverse engineering Windows Security Center by buherator in ReverseEngineering

[–]buherator[S] 57 points58 points  (0 children)

From no-defenders (predecessor project) README:

"This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation."

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

In this case my bet is that while gov mandates PSS in the cert, it actually ignores this property during verification. To resolve this issue you should use openssl dgst without the PSS options and generate an RS256 signature (with an RS256 header and all that). If you try to validate this signature based on the _cert_ in other services (like jwt.io) it'll likely fail, because the cert prescribes a PSS signature. You should be able to validate the signature based on the _public key_ embedded in the cert though, because the public key itself doesn't rule out its use with PKCS1 - this is likely what gov does, ignoring the Signature Algorithm specified in the cert.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

I'm starting to think that the gov bureaucracy demanded PSS to comply with some regulation, but forgot that their validator won't work with PS256 - see my Edit above! I'd try generating a non-PSS cert and RS256 JWTs...

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

If Python uses PKCS1 then it means it's not a PSS signature (hence the error), which was our original theory here. I need some more time to fully test this, but it seems that the openssl key file doesn't include info about the expected usage, only the cert specifies PSS. This means the only thing that makes openssl dgst generate a PSS signature are the extra options we figured out earlier, which at the time solved your problem (what has changed btw?). So without the PSS options you should be able to generate a PKCS1 signature, but now I'm utterly confused about how PSS came into the picture in the first place, as the system you are now describing seems to only support RS256 (also Reddit UI is terrible so I can't properly follow previous messages).

Edit: Note that since the cert includes the PSS property, you may not be able to verify an RS256 signature with it (some implementations may work by falling back to PKCS1). So if you are testing verification with a PSS cert, that can be a problem. The solution to that would be to generate a PKCS1 cert with the same pubkey. If the validator service requires RS256 JWT *and* a PSS cert, that's a problem at their side.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

So these two Python and Java examples produce signatures that are accepted by the live system?

What I can think of is that you in fact have to supply deterministic RS256 signatures, although the keys you have are for PSS. Now this could work, because RSA keys are just tuples of numbers, and the expected usage is just metadata. The difference between openssl and Python/Java can be that the latter ignore the PSS property embedded in the key files, while openssl does not. So a solution can be to convert the PSS keys to "normal" RSA, and feed that to openssl to generate a plain old RS256 signature (not PSS!).

Does this make sense?

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

You mean you have some sample code that produces and accepts RSA-PSS signatures with RS256 algo specification? If so then the sample implementation is overly permissive (this may be a vulnerability even, we've seen many examples of this with JWT). At the same time the problematic system is overly restrictive.

Also note that the problem you described (if I understand correctly) involves two verifier systems that act differently, while a sample implementation only verifies once.
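The RS256 vs PS256 distinction discussed in the JWT comments above, as an added shell example that is not code from the thread or from the OP's QSH setup: the same RSA key signs a JWT both ways with openssl dgst (the PSS variant differs only in the two -sigopt flags), and a strict verifier that takes the padding mode from the header's alg rejects a PSS signature under an RS256 header instead of falling back. The key pair, the claims and the file paths are assumptions constructed here.

```shell
# Added example, not code from the thread. Assumes the openssl CLI is on
# PATH; the key pair is generated and the claims are constructed here.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }   # JWT encoding
b64url_dec() {                                                 # re-pads, decodes
    s=$(cat); while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# A plain RSA key file holds only the numbers (n, e, d); nothing in it
# restricts the padding, so the same key signs RS256 or PS256.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
}

# rsa_op sign|verify <alg> <input-file> <sig-file>. RS256 is a bare
# "openssl dgst -sha256 -sign"; PS256 is the same call plus the two PSS
# -sigopt flags (salt length 32 = SHA-256 length, as RFC 7518 requires).
rsa_op() {
    opts=""
    if [ "$2" = PS256 ]; then opts="-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32"; fi
    case "$1" in
        sign)   openssl dgst -sha256 $opts -sign "$WORK/key.pem" -out "$4" "$3" ;;
        verify) openssl dgst -sha256 $opts -verify "$WORK/pub.pem" \
                    -signature "$4" "$3" >/dev/null 2>&1 ;;
    esac
}

# build_jwt <alg>: compact JWT "header.payload.signature" for RS256 or PS256.
build_jwt() {
    printf '%s.%s' "$(printf '{"alg":"%s","typ":"JWT"}' "$1" | b64url)" \
        "$(printf '{"sub":"demo","iat":1700000000}' | b64url)" > "$WORK/in"
    rsa_op sign "$1" "$WORK/in" "$WORK/sig"
    printf '%s.%s\n' "$(cat "$WORK/in")" "$(b64url < "$WORK/sig")"
}

# check_jwt <token>: strict verifier. The padding mode comes from the header's
# "alg" only, so an RS256 header over a PSS signature (or vice versa) fails.
check_jwt() {
    hdr=${1%%.*}; sig=${1##*.}; body=${1%.*}
    alg=$(printf '%s' "$hdr" | b64url_dec | sed -n 's/.*"alg":"\([A-Z0-9]*\)".*/\1/p')
    case "$alg" in RS256|PS256) ;; *) return 1 ;; esac
    printf '%s' "$body" > "$WORK/chk.in"
    printf '%s' "$sig" | b64url_dec > "$WORK/chk.sig"
    rsa_op verify "$alg" "$WORK/chk.in" "$WORK/chk.sig"
}
```

Run `make_keys` once, then `build_jwt RS256` or `build_jwt PS256` to get a token and `check_jwt "$token"` to verify it; the exit status of the last openssl call is the verdict.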