GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. calcifer@hackers.town's status on Wednesday, 15-Mar-2023 00:26:04 JST

    One of my devs didn't understand how his new code was subject to a code injection attack. So another one wrote a harmless PoC to demonstrate it. First dev misunderstood and thought it couldn't lead to anything dangerous. So second dev used dd if=/dev/random of=/dev/sda as an example, intending the first dev to try it out in a local Docker image, which he did

    Then he wanted to see if it would work in staging… and now he's learning how to rebuild our staging env (the relevant part of which is still on bare metal…)

    In conversation Wednesday, 15-Mar-2023 00:26:04 JST from hackers.town
    • silverwizard (silverwizard@convenient.email)'s status on Wednesday, 15-Mar-2023 00:26:03 JST
      in reply to calcifer
      @calcifer Wait - uh - privsep?! Oh no!?
      In conversation Wednesday, 15-Mar-2023 00:26:03 JST
    • calcifer@hackers.town's status on Wednesday, 15-Mar-2023 05:11:28 JST
      in reply to silverwizard

      @silverwizard not really a privsep issue; the component in question is a tiny thing that runs as root for one function that requires it. It was exploitable as a normal user. It was already blocked from merging to prod, dev was just trying to figure out if it worked in a realistic environment and didn't think it through.

      Vulns don't respect privsep?

      In conversation Wednesday, 15-Mar-2023 05:11:28 JST
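
The injection calcifer describes (an untrusted value pasted into a command string, exploitable whatever privilege the component runs with), as an added Python example that is not part of this thread: it shows how a shell would read the unsafe string versus the argv/allowlist form that keeps the value a single argument. Function names, the `cat` command and the filenames are assumptions for the illustration.

```python
"""Added example: one untrusted argument becoming a second shell command, and the
argv/allowlist form that prevents it. Names here are assumed, not from the thread."""
import re
import shlex

# Constructed inputs: a normal filename and one carrying a shell separator.
NORMAL_NAME = "report.txt"
INJECTED_NAME = "report.txt; echo INJECTED"   # harmless marker stands in for the payload

# Allowlist for a plain filename: no path separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def unsafe_command(name: str) -> str:
    """The vulnerable pattern: untrusted text interpolated into a shell command string."""
    return f"cat {name}"


def shell_view(command: str) -> list:
    """Tokenize the string the way a POSIX shell would, treating ';', '|' and '&'
    as separate operators so a smuggled second command becomes visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(name: str) -> list:
    """Hardened form: validate against the allowlist, then build argv for
    subprocess.run(argv) with no shell, so the name is always ONE argument."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    return ["cat", name]


def safe_shell_string(name: str) -> str:
    """If a shell string is unavoidable, quote the argument so metacharacters are
    literal; use this together with the allowlist, not instead of it."""
    return "cat " + shlex.quote(name)
```

Running `shell_view` over `unsafe_command(INJECTED_NAME)` yields a separate `;` token followed by `echo`, which is exactly what the shell executes as a second command; the argv form never hands the shell that string at all.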

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.