Cool Java Exploits
So today we found a huge gaping security whole in one of our as of yet unreleased software products. Without going into too many details, due to reasons, and poor offshore outsourcing, it is possible to gain the ability to execute arbitrary code within the running JVM. We've already pretty much confirmed that we can get shell execution by using proc (Runtime.exec gets blocked by the security manager). But regardless, tomorrow, for "research purposes", we are going to take a run at seeing how far we can penetrate the system. Any ideas on some things we should try out. I'll tell you that we are running java on a weblogic server.
Things we've already planned include: Mapping out the network Trying to break out of the vm KeyLogging Passwords Database Manipulation
P.S. Yes we know how to fix the issue and are. This will never make it to production in this state. This is more of a nice exercise to flex some of our more destructive muscles.
0 comments
[ 2.5 ms ] story [ 7.4 ms ] threadNo comments yet.