So I wrote this on the other site (the short messages wannabe porn site) and predictably got just a single response.
Perhaps here I would fare better?

Reading the Qualys writeup about the OpenSSH race condition RCE it occurred to me that there should be a book titled "Beautiful Exploits" in which a handful of beautiful exploits are explained and their philosophical and historical implications are discussed.

Which ones you'd pick?

@4Dgifts ofc the SSH1 CRC compensation attack detector exploit from @lcamtuf

@4Dgifts the original Morris buffer overflow for sure.

Just because of the Pandora's box it unlocked.

@4Dgifts i'd love to see a history of bug _classes_. So like the first known exploit of every vulnerability class from each class of memory corruption to sql injection and so forth. That'd be kinda neat.
@4Dgifts it'd be hard not to pick Kaminsky's abuse of DNS caching/semi-predictable ports.
@4Dgifts boosted for "short messages wannabe porn site"

@4Dgifts Perhaps a less traditional pick, but the bypass of copy protections on music CDs using a black marker.

It’s a beautiful example of the challenges of securing something when the owner has physical access, fair use ethics, understanding storage layout, and creative manipulation.

https://hydrogenaud.io/index.php/topic,1731.0.html

Bypass audio CD protections with a felt tip pen or a Post-It

@Oobleck @4Dgifts And on the PS1 you could bypass copy protection by doing some sort of disc swap.
@4Dgifts Deep cut: "A Tour of the Worm" by Donn Seeley
fail0verflow :: CVE-2012-0217: Intel's sysret Kernel Privilege Escalation (on FreeBSD)

@4Dgifts @wdormann I think log4j just from the bonkers exploitability surface area. Somebody just drops some jndi string into a device name or form field and some system far removed just goes to grab some Java class & runs it. I also really liked the creativity in CVE-2023-38408 (OpenSSH ssh-agent RCE); but if the Qualys folks write anything up, it just makes me smile.
@ckure @4Dgifts
Yeah, the fact that log4j affected Ghidra was something special. 😂
Qualys writeups are always next-level.
@4Dgifts
I like CVE-2005-4560, which spawned multiple different exploits over one hectic week.

@4Dgifts Not exactly an exploit—technically a counter-exploit—but the DirecTV Black Sunday Kill was a thing of beauty.

https://blog.codinghorror.com/revisiting-the-black-sunday-hack/

Revisiting the Black Sunday Hack

@4Dgifts Not as glamorous as the deepest ones, but working around XSS defenses by building JavaScript out of punctuation brings me joy.

https://hackaday.com/2012/08/13/writing-javascript-without-using-any-letters-or-numbers/

Writing Javascript Without Using Any Letters Or Numbers

The 'Windows Metafile files just call any old GDI escape' one is among my all-time favorites:

https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

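The punctuation-only JavaScript trick mentioned in the post above, as an added example that is not code from the thread or from the Hackaday article: a small JSFuck-style encoder. It goes a step beyond the article's single payload by generating the encoding for any string built from the characters of "false", "true", "undefined", "NaN", "[object Object]" and "Infinity" plus digits, and by wrapping a function body so the punctuation-only expression actually executes it via `[].constructor.constructor` (which is `Function`). The names `num`, `encode`, `encodeCall`, `isLetterFree` and `decode` are mine; everything else is standard JavaScript coercion semantics.

```javascript
// Added example, not code from the thread or the Hackaday article.
// A minimal JSFuck-style encoder: every emitted expression uses only
// [ ] ( ) { } ! + so a naive "no letters/digits" filter sees nothing.
// Letters are obtained by coercing booleans, undefined, NaN, Infinity
// and a plain object to strings and indexing single characters out.

// Small non-negative integer as a punctuation-only expression:
// +[] -> 0, +!![] -> 1, !![]+!![] -> 2, ...
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!![]";
  return Array.from({ length: n }, () => "!![]").join("+");
}

// Strings that can be produced without any letters.  "1e1000" is built
// from 1, the "e" of "true" and digits, then unary-plus'd into Infinity.
const SOURCES = {
  "false": "![]+[]",
  "true": "!![]+[]",
  "undefined": "[][[]]+[]",
  "NaN": "+[![]]+[]",
  "[object Object]": "[]+{}",
  "Infinity": "+(+!![]+(!![]+[])[!![]+!![]+!![]]+(+!![])+(+[])+(+[])+(+[]))+[]",
};

// Character -> expression, using the first source string containing it.
const CHARS = {};
for (const [text, expr] of Object.entries(SOURCES)) {
  for (let i = 0; i < text.length; i++) {
    if (!(text[i] in CHARS)) CHARS[text[i]] = `(${expr})[${num(i)}]`;
  }
}
// Digits: a number expression coerced to a string, e.g. (!![]+!![]+[]) -> "2".
for (let d = 0; d <= 9; d++) CHARS[String(d)] = `(${num(d)}+[])`;

// Encode `text` as a punctuation-only expression that evaluates to it.
function encode(text) {
  return [...text]
    .map((c) => {
      if (!(c in CHARS)) throw new Error(`no letter-free source for ${JSON.stringify(c)}`);
      return CHARS[c];
    })
    .join("+");
}

// Wrap a function body so the expression *executes* it:
// [][ "constructor" ][ "constructor" ] is Function, i.e. an eval.
function encodeCall(body) {
  const ctor = encode("constructor");
  return `[][${ctor}][${ctor}](${encode(body)})()`;
}

// What a blocklist-style filter would check: no ASCII letter or digit anywhere.
function isLetterFree(expr) {
  return !/[A-Za-z0-9]/.test(expr);
}

// Evaluate an encoded expression.  Only the payload has to be letter-free;
// this verifier runs outside the filtered context and may use anything.
function decode(expr) {
  return Function("return (" + expr + ")")();
}
```

`decode(encodeCall("return 67"))` returns 67 from an expression containing nothing but brackets, braces, parentheses, `!` and `+`. The practical lesson is the one the post hints at: an XSS defense that searches user input for keywords or alphanumeric runs is not a defense, because the attacker controls the encoding; context-aware output encoding and a Content Security Policy are what actually stop the injected expression from being interpreted as script.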
@4Dgifts I don't have any vulnerability recommendations but I love that concept.

Well ok, I think at least an honorable mention should go to WinNuke and the weird AOL proggies, just because so many people had memories of messing with those lol

@4Dgifts I think most of Qualys's exploits qualify (the stack clash?! come on). My personal favorite bug of all time remains CVE-2001-0797 (Solaris login), which sparked many cool exploits.
@4Dgifts 💵 when can we pre-order? ;-)

@4Dgifts
Shellshock, because it was such an unbelievable WTF.

Spectre, Meltdown, and all of the related microarchitectural issues. I was working in the VPS business when Spectre and Meltdown were announced in 2018. Was it ever a stressful year. Those are vulnerabilities, not exploits, though.

I remember telling someone: "Next time I hear Spectre or speculative execution, I'm gonna have a meltdown." And I had a few that year.

Seriously, speculative execution was a gift that kept on giving.

@4Dgifts Definitely a book that No Starch would publish; they already did printed copies of PoC||GTFO.

@4Dgifts NSA's EternalBlue for its historical and philosophical significance. EternalBlue clearly demonstrates that undermining a common good is a terrible idea, and that such information will inevitably leak and become accessible to those with less technological resources.

There was so much fallout from that exploit, particularly WannaCry. I remember listening to a radio program where some US gov. computers were affected by WC and thinking about the irony.

@4Dgifts One of my friends was involved in finding/disclosing Heartbleed or SHAtter. I think it might have been notable for being one of that early bunch to get cool names.