Finally got around to uploading my slides for Reflections on trusting Zero Trust (or why I have zero trust in Zero Trust) from BSides London 2021:
❤️RELEASE: The TEAM-TESO cvs:
Exploits, advisories, teso-informational (never released), burneye ELF crypter, bscan mass scanner, …plus some rare pictures.
Which 7350 exploit was your favourite?
Enjoy & Keep hacking,
Yours Sincerely,
Team-Teso (via THC’s bsky account).
Due to $reasons I came across this blogpost https://www.elttam.com/blog/env/ about turning ENV variables into code execution, which is nice. But the Python vector depends on Perl; I didn't like that :P.
Digging a bit deeper in the code often helps, so it did this time:
Looking at https://github.com/python/cpython/blob/d73634935cb9ce00a57dcacbd2e56371e4c18451/Lib/webbrowser.py#L51-L52 I could simplify the payload to:
PYTHONWARNINGS='module::antigravity.' BROWSER='sh -c id #%s' python whatever.py
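
A defender-side check for the two variables in the post above, as an added example that is not part of the original post: it flags PYTHONWARNINGS entries whose category field makes the warnings module import something, flags BROWSER values that webbrowser would treat as a command line, and builds a scrubbed environment plus isolated-mode argv for child interpreters. The function names and the sample environment are constructed for illustration.

```python
import os
import sys

# Constructed sample with the same shape as the post's payload, harmless command.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "PYTHONWARNINGS": "ignore::DeprecationWarning,module::antigravity.",
    "BROWSER": "echo %s",
}

def risky_warning_filters(value):
    """Return PYTHONWARNINGS entries whose category field names a module to import."""
    hits = []
    for entry in value.split(","):
        fields = entry.strip().split(":")
        # Filter spec is action:message:category:module:lineno. A dotted
        # category makes warnings import the part before the last dot, so
        # legitimate third-party categories are reported here as well.
        if len(fields) >= 3 and "." in fields[2]:
            hits.append(entry.strip())
    return hits

def audit_env(env):
    """List findings for variables that steer interpreter startup or webbrowser."""
    findings = []
    for entry in risky_warning_filters(env.get("PYTHONWARNINGS", "")):
        findings.append(f"PYTHONWARNINGS imports a module via category: {entry!r}")
    for cmd in env.get("BROWSER", "").split(os.pathsep):
        if "%s" in cmd:  # webbrowser treats such an entry as a command line
            findings.append(f"BROWSER is a command template: {cmd!r}")
    return findings

def scrubbed_env(env):
    """Copy env without PYTHON* variables and BROWSER, for a child interpreter."""
    return {k: v for k, v in env.items()
            if not k.startswith("PYTHON") and k != "BROWSER"}

def child_argv(script, *args):
    """Argv for a child interpreter in isolated mode (-I implies -E and -s)."""
    return [sys.executable, "-I", script, *args]

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print(finding)
    print(sorted(scrubbed_env(SAMPLE_ENV)))
```

Pass `scrubbed_env(os.environ)` as `env=` and `child_argv(...)` as the argument list to `subprocess.run` when a service launches Python with an environment it does not fully control.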