OpenSSL Engines for Linux Persistence

So a while back I read a blog post about using OpenSSL engines on Windows as part of a local privesc exploit against a certain VPN client. This got me thinking. If every time the OpenSSL library is called, an engine gets loaded, that seems like a fairly decent place to persist a process. So …

Zimbra “zmslapd” Local Root Exploit.

This exploit was brought to you by “reading the manual”, mostly. It is the second local privilege escalation I found while doing an extremely low effort audit of Zimbra. You should read the first post, here: https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/ In order to exploit this issue, you need code execution as the “zimbra” user. TL;DR: In a stock …

Zimbra “nginx” Local Root Exploit

Recently I decided to have a look at the somewhat popular email and collaboration platform, Zimbra, with the idea to go find some bugs in it. I’m simply dropping these as full disclosure, because the Zimbra “disclosure policy” prohibits publication of exploit code, which is something I find incredibly disagreeable. I also find that “responsible” …

Honeypot Detection: SSH Host Keys

In this post I’ll outline a method to detect Cowrie honeypots in both “shell” and “proxy” mode based on SSH Host Keys, post authentication. The method involved is quite simple. It also works on some other honeypots. Firstly, we grab the host’s SSH public key. This can be easily done by using the ssh-keyscan utility. …
