Assume you find a vulnerability in a piece of software.
The reverse engineering process reveals security by obscurity.
Low quality code and weak algorithms, just obfuscated.
Think ROT13 "encryption" combined with XOR and a static key.
It looks like management told underpaid, unqualified, outsourced sweatshop "developers" to add encryption and the developer just scrambled bytes until it looks encrypted.
Choices:
a) Be a good boy and report the vulnerability to the vendor. They do have a bug bounty program. However, chances are they will just change their obfuscation, not actually secure the product at all. It will make further exploration harder, but the code is so littered with bad security, I just know it won't be fixed at all.
b) Publish it as a 0-day, forfeiting any chance of getting paid or employed by the vendor.
Can publishing 0-day exploits under your real name have legal repercussions? I'm unemployed and I hope this will get me job offers.
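Worked example, added here and not posted by anyone in the thread: a toy version of the "ROT13 plus XOR with a static key" layer OP describes, and a known-plaintext attack that recovers the key from a single sample. The key, the stored record and the known prefix are all made up for the demo. The point it shows is that because the key is fixed and each step is a byte-wise substitution, a few known plaintext bytes (a field name, a file header) are enough to pull out the key and read everything else the same build "encrypts".

```python
# Added example, not code from the thread. A toy "ROT13 then XOR with a static
# key" layer of the kind OP describes, plus a known-plaintext attack that pulls
# the static key out of one sample. Key, record and known prefix are constructed
# for the demo and stand in for whatever the real firmware embeds.

def rot13(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; every other byte passes through unchanged."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:          # 'A'..'Z'
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:        # 'a'..'z'
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes) -> bytes:
    """What the vendor ships: ROT13 the bytes, then XOR them with a fixed key."""
    return xor_with_key(rot13(plaintext), key)


def deobfuscate(blob: bytes, key: bytes) -> bytes:
    """Undo it: XOR with the same key, then ROT13 again (ROT13 is its own inverse)."""
    return rot13(xor_with_key(blob, key))


def recover_key(known_plaintext: bytes, blob: bytes, key_len: int) -> bytes:
    """Known-plaintext attack for an assumed key length.

    blob[i] == rot13(plaintext)[i] ^ key[i % key_len], so each key byte is one
    XOR away from any position where the plaintext is known. Positions past
    key_len are used to check that the assumed length is consistent; a
    ValueError means the sample contradicts that length.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    inner = rot13(known_plaintext)
    key = bytes(inner[i] ^ blob[i] for i in range(key_len))
    for i in range(len(known_plaintext)):
        if inner[i] ^ key[i % key_len] != blob[i]:
            raise ValueError(f"sample inconsistent with key length {key_len}")
    return key


def guess_key(known_plaintext: bytes, blob: bytes, max_len: int = 16) -> bytes:
    """Try key lengths 1..max_len and return the shortest one that fits the sample."""
    for key_len in range(1, max_len + 1):
        try:
            return recover_key(known_plaintext, blob, key_len)
        except ValueError:
            continue
    raise ValueError("no repeating key up to max_len explains the sample")


# Constructed demo data: a 4-byte static key baked into the binary and a config
# record the device stores "encrypted". The attacker only knows the field name.
STATIC_KEY = b"\x5a\xa5\x3c\xc3"
SECRET_RECORD = b"admin_password=hunter2\n"
KNOWN_PREFIX = b"admin_password="


def demo() -> bytes:
    """Obfuscate the record, recover the key from the known prefix, decrypt all of it."""
    blob = obfuscate(SECRET_RECORD, STATIC_KEY)
    key = guess_key(KNOWN_PREFIX, blob)
    return deobfuscate(blob, key)


if __name__ == "__main__":
    print(demo().decode())
```

Since ROT13 and a fixed XOR are both per-byte substitutions that depend only on the position modulo the key length, their composition is just another fixed substitution table per position; the "key" adds nothing a reverser cannot read straight out of the binary or, as above, derive from one known record. That is the difference between obfuscation and a cipher: with a real cipher and a secret key, the same known-plaintext pair does not let you decrypt anything else.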
>the developer just scrambled bytes until it looks encrypted
Encryption always works this way. It's just hard enough to prevent bruteforcing on a common rig. Also, you forgot c) Sell the exploit.
>>58354668
>Encryption always works this way
I guess yes, but anyway this is very weak. It's basically just obfuscated.
Would you notify the vendor?
I'm 99% certain they will not fix the underlying issue at all, just pile more obfuscation on top of it, making it harder to reverse but still totally insecure.
>>58354758
You can report the bug with the appropriate bugfix, if you care about security. You get the money and increase the probability of a good fix.
>>58354805
>bugfix
The bug is in obfuscated Java bytecode and ARM assembly (not obfuscated, but compiled).
That's what irritates me so much. The fact they obfuscate bytecode tells me they won't care about a proper fix.
How many users does the software have? Where is it used, etc.?
>>58355115
Millions of IoT devices
I just decided, I will just publish it.
Telling the vendor equals me contributing to a proprietary obfuscated codebase. That's unethical.
Depends on how big the bounty is and if they have a reputation for actually paying or not
>>58355171
Bounties are <$2000, more often <$500.
But they can keep their bounty. They expect researchers to be open with them, but at the same time obfuscate their garbage software.
Actual security does not need obfuscation.
>>58354376
Do both.
Report it to the vendor and collect that $500.
After they've officially patched it, release it publicly saying what you found, how you found it, how you believe they fixed it, etc, as a .pdf
>>58354376
>Can it have legal repercussions to public 0-day exploits using your real name?
Yes
>>58354376
>Publish it as 0-day, forfeiting any chance of getting paid or employed by the vendor.
>>58355132
>Millions of IoT devices
If you can get remote execution, I'm sure there are people who would pay for it; those botnets are never big enough.
Don't know where to find those people though.
Let them know about the vulnerabilities, but don't go into any significant details. Let them know you can work with their developers or work independently to rectify this issue, and that you would be willing to work for compensation to be discussed.
If they don't want your help, then burn bridges.
>>58355213
This. That's literally how everyone does it. Publishing a 0-day is a dick move all around; if you want to do it for the lulz then go ahead, but realize it'll actually hinder your potential for employment if you don't play the good hacker game and properly report the vulnerability to the vendor beforehand.
Report, collect bounty, wait until they "fix" it, break it again and repeat.
>>58355318
>>58355213
>>58355321
Thanks for the viewpoints. I will sleep on it.
>>58355326
>Report, collect bounty, wait until they "fix" it, break it again and repeat.
The problem is, it takes many days to break it again. It involves static disassembly of ARM code with no way to debug it live, and a lot of guesswork.
But I will consider it.
>>58355132
Is there a way to update the firmware on the device?
These IoT botnets exist because even after an exploit is found the device never gets updated.
The user doesn't care because his internet enabled coffee maker still functions as a coffee maker.
The vendor, he already made his money. He'll just release another internet enabled coffee maker, minus that vulnerability.
>>58354376
Find bugs in other software, then sell them to hackers/collect all the bounties. If their code is that vulnerable, you should make some decent bank picking out all the bugs.
>>58355809
They aren't exactly hackers if they need to purchase exploits.