The allegedly weekly roundup of notes – Jan 14th, 2022

Yes, hello. This is a series of supposedly weekly posts I planned to begin at the start of 2022, and then rather predictably forgot to do immediately. So this, the end of the second week, will be the first one. Anyway, this is just where I drop various interesting bits I've read/come across during the …

Analysis of the “lib__mdma.so.1” userland rootkit

Note to the reader: This blogpost was written "as it happened", so it may jump around the place a bit. I'll try to clean it up somewhat before I hit publish, but I probably won't have time to do much serious editing. Also, there is some value in showing the process, I guess. Or maybe that …

OpenSSL Engines for Linux Persistence

So a while back I read a blog post about using OpenSSL engines on Windows as part of a local privesc exploit against a certain VPN client. This got me thinking. If every time the OpenSSL library is called, an engine gets loaded, that seems like a fairly decent place to persist a process. So …

Zimbra “zmslapd” Local Root Exploit

This exploit was brought to you by "reading the manual", mostly. It is the second local privilege escalation I found while doing an extremely low effort audit of Zimbra. You should read the first post, here: https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/ In order to exploit this issue, you need code execution as the "zimbra" user. TL;DR: In a stock …