# Dynamic Library Vulnerabilities (Retracted)
if a vuln is discovered in an old version, but a newer ver without the vuln is already out, I'm not sure it would actually be considered a zero-day. What do you think?
a zero-day just means an exploit that was previously unknown
its been a known vulnerability for zero days
even better i just got to this part in my cybersec course
Hm, I've always heard it to mean a vuln that the software/hardware creators have had zero days to patch, hence leaving anyone using that software without an opportunity to upgrade and patch
thats definitely an interpretation of it
I like the idea of zero days but I'm not sure that would be the best way to find them. Someone could get the lib version they want to hack and rescan it over and over until they get a zero day, leaving their computer open all day.
for someone like me its even worse
i can rent an entire server farm dedicated to only scanning libs
I think there should just be a chance for each new version of metaxploit to have new vulnerabilities in old libs or old libs could become obsolete after a while and not be compatible with other libs so we are forced to change them which would be more realistic I guess
maybe
As for zero days there could be extra hard special missions to obtain them from security researchers or something. Then as soon as it is used the next version of metaxploit will include them. They could span a wide range of versions instead of just being for a single version so they have more chance to be useful.
I'd see it as a feature not a bug. Would be akin to vulnerability research. You would have to spend computing power and hardware health to possibly discover a vuln. Against simple defenses this could be effective and rewarding. Against more advanced defenses it would likely be insufficient.
Idk about that, I think rather than new vulnerabilities being discovered there should be private exploits that only some people get and they can choose if they want to publish it. That still makes the owner of a system want to set up further defences, but once a system is proven to be secure it can't just suddenly be hacked
Isn't more realistic but with your option popular player services would be completely untrustable. I mean everyone with enough computing power could just force their way in and replace the binaries
That would be pretty cool
That would also make private exploits a popular asset to trade with other players and could cause some people to code new shops etc which would be kinda cool
yeah, and people could scam you and sell you fake exploits XD
I think it would probably only be shared between members of guilds or player to player rather than shops, because once it's used it's just a matter of time before it becomes public
private vuln bruteforcer
That could be cool too. Maybe instead of scan and scan_address returning a list of addresses/strings, they instead return a boolean indicating if that address/string is vulnerable? Could still have the scan progress bar.
Exploits become a commodity, hackshop exploits could be reverse-engineered after purchase
I mean the shop dev could just check uploaded vulnerabilities if they are fr
but then the zero-day becomes public, at least once the new metaxploit version is out
Or even better the shop could not give you the full details but instead an importable binary that executes the vuln only if your player is accessing it
I guess they could sell you bins instead of telling you the actual vul
might get scammed tho 😛 but thats part of the fun
yeah. As a buyer that's risky bc it could be a scam, could be a backdoor, could be not flexible in usage. As a result, maybe wouldn't sell as much as a flexible exploit that uses get_custom_object or something. Seller could also offer to sell the details of the exploit instead but charge a ton of money
I mean the shop owner would be the only one who could include a backdoor if you implement it in a smart way.
Also flexible in usage... I mean the shop owner would obviously automatically create the binary so the usage would always work in the exact same way and would probably be scriptable. + He could even auto sell you exploits
Simple/no defensive strategy would be completely vulnerable to this. A more advanced strategy might be resistant. For example, dedicated server admins could run scripts to constantly update their software to the latest version
No, that last sentence was weird: you could even auto-buy exploits. Hacking script with included private exploit buyer and downloader
apt repo/ftp/ssh w/ crypto integration could probably get the job done
Yeah but that requires being online 24/7. And it's not even safe.
the latest libs are not that secure usually
under this system they likely would be since vulns would be added over time, not at creation. Even then, that would also add depth because maybe your script should make some checks before deciding to upgrade
what do you mean at creation ?
Actually now that I think about it this would work great. Instead of downloading an includable binary you could run a program on the server with your user ssh credentials. The script on the server will then basically chmod itself back so that you can't access it anymore before returning the exploit in a custom object
that's smart
still, giving or selling zero-days would make them public soonish anyway, people might want to keep them to hack players
as a defense against attackers being online 24/7. Although, maybe this is an opportunity to add daemon processes into the game. Could possibly be very very slow running but not require user to be online. However, that's starting to move beyond the scope of this thread
yeah. Black-hats might horde them. Grey-hats might sell them. White-hats might make them public via some form of responsible disclosure so everyone knows to patch their systems.
that actually sounds like fun
I'm starting to like this a lot more than my initial suggestion - might edit it.
very bypassable
Why do you think that? There's literally no way to get them from the function in the custom object (if it checks for globals and locals injection)
And you can't share it either. I mean as soon as you leave your terminal they're gone
I guess the properties of the vulnerability would be public but that's not too important.
Actually you wouldn't even have to make the properties of the vulnerability public when searching for exploits in your shop api the buyers could have to insert the IP they're trying to hack and then get a list of working vulnerabilities. That way it wouldn't decrease the value of sold vulnerabilities because people running services wouldn't know which libraries have private exploits
Agreed
Especially with the better cpu distribution from the nightly (haven't played in a while, idk if it is the current nightly version) daemons wouldn't be so far fetched
Tell me abt it
Oh I meant, if it works like I proposed where as soon as a zero-day exploit is used it becomes part of the next metaxploit version people might not want to give them away because then it becomes public
Yeah true they'd probably wait until a popular website uses the library or something
Why would it be very bypassable?
Each registered user has a home folder with --x------- and the bought ones would go into there and then delete themselves
you
ctrl+c the script before it does that
boom the file still exists unchmodded
funky
I guess they would need to sell you the thing that connects to ssh too
refer to that time i hacked rsarecovery in this exact way if you need more info
Ok but you dont have the vulnerability either
but you have other vulnerabilities
?
its not become a zero-day only trial you still have your base guest comp shell file exploits always available
can still get access in that way
then rip whatever you need to off of the server
No it cant
--x------
Permissions
So guest cant do anything
you said something about chmodding so I would assume it's trying to chmod a default built -rwxr-xr-- binary to your ---x------
before all that
so you ctrl+c to cancel it before it chmods anything and you exploit in, your file
and i did
The timeframe isn't exactly large
its definitely large enough
race condition is never good
Ok what if I build the exploit directly into a --x------ directory, are the permissions copied to the file?
But i mean you could still compile on a second server chmod there and then send them over
you have to chmod it after its made
now theres the kicker
thats what file hosting services should do
you solved the puzzle
better yet you just have the 2 servers, proxy and hosting, hosting is never visible but proxy is and the proxy holds no data
That's interesting, is that really the only way tho? I mean if I build + chmod the exploit when the seller uploads the vulnerability it would be even worse if the seller used ctrl + c
But then again they would be pretty stupid for doing that
They probably want to make money with their script after all
if you do it with one server and they do that and get shell access something tells me they could try and execute it to escalate on your server in some way
then everyones is public access to them
I guess so. But you have to pay twice and I don't like that, I prefer being optimistic and saving an insignificant amount of money
i can make more money in a minute than it would cost me to perform this
Yeah I mean i even said insignificant
Hmmm i mean if the only executable files would be exploits that literally delete themselves after the first person uses them that would be impossible if the shop owner implements it correctly
kinda bloated this :(
then you just execute it right the first time
Uhm yeah
Really cool concept tho i think this would work really well in game and i think kuro even wanted to overhaul the vulnerabilities so this is definitely a cool concept
I still prefer my way of obtaining zero-days tho, should I make a new suggestion for it ?
It isn't even importable or anything tho. The only attack vector is custom object and that one is basically non-existent
I guess
then you figure out how it custom_objects and make a script to execute it
I'm thinking about writing a new one too. Want to collab? Could include NotYou and Clover if they'd like
i can only say vulns do need an overhaul but i dont think a lot of these suggestions are the right way to do it
Well what do you think is the right way then?
I definitely think private exploits should be a part of it, don't really care abt the rest.
i dont have any better ideas right now
but i believe limiting a gameplay feature to a random subsection of players and making it pay2win is not a fun system
Yeah that makes sense. I guess you could combine it with the above mentioned extra hard mission where you hack a security researcher to get a private vulnerability.
Then it wouldn't be random there would be a way to hunt for them etc.
I guess that is a bit too easy to automate tho
that could work a lot better however
And also other people could still find the vulnerability if you leave traces to the mission or they just randomly stumble upon the ip
yeah
maybe instead of players just randomly having access to the vulnerability they randomly get an email with a lead to it
if the player isn't interested its in their email if they dont delete it and anyone could still try and hack them to pick up the lead
i think that would work
brings more of a reason to pvp; trying to find zero-days off of other players
Yeah that sounds pretty good
maybe if they delete the email its resent to another player
You could also have people hunting for the deletion of zero days if they're problematic for their own server
yeah
maybe if a zero-day isn't used after a long while it still gets included in metaxploit to prevent hoarding too much ?
that sounds good too
maybe on like every major version change; ie the first version number 1.x.x
it makes a random zero-day public
Idk about that then we would have 100% secure systems all over again
maybe the mission where you get them would be a group of hackers and they would talk about an attack they plan to do so you would know at which date it will become public so you have to use it before then
combined with everything else i mean
ofc
perhaps
Yeah i like the security researcher too.
We could also make that one time based basically the researcher publishes it in x days
yeah makes sense
I like the idea that players could be the security researchers. That would also encourage PVP because you'd be incentivized to target players discovering/hording exploits
Whaast? So you basically get a mail with a player ip telling you that that person has a vulnerability stored on their pc?
But how should that work would the file just get generated on the player pc?
No no, the missions/emails aren't necessarily part of it. You as the player have the tools to discover new vulnerabilities by researching libraries. That could make you a target.
Especially if you try selling them. A player shop that offers zero-days? Massive, high-reward target
making it more skill-based would be neat rather than just random
Thats what the missions are for tho
actually i just realized, if it is a zero-day then the zero-day would probably persist through many versions
until its public
How about this: each library still has hard-coded vulnerabilities. However, they aren't public. MetaLib.scan() can be passed an address which returns a boolean indicating if that address is vulnerable. MetaLib.scan_address() can be passed a string in addition to an address and also returns a boolean indicating if that string/address combo is vulnerable. Each method takes computing time to run like MetaLib.scan() does now.
that would be very annoying
So you want people to bruteforce random combinations?
Kuro's server wouldn't think that's too great
yeah
Except, you can still call them without the new parameters to get a list of public exploits available in that metaxploit version
That's what the compute time would be for. It would rate limit players
that would absolutely suck
Yeah but that's worse in every aspect than the missions. 0 skill involved. You basically just need computing power
I guess they would span many versions but it doesn't mean that they would still be present, maybe they changed some code when including new features so the vul is not there anymore even if they never knew about it
Combine it with non-public exploits existing in the world. The slow and inefficient brute force method or just find the address/string combo in the environment
We could also have a third type of mission where a company hires you to pentest their library and gives you like extra information (like irl pentesters do most of the time). With that extra info you can then find a private exploit and either give it to the company for a lot of money or keep it to yourself
yeah
That would also make the selection not random and you could actually farm for vulnerabilities, maybe even for a specific library
im not sure how accurate this is i'll return when im done with my cybersec course
It would still be a few versions tho
Maybe submitting an ExploitReport.exe could remove that specific vuln and keep all current ones and have a chance to add new ones? I think that's similar to current implementation
thats like
already exactly how it currently works
how so?
wait is there an ExploitReport.exe ?
there is ExploitReport.exe
haha yeah
you report the vuln and its removed from the new version
new vulns are found in the new versions and old ones also persist until patched naturally or reported also
I think it needs to be multiple versions or else it would be mostly useless. If you spend a lot of time getting the 0-day and it's for a single lib thats already full of holes you would have to keep doing these missions over and over
Also true
This type of mission would basically allow you to farm vulns but only for the newest version (and if you keep them for future versions) and choose the library you want.
To make it less op with this theres still the risk of the exact same vulnerability being discovered by another player i guess?
could be cool. Maybe you would even need these to do missions to get the juicy zero-days
scratch that, I thought about it some more, I think it could be really cool
I think it could be combined with some of the stuff I'm suggesting: Accept a mission, get an email with a lib.so and maybe a string or address value to test. You can either reply with the full string/address combo and get money/rep, you can keep it, or you can report it in ExploitReport.exe
I also think reporting in ExploitReport.exe could give you money to further incentivize public disclosure
yeah, although I think it shouldn't give you the address and value directly, you should need to hack for it. Maybe there could be easier ones to get zero-days in the current latest versions like NotYou said though
Right, I'm thinking maybe it just gives you one of the two and you have to find the second. Otherwise you're back to having to bruteforce the entire thing
I don't get what you mean there
if the lib scanning mechanic I'm advocating for is added, you fuzz libraries for new zero-days. You have to guess the address and string to find exploits. However if you do this mission type, they will tell you the address, so you only have to guess the string
Skill can be involved depending on how the vulnerable string values are generated. It could reward players who use wordlists or special characters like semicolons
the thing with scanning is that it becomes pay 2 win. You could buy the game multiple times to have 5 instance scanning and make it faster and/or if it damages the components faster it becomes pay2win but with ingame money. Also it makes the devs server work harder
throttle by making scanning for a new address/string take a few seconds like scanning does currently. Players can already buy multiple copies to mine cryptocurrency. I expect it would be about as much an issue as cryptomining is currently. Could also argue things are already pay to win because you can run more scripts across more devices. That's beyond this feature suggestion
yeah I guess. But still, I think it's more fun to have to hack than waiting for a bruteforcer
yeah
I think you could add both. Zero-day details could be spread around as loot like images and chatlogs are now, rewarding players for hacking around. Like I said the scanning could also involve skill. If you sat there and tried everything from 'a' to '9999999'... it would take forever. If you're more precise it could reward that
what would you rather do
sit and watch a screen for a thousand hours just to get one thing
or have fun hacking through and figuring out puzzles in a network
personally i prefer the active participation route
That's why both could be added
The scanner is more a means to manually explore the mechanic of having exploits not be immediately public
And allows for fully white-hat security researcher style of play if people choose
Im all for changes to the current balance. I guess it is all about that though, balancing
we seem to mostly agree that private exploits should be a thing - question is what avenues are players given to discover those exploits
im on the fence with private exploits
except clover
on one side it feels unfair to randomly give a small portion of the players exploits to hack anything
on the other hand, if it's implemented just right it could be good
I agree. It'd have to be a balance. It should be very difficult to find exploits on your own and difficult to keep them secret. Something suited only for highly capable and highly dedicated players and groups
yeah
oh, here's a thought: what if the exploit requirements aren't handed over? you enumerate a vulnerable address, a vulnerable string, but your exploit fails until you determine what the requirements are by meeting them
oh thats a neat thought
That would make security research really really interesting
maybe like some sort of vuln type for escalating a file result to a computer result or similar
file result to the new computer
You design brute forcing tools to identify vulnerable areas and strings (and even that has an element of skill), and then you have to enumerate the requirements and quirks yourself
yeah that could be cool too. Rather than reqs being a binary fail/pass, they determine the extent of the result
would also mean public exploits aren't everything they say they are. Could still perform security research to try and escalate a public exploit into a more powerful version. This gets you the address and string faster but you still end up with a zero-day essentially