Hacker News new | ask | show | jobs
by freeqaz 1538 days ago
Nobody wants to hand a bunch of blackhats a working exploit without there being a patch available. But yeah, at some point you have to accept that the blackhats have it and it's "more ethical" to just start handing out the exploit POC so that companies can start testing their ability to detect + remediate the issue.

It's the whole "responsible disclosure" dance. Finding a 0-day is exciting as a researcher, but you have to keep your mouth shut while a fix gets built and tested. (Google's Project Zero gives a 90 day grace period, for example)
3 comments
EE84M3i 1538 days ago
The post says "there is a public proof-of-concept available." If that's true, just link to it. The cat's already out of the bag.
link
freeqaz 1538 days ago
Thanks for pointing that out -- I didn't realize we missed adding the link! It's in a repo on GitHub, and we were banging on it to verify the exploit prerequisites.

I'll go do that as soon as I sit down again.

link
cyberpunk 1538 days ago
I still can't find it.. Got the link to the repo?
link
freeqaz 1538 days ago
I'll ask my engineers to post the one he wrote. He did put more details into the article, so go check that. Here is a repo with a POC though: https://github.com/TheGejr/SpringShell
link
vips7L 1538 days ago
That’s not really a POC though. That’s not a Spring Application I can run and reproduce on. That’s just a py script.
link
growse 1538 days ago
The PDF in the repo contains a simple Java sample that should be straightforward to build and run.
link
freeqaz 1537 days ago
Check the post again. We made a repo with a full end to end vulnerable app and POC
link
hsbauauvhabzb 1538 days ago
How is handing out a poc 0day ethical when it’s leaked but difficult to find? I’d rather see it censored until at least a patch drops + grace period.

I guess it’s a case by case basis, adding app-specific waf rules will be handy, but that only matters if exploitation patterns are unique per applications, otherwise generic rules could be published.

link
EdwardDiego 1538 days ago
The whole basis of this claim was a commit in a merged PR yeah?
link
richbell 1538 days ago
No. There was a credible report, but one of the blogs (Cyber Kendra) linked to a commit that mentioned RCE off hand and said "it looks like they're cleaning up".

https://spring.io/blog/2022/03/31/spring-framework-rce-early...

link