So good to be back on here after such a long time! Props to everyone still holding it down in the scene. I love seeing all the progress you guys are making. Just dropping by to say hi, big hug to all!
@notnotzecoxao Ok... Path Traversal in PSDescriptorFactory to overwrite the internal /userprefs file with a poisoned Java object (Payload) that, when processed without filters by readObject() in UserPreferenceManagerImpl, executes arbitrary code... ???
@CelesteBlue123 In Java, you can use `!` to access the internal contents of a JAR file and load a specific class. It's simply one of the easy ways to exploit the bug before the patch.
i've deleted previous tweet, but 15432 asked me to repost it again, so yeah.
path traversal is still possible on 13.04 because sony fucked big time. expect it to be patched on something like 13.50 or 14.00 though.
and if you think hackerone is what made the scene prosper, you are wrong :)
@spammail350362 @notnotzecoxao BD-J bug where JAR paths were improperly validated.
Using .jar!/../../payload.jar could trick the runtime into treating an external JAR as if it were in lib/ext and grant it AllPermission.
The patch trims the path at .jar before canonicalization.
Sandbox escape via path confusion
@m0ur0ne@BlieDieBlaDie WTF?
Escribí eso en noviembre...
Que mal te debes de sentir por dentro...
¿Y ahora cambias la historia diciendo que es otro?
Lo que hay que ver...
Por lo menos espero que hagas buen uso del dinero.
Un saludo.