calcifer :nes_fire:

1 year ago •

calcifer :nes_fire:
1 year ago •

One of my devs didn't understand how his new code was subject to a code injection attack. So another one wrote a harmless PoC to demonstrate it. First dev misunderstood and thought it couldn't lead to anything dangerous. So second dev used dd if=/dev/random of=/dev/sda as an example, intending the first dev to try it out in a local Docker image, which he did

Then he wanted to see if it would work in staging… and now he's learning how to rebuild our staging env (the relevant part of which is still on bare metal…)

unlofl [Promoted Toot]

1 year ago •

@calcifer

@calcifer :nes_fire:

Lord Kusuriya :tower:

1 year ago •

@calcifer

a picture of Kevin Hart captioned you gon' learn today.

@calcifer :nes_fire:

silverwizard

1 year ago

@calcifer Wait - uh - privsep?! Oh no!?

@calcifer :nes_fire:

calcifer :nes_fire:

1 year ago •

@silverwizard not really a privsep issue; the component in question is a tiny thing that runs as root for one function that requires it. It was exploitable as a normal user. It was already blocked from merging to prod, dev was just trying to figure out if it worked in a realistic environment and didn't think it through.

Vulns don't respect privsep 🤣

@silverwizard

silverwizard likes this.

Extruded Plastic Dingus

1 year ago •

😂

⇧

calcifer :nes_fire:

calcifer :nes_fire: 1 year ago •

unlofl [Promoted Toot]

Lord Kusuriya ​:tower:​

silverwizard

calcifer :nes_fire:

Extruded Plastic Dingus

calcifer :nes_fire:
1 year ago •

Lord Kusuriya :tower: