Every vulnerability report has the line we all write: "This results in remote code execution as root." And every time, the engineer on the other side writes back: "It doesn't run as root, it runs as a dedicated, low-privilege account. Where's the PoC?"
That gap is the episode: the difference between finding a bug and actually being able to use it.
- X: @almorabea
- X: @CyberRiddler
- Website: https://thecyberriddler.com
[00:00:00] Found but not exploited, this is the gap between bug existing and bug counting Here's a sentence that everyone loves to write, this results in a remote code execution as root And here's another sentence the engineer on the other side wrote back The service doesn't run as root, it runs as www-data, it cant write to the path you've described, can you attach a working proof concept for it
[00:00:30] That little exchange, that's the whole episode, that's the gap I want to live inside this episode The distance between found a bug and I can do something with this bug Because those are not the same thing, they are not even close to the same thing And a huge amount of bad security research, including some of mine early on Lives in the same space where the researcher quietly pretended they were
[00:01:06] The Cyber Riddler, where we decipher the offensive and defensive side of the cyber world I'm Ahmad Imraqa I'm Ahmad, I break into things for a living and then write reports about how I did it
[00:01:31] Which means I spend half of my life on the offensive side and the other half getting fact-checked by people who own the asset Today, finding versus exploiting, false assumptions that trick findings And the strange, slightly humbling phenomenon where the person who finds the bug isn't the person who actually understood it Part 1 Primitive is not a capability Let me define the gap properly here, because found versus exploited
[00:02:02] Sounds obvious right? Until you are staring at the write-up at 2am Trying to decide if you have a finding or a fantasy When you find a bug, what you actually have is a primitive A small specific violation of how things are supposed to behave Like, I can write one byte past the end of this buffer This parameter reaches a SQL string without sanitization
[00:02:29] Or, this deserilizer will instantiate a class I name A primitive is a capability in principle It's potential energy Exploiting is the work of tuning the bug into an authorized access A reliable, useful, repeatable effect that survives contact with the real world And the real world have its own mitigation here and guards The real world has ASLR So your overflow doesn't know where anything is
[00:02:59] It has non-executable stack and heap So your shellcode just sits there It has stack canaries and control flow integrity It has a Waffen front that eats your payload It has the application running with no shell on the box No outbound network A read-only file system And a user account that can't do anything interesting Even if you are fully owning the process So, the honest question isn't is there a bug There is always a bug
[00:03:28] The honest question here is With the primitive I actually have Under the constraints that actually exist What can I actually cause to happen And can I approve it? If you can't answer that You don't have an exploit You have a theory And theories are fine Half of good research starts as theory But you have to label it as one The sin isn't finding a theoretical bug The sin is writing a theory up As if it were a demonstrated impact
[00:03:58] Part 2 It doesn't run as root Okay, a favorite assumption here The big one The one I've been burned by And the one I see other people's report constantly Assume the process is running as root You find command injection in some web application And then you find an input text And then you type ID You get output You feel the dopamine In your head With no evidence The impact section writes itself Full system compromise
[00:04:28] Route access Game over Then someone who actually Administrates the box reads your report And says The demon dropped privileges at startup It runs as a dedicated service account www-data Nobody App service Whatever With no sodo entry No write access outside its own directory No shell assigned Your ID output literally said www-data And you didn't read it You run the command That would have told you the truth
[00:04:57] And then You choose to ignore that This always happens And it's worth understanding why It's the default failure mode Because The reason is psychological here Not technical When you are in the offensive side You are optimizing for impact You want it to be root The whole emotional reward structure Of finding a bug That has root word on it So Your brain fills the gap The solution runs as root Not because you checked But because it makes your finding better
[00:05:26] That's motivated reasoning And It's the single most common way Good researches produce bad findings The discipline here is boring And It's this Establish the security context Before you write the impact What user? What groups? What capabilities? Is it container or not? Is the container privileged or not? Is there a SECOM profile? What can this account actually reach On the network from where it sits? Because RCE as root
[00:05:56] And code execution As unpreveraged service account In a locked down container With no egress Are both real findings But They are not the same finding And the difference is the difference Between critical and medium When you label the second one As the first You don't just inflate a number You burn your credibility And your nice findings Part 3 Theoretically critical I want to tell you about the real one here Because It's almost too perfect
[00:06:25] Is the curl CVE 2020-19909 And It's the master class In the difference between A bug existing And a bug counting So Curl properly is the most widely deployed piece of software In the Linux system It's In a billion of installs Maintained famously by Daniel Stenberg And In 2023 A CVE shows up against it Failed anonymously With the national vulnerability database The description is An integer overflow
[00:06:54] In the command line parsing Of the switch Retry Delay And NVDA rates it as 9.8 Critical Out of 10 Now 9.8 Is the score you give something That lets an Authenticated attacker Across the network Run code on your box That's The catastrophe tier So what's the actual bug? The retry delay option Tells curl How many seconds to wait Before retrying a failed transfer Curl Takes your number
[00:07:23] Multiply it by 1000 To get milliseconds And when a crafted value That multiplication Overflows That's the vulnerability The impact is The absolute worst case Is the curl waits A wrong amount of time Before retrying Or the command line tool Actually crash A denial of service Against a program You are running On your own machine By typing your own flag With your own absurd value Into it It had been reported back 2019 By a researcher named Jason Lee On hacker 1 And quietly fixed
[00:07:53] As a regular bug The same year There was no security emergency And then years later Someone reported it back Filled it as a CVE A new one And the scoring missionary Looked at the word overflow And panic rated it As 9.8 Stenberg reaction Is the thing to learn from He recognized The description instantly He would see In the original report And he went to work To get it rejected Because A false 9.8 Against curl
[00:08:21] Propagates to every scanner Every dependency dashboard Every compliance report On the planet Within days Ubuntu security team Looked at it Marked it as a non-security issue The crash only affected The command line tool Not the library itself Mitre refused to fully reject it But flagged it as disputed And eventually The score came down To a 3.3 low From 9.8 To a 3.3 Same bug The bug never changed The only thing that changed Was the people Who understood it
[00:08:51] The context finally Got looked at That's The lesson And it cuts both ways The bug was real There genuinely was An integer overflow there The primitive existed But the report was garbage Because report isn't the bug A report Is a claim About what the bug means And that claim Has to survive Someone who knows The deployment Contained the word overflow Is not a threat model Part 4 The assumption The rule thing Is the famous assumption But
[00:09:20] It's got a whole family Let me run through The ones I see most Because Once you can name them You stop making them Unauthenticated Well it's authenticated You found the bug While looked as admin And you'll forget You were logged in As admin The reachability Of the vulnerable code path Requires a session You only have Because you already Have the keys Pre-auth And post-auth Are different planets Always ask Who has to be standing Where Holding what For this code
[00:09:49] Even to execute A race you won Once is a reliable race You heard the wind One time Out of the thousand tries And wrote Exploitable Reliability is the exploit A one in a thousand primitive That you can't make Fires on demand Is a finding that says This is theoretically A race condition Not a camp of this easily The mitigation isn't there You wrote a memory corruption Exploit In your head And you assumed You can defeat ASLR But you have no information leak To defeat it With no leak No addresses
[00:10:19] No addresses means No exploit It would be exploitable If I had a leak Is an honest sentence And a completely different finding Than It's exploitable A crash is RCE This is the big one In memory You sick faulted the target And called it Remote code execution A crash Proves you can influence The process It does not prove You can control it Going from I can't crash it To I control The infrastructure pointer And I survive mitigation And I land a payload Is 90%
[00:10:48] Of the actual work And skipping that 90% And writing RCE It's just lying With extra steps The info leak That leaks nothing Memory disclosure Okay You have one Disclosure of what then An initialized heap That happens to contain Padding bytes Okay An SLR bypass Is really gold But A leak of constant zeros Is a CVE Nobody needs You will notice that Every one Of these The same move The researcher assumed
[00:11:18] The most convenient fact In the chain Instead of proving it Because The convenient fact Made the findings bigger Finding is optimistic By nature Exploiting Is where the optimism Goes To get tested Part 5 When someone writes it up Better than the person Who actually found it Last thing And It's the one I find genuinely humbling Sometimes The person who finds a bug Not the person Who understands it And The write-up
[00:11:47] Everyone eventually cites Comes From somebody else Entirely Dirty cow CVE 2016 5195 Erase condition In the linux kernels Copy on write handling That lets an unprivileged locker user Write to memory That's supposed to be read only Clean privilies creation Truth Now It was found in 2016 And See how he found it He was investigating a server He managed That had been compromised And he pulled out the exploit
[00:12:16] Out of a captured HTTP request It was already being used In the wild He found it by getting hit with it Here's the part that gets me Linus Revolts Had attempted to fix this exact race 11 years earlier There is a 2007 commit Fix Function name Get user pages Race For write access And then The fix caused problem On the S390 Architecture And at the time The race was so hard To trigger That leaving it alone Was a reasonable call
[00:12:45] It sat there then Over the years And related changes To the kernels Made the window easier And easier to hit Until What had been A basically theoretical race In 2007 Became A rock solid route Exploit In 2016 The bug was known A version of it Was looked at But That judgment Was correct for the time Found versus exploited Isn't just two researchers It can be the same bug A decade apart The primitive existed in 2007
[00:13:14] The capability only matured In 2016 Same flow The world around it Changed Here's what I want To leave you with Whichever side of the report You are on If you are finding The bug is the easy part There is always a bug Your value As in the discovery It's the honesty Of the claim You attach to it Establish the security context Before you write the impact Find out What user It actually runs as Name every F Don't promote a crash to RCE
[00:13:44] A theory to a demonstration A one in a thousand race To a reliable primitive Do a POC Or it didn't happen Is a thing That separates finding From a vibe And if you are on the receiving end Reviewing Triaging Owning the asset The current story Is your permission slip A 9.8 Is a claim Not a fact The word Overflow Is not a threat model You are allowed to read The ID output Check what user It runs as And quietly Walk a critical finding Down to a medium finding Where it belongs
[00:14:13] That's not being difficult That's the job You've been listening to The Cyber Riddler If you are reporting bugs Or discovering bugs Please share your stories with me Don't forget to share this episode With anyone you think Is interested about this topic And don't forget to follow us on X At Cyber Riddler Or me personally at Al Morabeh Until next time This is Ahmed Al Morabeh Signing off

