Identity and access management, also known as IAM, is the application of policies, procedures, and technologies with the purpose of protecting data.

The IAM framework allows an organization to protect their data utilizing three core tenants, typically represented as points on a triangle.

Authentication is the action by which one entity proves their identity to another entity.

An example of authentication is entering a password, signing a message or certificate with a private key via asymmetrical cryptography, or scanning a fingerprint and other biometric means.

Authorization is the policy by which an organization will permit entities to have rights and privileges to certain data within the system. Specifically, authorizing is the defining of policy per an entity.

In this part, I will cover the initial steps, thoughts, and problems I had while attacking LAN Messenger.

I decided to attack LAN Messenger because it was an application which I had used previously and I already found a remote DoS exploit accidentally while poking around with netcat.

According to the SourceForge repository, LAN Messenger was last updated in 2012 (version 1.2.35) which gave me hope that there were some bugs that could be easily exploited. As this was a task meant for practice, I tried to avoid “spoilers”, however I later discovered that there were only two reported vulnerabilities issued CVEs. Both ended up being DoS bugs, one of which I already found anyway and the other doesn’t really make sense and claims to be for a version that doesn’t exist.

Despite there only being two CVEs, I was also very interested in a comment on the SourceForge page by a user claiming that there was a known XSS actively being exploited in the program as well. Despite the initially confusing comment which referenced an Exploit-DB ID for a completely different product, an XSS polyglot eventually did uncover the bug. After several more Google searches, I finally discovered a 2012 PoC from Vulnerability Laboratory that described the XSS, although the URL encoding suggested caused the bug not to trigger on my test machine.

Sometime during testing I discovered that LAN Messenger was forked to a project on GitHub as version 1.2.39.

Since the news of Log4shell initially broke, a few news outlets have been stoking fear about an imminent attack from a devastating worm, from the usual suspects, armed with a Log4j exploit. A month later, and we still haven’t seen it — but why? And how is it actually being used?

The attack surface that a Log4j worm would have to target is very incongruous. Systems such as web servers are easy to mass scan and Java-based web applications like Elasticsearch and VMware Horizon have already been exploited in great numbers. Scanning the entire internet for a select few vulnerable services or even blindly pray-and-spraying every found web service with a payload can be done in a day.

Writing a worm for a scannable exploit is pretty much pointless. Worms like WannaCry made use of an SMBv1 service vulnerability in Windows systems meaning that the entire network could be compromised from a single exploit. Log4j, while devastating in it’s breadth, isn’t as ubiquitous as a default Windows service and the method of exploitation for this library will vary greatly depending on its implementation.

A Log4j worm would only affect the few machines running this library and internal uses of the library would be too varied to be predictable in any meaningful way. Even the operating system would

Additionally, the skill requirement of writing a worm is much higher than scanning. Only nation-state threat actors have the skill and resources to put together an impactful worm quickly enough to be competitive with scanning and even the efficacy of this is debatable.