This year was my first time at the balccon conference. This infosec event takes place in Serbia and is a community oriented congress very similar to the CCC Congress in Germany. I felt very comfortable there right from the start. There were incredibly good talks and fantastic installations built by the community.

One of my daily work is to create testbeds to test defense mechanisms. As a result, I am constantly watching for vulnerabilities that I could use in such testbeds. In February 2023, someone discovered a vulnerability in the open-source surveillance software “Zoneminder”. It was a command injection vulnerability that an unauthorized attacker could trigger. Since there was only an advisory on Github without any proof of concept code, I created an exploit and contributed it to Metasploit. I learned a lot about developing modules for the Metasploit framework, and this article summarizes my experiences. To give Zoneminder administrators enough time to patch their systems, I waited more than seven months from releasing a patched version of Zoneminder before releasing this exploit.

This is the ninth blog anniversary! Unbelievable!

Due to the corona pandemic the chaos communication congress did not take place in 2022. Different hackerspaces created mini-events with talks and workshops instead. One of them was “Fireshonks 2022” which was organized by “Remote Rhein-Ruhr Stage” and “Haecksen”. I had the honour to give a talk about Logrotten - It’s not a Bug. The full talk is online as a video-stream and was held in german language.
 

BSides Vienna 2022 was a wonderful event. There were so many great talks and the location was beautiful. I gave a talk at the BSides Vienna 2022 about my “logrotten” exploit and I think the hacker community liked it. Here is a short description about the talk: