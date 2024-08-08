For each vulnerability discovery, inherent challenges were present which limited the vulnerability research process. In both cases, these vulnerabilities were discovered, and a viable exploit was verified during a time-bound security engagement, meaning that only a fixed amount of time could be allocated to pursuing each vulnerability. Additionally, due to these time constraints, I could not acquire a physical device for offline research or debugging. This meant that testing would be conducted against a live, remote asset in an organization’s environment. While these activities fell within the scope of authorized testing and both devices did not host business-critical applications, the avoidance of crashing a service remained a high priority to avoid adding additional business impact for the customer and to avoid triggering detection and response activities.

The previously mentioned constraints are shared to provide context surrounding the scope of vulnerability research performed for each target device. This scenario naturally resulted in a vulnerability research effort for each device that was not comprehensive and heavily influenced how I analyzed each device.

After the initial inspection of each device, I gravitated to researching the viability of command injection vulnerabilities and limited my research solely to that attack vector. Certain vulnerability classes, like memory corruption vulnerabilities, were left out of scope as these carry an almost certain risk of crashing the affected service while developing an exploit. Command injection vulnerabilities are generally straightforward and while any vulnerability category carries some level of inherent risk, intentionally crafted inputs may reduce the risk of crashing the targeted service and subsequently potentially disrupting the availability of the device.