When I think of "watering hole attack targeting cybersecurity/tech professionals" I was ... hoping for something cooler than this. r/cybersecurity found and banned someone targeting our community with #malware today: https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit/

To follow up on my experiments with black-box detection of the #BLASTPASS vuln[1] I looked into the source code of the dwebp sample used by Isosceles to demonstrate the trigger vs. vipsthumbnail where the vulnerable code doesn't seem to be reachable.

Based on the backtrace, dwebp enters the libwebp library via WebPDecode().

In contrast, vipsthumbnail uses the Demux API[2], and exits early when WebPDemux() reports an error (without triggering an OOB write).

This means that there are supported libwebp APIs that can catch at least some crafted inputs early, so proper error handling (not present in the official sample code btw...) can block exploitable paths.

[1]: https://infosec.place/notice/AaEVhdW3h60AsBaM9g
[2]: https://chromium.googlesource.com/webm/libwebp/+/HEAD/doc/api.md#demux-api

Just noticed that gef.blah.cat is recognized as malware by #Cisco
Umbrella (which is apparently active at the DNS of one of the largest ISPs in Hungary)...

#gef #gdb

/cc @hugsy

"DavRelayUp: A universal no-fix local privilege escalation in domain-joined windows workstations":

https://securityonline.info/davrelayup/

[RSS] RT by @alexjplaskett: Reliable exploit engineering and Linux kernel bug hunting

Presentation slides from OffensiveCon 2023

https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineering-attacking-the-linux-kernel/

Beyond the good ol’ .bashrc entry… Part 1

https://www.hexacorn.com/blog/2023/09/29/beyond-the-good-ol-bashrc-entry-part-1/

#DFIR

[RSS] A colleague pointed me today to an insane exploit primitive if you control a PHP include() with a fixed .php extension and no upload

https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp

Details and PoC for that WS_FTP 10.0 CVSS vulnerability (CVE-2023-40044):

https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044

Exploitation requires an HTTPS POST request.

There are currently more than 550 WS_FTP servers connected to the internet, according to Shodan.

This is very bad!

Dude tracked down the author of sub7, got the source and released it.
https://gitlab.com/illwill/sub7

Alright, which one of you is picking on North Korea?

Today I found out that google docs infects html exports with spyware, no scripts, but links in your document are replaced with invisible google tracking redirects. I was using their software because a friend wanted me to work with him on a google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far.

nothing wakes you up on a Saturday better than a newly reported critical security vulnerability in #curl ... 😩

(which *might* get lowered to just"high" but the burn in my soul is intense nonetheless)

Did you know that #Diaphora detects patch diffing sessions and tries to help finding where vulnerabilities were fixed? Here are some examples for CVE-2020-1350 and CVE-2023-28231.

#patchdiffing #binarydiffing #bindiffing #vulnerabilityresearch #vulndev

This might have slipped under the radar these past few days, but a 9.8 RCE in Exim (on many, many mail servers) that does not require authentication is bad bad bad.

https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

Security advisories should be machine-readable! CISA's advisories for ICS, OT, and medical devices are now available in the Common Security Advisory Framework (CSAF)

More info: https://www.cisa.gov/news-events/news/transforming-vulnerability-management-cisa-adds-oasis-csaf-20-standard-ics-advisories

#Ghidra 10.4 is out

https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_10.4_build/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html

The fedi isn't like email. The fedi is like if you accidentally triple booked a bdsm convention, a FSF convention, and a communist workers AGM all in the same german arena

The inevitable has finally happened - someone's used a technique I published to hack a website I made.

0x999 used the single-packet attack to get double points on a hackxor mission and top the leaderboard, then thoughtfully notified me 😂

Hackxor's leaderboard is stored on a super fast in-memory Redis database located on the same machine, so at least it's a great advert for how the single-packet attack makes tiny race windows exploitable!

https://hackxor.net/leaderboard

[RSS] Turing Complete Programming on ARM With Two Instructions

https://hackaday.com/2023/09/29/turing-complete-programming-on-arm-with-two-instructions/

[RSS] The wait is over. Please welcome "Dock Tile Plugins" to the persistence club. My new favorite.

#macos #persistence

https://theevilbit.github.io/beyond/beyond_0032/