A drunken debugger

Heretek of Silent Signal

New blog post is out!

Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR

a fun story of finding weird new bugs where they didn't exist before, and what the future holds for KASLR bypasses on windows. i hope you enjoy!

https://exploits.forsale/24h2-nt-exploit/

@singe an opportunity to poison the state of the model?

Nullcon Berlin 2024 | Fuzzing At Mach Speed: Uncovering IPC Vulnerabilities On MacOS - Dillon Franke

https://www.youtube.com/watch?v=92W7HprKu-o


😔 @EDPS is giving up on its @Mastodon and @peertube experiment because it couldn’t find an EU agency to continue operating it.

I hope @EU_Commission can find a new home for it before May 18th as the executive body.

https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/edps-decentralised-social-media-pilot-end-successful-story_en


As a user,
I want your application to randomly steal focus
So that,
I enter my password manager's main password into a chat box


Every time a techbro tells me I need to change to some boneheaded security solution like DoH or shit like that it ends up with shitty consequences. Today it's Passkeys being used to lock customers into platforms. Other than anyone who looked at who was involved, who could've possibly predicted this might happen?

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/


MS-DOS is now open source, so in a time honored tradition. Let's look for curse words!

https://github.com/microsoft/MS-DOS


🥳 radare2 has been updated in Debian SID after 3 years! https://packages.debian.org/sid/radare2


The main gripe I have about in business is how it sucked the oxygen out of so many rooms. Teams who know what the important problems are, and who have conventional tools that would solve those problems, are being diverted away from that. They’re being asked to learn a new tool they barely understand and try to find problems it can solve. It’s a year of “amateur hour” all over the tech landscape. Meanwhile ordinary problems we could just solve with ordinary methods are left unsolved.

So we have had massive layoffs across the sector, and the remaining folks are all distracted with the new shiny in a way that I’ve never seen so pervasive. It will be a year of no growth and no results. And the blame will land anywhere except where it belongs.


Have any exciting security research to share this summer? REcon’s CFPs closes on April 26th.

https://bird.makeup/@reconmtl/1778070797912850671

@mttaggart that's not a problem in the glorious land of Hungary: even if schools have printers they are rarely used as there is no money for paper and ink

Today I realized our national postal service uses a *lot* of printers at customer desks. Maintaining those and the software that uses them must be The IT Hell.

[ZDI-24-400] Microsoft uAMQP for Python azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability (CVSS 9.8; Credit: Nitesh Surana (@_niteshsurana) of Trend Micro Research)
https://www.zerodayinitiative.com/advisories/ZDI-24-400/


Open Source Security mailing list

CVE-2024-0582: Linux kernel use-after-free vulnerability in io_uring, writeup and exploit strategy https://www.openwall.com/lists/oss-security/2024/04/24/3


https://bird.makeup/@foolisses/1773106195684839765


In Japan – the Fukui Prefectural Police Echizen Police Station have created the "Virus/Trojan horse removal fee payment card" and the "Unpaid charges/delinquent charges payment card".

The fake cards, designed to combat telephone scammers, are positioned intentionally at convenience stores to assist police at identifying victims and safeguarding them from financial harm. When someone tries to purchase the card the police are immediately notified.

Upon placement in stores in November 2023, it immediately stopped 3 elderly people from being scammed in November and December.

No additional information has been released regarding the success rate. However, the police officers who came up with the idea were given a promotion in February, 2024.

Information via @topilaron, @ten_forward, and @fukuinpmedia


I thought @da_667 would find this amusing but it's also interesting to the general world: Cisco actually does keep receipts on its backdoor problem: https://search.cisco.com/search?locale=enUS&query=%22CWE-798%22 . You can filter by date, quite a few in 2024 so far.

The odd part: lots of the advisories have a title like "Default Credentials" but if you read the description they do say "static" or "static default" so it looks like they are all properly hard-coded.

I'm not trying to poop on vendors, just think accountability and transparency are good things. Let's make CWE-798 (and CWE-1392/CWE-1393 default credentials) disappear in the future ;-).


I don't know why we're starting with TikTok in particular, but I'm generally in favor of banning much of the internet

[RSS] CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

https://www.mdsec.co.uk/2024/04/cve-2024-21111-local-privilege-escalation-in-oracle-virtualbox/

Can we just start the next tech fad that execs believe will cause free growth as I’m done with AI bullshit already.
