"I'm interested in all kinds of astronomy."
[RSS] Notepad++ Hijacked by State-Sponsored Hackers

https://notepad-plus-plus.org/news/hijacked-incident-info-update/
#REshare exporter for #BinaryNinja is getting into shape! A sane API and good documentation made a world of difference, but of course I found a bit in the type system that required some hacks :)

https://github.com/v-p-b/reshare

Code coming next week after some more testing.

#ReverseEngineering

According to the Epstein files, he had a "personal hacker" working for him. The FBI document says Epstein's personal hacker was an "Italian citizen born in Calabria who developed zero-day exploits and offensive cyber tools and sold the tools to governments."

https://www.justice.gov/epstein/files/DataSet%2010/EFTA01683874.pdf

"[Redacted] sold a zero-day to Hezbollah. [Redacted] was known as the first person to hack and find vulnerabilities in Blackberries and iOS. He was known for finding Firefox vulnerabilities. [Redacted] former company was acquired by CrowdStrike in fall of 2017 and was currently a vice president there."

"S//NF= was very good at finding vulnerabilities was friends with "old school" European hackers. "Received a trunk of cash from Hezbollah when was in Italy; drove the money to Switzerland and deposited it in another ba [redacted]. [redacted] owned a theater company in California and he used the theater company to launder his zeroday money

"Made six figures from the sale of his zero-days. He sold his tools to United Kingdom GCHQ and provided training to the organization. He also sold his zero-days to a Central African government, as well as Hezbollah for political reasons. The Italian Government asked for help, but [redacted] declined because he felt the Government was incompetent. Calabria was mob-controlled and did not have much loyalty for his birth country.

"[Redacted] sold his exploits to the United States and United Kingdom, but he would not sell to Asian countries because he is a racist. He was also anti-Semitic. [Redacted] was terrified of Russia, however, and would never travel there. He lived in Dubai at one time, and was acquainted with the [redacted] lived in Oman as well. He may have an Iranian and Israeli passport, in addition to his Vatican City passport"

Looks likely the top commenter here is correct about "Epstein's hacker":

https://www.reddit.com/r/cybersecurity/comments/1qsi6ds/informant_told_fbi_that_jeffrey_epstein_had_a/

From a single tiny bug recursion creates infinite tiny bugs that eat your program whole.
@XC3LL Thanks for posting this, great to see someone has the guts to say the emperor is naked!

My 2c:
- Red Teams should be about the "difficult" things you mention at the end IMO. Spending resources on initial access is mostly pointless (from the client's perspective, finding 0d is always cool ofc) when a new blinky box exploit, leaked code signing cert, etc. is popping up every other week. IME many clients pay for (bad) initial access simulations because organizing assumed breach in-house is hard.
- A way to burst the bubbles you describe is to mandate scenarios based on real-world threat intel. But this works against initial access again, because RT's can't scale their R&D as black hats do (attack surface is clients vs the Internet).

For researchers and those trying to disclose incidents responsibly or get help:

There is an international organization called FIRST.

From the FIRST Teams website:

"This is a list of the contact information for incident response teams participating in FIRST, the Forum of Incident Response and Security Teams. The teams are responsible for providing FIRST with their latest contact information for this page. The list is alphabetized by team name. All telephone numbers are preceded with the appropriate country code."

There are 829 teams listed. Some are government CERT teams, some are corporate incident response teams.

You might want to bookmark the site to speed up your attempt to contact these teams:

https://www.first.org/members/teams/#


@cR0w Fursuits are a natural evolution to working in server rooms


I appear to have created a "sound card" for a 4-bit CPU.

As you do.

https://diyelectromusic.com/2026/01/31/td4-4-bit-sound/



RE: https://diyelectromusic.com/?p=19735


today’s one-sentence horror:

sudo has been largely maintained by a single person for ~30+ years

Raymond Chen published half a dozen posts about SAFEARRAY handling:

What’s the difference between SafeArrayAccessData and SafeArrayAddRef?
https://devblogs.microsoft.com/oldnewthing/20260126-00/?p=112016

A digression on the design and implementation of SafeArrayAddRef and extending APIs in general
https://devblogs.microsoft.com/oldnewthing/20260127-00/?p=112018

Why did I lose the data even though I called SafeArrayAddRef?
https://devblogs.microsoft.com/oldnewthing/20260128-00/?p=112021

How can I retain access to the data in a SAFEARRAY after my method returns?
https://devblogs.microsoft.com/oldnewthing/20260129-00/?p=112023

Why not store the SAFEARRAY reference count as a hidden allocation next to the SAFEARRAY?
https://devblogs.microsoft.com/oldnewthing/20260130-00/?p=112025
[RSS] A digression on the design and implementation of SafeArrayAddRef and extending APIs in general

https://devblogs.microsoft.com/oldnewthing/20260127-00/?p=112018
[RSS] Reverse engineering of Schneider Electric PLC "archive" file format

https://github.com/finngineering/apxutil

Finally had some time and LLM subscription enough to refactor my asynchronous WinRM library awinrm.
It is based off of pywinrm, but has two key improvements: async and native (Python) auth types including Kerberos.
Available on GitHub and pip.
https://github.com/skelsec/awinrm/releases/tag/0.1.0

"New court record from the FBI details the state of the devices seized from Washington Post reporter Hannah Natanson
[...]
Because the iPhone was in Lockdown mode, CART could not extract that device"

https://www.reddit.com/r/privacy/comments/1qsmy8g/fbi_was_not_able_to_extract_data_from_iphone_13/
"Former BlackHat board member Vincenzo Iozzo, and co-author of iOS Hacker's Handbook, had a relationship with Jeffrey Epstein.

It appears Epstein attended DEFCON and/or BlackHat in 2013 and 2015, possibly 2016."

https://x.com/vxunderground/status/2017673353335542039

/via @vxunderground
Generated documentation for #Ghidra 12.0.2 now available at:

https://scrapco.de/ghidra_docs/VERSION12/

(Note that the URLs changed recently so docs for both the latest version 11 and 12 are browsable)
[RSS] exploits.club Weekly(ish) Newsletter 94 - P20 VMWare Bugs, ExpDev With LLMs, Pixel 0-Click Bugs, and More

https://blog.exploits.club/exploits-club-weekly-ish-newsletter-94-p20-vmware-bugs-expdev-with-llms-pixel-0-click-bugs-and-more/