I am teaching an introduction to Linux binary exploitation class. We start with fundamentals, talking about micro/macro architecture, segmentation, paging, AMD64 changes/improvements, and so on.
In the class yesterday, we did a deep dive accompanied by the AMD manual about segmentation. It's easy to misinterpret many public texts that state "it's disabled/retired" when, in fact, just some features are ignored.
We still have the privilege level defined by segmentation (CS.CPL register); it's needed for 32-bit binaries running in CPU compatibility mode, and the GDT needs to be set up. Also, I showed the class how segmentation (CS.L) still controls the behavior of the processor as, depending on its value, instructions might behave differently. All of this was validated in real time on the VM through kernel debugging.
It seems like overkill to teach all those fundamentals just to learn about buffer overflows, format strings, and what could be done once arbitrary read/write is achieved in a modern Linux distribution, but I think it's valuable. I struggled in the past during binary and kernel exploitation, especially because I didn't understand much of those things well.
During the classes, I also learn important things. In my last Linux kernel exploitation class that took place a few years ago, my exploits stopped working. They exploit a race condition and were working fine, but I just happened to toggle the power mode from performance to power saver, and this interfered with the codes. Before that accident, I wasn't paying much attention to these details for several reasons. I then took the opportunity to read more about those technologies embedded in modern CPUs, and it has been rewarding.
I also learned some interesting things about glibc. As I have been playing with the kernel for most (or all?) of my professional career as a researcher, I didn't pay attention to lots of things. This week I just learned about dynamic and static TLS (Thread Local Storage). I had never imagined the scenario for dynamic TLS. Found some interesting things about it:
glibc: Major issue with Houdini
https://redhat.atlassian.net/browse/RHEL-39415%29
[PATCH] elf: Support recursive use of dynamic TLS in interposed malloc
https://inbox.sourceware.org/libc-alpha/8734p2h0t4.fsf@oldenburg.str.redhat.com/T/
A new TLS alloctor for glibc
https://youtu.be/JIkS4aLvQPg
A new TLS allocator for glibc
https://conf.gnu-tools-cauldron.org/media/opo25/submissions/LQTU3G/resources/tls_z0ToUZm.pdf
Non-technical teams are now shipping production vulns
Honestly, one of the things I like least about traveling for work is having to wear pants. Seems like we should have moved past this expectation by now
They'd have got away with it, if it wasn't for those meddling kids.
π΄ We're starting our live!
https://www.youtube.com/watch?v=RaZrX0PX4kI #reverseengineering #cybersecurity #ai
"That 'responsible disclosure' Thing"
A post with the details of CVE-2026-23918, the double free vulnerability fixed in Apache httpd 2.4.67.
#apache
https://eissing.org/icing/posts/responsible-disclosure/
@daveaitel @sherrod_im The willful ignorance of latent vulns. It was as if it didnβt exist until a vuln researcher discovered it.
Oh cool, Ollama on Windows has unpatched vulnerabilities that lead to Ollama downloading unverified updates from a malicious URL if set locally, and also path traversal that leads to arbitrary file write.
Disclosure without patch.
https://www.striga.ai/research/ollama-windows-auto-update-rce
The world is now so full of ridiculous things that at least I struggle to deal with it all. But this is not an 'us' problem. The (political) world really is idiotic. I needed to vent a bit, so I made a list of things that are impossible to believe, yet are very much what is happening. Perhaps seeing it in writing will help you deal better with the situation. https://berthub.eu/articles/posts/the-impossible-things-we-have-to-believe/
Defender nuked legitimate DigiCert roots as malware because Microsoft shipped detections for a real DigiCert breach without distinguishing root certs from the compromised code-signing ones. Your trust store is one bad signature update away from triage hell.
https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/
Google Chrome is silently installing a local LLM on your computer that is 4 gigabytes in size. It's done without consent, it's not visible in the settings, and removing it will reinstall it later.
https://www.thatprivacyguy.com/blog/chrome-silent-nano-install/
The existence of a weird proxy economy for AI tokens is very effing cyberpunk, AI issues notwithstanding (or perhaps especially). (Also, China Talk is an *excellent* source for lots of current tech-related goings-on.)
https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens-in
This is the wrong message. Ministers do not care about undermining the open web. They see openness as a bug, not a feature.
The message you need to highlight is that the OSA is handing more control to US tech companies that are under the control of Trump.
To kick off his collaboration with @portswigger as a Burp Suite Ambassador, our Research Lead @apps3c just published the 10th article on the creation of extensions for #BurpSuite. Topic: #Burp #AI!
https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-10/