🦀 The slides for my workshop at @recon in Montreal this year, "Reversing Rust Binaries: One Step Beyond Strings", are now online!

https://github.com/cxiao/rust-reversing-workshop-recon-2024/tree/main/slides

You can find both the slides and the diagrams I used for the workshop linked there. The slides are meant to be a resource for you to use while reversing, so they have lots of clickable links in them (:

In case you lose the link, you can also find the slides linked from my page on the REcon 2024 schedule: https://cfp.recon.cx/recon2024/talk/QCA37X/

Really great to meet so many cool people, and lots of work to do for Rust RE going forward! I left the conference with a lot of great ideas and directions for new research.

#REcon2024 #reconmtl #rustlang #reverseengineering #reversing #malwareanalysis

use-after-free vulnerability due to the interaction between Unix garbage collection (GC) and the io_uring Linux kernel component

https://blogs.oracle.com/linux/post/unix-garbage-collection-and-iouring

Credits Shoily Rahman

#Linux #cybsersecurity

"Saved

MTV News Is Back (Kind Of) Thanks to the Internet Archive

After Paramount Global yanked over 20 years of music journalism, the non-profit Internet Archive created a searchable index of MTV News via its Wayback Machine"

rolling stone.

https://www.rollingstone.com/music/music-news/mtv-news-saved-internet-archive-1235051776/

Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/

Just released oletools 0.60.2: this is mostly a bugfix release, to address some dependency issues and compatibility with Python 3.12.
More details: https://github.com/decalage2/oletools/releases/tag/v0.60.2
How to upgrade:
pip install -U oletools
or:
pipx install oletools

Another release with new features should come soon!

@florian “Let me be very clear - this decision is simply unacceptable, undermines
IETF's mission, and calls the management's competence into question.” Well said, +1 .

found the problem

stupid fox walked all over my boards

Finally! The Mozilla HTTP Observatory is back. https://developer.mozilla.org/en-US/blog/mdn-http-observatory-launch/

We are planning to release new Mastodon security updates for versions 4.1, 4.2 and nightly this Thursday, Jul 04, at 15:00 UTC. It solves multiple security issues, including a major one. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.

Progress on the new C decompiler backend!
The model type system can now be imported into our MLIR dialect, Clift!
The PR: https://github.com/revng/revng-c/pull/1/files

SecureLayer7: Major Security Flaws in Mailcow: Inside the XSS and Path Traversal Exploits (CVE-2024-31204 and CVE-2024-30270)
Mailcow is an open source mail server software suite. CVE-2024-31204 (6.1 medium) XSS in the Admin Panel and CVE-2024-30270 (6.2 medium) arbitrary file overwrite were originally reported by SonarSource. SecureLayer7 performs patch diffing to provide a root cause analysis (proof of concept) for them.

#vulnerability #CVE_2024_31204 #CVE_2024_30270 #mailcow #proofofconcept #CVE

Wow, this guy setup fake free WiFi to harvest FB logins on a Plane! This is one of those always rumored, but never true attacks. Article doesn’t specify just how they figured out which guy on the plane was doing it.

https://www.infosecurity-magazine.com/news/australia-police-fake-wifi-airport/

OpenSSH CVE-2024-6387 mitigation (on Fedora):

echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd && sudo systemctl restart sshd

I have no idea why Qualys didn't mention this. The only non-async-safe function called by the vulnerable signal handler is syslog(). So just turn off syslog and log to stderr. On systemd distros, this still ends up in the journal anyway, so you lose nothing.

I confirmed that the message at the root of the issue is logged to stderr and not syslog with this option:

[pid 638194] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 638194] getpgid(0)                 = 638194
[pid 638194] getpid()                   = 638194
[pid 638194] rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTART}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1], sa_flags=SA_RESTART}, 8) = 0
[pid 638194] kill(0, SIGTERM)           = 0
[pid 638194] getpid()                   = 638194
[pid 638194] write(2, "Timeout before authentication for 192.168.21.10 port 37734\r\n", 60) = 60
[pid 638194] exit_group(1)              = ?
[pid 638194] +++ exited with 1 +++

Edit: The problem code still calls snprintf() which on-paper is still unsafe. However, it does this a bunch of times anyway in multiple code paths, and Qualys didn't mention anything about it. A quick look through glibc code suggests that snprintf() only does unsafe things (allocate memory) if you format floats, which obviously ssh does not.

Edit 2: Turns out there is another related issue, CVE-2024-6409, which is not mitigated by this trick. However, it only affects F35 through F37 and RHEL9, since it's caused by distro patches. The mitigation above works for current Fedora releases. If you're stuck on the vulnerable range for some reason, use the LoginGraceTime 0 mitigation and update your OS ASAP since those old versions won't get the patches at all.

Microsoft has told customers that the Russian criminals who compromised its systems earlier this year made off with even more emails than it first admitted. | @theregister

“the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive US government data. Reports last week revealed that the issue was even larger than initially believed and additional customers' data has been stolen.”

https://www.theregister.com/2024/07/01/infosec_in_brief/

I have discovered 7 long lost #DEFCON 6 videos, but they are in Real Media format and I can't find any utilities that work on current technology to convert them.

Does anyone know of tools that work?

So i wrote this on the other site (the short messages wannabe porn site) and predictably got just a single response.
Perhaps here I would fare better?

Reading the Qualys writeup about the OpenSSH race condition RCE it occurred to me that there should be a book titled "Beautiful Exploits" in which a handful of beautiful exploits are explained and their philosophical and historical implications are discussed.

Which ones you'd pick?

Meta claims that the "ad-free subscription" (Pay-or-Consent) model has been "approved" by the Court of Justice of the European Union (indeed ot opined on the matter). It states that this model is compatible with the DMA. An interesting case developing. Very well.

When it comes to Qualys, in the context of the OpenSSH vuln, I'll just repeat what I said a while back:

"I'm impressed with the Qualys security research team. Not only because they are clearly talented and have an impressive portfolio of high-impact findings - but because in an era of vanity domains and logos for bugs, they're keeping the 1990s research aesthetics alive."

Truth to be told, Qualys might be the only group still regularly doing this kind of "basic stack" research. Almost all the vuln research has shifted elsewhere, largely in response to financial incentives.

Do you like Splunk? Do you like them enough to read 18* security advisories?

1. SVD-2024-0701 Missing CVE ID (8.8 high) Remote Code Execution through dashboard PDF generation component
2. SVD-2024-0702 CVE-2024-36982 (7.5 high) Denial of Service through null pointer reference in “cluster/config” REST endpoint
3. SVD-2024-0703 CVE-2024-36983 (8.0 high) Command Injection using External Lookups
4. SVD-2024-0704 CVE-2024-36984 (8.8 high) Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows
5. SVD-2024-0705 CVE-2024-36985 (8.8 high) Remote Code Execution (RCE) through an external lookup due to "copybuckets.py" script in the "splunk_archiver" application in Splunk Enterprise
6. SVD-2024-0706 CVE-2024-36986 (6.3 medium) Risky command safeguards bypass through Search ID query in Analytics Workspace
7. SVD-2024-0707 CVE-2024-36987 (4.3 medium) Insecure File Upload in the indexing/preview REST endpoint
8. SVD-2024-0708 No CVE ID, informational only: OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systems
9. SVD-2024-0709 CVE-2024-36989 (6.5 medium) Low-privileged user could create notifications in Splunk Web Bulletin Messages
10. SVD-2024-0710 CVE-2024-36990 (6.5 medium) Denial of Service (DoS) on the datamodel/web REST endpoint
11. SVD-2024-0711 CVE-2024-36991 (7.5 high) Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows (cc: @reverseics)
12. SVD-2024-0712 CVE-2024-36992 (5.4 medium) Persistent Cross-site Scripting (XSS) in Dashboard Elements
13. SVD-2024-0713 CVE-2024-36993 (5.4 medium) Persistent Cross-site Scripting (XSS) in Web Bulletin
14. SVD-2024-0714 CVE-2024-36994 (5.4 medium) Persistent Cross-site Scripting (XSS) in Dashboard Elements
15. SVD-2024-0715 CVE-2024-36995 (4.3 medium) Low-privileged user could create experimental items
16. SVD-2024-0716 CVE-2024-36996 (5.3 medium) Information Disclosure of user names
17. SVD-2024-0717 CVE-2024-36997 (4.6 medium) Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint
18. SVD-2024-0718 Third-Party Package Updates in Splunk Enterprise - July 2024 (23 vulnerabilities, unknown exploitation and CVSS score statuses)

No mention of exploitation. h/t for @cR0w for the last 2 CVE IDs (I relied specifically on the RSS feed entries).

#PatchTuesday #Splunk #vulnerability #CVE

Notes on regreSSHion on musl — https://dustri.org/b/notes-on-regresshion-on-musl.html