Check Point Research (CPR): Exploring Compiled V8 JavaScript Usage in Malware
CPR showcases a custom tool named "View8" for decompiling V8 bytecode to a high-level readable language. Compiled V8 JavaScript is used by malware authors to evade static detections and hide their original source code. CPR explains compiled V8 JavaScript, how attackers can leverage it in their malware and how it appears in the wild. No IOC but a single SHA256 hash highlighted in pink.
40 vulnerabilities in Toshiba Multi-Function Printers https://pierrekim.github.io/blog/2024-06-27-toshiba-mfp-40-vulnerabilities.html
🇬🇧 Von der Leyen's EU Commission sues the European Data Protection Supervisor to keep using Microsoft Office and Cloud Suite which violate EU privacy rules.
Did anyone hope this Commission would crack down on Microsoft for the violations?
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C_202403925
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C_202403926
I saw this meme going around so I fixed it
The junk includes:
(modified sha512crypt) hashes ("Easily bruteforced" means that competent attackers are going to run the equivalent hybrid or bruteforce attack anyway much faster on GPU. All these naively-generated strings do is waste attack time ... and inflate the scary size of the compilation 🙄)
If you remove all of this junk (that's useless for directly cracking a human-generated password), all of the RockYou2021 mashup (which was itself similarly problematic), and all founds already available on Hashmob (1.2B) ...
... you're left with only 190M strings that are "net new, maybe useful".
So if you're a pentester or other "normal" password cracker, you can probably just skip RockYou2024. It's only going to be useful if you're a completionist who's trying to crack other mashups (like the long tail of junk in the Pwned Passwords corpus, etc.)
[will update post as I find more non-trivial junk]
Well, looks like native PDB files finally (unofficially) support compression. A few recent versions of msdia140.dll implement a new MSF format that stores PDB streams in compressed "chunks". It was fairly easy to reverse the implementation, though I have some past experience with the PDB format. Takeaways:
- zstd is used for compression, looks like the open source implementation without any tweaks.
- there doesn't seem to be a way to produce the files in this format at the moment, at least it looks like the code was compiled to only provide deserialization of the new format.
- decompression of chunks is done on-demand. This means that the format is pretty flexible, which allows optimizing for space/speed. (e.g. you can compress the entire stream in a single chunk and get the best compression ratio, but that means the entire stream has to be decompressed at runtime)
I'm gonna write up a converter with some simple compression strategies to see how the new format fares in practice, but that's probably going to take a few days. Hopefully MS comes out with something official soon.
I finally got up a first draft of docs for ABI Cafe and KDLScript!
== Homemade / DIY magnetic tape head, episode 3 ==
As you might have heard, a few days ago we made a magnetic tape head at home. It is a big deal, because there is a general consensus online that it cannot be done without precise machinery, and if it can, it will only work on tape pullers working at tape speeds of 38 to 100 cm/s, and perhaps closer to the oldest tape formats with the track width of 1/4" (that should affect the volume of the signal).
In this video, the DIY head is playing while using a commercial tape puller at 9.5 cm/s, and the track is 1/16" wide (aka the single-speed domestic standard). This means the frequency response and the signal/noise ratio could be doubled or tripled if we had a faster tape puller.
In this episode:
* Recap of the previous episodes
* Upgrading Mk 1.5 to 1.999
* Erasing the tape at home, and using this head for recording (it works!)
* Ideas for Mk 2
🧵
TIL the new YubiKey 5.7 firmware lets Yubico ship keys in a "Restricted NFC" mode, so that folks can't easily talk NFC to them in packaging until they've gotten at least 3 seconds of juice at the destination. Clever. And it can also be toggled by the user!
https://docs.yubico.com/hardware/yubikey/yk-tech-manual/5.7-firmware-specifics.html#restricted-nfc
"Restricted NFC mode prevents wireless device manipulation before a YubiKey NFC with the 5.7 firmware is taken out of its blister pack or other packaging such as a tray. To ensure that these keys cannot be tampered with during shipping, this mode is enabled by default on new NFC keys with the 5.7 firmware.
"When these keys are taken out of their packaging, the only permitted action via the NFC connection is reading the URL configured by Yubico on the NDEF tag set by Yubico. Because both major mobile OSs read NDEF tags and open URLs by default, users immediately learn how to disable Restricted NFC mode. The NDEF tag is set to https://www.yubico.com/getting-started/.
"When tapped against a mobile device, a YubiKey 5.7 NFC will cause the browser to open to the configured URL with the instructions for enabling full NFC operation. The end user is instructed to plug the key into USB power such as a USB charger or computer USB port for 3 seconds. This action is sufficient to disable Restricted NFC mode. The user can re-enable the restriction as often as they desire using the Yubico Authenticator or the YubiKey Manager/ykman."
h/t: Reddit user 'ovirot' - thanks!
Auth. Bypass In (Un)Limited Scenarios - Progress #MOVEit Transfer (CVE-2024-5806)
Writing a Frida-based VBS API monitor
https://www.hexacorn.com/blog/2024/07/07/writing-a-frida-based-vbs-api-monitor/
This is a problem domain where the constraints and effects are pretty much entirely comprehensible in terms of known physical models. Any suboptimal behavior is entirely a matter of nobody having spent the time to apply known models. But sure, let's instead spend the time hooking up ML, CV to evaluate results, and waste tons (literally) of plastic training a model to learn a poor approximation of what we already know.
But this is a general pattern that's terrifying...
An unexpected journey into Microsoft Defender's signature World:
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
#cybersecurity #windowsdefender #windows #informationsecurity #infosec #reverseengineering
Our @recon slides and demo videos are now online as well:
https://silentsignal.hu/docs/S2-REcon24-Control_Flow_Integrity_on_IBM_i.pdf
== Let's make a magnetophone / tape player / magnetic tape head at home! ==
Many people started following me after my DIY magnetic tape and DIY floppy disk experiments. A common request ever since was to make a DIY magnetic head, and, truth be told, I was curious to experiment with it, too.
The task was daunting, and many people were convinced that it could not be done at all. In fact, I could not find a single mention of a successful experiment in the West, and scarce mentions of it in vintage Russian radio hobbyist magazines. But I know that it could be done; my father says he made some magnetic heads over 40 years ago.
Just two weeks ago Hackaday.com made a post claiming that a (really cool btw) hobbyist made a tape player with a DIY tape head. I was excited at first, and then outraged - it was fake news! The DIY tape head was not (and could not be) used in the tape player on the video, and in fact could only erase tape.
Now, I present you The Real DIY Magnetic/Tape Head (and a DIY microphone)
🧵~
Reverse engineering eBPF programs https://www.armosec.io/blog/ebpf-reverse-engineering-programs/
did you know that intel shipped a userspace driver that does kernel physical memory grooming (like heap grooming, but for physmem allocations) to get a contiguous memory block https://git.dpdk.org/dpdk/tree/lib/eal/linux/eal_memory.c
like... allocates a bunch of pages, checks if they're physically contiguous, frees the ones that are not, and retries until it has enough that are, more or less