New vulnerability report from Talos:

GNOME Project G Structured File Library (libgsf) Compound Document Binary File Directory integer overflow vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2068

CVE-2024-36474

New vulnerability report from Talos:

GNOME Project G Structured File Library (libgsf) Compound Document Binary File Sector Allocation Table integer overflow vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2069

CVE-2024-42415

[RSS] Pwning LLaMA.cpp RPC Server with CVE-2024-42478 and CVE-2024-42479

https://pwner.gg/2024/10/03/llama-cpp-cves/

Just published a deep dive on how we have made it possible to debug the kernel with drgn, without installing any debuginfo packages, on Oracle Linux.

This is a really cool feature that we're in the middle of upstreaming, so it's not quite present in drgn's main branch. However the article has links to all the relevant code, PRs, and issues, so you can see the process in real time, and learn how to get it working on other kernels/distros.

https://blogs.oracle.com/linux/post/introducing-ctf-support-in-drgn-for-oracle-linux

[RSS] How can I detect whether the user is running as an elevated administrator (as opposed to a natural administrator)?

https://devblogs.microsoft.com/oldnewthing/20241003-00/?p=110336

#Hacking is not just #OldSchool tooling and techniques. Modern #MobileApps are a fun target for #ReverseEngineers and #Pentesters alike. A fundamental tool to properly hack mobile apps is @fridadotre by @oleavr.

We continue our tour of my @github projects with my humble contributions to this field:
https://github.com/0xdea/frida-scripts

For a well-maintained project that includes some of my #Frida scripts, check out #Brida by @apps3c and Piergiovanni Cipolloni:
https://github.com/federicodotta/Brida

And even after many years, if you search for well-crafted Frida scripts to bypass certificate pinning or root detection, there’s a very good chance that you’ll stumble upon the work of some of my colleagues… Very proud of my team at @hnsec!

New Project Zero issue:

UAF race of global maps in fastrpc_mmap_create (and epilogue functions) cause memory corruption

https://project-zero.issues.chromium.org/issues/42451715

CVE-2024-33060

New Project Zero issue:

Incorrect searching algorithm in fastrpc_mmap_find leads to kernel address space info leak

https://project-zero.issues.chromium.org/issues/42451713

CVE-2024-33060

New Project Zero issue:

Double-free (or UAF) race in possibly unused qrtr_bpf_filter_detach

https://project-zero.issues.chromium.org/issues/42451712

CVE-2024-38401

https://googleprojectzero.blogspot.com/2024/10/effective-fuzzing-dav1d-case-study.html Finally have my public post up on the bug I found in dav1d last year.

[RSS] A function for creating an absolute security descriptor from a self-relative one

https://devblogs.microsoft.com/oldnewthing/20241002-00/?p=110333

"Best email money can buy" product Zimbra has an embarrassingly bad vulnerability: CVE-2024-45519

The vulnerable code appends the attacker-provided email address to a command line and then runs it with popen() (which uses a shell). Guess what happens when the email address has a backticks, a semicolon, $(), etc?

What year is this?

Luckily the attack vector to get there (postjournal) isn't enabled by default, as there are exploitation attempts occurring in the wild:
https://infosec.exchange/@justicerage/113231837285277188

https://blog.projectdiscovery.io/zimbra-remote-code-execution/

[RSS] Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges

https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html

As I am seeing some Medium links in my timeline today, and Medium is pretty annoying (pop-overs and all). So reminder that you can just replace:

> medium.com

…with:

> scribe.rip

In any Medium link and get a wonderful simple unobtrusive reading experience instead.

#Medium #ScribeRip #AlternativeFrontends

The Cryptodifference Engine: An in-depth look at differential fuzzing for harvesting crypto bugs, by Célian Glénaz

https://blog.quarkslab.com/differential-fuzzing-for-cryptography.html

@briankrebs The first sentence really made me feel I'm living in the future, thank you!

To get rich in a gold rush, sell shovels.

https://www.sonarsource.com/lp/solutions/ai-assurance-codefix/

Matt Levine brought to my attention this insider trading case involving a dude who hacked into company computer systems to get nonpublic info and then traded on it.
https://www.sec.gov/enforcement-litigation/litigation-releases/lr-26141

What's funny to me is the application of insider trading law to computer hacking.

To prove the point that users will continue to click links, regardless of how obvious it is that they shouldn't, I worked with the person in charge of the monthly phishing trainings at $dayjob last month. Historically, they have used the hated ruses like fake gift cards, and I wanted to try to get away from that, especially during the holidays. We ended up using something to the effect of the following:

---
Hello <first name>,

Happy Holidays. This is the monthly phishing test. Yes, really. It's not a trick. Use the <phishing reporting function> to report this as phishing. If you do not know how to use <phishing reporting function>, feel free to ask a colleague. If you still have questions, search for <phishing reporting function> on <internal docs site>.

Do not click the following link as it is there for metrics and will cause you to be assigned phishing awareness training: <phishing training 'malicious' link>

Sincerely,
IT Security Team
---

I don't know how well it was received by users, but I do know that we still had more clicks than two other months in 2023, despite being explicitly told not to click the link. Users will always click links with their link-clicking machines. Relying on their discretion is either ignorant, or I expect in some cases, malicious in that there will always be a scapegoat to blame for the inevitable breach.

#phishing #infosec

I’ve been offered free credit monitoring at least 6 times in the last few years (still using my OPM one). How many breaches does it take before we prioritize real cybersecurity over cleanup offers? What's your free credit monitoring number?