Sometimes Google's AI results are accurate.

That brings Day 3 of #Pwn2Own Ireland to a close. We awarded $118,750 today, bringing the total to $993,625. With four more attempts tomorrow, $1 million is right there for the taking. Viettel Cyber Security (@vcslab) maintains their Master of Pwn lead and looks unstoppable.

People keep asking me why we wrote a new clean-slate RTOS for #CHERIoT. The short answer is that CHERIoT is a hardware-software co-design project and retrofitting ground-up co-design is hard. The longer answer is in this post

Unfortunately, ExLuck (@ExLuck99) of ANHTUD was unable to complete his SOHO S=mashup in the time allotted. HE was able to get into the Synology router but couldn't successfully pivot to the Canon printer.

There's only a week or so left on the RE//verse submissions! If you're interested in speaking at the inaugural event, make sure to get your submission in ASAP! Submissions will be closing some time after Nov 1.

https://sessionize.com/re-verse

Hello, I am planning to go to CCC this year. The only thing missing are the tickets. I would really appreciate it if you could help me and my wife get tickets. Thank you!

I presented about file formats identifiers at HackLu:
https://youtu.be/PBbld8xB2Bo

CVE-2024-8260: SMB Force-Authentication Vulnerability in OPA Could Lead to Credential Leakage https://www.tenable.com/blog/cve-2024-8260-smb-force-authentication-vulnerability-in-opa-could-lead-to-credential-leakage

MS Streaming Service Privilege Escalation PoC https://github.com/Dor00tkit/CVE-2024-30090

PoC for the Untrusted Pointer Dereference in the ks.sys driver https://github.com/varwara/CVE-2024-35250

Analysis of CVE-2024-8698 in KeyCloak https://huydoppa.hashnode.dev/analyst-cve-2024-8698-keycloak-with-zero-knowledge-about-keycloak

Confirmed! In the penultimate attempt of Day 2, @daankeuper, @xnyhps, and @notkmhn from @sector7_nl combined 4 bugs, including a command injection and a path traversal to going from the QNAP QHora-322 to the TrueNAS Mini X. They earn $25,000 and 10 Master of Pwn points. #Pwn2Own

Unfortunately, the Viettel Cyber Security (@vcslab) could not get their exploit of the Ubiquiti AI Bullet working within the time allotted.

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Hot off the press!

• CVE-2024-37383 (6.1 medium( RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
• CVE-2024-20481 (5.8 medium) Cisco ASA and FTD Denial-of-Service Vulnerability

#cisa #kev #cve #zeroday #vulnerability #eitw #activeexploitation

An idea I recently heard on a parenting podcast really resonated with me. Tech has created a generation of people used to instant gratification.

Hungry? Open an app. Want to listen to music? Open an app. Bored? Open an app.

However a lot of needs in life can’t be gratified instantly and we now have many people, both adults and kids, who simply don’t know how to handle that. We now have entire subcultures whose main dysfunction is they can’t just get what they want without work and they’re mad.

This is another plus to hosting your own work, by the way. They can still take it up the chain to my service providers, but I don’t have to worry about filing a counterclaim with the webhost because I AM the webhost.