just had an interesting realization: one of the reasons people struggle to understand template injection in GHA is probably because lines like this:

```
echo "hello: ${{ expr }}"
```

...get lexed mentally as "variable expansion, followed by Jinja template."

in other words, people think the `$` comes from the shell and the `{{ }}` is the template syntax, and therefore the entire thing is quoted correctly.

in reality of course the entire `${{ .. }}` is template syntax, and has nothing to do with shell quoting/expansion rules. but `$` is mentally overloaded!

i wonder how much easier this would be to teach people if GitHub had chosen `@{{ ... }}` or even just `{{ }}` as their template syntax instead.

#security #opensource

🎉Announcing the latest research from our intern Michael Pastor! In it, you'll learn all about Decompression Attacks, get to practice in custom-built labs and get some free Semgrep rules for detecting flaws. Check it out today!

https://blog.doyensec.com/2024/12/16/unsafe-unpacking.html

#appsec #doyensec #semgrep

I have posted the slides for the talk @chompie1337 and I gave this past weekend at @h2hconference -> The Kernel Hacker’s Guide to the Galaxy: Automating Exploit Engineering Workflows #H2HC

https://github.com/FuzzySecurity/H2HC-2024/blob/main/H2HC2024_The_Kernel_Hackers_Guide_to_the_Galaxy.pdf

Google is trying to jam "AI" into all of their products but an interesting element of the way they integrated it into Android Messages is "Gemini" shows up as a conversation, which means it is actually possible to block and report it to Google as spam

Thanks to the excellent people at Rapid7 (HT @catc0n ), we can see what the full exploit looks like for CVE-2024-55956
https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

My prior hunch that I couldn't get an exploit working because I didn't have a licensed copy of the software was a red herring. Though a plausible-enough one that caused me to stop looking. 😕

My other wonder about the introduction of a call to validatePath() was also irrelevant, as that was added to the fileIn() function in 5.8.0.21. But all the fun here happens in SyncIn(), so this change does nothing related to this vulnerability. You can still use directory traversal or even specify a full path (even a UNC one) for the target file.

So with the Rapid7 technique, we can confirm the arbitrary creation of files on a 5.8.0.21 system, as well as the triggering of what would be RCE via creating a file in the autorun directory, even on an unlicensed instance of LexiCom. Because my VM isn't licensed, the exploit stops short of triggering the RCE using this technique. But clearly we can stop here with our repro analysis, as all the parts are here. 😀

The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED BUT REPULSIVE", "WRONG BUT WROMANTIC", "FREQUENTLY MISUNDERSTOOD", "NOBODY BOTHERS WITH THIS BIT", "SHOULDN'T REALLY BUT WE WON'T JUDGE", "REQUIRED IN ORDER TO WORK AROUND EVERYONE ELSE'S BUGS", "YOU DO YOU", and "OBVIOUSLY ABSURD BUT VERY COMMON FOR SOME REASON" in this document are to be interpreted as described in RFC 2119.

NEW: Amnesty International has documented two cases where Serbian authorities used Cellebrite to unlock the phones of a journalist and an activist.

And then they installed spyware on the devices.

In a way, this is a return to the old days of government spyware, where remote attacks were rare and impractical, and cops needed to get their hands on target's computers.

https://techcrunch.com/2024/12/15/serbian-police-used-cellebrite-to-unlock-then-plant-spyware-on-a-journalists-phone/

Platform.sh team finds auth bypass in Go SSH package https://platform.sh/blog/uncovered-and-patched-golang-vunerability/

as a sysadmin this so much. It’s one thing to say “oopsie something went wrong” and provide a button for the professionals to see where it went wrong and it’s another to just not provide any diagnostic information so I get to debug a black box.

#shitpost

Just returned from #BHEU. I presented my research on how server-side HTML sanitization is a security nightmare due to the mess that is HTML parsing.

If you are interested in learning more on that topic, please check out the following resources:
Github: https://github.com/ias-tubs/HTML_parsing_differentials
Our S&P '24 Paper: https://www.ias.cs.tu-bs.de/publications/parsing_differentials.pdf
Slides will be available shortly.

Or get in touch :)

Huge thanks to @BlackHatEvents, @InfosecVandana, and all the other great folks who made this such an amazing experience.

@nf3xn Because it's how statistics work: sometimes you end up on the other path. And as they say, when you are large enough, 1 in a million is next Tuesday.

🍿🍿🍿
https://youtu.be/6hVe_spuJQI

Good and interesting presentation by Joe Bialek:

Pointer Problems – Why We’re Refactoring the Windows Kernel:

https://t.co/Qwz0zk3CLH

#microsoft #windows #kernelsecurity #programming

@nsg650 Technically yes, but the system would immediately crash if you enabled it since user mode access happens constantly from ring 0. They are working to enable it for real some time in the future.

Important news: Microsoft is working to bring SMAP into Windows

https://bird.makeup/@ale_sp_brazil/1868496728275452261

@floyd I don't do mobile personally so can't tell, but I've heard about similar cases (no clue how they were resolved).

@floyd Precious jailbreakable phones on different versions. Corellium is nice but doesn't support some important I/O like NFC.

#ai #infosec #InfosecMemes

It's one thing that educated people think that using parrots on acid to generate headlines is a good idea. What's terrifying is that people try to spare the work of writing 3 short sentences.

https://www.bbc.com/news/articles/cd0elzk24dno

Why every app icon has to be blue?