A drunken debugger

Heretek of Silent Signal

We are extending our call for papers to January 1, 2025!

We are now targeting an end of January release.

If you have any Linux/ELF related research, projects, or papers, we would love to publish them!

Huge thank you to everyone who has already submitted!


We updated our CFP for Phrack 72! The deadline is now April 1st 2025. Check the site for specifics on how to contribute, as well as some inspiration! We also posted a link to purchase physical copies of Phrack 71, and a donation link too. Enjoy!

https://phrack.org


CCCS (Canada): Alert - CVE-2024-53677 - Vulnerability impacting Apache Struts 2
I see multiple government organizations emphasize the criticality of CVE-2024-53677 (CVSSv4: 9.5 critical) affecting both end-of-life and current versions of Apache Struts 2. A malicious actor can exploit this vulnerability to traverse system paths, upload malicious files, and perform remote code execution.

The Canadian Centre for Cyber Security (CCCS) is aware that a proof of concept (POC) exploit is available for this CVE.


I just replied to a blog comment, and I thought that I'd post my reply here as well:

I think that I have good reasons to be “against Avast,” having published seven articles on them so far. The security issues alone are bad enough. But Avast abused their position to collect and sell users’ browsing profiles. After they were caught they claimed the data to be anonymized, they claimed to only sell aggregated data – and they continue lying to this day, despite there being conclusive evidence to the contrary. While the company has been bought, it’s still the same people in charge. This sort of undermines any trust in them for anything related to security.

As the security of antivirus software goes, I’m not very fond of any as the articles in the “antivirus” category of my blog show. With Kaspersky it wasn’t only the security issues but also how they handled them, pushing out half-hearted fixes only for these to be circumvented shortly afterwards. McAfee and BullGuard had massive security issues stemming from being careless about security and not following best practices.

I’ve found a critical security issue in Bitdefender’s solution as well, but with them I at least had the impression that they were trying. Unfortunately, that’s currently the bar in the antivirus industry – at least trying to make their product secure.

Security-wise, one good thing about Windows Defender is that it only needs to do one job. It doesn’t need all the extra functionality as a selling argument. It doesn’t need to be a banking browser, it doesn’t need to be a phishing protection, it only needs to be an antivirus solution. It can keep a very small attack surface compared to all those antivirus suites, and so it does (yes, I checked).


yossarian (1.3.6.1.4.1.55738)

just had an interesting realization: one of the reasons people struggle to understand template injection in GHA is probably because lines like this:

```
echo "hello: ${{ expr }}"
```

...get lexed mentally as "variable expansion, followed by Jinja template."

in other words, people think the `$` comes from the shell and the `{{ }}` is the template syntax, and therefore the entire thing is quoted correctly.

in reality of course the entire `${{ .. }}` is template syntax, and has nothing to do with shell quoting/expansion rules. but `$` is mentally overloaded!

i wonder how much easier this would be to teach people if GitHub had chosen `@{{ ... }}` or even just `{{ }}` as their template syntax instead.

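An added example (not yossarian's code) that models the two-phase evaluation the post describes: GitHub substitutes every `${{ }}` expression into the `run:` script text first, and only then does the shell parse the result, so the surrounding double quotes offer no protection. It also shows the `env:` pattern that keeps the value out of the script text, plus a small check for untrusted contexts inside a `run:` script; the untrusted-context list and the sample issue title are constructed for this example.

```python
import re
import shlex

# Added example (not from the original post). GitHub evaluates every
# ${{ ... }} expression and splices the text into the `run:` script
# *before* the shell sees it, so the shell quotes around it are irrelevant.

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# Contexts an outside contributor can influence (constructed, partial list).
UNTRUSTED = {"github.event.issue.title", "github.event.pull_request.title",
             "github.event.comment.body", "github.head_ref"}

def render_run(script, ctx):
    """Phase 1 (GitHub): textual substitution of ${{ expr }} with its value."""
    return EXPR.sub(lambda m: str(ctx.get(m.group(1), "")), script)

def shell_commands(rendered):
    """Phase 2 (shell): tokenize the substituted script and split on ';'.
    $VAR references are deliberately left unexpanded: an env var expanded
    inside double quotes stays one word, so it cannot add commands."""
    lex = shlex.shlex(rendered, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok == ";":
            cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds

def find_untrusted_exprs(script):
    """Detection: expressions in a run script that read attacker-influenced contexts."""
    return sorted(m.group(1) for m in EXPR.finditer(script) if m.group(1) in UNTRUSTED)

# Constructed event payload: an issue title that closes the shell quotes.
CTX = {"github.event.issue.title": 'x"; echo INJECTED; echo "'}
VULN = 'echo "hello: ${{ github.event.issue.title }}"'
SAFE = 'echo "hello: $TITLE"'   # with  env: TITLE: ${{ github.event.issue.title }}

if __name__ == "__main__":
    print(shell_commands(render_run(VULN, CTX)))  # three commands, not one
    print(shell_commands(render_run(SAFE, CTX)))  # one command, structure intact
    print(find_untrusted_exprs(VULN))             # flags the issue-title context
```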

🎉 Announcing the latest research from our intern Michael Pastor! In it, you'll learn all about Decompression Attacks, get to practice in custom-built labs and get some free Semgrep rules for detecting flaws. Check it out today!

https://blog.doyensec.com/2024/12/16/unsafe-unpacking.html


b33f | 🇺🇦✊

I have posted the slides for the talk @chompie1337 and I gave this past weekend at @h2hconference -> The Kernel Hacker’s Guide to the Galaxy: Automating Exploit Engineering Workflows

https://github.com/FuzzySecurity/H2HC-2024/blob/main/H2HC2024_The_Kernel_Hackers_Guide_to_the_Galaxy.pdf


Google is trying to jam "AI" into all of their products but an interesting element of the way they integrated it into Android Messages is "Gemini" shows up as a conversation, which means it is actually possible to block and report it to Google as spam


Thanks to the excellent people at Rapid7 (HT @catc0n ), we can see what the full exploit looks like for CVE-2024-55956
https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

My prior hunch that I couldn't get an exploit working because I didn't have a licensed copy of the software was a red herring. Though a plausible-enough one that caused me to stop looking. 😕

My other wonder about the introduction of a call to validatePath() was also irrelevant, as that was added to the fileIn() function in 5.8.0.21. But all the fun here happens in SyncIn(), so this change does nothing related to this vulnerability. You can still use directory traversal or even specify a full path (even a UNC one) for the target file.

So with the Rapid7 technique, we can confirm the arbitrary creation of files on a 5.8.0.21 system, as well as the triggering of what would be RCE via creating a file in the autorun directory, even on an unlicensed instance of LexiCom. Because my VM isn't licensed, the exploit stops short of triggering the RCE using this technique. But clearly we can stop here with our repro analysis, as all the parts are here. 😀


The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED BUT REPULSIVE", "WRONG BUT WROMANTIC", "FREQUENTLY MISUNDERSTOOD", "NOBODY BOTHERS WITH THIS BIT", "SHOULDN'T REALLY BUT WE WON'T JUDGE", "REQUIRED IN ORDER TO WORK AROUND EVERYONE ELSE'S BUGS", "YOU DO YOU", and "OBVIOUSLY ABSURD BUT VERY COMMON FOR SOME REASON" in this document are to be interpreted as described in RFC 2119.


Lorenzo Franceschi-Bicchierai

NEW: Amnesty International has documented two cases where Serbian authorities used Cellebrite to unlock the phones of a journalist and an activist.

And then they installed spyware on the devices.

In a way, this is a return to the old days of government spyware, where remote attacks were rare and impractical, and cops needed to get their hands on targets' computers.

https://techcrunch.com/2024/12/15/serbian-police-used-cellebrite-to-unlock-then-plant-spyware-on-a-journalists-phone/


as a sysadmin this so much. It’s one thing to say “oopsie something went wrong” and provide a button for the professionals to see where it went wrong and it’s another to just not provide any diagnostic information so I get to debug a black box.

#shitpost


Just returned from . I presented my research on how server-side HTML sanitization is a security nightmare due to the mess that is HTML parsing.

If you are interested in learning more on that topic, please check out the following resources:
Github: https://github.com/ias-tubs/HTML_parsing_differentials
Our S&P '24 Paper: https://www.ias.cs.tu-bs.de/publications/parsing_differentials.pdf
Slides will be available shortly.

Or get in touch :)

Huge thanks to @BlackHatEvents, @InfosecVandana, and all the other great folks who made this such an amazing experience.

@nf3xn Because it's how statistics work: sometimes you end up on the other path. And as they say, when you are large enough, 1 in a million is next Tuesday.

Good and interesting presentation by Joe Bialek:

Pointer Problems – Why We’re Refactoring the Windows Kernel:

https://t.co/Qwz0zk3CLH


@nsg650 Technically yes, but the system would immediately crash if you enabled it since user mode access happens constantly from ring 0. They are working to enable it for real some time in the future.


Important news: Microsoft is working to bring SMAP into Windows

https://bird.makeup/@ale_sp_brazil/1868496728275452261

@floyd I don't do mobile personally so can't tell, but I've heard about similar cases (no clue how they were resolved).