"I'm interested in all kinds of astronomy."
[RSS] Pwn everything Bounce everywhere all at once (part 2)

http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part-2.html

New pre-auth RCE exploit chains for old SOPlanning bugs #NoCVE
[RSS] Pwn everything Bounce everywhere all at once (part 1)

http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part-1.html

Blast from the past: new, configuration independent exploitation method of CVE-2009-1151 (pre-auth RCE in phpMyAdmin)
@freddy IME consultants (incl. pentesters) are hired in large part to outsource responsibility. We all know testing can't be perfect, but if there was a test and still there was an exploited bug, you have a scapegoat.

Example: you discover 10 SQLis, which is a lot. Dev fixes all of them but doesn't go any further in root cause analysis. When the 11th SQLi gets exploited it will be the pentester's fault that it was not in the report, because a) people think in checkbox lists b) doing proper analysis is expensive c) the consultant is not "one of us" ...

Mildly amusing: this Aussie dude got fed up with people parking in his driveway so he installed a motion-activated sprinkler.


We found out that machines performed 7% better if we trapped them in an endless loop of profound existential anguish

@lcamtuf "given the opportunity to pretend to be an AI" is genius!
This is a pretty good summary of #pentest as a profession:

https://www.reddit.com/r/Pentesting/comments/1ixoq2g/pentesting_is_the_hardest_cybersecurity/

(I don't think comparisons to other fields make much sense though)
@yeslikethefood @raptor For some time I went to IT expos for the target trialware
[RSS] Reverse Engineering PowerPoint's XML to Build a Slide Generator

https://merlinai.framer.website/blog/ppt-generator
Fediverse is protecting my mental health by not showing my own posts to me again
Look at this gem I just found:

Using WinDbg Over KDNet on QEMU-KVM

https://www.osr.com/blog/2021/10/05/using-windbg-over-kdnet-on-qemu-kvm/

"The enlightenments that are enabled by default include setting the hypervisor ID to the same ID that’s reported by Microsoft Hyper-V (which is “Microsoft Hv”). [...] when the KDNet transport initializes, it checks the hypervisor ID, and if it discovers it is running under Microsoft Hyper-V [...] it attempts to open a debugger connection using an undocumented protocol over a synthetic hypervisor-owned debug device that Hyper-V provides."

I'll give this a shot tomorrow on Proxmox and I'll drink something strong if modifying the hypervisor ID actually solves my issues! :D

#windbg #reverseengineering #proxmox #kvm
@mttaggart @cR0w @Sempf +1 for disposable VM's/containers vs the cluttered mess these "purpose built" distros are!

*Proud to be n00b*

Time spent getting the vulnerable software and deploying it: ~10 hours

Time spent writing the exploit: 14 minutes

"Chrome Browser Exploitation: from zero to heap sandbox escape - Matteo Malvica - NDC Security 2025" https://www.youtube.com/watch?v=RL2po1swXO4
#pol
@hajovonta @kravietz Is the infrastructure better in the UA offering? If the infra isn't there at the UA side either, then this factor you described doesn't seem to affect the positions of the parties involved.

JSON Web Keys have a very peculiar property. It is a cryptographic key serialization format where public and private keys look almost the same. The only difference is that private keys contain more values. This means one can accidentally use a private key instead of a public key. Which works, but isn't very secure.
After my recent presentation at the @owasp_de Day, I was asked to have a look at OpenID Connect keys. Which are, well, in JWK format. I guess you can see where this is going.
https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html

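The mix-up described in the post above is easy to check for on the defending side: a published JWKS should contain only public members, so any key carrying the private-only members from RFC 7518 (or the symmetric key value itself) has leaked. The following audit script is an added example, not code from the post or from the linked write-up; the JWKS it scans is constructed, with placeholder base64url values instead of real key material.

```python
import json

# Private-only JWK members per RFC 7518 (plus "d" for OKP keys per RFC 8037).
# A symmetric "oct" key is secret in its entirety, so its "k" value is listed too.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}

def leaked_members(jwk):
    """Return the private-only members present in a single JWK, sorted."""
    return sorted(PRIVATE_MEMBERS.get(jwk.get("kty"), set()) & set(jwk))

def audit_jwks(jwks_json):
    """Scan a JWKS document and report keys that carry private material.

    Returns a list of (kid, kty, [leaked members]) tuples; an empty list means
    the set contains only public values, as a jwks_uri document should.
    """
    keys = json.loads(jwks_json).get("keys", [])
    findings = []
    for key in keys:
        leaked = leaked_members(key)
        if leaked:
            findings.append((key.get("kid"), key.get("kty"), leaked))
    return findings

def to_public(jwk):
    """Strip private-only members so the key is safe to publish."""
    private = PRIVATE_MEMBERS.get(jwk.get("kty"), set())
    return {name: value for name, value in jwk.items() if name not in private}

# Constructed sample JWKS (placeholder values, not real keys): the EC key is a
# proper public key; the RSA key was published together with "d", "p" and "q".
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "AAAA", "y": "BBBB"},
        {"kty": "RSA", "kid": "rsa-1", "n": "CCCC", "e": "AQAB",
         "d": "DDDD", "p": "EEEE", "q": "FFFF"},
    ]
})

if __name__ == "__main__":
    for kid, kty, leaked in audit_jwks(SAMPLE_JWKS):
        print(f"{kid} ({kty}) exposes private members: {', '.join(leaked)}")
```

Running the same check against the keys after `to_public` has stripped them returns no findings, which is the state a deployed JWKS endpoint should be in.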