@xairy @linkersec On the logic error side this deck from @gergelykalman also worth a look: https://gergelykalman.com/the-forgotten-art-of-filesystem-magic-alligatorcon-2024-slides.html

@linkersec The bug exploited in the article appears to have also been reported by syzbot last year. And looks like it haven't been fixed upsteam yet, only in Ubuntu.

syzbot report: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
Ubuntu fix: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit?h=Ubuntu-6.8.0-57.59&id=09ad3b1e99befe042ae5219e4020eb54411d98ef

Linux kernel hfsplus slab-out-of-bounds Write

Outstanding article by Attila Szasz about exploiting a slab out-of-bounds bug in the HFS+ filesystem driver.

The author discovered that Ubuntu allows local (not remote/SSH'd) non-privileged users to mount arbitrary filesystems via udisks2 due to the used polkit rules. This includes filesystems whose mounting normally requires CAP_SYS_ADMIN in the init user namespace.

The article thoroughly describes a variety of techniques used in the exploit, including a cross-cache attack, page_alloc-level memory shaping, arbitrary write via red-black trees, and modprobe_path privilege escalation.

https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/

🦘🛜Compromising bastion host to gain full control over the internal infrastructure.
Read more about the vulnerabilities we uncovered in JumpServer in our recent blog post:

https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-diving-into-jumpserver-attackers-gateway-to-internal-networks-250319-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social

#appsec #security #vulnerability

🌪️ TyphoonPWN is back for its 7th year at TyphoonCon! 💻💰
This year, we’re offering up to $70,000 for discovering and exploiting Linux Privilege Escalation vulnerabilities.
Remote participation is allowed, so grab your gear, sharpen your knowledge, and sign up: https://typhooncon.com/typhoonpwn-2025/

@greg ccls.nvim worked best so far, but now I'm wrestling with Emacs where I expected components like the tree buffers to be better integrated. Now I'm stuck because the keys for file manipulation don't seem to work if the tree displays code elements :P

@hajovonta Yeah, I got into this because I want static tooling :/

@greg Maybe disqualifying coc because of node was a mistake on my end...

@hajovonta Apparently people did the implementation, but documentation is seriously lacking. Unfortunately I don't feel I have the experience to contribute, otherwise I'd just open PR's like crazy.

Do you happen to have a solution for Emacs to generate call hierarchies (func1--calls-->func2) without LSP?

In case anyone is wondering why people use VSCode: I spent most of the day configuring LSP's for graybeard editors (vim/emacs) and God my head hurts!

[RSS] Advisory X41-2025-001: Multiple Vulnerabilities in OpenSlides

https://x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides/

THIS IS HUGE!
"Signal would exit the French market before it would comply with this law as written"

What next HTTPS?

@Mer__edith President of Signal
@signal.org

How is that Sourcetrail development was not picked up by anyone?

https://github.com/CoatiSoftware/Sourcetrail

Useful piece. Solar panels are largely cloud managed, and now in The Netherlands alone create the same power as 50 of our nuclear power plants. If you switch this 25GW on/off remotely, the consequences could be huge. And we do not regulate these cloud platforms at all: https://www.dw.com/en/how-hackers-capture-your-solar-panels-and-cause-grid-havoc/a-71593448

It seems that our Veeam CVE-2025-23120 post is live.

I would never do this research without @SinSinology He insisted a lot, thx man. 😅

If you know CVE-2024-40711, this vuln can be patch-diffed and exploit armed in 5 minutes. Unfortunately, it's super simple at this point.

https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/

[RSS] You can't simulate keyboard input with PostMessage, revisited

https://devblogs.microsoft.com/oldnewthing/20250319-00/?p=110979

Love the prank call example :D

Our first video from RE//verse 2025 is live! Part journey of personal discovery, part technical deep-dive, this presentation from Markus Gaasedelen was the highest rated in the feedback survey and is a must-see talk: https://youtu.be/hGlIkgmhZvc