"I'm interested in all kinds of astronomy."
[RSS] Exploiting the Synology DiskStation with Null-byte Writes

https://blog.ret2.io/2025/04/23/pwn2own-soho-2024-diskstation/
@MegaMichelle I wouldn't outrule self-hosted options, but tailoring Nextcloud for this seems too much effort. Mobilizon looks really cool though, I'll give it a shot, thanks for the tip!
@somebody I would very much want to tear down FB's effective monopoly in event organization, and I even have a fully anonymized plan, but this particular request is unrelated ;)
@somebody I don't need names or any PII other than a (disposable) e-mail address to send notifications to.

So, any suggestions?
@kirakira Time to register the lib and add some (fake) ransomware code
Any tips for a privacy respecting, free event organization platform? I'm thinking about features like:

- Some rich text + images hosted online for the event
- Subscription form to get updates
- Stats about expected attendance
- ??? (this is my first time)

Edit: I don't charge anything for the event, so percentage commission can work.
MEDA 43HA analogue computer formerly used at the Paks nuclear power plant

https://muzeuldecalculatoare.ro/2020/06/11/the-meda-43-analog-hybrid-computer/

The FastCGI library, mostly used in embedded equipment, was vulnerable for decades to an integer overflow over the IPC socket on 32-bit architectures. Check out how @shiropycatchown found it and exploited it for RCE!
https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library


I know Chrome is the browser everybody loves to hate, but I think most would agree this would be very bad.

https://www.axios.com/2025/04/23/open-ai-google-chrome


If you haven't seen it yet, make sure to check out another great RE//verse talk, Code reuse and attribution: best friends and worst enemies from Max 'Libra' Kersten (https://youtu.be/GPT1IksBkaI)


Ryan Castellucci (they/them) nonbinary_flag

Coworker: ...and the IP addresses are compared with a string match.
Me: grinning manically
Coworker: Why are you looking at me like that?
Me: Open up a terminal and type ping 4.2.514 and hit enter.
Coworker: ...what's the fourth number?
Me: grin widens Just hit enter.
Coworker: WTF!?


Spring is here, and the cable plugs are blooming.


Google is what happens when a system forgets why it was built but remembers how.


We have identified some security vulnerabilities (CVE-2025-1731) in Zyxel USG FLEX H Series firewall appliances, that allow local users with access to a Linux OS shell to escalate privileges to root.

https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731


🐣 HAPPY EASTER FROM PHRACK 🐣

SPECIAL CrackMe Easter-2025 Challenge ONLINE NOW.

👉ZGlnICtzaG9ydCBlZ2c/Pz8/LnBocmFjay5vcmcgVFhU👈

Go find the EGG by solving the riddle :>

https://github.com/phrackzine/crackme


If you heard about that hacking of the voices of traffic light crosswalks in the US recently, the root cause is the devices all had the password '1234' and an app to reprogram the devices was on the Apple app store.
https://www.theregister.com/2025/04/19/us_crosswalk_button_hacking/
