OMG. -froot bug resurfaced. https://seclists.org/oss-sec/2026/q1/89

I see the headlines, "10 years old bug".

My friends, this bug is older. Much older. Not this particular instance, but it is a classical mistake to make. It's a command line injection when calling the login executable.

Some people point to CVE-2007-0882. Solaris had that, almost 20 years ago.

But it's even older than that. It's so old it predates the CVE system. I don't remember exact dates, but we popped Linux and AIX boxes with that, mid 90s.

But it is *even older* than that. Have a look at System V R4, ©1990, getty calling login with unsanitized input:

https://github.com/calmsacibis995/svr4-src/blob/7dabeda6fc10bd1bbd1a84d502f05642b1bf0c9e/cmd/getty/getty.c#L526

But how deep does the rabbit hole go? When was this bug introduced?

Getty called login with user input since the dawn of time (UNIX V2, 1972):

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/getty.s

But this predates command line arguments in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/login.s

So, when did this particular command line feature of login appear?

In the BSD universe, -f was introduced with POSIX compatibilitiy in 4.3BSD-Reno:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/login/login.c

But someone paid attention and filtered out user names starting with - in getty:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/libexec/getty/main.c

RCS timestamp says 6/29/1990, so same age as SysV R4.

The original 4.3BSD (1986) doesn't filter the user name:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/getty/main.c

And it does have a -r option in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/bin/login.c

Exploitable? No idea, argv processing might be a problem. I'll find out another day.

In conclusion: bug existed since 1990, it's so easy to make when implementing POSIX that it keeps resurfacing, and at least one person in Berkeley knew since day 0.

Today, on the International Day of Education, we are reminded that digital skills are essential for everyday life and for future-proof jobs.

Europeans are clear about this priority: 92% agree that digital skills should be taught to everyone, at all levels of education.

Learn more about the different EU initiatives to support and promote excellence in digital skills:

🔗https://link.europa.eu/rMg4dk

And check out the new "Future needs in digital education" report:

🔗https://link.europa.eu/JMtTcR

Bunnie's about to release a dev board for his BaoChip:

https://www.crowdsupply.com/baochip/dabao

I really wish someone who broke into the e.g. AMD PSP would explain how they did it

not because I wanna write malware, but because there's an ARM CPU in my PC that I paid for then dammit that thing is mine and I'mma program for it 😡

COMPART/NICKDR.GIF

Hacker pro tip:

If you get someone's creds and try to attach to their Entra account, maybe change the user agent string to something other than 'AADInternals'.

Join @vulncheck next week for our new In the Wild webcast series! This month, our research team will do a deep dive on developing an exploit for Gladinet Triofox CVE-2025-12480, a process that wound up being significantly more complex than expected.

Wednesday, Jan. 28 @ 1 PM ET (and the last Wednesday of every month!)

https://wwv.vulncheck.com/in-the-wild-with-vulncheck-webinar-series

When you get a screenshot of an individual window in Windows, using either Alt + PrtScn or the fancy new Snipping Tool, you also capture the contents of whatever is behind the window around the edges.

Linux doesn't do this.
macOS doesn't do this.
Just Windows.

Why are expectations for how Windows works so low?
Or has Microsoft crafted a world where they are not required to care?

CVE-2025-56005 - If you pass untrusted data in the `run_this_code` parameter of bar() of library foo then untrusted code gets executed. This is a vulnerability, because it's not documented that `run_this_code` will run code.

Developer resigned:
https://github.com/dabeaz/ply/commit/9d7c40099e23ff78f9d86ef69a26c1e8a83e706a

#cve #slop #FOSS

I took a slip from my tea mug. It wasn't the rum I expected.

I'm deeply disappointed.

Have we considered suggesting DNS-over-ChatGPT yet?

With TikTok now going to be owned by Larry Ellison and Emerati MGX/G42, the concerns about it being used as a government propaganda machine really are totally put to rest. Phew!

(My hope remains that this move will ruin the product and the kids will move on.)

Microsoft is handing over Bitlocker keys to law enforcement. https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

🚩✊ Friday is Dependency Deletion Day! Today on the chopping block: whatever library you use to encode and decode Base64. Nowadays Uint8Array has built-in toBase64() and fromBase64() methods that support all the flavors you can think of: with or without padding, with or without URL safety… no more need for that crusty old dependency! Free your node_modules, use native Base64 APIs!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array/toBase64

[RSS] Firefox / WebRTC Encoded Transforms: UAF via undetached ArrayBuffer / CVE-2025-1432

https://aisle.com/blog/firefox-webrtc-encoded-transforms-uaf-via-undetached-arraybuffer-cve-2025-14321

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/

@singe Right? I'm also glad we have oss-sec where these discussions can actually happen! I always recover some of my hope for humanity when Solar Designer enters even the most ridiculous thread in the most polite and level-headed way.

[RSS] Dead Ends, Red Herrings, and Failures In Our Time

https://www.hoyahaxa.com/2026/01/dead-ends-red-herrings-and-failures-in.html

(ColdFusion research #fail)

[RSS] Pwn2Own Automotive 2026 - Day Three Results and the Master of Pwn

https://www.thezdi.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn

90% of the time you don’t need a DevOps guy.

You need a C++ guy, a SQL guy, and one fat server with a lot of ram.

StackOverflow used to run on *one* SQL Server with a hot spare.

Peaked Alexa Rank #36, 10+ Million visits a day.