[RSS] On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025

https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025

“What if I Simply put tailscale in initramfs?”: statements dreamed up by the utterly deranged (that is, @jyn ). Very cool blog post on remotely unlocking an encrypted boot partition: https://jyn.dev/remotely-unlocking-an-encrypted-hard-disk/

So who at Argo CD is sleeping? 68 days old report of RCE with POC reported accordig to procedure as it should, tried poking slack, mail... No ack. Wondering if just full disclosure is the way. Please ping me, not my finding but will relay.

📣 Help needed! For our upcoming #RSAC talk, @boblord and I are studying cyber near misses, moments where serious harm was narrowly avoided, and what we can learn from them. These near misses might apply to software development, or to network defense. (Please boost for reach! 🙏)

We are hoping to surface general patterns using some (anonymized) examples.

If you’re willing, reply with a high-level response to one or two of these prompts. Anonymize as appropriate, and/or send to us in DMs if you prefer:

* What lesson did an organization fail to learn after a near miss, even though it seemed obvious at the time?
* Describe a time when you discovered something and thought “If we didn’t catch this now, it would have been baaaaad”.
* Describe a time when you dealt with a software vulnerability in your systems that was being actively exploited elsewhere, but (as far as you could tell), not in yours. What saved the day?
* What repeated “almost failures” do you see getting normalized or waved away as acceptable risk?
* Can you recall a near miss triggered by a third party such as a researcher report, customer question, bug bounty submission, or vendor advisory that revealed a bigger issue than expected?
* Can you think of a near miss where the most important factor was not a security control, but a human action like someone double-checking, questioning an alert, or escalating a “weird feeling”?

Thanks!

OMG. -froot bug resurfaced. https://seclists.org/oss-sec/2026/q1/89

I see the headlines, "10 years old bug".

My friends, this bug is older. Much older. Not this particular instance, but it is a classical mistake to make. It's a command line injection when calling the login executable.

Some people point to CVE-2007-0882. Solaris had that, almost 20 years ago.

But it's even older than that. It's so old it predates the CVE system. I don't remember exact dates, but we popped Linux and AIX boxes with that, mid 90s.

But it is *even older* than that. Have a look at System V R4, ©1990, getty calling login with unsanitized input:

https://github.com/calmsacibis995/svr4-src/blob/7dabeda6fc10bd1bbd1a84d502f05642b1bf0c9e/cmd/getty/getty.c#L526

But how deep does the rabbit hole go? When was this bug introduced?

Getty called login with user input since the dawn of time (UNIX V2, 1972):

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/getty.s

But this predates command line arguments in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/login.s

So, when did this particular command line feature of login appear?

In the BSD universe, -f was introduced with POSIX compatibilitiy in 4.3BSD-Reno:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/login/login.c

But someone paid attention and filtered out user names starting with - in getty:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/libexec/getty/main.c

RCS timestamp says 6/29/1990, so same age as SysV R4.

The original 4.3BSD (1986) doesn't filter the user name:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/getty/main.c

And it does have a -r option in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/bin/login.c

Exploitable? No idea, argv processing might be a problem. I'll find out another day.

In conclusion: bug existed since 1990, it's so easy to make when implementing POSIX that it keeps resurfacing, and at least one person in Berkeley knew since day 0.

Today, on the International Day of Education, we are reminded that digital skills are essential for everyday life and for future-proof jobs.

Europeans are clear about this priority: 92% agree that digital skills should be taught to everyone, at all levels of education.

Learn more about the different EU initiatives to support and promote excellence in digital skills:

🔗https://link.europa.eu/rMg4dk

And check out the new "Future needs in digital education" report:

🔗https://link.europa.eu/JMtTcR

Bunnie's about to release a dev board for his BaoChip:

https://www.crowdsupply.com/baochip/dabao

I really wish someone who broke into the e.g. AMD PSP would explain how they did it

not because I wanna write malware, but because there's an ARM CPU in my PC that I paid for then dammit that thing is mine and I'mma program for it 😡

COMPART/NICKDR.GIF

Hacker pro tip:

If you get someone's creds and try to attach to their Entra account, maybe change the user agent string to something other than 'AADInternals'.

Join @vulncheck next week for our new In the Wild webcast series! This month, our research team will do a deep dive on developing an exploit for Gladinet Triofox CVE-2025-12480, a process that wound up being significantly more complex than expected.

Wednesday, Jan. 28 @ 1 PM ET (and the last Wednesday of every month!)

https://wwv.vulncheck.com/in-the-wild-with-vulncheck-webinar-series

When you get a screenshot of an individual window in Windows, using either Alt + PrtScn or the fancy new Snipping Tool, you also capture the contents of whatever is behind the window around the edges.

Linux doesn't do this.
macOS doesn't do this.
Just Windows.

Why are expectations for how Windows works so low?
Or has Microsoft crafted a world where they are not required to care?

CVE-2025-56005 - If you pass untrusted data in the `run_this_code` parameter of bar() of library foo then untrusted code gets executed. This is a vulnerability, because it's not documented that `run_this_code` will run code.

Developer resigned:
https://github.com/dabeaz/ply/commit/9d7c40099e23ff78f9d86ef69a26c1e8a83e706a

#cve #slop #FOSS

I took a slip from my tea mug. It wasn't the rum I expected.

I'm deeply disappointed.

Have we considered suggesting DNS-over-ChatGPT yet?

With TikTok now going to be owned by Larry Ellison and Emerati MGX/G42, the concerns about it being used as a government propaganda machine really are totally put to rest. Phew!

(My hope remains that this move will ruin the product and the kids will move on.)

Microsoft is handing over Bitlocker keys to law enforcement. https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

🚩✊ Friday is Dependency Deletion Day! Today on the chopping block: whatever library you use to encode and decode Base64. Nowadays Uint8Array has built-in toBase64() and fromBase64() methods that support all the flavors you can think of: with or without padding, with or without URL safety… no more need for that crusty old dependency! Free your node_modules, use native Base64 APIs!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array/toBase64

[RSS] Firefox / WebRTC Encoded Transforms: UAF via undetached ArrayBuffer / CVE-2025-1432

https://aisle.com/blog/firefox-webrtc-encoded-transforms-uaf-via-undetached-arraybuffer-cve-2025-14321

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/