So i wrote this on the other site (the short messages wannabe porn site) and predictably got just a single response.
Perhaps here I would fare better?

Reading the Qualys writeup about the OpenSSH race condition RCE it occurred to me that there should be a book titled "Beautiful Exploits" in which a handful of beautiful exploits are explained and their philosophical and historical implications are discussed.

Which ones you'd pick?

Meta claims that the "ad-free subscription" (Pay-or-Consent) model has been "approved" by the Court of Justice of the European Union (indeed ot opined on the matter). It states that this model is compatible with the DMA. An interesting case developing. Very well.

When it comes to Qualys, in the context of the OpenSSH vuln, I'll just repeat what I said a while back:

"I'm impressed with the Qualys security research team. Not only because they are clearly talented and have an impressive portfolio of high-impact findings - but because in an era of vanity domains and logos for bugs, they're keeping the 1990s research aesthetics alive."

Truth to be told, Qualys might be the only group still regularly doing this kind of "basic stack" research. Almost all the vuln research has shifted elsewhere, largely in response to financial incentives.

Do you like Splunk? Do you like them enough to read 18* security advisories?

1. SVD-2024-0701 Missing CVE ID (8.8 high) Remote Code Execution through dashboard PDF generation component
2. SVD-2024-0702 CVE-2024-36982 (7.5 high) Denial of Service through null pointer reference in “cluster/config” REST endpoint
3. SVD-2024-0703 CVE-2024-36983 (8.0 high) Command Injection using External Lookups
4. SVD-2024-0704 CVE-2024-36984 (8.8 high) Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows
5. SVD-2024-0705 CVE-2024-36985 (8.8 high) Remote Code Execution (RCE) through an external lookup due to "copybuckets.py" script in the "splunk_archiver" application in Splunk Enterprise
6. SVD-2024-0706 CVE-2024-36986 (6.3 medium) Risky command safeguards bypass through Search ID query in Analytics Workspace
7. SVD-2024-0707 CVE-2024-36987 (4.3 medium) Insecure File Upload in the indexing/preview REST endpoint
8. SVD-2024-0708 No CVE ID, informational only: OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systems
9. SVD-2024-0709 CVE-2024-36989 (6.5 medium) Low-privileged user could create notifications in Splunk Web Bulletin Messages
10. SVD-2024-0710 CVE-2024-36990 (6.5 medium) Denial of Service (DoS) on the datamodel/web REST endpoint
11. SVD-2024-0711 CVE-2024-36991 (7.5 high) Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows (cc: @reverseics)
12. SVD-2024-0712 CVE-2024-36992 (5.4 medium) Persistent Cross-site Scripting (XSS) in Dashboard Elements
13. SVD-2024-0713 CVE-2024-36993 (5.4 medium) Persistent Cross-site Scripting (XSS) in Web Bulletin
14. SVD-2024-0714 CVE-2024-36994 (5.4 medium) Persistent Cross-site Scripting (XSS) in Dashboard Elements
15. SVD-2024-0715 CVE-2024-36995 (4.3 medium) Low-privileged user could create experimental items
16. SVD-2024-0716 CVE-2024-36996 (5.3 medium) Information Disclosure of user names
17. SVD-2024-0717 CVE-2024-36997 (4.6 medium) Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint
18. SVD-2024-0718 Third-Party Package Updates in Splunk Enterprise - July 2024 (23 vulnerabilities, unknown exploitation and CVSS score statuses)

No mention of exploitation. h/t for @cR0w for the last 2 CVE IDs (I relied specifically on the RSS feed entries).

#PatchTuesday #Splunk #vulnerability #CVE

Notes on regreSSHion on musl — https://dustri.org/b/notes-on-regresshion-on-musl.html

Google Android security advisory: Android Security Bulletin—July 2024
29 security vulnerabilities, CVE-2024-31320 (EoP) is marked critical severity. Qualcomm vuln CVE-2024-21461 is also critical. 25 vulnerabilities of varying types are high severity. No mention of exploitation

• Pixel does not have a July 2024 Bulletin
• There are no Android Automotive OS security patches in the July 2024 Android Automotive OS Update Bulletin.
• Chromecast does not have a July 2024 Bulletin
• Wear July 2024 bulletin is 404 error.
• Pixel Watch does not have a July 2024 Bulletin

#PatchTuesday #Google #Android #vulnerability #CVE

Running Windows Server on Apple Silicon seems "fun"!

https://trimarcjake.github.io/blog/2024/06/24/Virtualizing-Windows-Server-2025-on-Apple-Silicon.html

just in time to celebrate infosec.exchange returning, Cisco zero day: Cisco NX-OS Software CLI Command Injection Vulnerability
CVE-2024-20399 (6.0 medium) A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root. Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials.

In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild.

EDIT: Sygnia links attempted zero-day exploitation to Chinese state-sponsored threat actor it tracks as Velvet Ant (no article yet). See related Bleeping Computer reporting; Cisco warns of NX-OS zero-day exploited to deploy custom malware

cc: @campuscodi @briankrebs @cR0w @mttaggart

#CVE_2024_20399 #vulnerability #zeroday #cisco #cve #eitw #cyberespionage #velvetant #china

A new blog from ZDI Researcher Yulin Sung and shows how to combine 2 bugs to get unauth RCE on the #Logsign Unified SecOps Platform. These bugs were originally reported by
@mdisec
and were recently patched. Read the details (w/ PoC) at https://www.zerodayinitiative.com/blog/2024/7/1/getting-unauthenticated-remote-code-execution-on-the-logsign-unified-secops-platform

This is a really interesting vulnerability, but *the Internet is not on fire.* Please read the actual advisory before spreading FUD. If you can't understand the original advisory, please get someone to explain it to you.

In short, the exploit has only been proven against x86 versions - NOT x64. That's important because finding the right address to return to in x64 is exponentially harder in x64 than x86.

This is definitely a "don't delay patching" moment, but not a "OMG, get an outage window NOW" moment. Monitor for updates though, that could change (though highly unlikely IMO).

This is also a great time to talk about zero trust. The foundational principle here is "deny all, permit by exception." Most orgs don't need SSH open to the whole Internet. Yes, ACLs are a pain to use. But you're getting a lot back in security. That's true for times like these, but it's also makes credential compromises harder to meaningfully exploit.

As an aside, if you can't do IP ACLs for SSH (and everyone *can*, it's just a question of overhead to maintain), consider changing the default port for SSH. In some testing, that's dropped my failed login attempts by more than 95% (98%+ if you don't make it something obvious like 2200, 2222, or 2022).

Finally, let's talk monitoring. It took @qualys researchers about a week to get a root shell. And that's for the x86 version (which again, is infinitely easier to trigger than in x64). So even if you can't just allow list a few IP addresses, you can for sure block list IPs that are hammering your server with ~10,000 exploit attempts. And before someone says "but Jake, what if they use a distributed network" - okay, but still block the obviously malicious IPs?

Great work by the Qualys team. There aren't many that can turn something like this into RCE - even in controlled environments.
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

The YouTube playlist for #OST2 “Exploitation 4011: Windows Kernel Exploitation: Race Condition + UAF in KTM” class by Cedric Halbronn @saidelike is now public for those who like to download videos: https://www.youtube.com/playlist?list=PLUFkSN0XLZ-nl4HEX4_LWG9H_d9vJKkYL

But the best way to learn the material is with the full class at ​https://ost2.fyi/Exp4011.​ This class assumes you've already taken "x86-64 OS Internals" https://ost2.fyi/Arch2001, "Windows Kernel Internals 2" https://ost2.fyi/Arch2821, and "Advanced WinDbg" https://ost2.fyi/Dbg3011

This is an advanced level class that teaches you how to exploit a race condition vulnerability leading to a use-after-free in the Kernel Transaction Manager (KTM) component of the Windows kernel. This class is meant to show the approach an exploit developer should take in attacking a previously unknown component in the Windows kernel.

Java – Cracking the Random: CVE-2024-29868

https://labs.yarix.com/2024/06/cve-2024-29868/

#java #rce #infosec #exploit #cve #hacking

This presentation by @GabrielLandau introduces a new vulnerability class where you can play double fetch with file operations:

https://github.com/gabriellandau/ItsNotASecurityBoundary/blob/main/Slides/REcon%20Montreal%202024%20Smoke%20and%20Mirrors%20-%20Driver%20Signatures%20Are%20Optional.pdf

My educated guess is that this is a massive problem for AV's, as they operate across privilege boundaries (user->SYSTEM, but I can even think of remote scenarios) and implement tons of file parsers, often from third parties. I hope I can look into specifics soon...

#reconmtl #recon2024 #recon24

Remote Unauthenticated Code Execution #Vulnerability in #OpenSSH server

Affected versions:
- OpenSSH versions earlier than 4.4p1
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable
- Versions from 8.5p1 up to, but not including, 9.8p1

Details:
- https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

For loops have many uses.

[ Text link: https://godbolt.org/z/1cso144nM ]

This week at Config I gave a talk about pixel fonts that I think turned out really well.

It’s called “In defense of an old pixel,” and I don’t think I ever worked harder on a talk before. Check it out here! (25 minutes)

https://www.youtube.com/watch?v=SDI8ubVZi7w

The good news is:

It comes in pints!

I decided to fix this really easy looking UI issue in the Carthographer #Ghidra ext, and now I'm at 1 open Issue and total confusion about how did this thing ever work with the sample that triggered me in the first place o.O

https://github.com/datalocaltmp/RECON-2024

#reconmtl #recon2024 #recon24

Girls' #skateboarding is super impressive these days:

Just saw 14 year old Arisa Trew (first female to land the 900 earlier this year, 25 years after Tony Hawk's epic X Games V session) and 9 (!) year old Mia Kretzer win gold at the #xgames, and now check out 12 year old Reese Nelson's profile here:

https://www.nytimes.com/athletic/5587396/2024/06/28/reese-nelson-tony-hawk-x-games/

Really appreciated @GabrielLandau’s #recon24 talk’s callout of challenges in responsible disclosure and how vendors not making a reasonable effort to work with researchers and their timelines makes those vendors less likely to receive all the security bug reports they otherwise could