A drunken debugger

Heretek of Silent Signal
The Dark Side of EDR: Repurpose EDR as an Offensive Tool

https://www.safebreach.com/blog/dark-side-of-edr-offensive-tool/?s=09

Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/


Just released oletools 0.60.2: this is mostly a bugfix release, to address some dependency issues and compatibility with Python 3.12.
More details: https://github.com/decalage2/oletools/releases/tag/v0.60.2
How to upgrade:
pip install -U oletools
or:
pipx install oletools

Another release with new features should come soon!


found the problem

stupid fox walked all over my boards

I wrote the thing:

Import Existing #Ghidra Project to Eclipse

https://gist.github.com/v-p-b/1b60e4a18188d26207529aeb5b4edf66

In case you want to contribute to other people's work :)

#documentation #BeingGlue

We are planning to release new Mastodon security updates for versions 4.1, 4.2 and nightly this Thursday, Jul 04, at 15:00 UTC. It solves multiple security issues, including a major one. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.

Cocaine Bear > Barbie > Oppenheimer
I think my next project will be to figure out _and document_ how to import existing #Ghidra extension code into a new Eclipse project.

Are you aware of similar docs existing?
I ended up implementing this little #Ghidra Cartographer QoL improvement on top of @datalocaltmp's branch, which has much better DRCOV format handling and a couple of important bugfixes; can recommend:

https://github.com/v-p-b/Cartographer/tree/gtable

During development I ended up in a state where Ghidra would load the extension but not configure it, rendering it unusable. The solution was to delete the directory corresponding to the Ghidra version under ~/.config/ghidra.

#TIL #jetlag

Progress on the new C decompiler backend!
The model type system can now be imported into our MLIR dialect, Clift!
The PR: https://github.com/revng/revng-c/pull/1/files


SecureLayer7: Major Security Flaws in Mailcow: Inside the XSS and Path Traversal Exploits (CVE-2024-31204 and CVE-2024-30270)
Mailcow is an open source mail server software suite. CVE-2024-31204 (6.1 medium) XSS in the Admin Panel and CVE-2024-30270 (6.2 medium) arbitrary file overwrite were originally reported by SonarSource. SecureLayer7 performs patch diffing to provide a root cause analysis (proof of concept) for them.


Wow, this guy set up fake free WiFi to harvest FB logins on a plane! This is one of those always rumored, but never true attacks. Article doesn't specify just how they figured out which guy on the plane was doing it.

https://www.infosecurity-magazine.com/news/australia-police-fake-wifi-airport/

I couldn't turn it on tbh :(

#dating #tinder
Now that I'm back to the old continent, I can reveal that the real purpose of my overseas visit was to conspire with the most influential entities in the cyber domain

#DontFuckWithTheSquirrels

OpenSSH CVE-2024-6387 mitigation (on Fedora):

echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd && sudo systemctl restart sshd

I have no idea why Qualys didn't mention this. The only non-async-safe function called by the vulnerable signal handler is syslog(). So just turn off syslog and log to stderr. On systemd distros, this still ends up in the journal anyway, so you lose nothing.

I confirmed that the message at the root of the issue is logged to stderr and not syslog with this option:

[pid 638194] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 638194] getpgid(0) = 638194
[pid 638194] getpid() = 638194
[pid 638194] rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTART}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1], sa_flags=SA_RESTART}, 8) = 0
[pid 638194] kill(0, SIGTERM) = 0
[pid 638194] getpid() = 638194
[pid 638194] write(2, "Timeout before authentication for 192.168.21.10 port 37734\r\n", 60) = 60
[pid 638194] exit_group(1) = ?
[pid 638194] +++ exited with 1 +++

Edit: The problem code still calls snprintf(), which on paper is still unsafe. However, it does this a bunch of times anyway in multiple code paths, and Qualys didn't mention anything about it. A quick look through glibc code suggests that snprintf() only does unsafe things (allocate memory) if you format floats, which obviously ssh does not.

Edit 2: Turns out there is another related issue, CVE-2024-6409, which is not mitigated by this trick. However, it only affects F35 through F37 and RHEL9, since it's caused by distro patches. The mitigation above works for current Fedora releases. If you're stuck on the vulnerable range for some reason, use the LoginGraceTime 0 mitigation and update your OS ASAP since those old versions won't get the patches at all.

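To make the post's point concrete (the grace-timeout handler becomes harmless once syslog() is out of the picture and the message goes to stderr via write(2)), here is an added example, not OpenSSH code, of a SIGALRM handler for a LoginGraceTime-style timer that builds and writes the same "Timeout before authentication" line using only async-signal-safe operations. It goes one step further than the post's `-e` trick by also hand-rolling the number formatting so that not even snprintf() is called from the handler; the helper names, the sample peer address and port, and `arm_grace_timeout` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Append a C string to dst at *pos, always leaving room for the terminator (cap >= 1). */
static void sa_append(char *dst, size_t cap, size_t *pos, const char *src) {
    while (*src && *pos + 1 < cap) dst[(*pos)++] = *src++;
    dst[*pos] = '\0';
}
/* Render a decimal number by hand: no snprintf(), so no hidden allocation. */
static void sa_append_uint(char *dst, size_t cap, size_t *pos, unsigned v) {
    char tmp[16]; size_t n = 0;
    do { tmp[n++] = (char)('0' + v % 10); v /= 10; } while (v);
    while (n && *pos + 1 < cap) dst[(*pos)++] = tmp[--n];
    dst[*pos] = '\0';
}
/* Build "Timeout before authentication for <ip> port <port>\r\n" into buf and return
   its length. Only the caller's buffer is touched; a small cap truncates, never overflows. */
size_t format_timeout_msg(char *buf, size_t cap, const char *ip, unsigned port) {
    size_t pos = 0;
    sa_append(buf, cap, &pos, "Timeout before authentication for ");
    sa_append(buf, cap, &pos, ip);
    sa_append(buf, cap, &pos, " port ");
    sa_append_uint(buf, cap, &pos, port);
    sa_append(buf, cap, &pos, "\r\n");
    return pos;
}
/* Peer identity, recorded before the alarm is armed (constructed defaults). */
static const char *volatile peer_ip = "0.0.0.0";
static volatile unsigned peer_port = 0;
/* SIGALRM handler that calls only write(2) and _exit(2), both async-signal-safe:
   this is what sshd -e amounts to, sending the line to stderr instead of syslog(). */
static void grace_alarm_handler(int sig) {
    char msg[128];
    size_t n = format_timeout_msg(msg, sizeof msg, peer_ip, peer_port);
    ssize_t w = write(STDERR_FILENO, msg, n); (void)w; (void)sig;
    _exit(1);
}
/* Arm a LoginGraceTime-style timer for the given peer; returns 0 on success. */
int arm_grace_timeout(const char *ip, unsigned port, unsigned seconds) {
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    peer_ip = ip; peer_port = port;
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    alarm(seconds);
    return 0;
}
```

The 60-byte line this produces for the post's sample peer matches the `write(2, ..., 60)` seen in the strace output above.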

Microsoft has told customers that the Russian criminals who compromised its systems earlier this year made off with even more emails than it first admitted. | @theregister

“the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive US government data. Reports last week revealed that the issue was even larger than initially believed and additional customers' data has been stolen.”

https://www.theregister.com/2024/07/01/infosec_in_brief/


I have discovered 7 long lost 6 videos, but they are in Real Media format and I can't find any utilities that work on current technology to convert them.

Does anyone know of tools that work?
