Has anyone checked if macOS is vulnerable to regreSSHion (Qualys's OpenSSH SIGALRM vulnerability, CVE-2024-6387)?

Qualys's writeup notes that glibc is vulnerable because its malloc skips locking in single-threaded programs (https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt).

macOS doesn't have this optimization: malloc always seems to take locks, and will crash in `os_unfair_lock_recursive_abort` if you try to call it during an interrupted call.

So Qualys's initial exploit strategy probably won't work.

macOS's syslog is complex, however; it has several files (https://github.com/apple-oss-distributions/syslog/tree/main/libsystem_asl.tproj/src) that use malloc, Mach messaging, libdispatch, XPC, ObjC... Would there be something non-re-entrant-safe in there? If so, would the lock aborts prevent you from exploiting them?

== Let's make a magnetophone / tape player / magnetic tape head at home! ==

Many people started following me after my DIY magnetic tape and DIY floppy disk experiments. A common request ever since was to make a DIY magnetic head, and, truth be told, I was curious to experiment with it, too.

The task was daunting, and many people were convinced that it could not be done at all. In fact, I could not find a single mention of a successful experiment in the West, and scarce mentions of it in vintage Russian radio hobbyist magazines. But I know that it could be done; my father says he made some magnetic heads over 40 years ago.

Just two weeks ago Hackaday.com made a post claiming that a (really cool btw) hobbyist made a tape player with a DIY tape head. I was excited at first, and then outraged - it was fake news! The DIY tape head was not (and could not be) used in the tape player on the video, and in fact could only erase tape.

Now, I present you The Real DIY Magnetic/Tape Head (and a DIY microphone)

🧵~


did you know that Intel shipped a userspace driver that does kernel physical memory grooming (like heap grooming, but for physmem allocations) to get a contiguous memory block https://git.dpdk.org/dpdk/tree/lib/eal/linux/eal_memory.c

like... it allocates a bunch of pages, checks if they're physically contiguous, frees the ones that are not, and retries until it has enough that are, more or less

Ok, finally! Here we go: on via .

Here, we have a basic image running, which will soon be shared as a raw image (including instructions on how to run it w/o patched and also trying to provide an image.


🦀 The slides for my workshop at @recon in Montreal this year, "Reversing Rust Binaries: One Step Beyond Strings", are now online!

https://github.com/cxiao/rust-reversing-workshop-recon-2024/tree/main/slides

You can find both the slides and the diagrams I used for the workshop linked there. The slides are meant to be a resource for you to use while reversing, so they have lots of clickable links in them (:

In case you lose the link, you can also find the slides linked from my page on the REcon 2024 schedule: https://cfp.recon.cx/recon2024/talk/QCA37X/

Really great to meet so many cool people, and lots of work to do for Rust RE going forward! I left the conference with a lot of great ideas and directions for new research.


use-after-free vulnerability due to the interaction between Unix garbage collection (GC) and the io_uring Linux kernel component

https://blogs.oracle.com/linux/post/unix-garbage-collection-and-iouring

Credits: Shoily Rahman


"Saved

MTV News Is Back (Kind Of) Thanks to the Internet Archive

After Paramount Global yanked over 20 years of music journalism, the non-profit Internet Archive created a searchable index of MTV News via its Wayback Machine"

Rolling Stone.

https://www.rollingstone.com/music/music-news/mtv-news-saved-internet-archive-1235051776/


Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/


Just released oletools 0.60.2: this is mostly a bugfix release, to address some dependency issues and compatibility with Python 3.12.
More details: https://github.com/decalage2/oletools/releases/tag/v0.60.2
How to upgrade:
pip install -U oletools
or:
pipx install oletools

Another release with new features should come soon!


found the problem

stupid fox walked all over my boards


We are planning to release new Mastodon security updates for versions 4.1, 4.2 and nightly this Thursday, Jul 04, at 15:00 UTC. They solve multiple security issues, including a major one. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.


Progress on the new C decompiler backend!
The model type system can now be imported into our MLIR dialect, Clift!
The PR: https://github.com/revng/revng-c/pull/1/files


SecureLayer7: Major Security Flaws in Mailcow: Inside the XSS and Path Traversal Exploits (CVE-2024-31204 and CVE-2024-30270)
Mailcow is an open source mail server software suite. CVE-2024-31204 (6.1 medium) XSS in the Admin Panel and CVE-2024-30270 (6.2 medium) arbitrary file overwrite were originally reported by SonarSource. SecureLayer7 performs patch diffing to provide a root cause analysis (proof of concept) for them.


Wow, this guy set up fake free WiFi to harvest FB logins on a plane! This is one of those always rumored, but never true attacks. Article doesn't specify just how they figured out which guy on the plane was doing it.

https://www.infosecurity-magazine.com/news/australia-police-fake-wifi-airport/


OpenSSH CVE-2024-6387 mitigation (on Fedora):

echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd && sudo systemctl restart sshd

I have no idea why Qualys didn't mention this. The only non-async-safe function called by the vulnerable signal handler is syslog(). So just turn off syslog and log to stderr. On systemd distros, this still ends up in the journal anyway, so you lose nothing.

I confirmed that the message at the root of the issue is logged to stderr and not syslog with this option:

[pid 638194] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 638194] getpgid(0) = 638194
[pid 638194] getpid() = 638194
[pid 638194] rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTART}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1], sa_flags=SA_RESTART}, 8) = 0
[pid 638194] kill(0, SIGTERM) = 0
[pid 638194] getpid() = 638194
[pid 638194] write(2, "Timeout before authentication for 192.168.21.10 port 37734\r\n", 60) = 60
[pid 638194] exit_group(1) = ?
[pid 638194] +++ exited with 1 +++

Edit: The problem code still calls snprintf(), which on paper is still unsafe. However, it does this a bunch of times anyway in multiple code paths, and Qualys didn't mention anything about it. A quick look through glibc code suggests that snprintf() only does unsafe things (allocate memory) if you format floats, which obviously ssh does not.

Edit 2: Turns out there is another related issue, CVE-2024-6409, which is not mitigated by this trick. However, it only affects F35 through F37 and RHEL9, since it's caused by distro patches. The mitigation above works for current Fedora releases. If you're stuck on the vulnerable range for some reason, use the LoginGraceTime 0 mitigation and update your OS ASAP since those old versions won't get the patches at all.
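
As an added illustration of the post's point (not code from the post or from OpenSSH): the grace-timeout message is formatted up front with plain loops rather than snprintf(), and the SIGALRM handler is restricted to write(2) and _exit(2), which is what logging to stderr with -e leaves in the handler where the vulnerable path called syslog(). The address and port are the constructed values from the strace above, and the 60-byte write matches that trace.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>
/* Pre-built message: the handler only write()s it, never formats or allocates. */
static char g_timeout_msg[128];
static size_t g_timeout_len;

/* Bounded append of a C string; plain loops, no libc formatting, no heap. */
static size_t append_str(char *dst, size_t len, size_t cap, const char *src) {
    while (*src && len + 1 < cap) dst[len++] = *src++;
    dst[len] = '\0';
    return len;
}

/* Bounded append of an unsigned decimal number, digit by digit. */
static size_t append_uint(char *dst, size_t len, size_t cap, unsigned v) {
    char tmp[16]; size_t n = 0;
    do { tmp[n++] = (char)('0' + v % 10); v /= 10; } while (v);
    while (n && len + 1 < cap) dst[len++] = tmp[--n];
    dst[len] = '\0';
    return len;
}

/* Build "Timeout before authentication for <ip> port <port>\r\n" without
   snprintf(), syslog() or malloc(); returns the length written (60 for the
   constructed address/port taken from the strace line). Truncates at cap-1. */
size_t format_timeout_msg(char *buf, size_t cap, const char *ip, unsigned port) {
    size_t len = append_str(buf, 0, cap, "Timeout before authentication for ");
    len = append_str(buf, len, cap, ip);
    len = append_str(buf, len, cap, " port ");
    len = append_uint(buf, len, cap, port);
    return append_str(buf, len, cap, "\r\n");
}

/* SIGALRM handler limited to async-signal-safe calls (write, _exit): the effect
   of sshd -e logging to stderr where the vulnerable path called syslog(). */
static void grace_alarm_handler(int sig) {
    (void)sig; (void)write(STDERR_FILENO, g_timeout_msg, g_timeout_len);
    _exit(1);
}

int main(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler;
    sigaction(SIGALRM, &sa, NULL);
    g_timeout_len = format_timeout_msg(g_timeout_msg, sizeof g_timeout_msg, "192.168.21.10", 37734);
    alarm(1); pause();  /* alarm() stands in for LoginGraceTime; the handler ends the process */
    return 0;
}
```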
