Has anyone checked if macOS is vulnerable to regreSSHion (Qualys's OpenSSH SIGALRM vulnerability, CVE-2024-6387)?

Qualys's writeup notes that glibc is vulnerable because its malloc skips locking in single-threaded programs
(https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt).

macOS doesn't have this optimization: malloc always seems to take locks, and will crash in `os_unfair_lock_recursive_abort` if you try to call it during an interrupted call.

So Qualys's initial exploit strategy probably won't work.

macOS's syslog is complex, however; it has several files (https://github.com/apple-oss-distributions/syslog/tree/main/libsystem_asl.tproj/src) that use malloc, Mach messaging, libdispatch, XPC, ObjC... would there be something non-re-entrant-safe there? If so, would the lock aborts prevent you from exploiting them?

== Let's make a magnetophone / tape player / magnetic tape head at home! ==

Many people started following me after my DIY magnetic tape and DIY floppy disk experiments. A common request ever since was to make a DIY magnetic head, and, truth be told, I was curious to experiment with it, too.

The task was daunting, and many people were convinced that it could not be done at all. In fact, I could not find a single mention of a successful experiment in the West, and scarce mentions of it in vintage Russian radio hobbyist magazines. But I know that it could be done; my father says he made some magnetic heads over 40 years ago.

Just two weeks ago Hackaday.com made a post claiming that a (really cool btw) hobbyist made a tape player with a DIY tape head. I was excited at first, and then outraged - it was fake news! The DIY tape head was not (and could not be) used in the tape player on the video, and in fact could only erase tape.

Now, I present to you The Real DIY Magnetic/Tape Head (and a DIY microphone)

🧵~

I was doing a training for sysadmins, and this guy cleared MotW from one of the SmartScreen demo samples in ~3secs from muscle memory.

I was kinda impressed!
[RSS] STRIDE: Simple Type Recognition In Decompiled Executables

https://github.com/hgarrereyn/STRIDE
[RSS] SSD Advisory – Foscam R4M UDTMediaServer Buffer Overflow

https://ssd-disclosure.com/ssd-advisory-foscam-r4m-udtmediaserver-buffer-overflow/
[RSS] Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform

https://www.thezdi.com/blog/2024/7/1/getting-unauthenticated-remote-code-execution-on-the-logsign-unified-secops-platform
Ring Around The Regex: Lessons learned from fuzzing regex libraries (Part 1)

https://secret.club/2024/06/30/ring-around-the-regex-1.html
Jack Ren - Exploiting a SpiderMonkey JIT Bug: From Integer Range Inconsistency to Bound Check Elimination then RCE

https://github.com/bjrjk/CVE-2024-29943/blob/main/Slides.pdf
did you know that Intel shipped a userspace driver that does kernel physical memory grooming (like heap grooming, but for physmem allocations) to get a contiguous memory block https://git.dpdk.org/dpdk/tree/lib/eal/linux/eal_memory.c

like... allocates a bunch of pages, checks if they're physically contiguous, frees the ones that are not, and retries until it has enough that are, more or less

Ok, finally! Here we go: on via .

Here, we have a basic image running which will soon be shared as a raw image (including instructions on how to run it w/o patched and also trying to provide an image.


🦀 The slides for my workshop at @recon in Montreal this year, "Reversing Rust Binaries: One Step Beyond Strings", are now online!

https://github.com/cxiao/rust-reversing-workshop-recon-2024/tree/main/slides

You can find both the slides and the diagrams I used for the workshop linked there. The slides are meant to be a resource for you to use while reversing, so they have lots of clickable links in them (:

In case you lose the link, you can also find the slides linked from my page on the REcon 2024 schedule: https://cfp.recon.cx/recon2024/talk/QCA37X/

Really great to meet so many cool people, and lots of work to do for Rust RE going forward! I left the conference with a lot of great ideas and directions for new research.


use-after-free vulnerability due to the interaction between Unix garbage collection (GC) and the io_uring Linux kernel component

https://blogs.oracle.com/linux/post/unix-garbage-collection-and-iouring

Credits: Shoily Rahman
