Posts
2530
Following
647
Followers
1459
"I'm interested in all kinds of astronomy."
repeated

fun Linux fact:

There are at least two places in the Linux kernel where performance-sensitive code paths use a, uh, retrospective approach to memory safety, where you do the memory read first (and suppress the occasional kernel page fault) and worry about making sure it was memory-safe later.

One of the two is in the SLUB allocator's lockless allocation fastpath: https://elixir.bootlin.com/linux/v6.10.4/source/mm/slub.c#L544
It (1) first loads the pointer to the current top freelist element, then (2) reads the next freelist pointer out of that element, and (3) does a double-wide atomic compare-exchange to check if it raced and replace the freelist head. The read in step (2) can return garbage or fault if someone else concurrently modified the freelist (basically it can be UAF), but in that case step (3) that uses the result of the read is guaranteed to fail, so it's fine.

The other one is in the Virtual File System layer, used for printing pathnames (like for getcwd()):
https://elixir.bootlin.com/linux/v6.10.4/source/fs/d_path.c#L50
As the comment there explains:

 * The source of the prepend data can be an optimistic load
 * of a dentry name and length. And because we don't hold any
 * locks, the length and the pointer to the name may not be
 * in sync if a concurrent rename happens, and the kernel
 * copy might fault as a result.
 *
 * The end result will correct itself when we check the
 * rename sequence count, but we need to be able to handle
 * the fault gracefully.

So this one can race so that OOB memory is copied into the path buffer, but the kernel will afterwards notice that the "how many rename operations have happened" counter has gone up (or that the "we are currently in the middle of a rename" bit is set), discard the result, and try again.

2
4
0
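Added example (not kernel code, and not written by the poster): a single-threaded toy model in C of the d_path pattern described above, namely an unlocked "optimistic" copy of a name that is only validated afterwards against a sequence count and retried if a rename slipped in. The `struct name_rec`, the `interferer` hook that stands in for a concurrent renamer, and the names `alpha` / `longer-name` are all constructed for this demonstration; the kernel additionally has to tolerate a page fault during the copy, which this model does not reproduce. The SLUB fastpath uses a compare-exchange instead of a sequence count, but the shape is the same: read first, then let the validation step decide whether the read was trustworthy.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a dentry-like record whose name a concurrent
 * "rename" may change while an unlocked reader is copying it. */
struct name_rec {
    atomic_uint seq;   /* even: stable; odd: a rename is in progress */
    const char *name;  /* pointer to the current name bytes */
    size_t len;        /* length of the current name */
};

void name_rec_init(struct name_rec *r, const char *name)
{
    atomic_init(&r->seq, 0);
    r->name = name;
    r->len = strlen(name);
}

/* Writer side: odd seq marks "rename in progress", even seq marks done. */
void name_rec_rename(struct name_rec *r, const char *new_name)
{
    atomic_fetch_add_explicit(&r->seq, 1, memory_order_release);
    r->name = new_name;
    r->len = strlen(new_name);
    atomic_fetch_add_explicit(&r->seq, 1, memory_order_release);
}

/* Hypothetical hook standing in for a concurrent renamer: it is invoked
 * between the reader's two loads so that len and name are observed out
 * of sync, the hazard the kernel comment describes. */
struct interferer {
    void (*fn)(struct name_rec *, const void *);
    const void *arg;
    int fire_left;   /* how many reader attempts it still disturbs */
};

/* Reader side. Returns the number of retries needed (0 when the first
 * attempt validated) or -1 if it gave up; 'out' then holds a copy that
 * was consistent with one stable sequence value. */
int read_name_optimistic(struct name_rec *r, char *out, size_t outsz,
                         struct interferer *intf)
{
    int retries = 0;

    for (;;) {
        unsigned seq;
        /* Wait until no rename is in progress (seq even). */
        do {
            seq = atomic_load_explicit(&r->seq, memory_order_acquire);
        } while (seq & 1u);

        /* Optimistic, unlocked loads: these two may disagree. */
        size_t n = r->len;
        if (intf && intf->fire_left > 0) {
            intf->fire_left--;
            intf->fn(r, intf->arg);     /* the rename slips in here */
        }
        const char *p = r->name;

        /* Bounded copy; the kernel additionally tolerates a fault here. */
        if (n >= outsz)
            n = outsz - 1;
        memcpy(out, p, n);
        out[n] = '\0';

        /* Validate: if seq moved, the copy may be garbage; discard and retry. */
        atomic_thread_fence(memory_order_acquire);
        if (atomic_load_explicit(&r->seq, memory_order_relaxed) == seq)
            return retries;

        if (++retries > 100)
            return -1;
    }
}

static void rename_once(struct name_rec *r, const void *arg)
{
    name_rec_rename(r, (const char *)arg);
}

/* Disturbed read: attempt one sees len=5 with the new pointer, copies
 * "longe", notices seq moved, discards it and retries -> "longer-name". */
int demo_disturbed(char *out, size_t outsz)
{
    struct name_rec r;
    struct interferer intf = { rename_once, "longer-name", 1 };
    name_rec_init(&r, "alpha");
    return read_name_optimistic(&r, out, outsz, &intf);
}

/* Undisturbed read: validates on the first attempt. */
int demo_undisturbed(char *out, size_t outsz)
{
    struct name_rec r;
    name_rec_init(&r, "alpha");
    return read_name_optimistic(&r, out, outsz, NULL);
}

int main(void)
{
    char buf[32];
    int retries = demo_disturbed(buf, sizeof buf);
    printf("result=\"%s\" retries=%d\n", buf, retries);
    return 0;
}
```

The design point is that the stale copy is never trusted: correctness comes from the validation step, not from the read, which is why the kernel can afford to make the read itself unsafe as long as the copy cannot escape before the sequence check.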
repeated

Resorts World (one of the hotels defcon contracted with to offer rooms to con attendees) decided to pull some clown shit and announce they’re doing daily room checks for “hacking” as some knee-jerk response to the MGM ransom attack last year. Someone leaked the checklist they gave to employees and it’s even dumber than you thought.

14
7
0
repeated
repeated

Wireless hacking doesn't have to be a mess of dongles and ad-hoc code anymore.

Yesterday @virtualabs from Quarkslab and @rcayre from EURECOM released WHAD, a set of open source tools, libraries and firmware to make wireless security research easier.

WHAD implements 6 protocols (BLE, ZigBee, RF4CE, Unifying, ESB, LoRaWAN) and supports 11 different hardware devices, including 4 embedding our custom firmwares to extend their capabilities.

It can be used for sniffing various protocols (BLE, 802.15.4, ZigBee, RF4CE, Enhanced Shockburst, Logitech Unifying and even unknown ones via its PHY support), packet injection, MITM attacks, device emulation, device sharing over TCP, and a number of other features and capabilities.

See the code repository here https://github.com/whad-team/whad-client

1
6
0
repeated

if AI wants to be useful, it can read the build instructions of a github readme and tell me which seventeen packages the author forgot to mention I need to install first

4
2
0
repeated

Losing my mind at this. Google says that cellsite simulators are being used to send SMS spam.

https://security.googleblog.com/2024/08/keeping-your-android-device-safe-from.html

4
3
0
repeated

We had a lot of fun handing out our first-ever Awards. If you couldn't be there, we've updated our blog with all the winners. Check it out at https://www.zerodayinitiative.com/blog/2024/8/1/introducing-the-vanguard-awards

0
3
0
repeated

Looks like we shipped Firefox 129 last week, where the address bar is defaulting to use HTTPS (and falls back to HTTP if it doesn't work). Kudos to the team for shipping! 😀 It's nice to see something happen so smoothly when on vacation

1
1
1
repeated
repeated

Huh, with the new IDAlib headless mode in @HexRaysSA IDA 9.0, can get rid of the visible second IDA instance. Need to play around with this more.

0
1
0

Wrote BASIC on original C64 and BBC Micro and felt the blessing of the Omnissiah wash over me. 😊

Tried to browse webapps on Android and felt like smashing the fucking phone into the sea.🤽
0
3
6
repeated

Step aside, devs. The Infosec Wizards are coming.

https://www.theregister.com/2024/08/09/marlinspike/

0
2
0
repeated

I very much enjoyed this talk by @thegrugq. While there are many issues here worth discussing, like systems' perception of the world or why it is not so easy to predict how a system will fail, I particularly liked the discussion on the impact of policy decisions.

Too often I have heard arguments about how a certain technical solution can overcome/solve particular issues and make them "policy-proof". In reality, the scope of influence available to both state and private actors makes policy a far more important factor in determining the outcome. You can't out-obfuscate your way out of telemetry available to major tech companies or out-encrypt government-level targeted surveillance.

https://www.youtube.com/watch?v=P6PnhDfWvx0

0
2
0
repeated

excited to see my janky code being put to good use for jailbreaking flagship smartphones such as the "vtech kidizoom snap touch"

https://bird.makeup/@rdjgr/1818367871086686432

0
2
0

Time-travel Testing of Android Apps

https://mboehme.github.io/paper/ICSE20.TTT.pdf

0
0
1

Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap – BlackHat USA 2024 Whitepaper [PDF]

https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf

0
4
4