A drunken debugger

Heretek of Silent Signal

IPE (Integrity Policy Enforcement) is now merged into Linus’ tree for the v6.12 kernel, after many years of upstreaming efforts.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a430d95c5efa2b545d26a094eb5f624e36732af0

See also: https://microsoft.github.io/ipe/

wild speculation, exploding beepers
I read that a Hungarian company produced Hezbollah's recently acquired exploding beepers.[1]

I wonder if this is related to Mahmoud Ahmadinejad's visit in Budapest back in May.[2]

Again, this is wild speculation!

[1] https://444.hu/2024/09/18/magyarorszagon-gyartottak-a-libanonban-felrobbant-csipogokat
[2] https://24.hu/kulfold/2024/05/09/mahmud-ahmadinezsad-iran-magyarorszag-kozszolgalati-egyetem/

It has long been known that timing analyses are a *theoretical* attack on Tor. By distributing the circuits across different jurisdictions, the goal was to make these attacks impractical to implement:

Only a "global adversary" should be able to break the anonymity by correlating the traffic from entry and exit nodes. Correlation becomes even easier if delays or content can be actively introduced into the traffic pattern.

Just as we could (theoretically) become a "global adversary" by renting enough servers, law enforcement agencies can (practically) achieve this through close cooperation, especially since Tor nodes are not evenly distributed across jurisdictions but tend to cluster in certain regions.

Western law enforcement agencies seem to have reached the "global adversary" level through collaboration (in isolated cases and certainly with significant effort). What is problematic for Tor is that other "law enforcement agencies," whose focus is on dissidents, whistleblowers, and journalists, could do the same.

So, it is finally time for cover traffic and random delays: nodes in the Tor network would introduce a random traffic background noise as well as random delays to make targeted correlations more difficult. This would make Tor even slower. This is probably why it has been avoided until now.

In conclusion, we would like to emphasize that there is no reason for regular users of the Tor browser to worry about their anonymity. These are highly targeted attacks on individual accounts of the messenger "Ricochet" over extended periods of time. Because the messenger, unlike a browser, is also reachable, it naturally has an increased attack surface for timing analyses.

https://www.tagesschau.de/investigativ/panorama/tor-netzwerk-100.html
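The correlation the post describes, and the effect of the two countermeasures it proposes (random delays and cover traffic), as an added toy simulation. This is example code written for this page, not code from the tagesschau article or from the Tor project; the flow shape, the 300 ms latency, the bin width and the defence parameters are all constructed assumptions chosen only to make the effect visible.

```python
"""Toy end-to-end timing correlation: guard-side vs exit-side packet timings."""
import random
import statistics


def make_flow(rng, n_packets=200, burst_gap=0.5, intra_gap=0.02):
    """Constructed bursty flow: packet timestamps (seconds) as the entry node sees them.
    The irregular pauses between bursts are what makes a flow recognisable."""
    t, times = 0.0, []
    for _ in range(n_packets):
        # assumption: ~15% of packets follow a long pause, the rest arrive in a burst
        t += burst_gap if rng.random() < 0.15 else intra_gap * rng.uniform(0.5, 1.5)
        times.append(t)
    return times


def observe_at_exit(rng, times, latency=0.3, jitter=0.005, max_delay=0.0, cover_rate=0.0):
    """The same packets at the exit node: fixed latency plus small jitter.
    max_delay  > 0 adds a per-packet random hold-off in [0, max_delay] (the 'random delays').
    cover_rate > 0 adds that many dummy packets per second (the 'background noise')."""
    out = [t + latency + rng.gauss(0.0, jitter) + rng.uniform(0.0, max_delay) for t in times]
    span = times[-1] + latency + max_delay
    out += [rng.uniform(0.0, span) for _ in range(int(span * cover_rate))]
    return sorted(out)


def bin_counts(times, width, n_bins):
    """Packets per time bin of the given width."""
    counts = [0] * n_bins
    for t in times:
        i = int(t // width)
        if i < n_bins:
            counts[i] += 1
    return counts


def pearson(a, b):
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return num / den if den else 0.0


def correlation_score(entry_times, exit_times, width=0.1, max_lag_bins=10):
    """The adversary's test: bin both observations and take the best Pearson
    correlation over a range of candidate network latencies (lags), since the
    exact latency between the two observation points is unknown."""
    n_bins = int(max(entry_times[-1], exit_times[-1]) // width) + 1 + max_lag_bins
    e = bin_counts(entry_times, width, n_bins)
    x = bin_counts(exit_times, width, n_bins)
    return max(pearson(e[:n_bins - lag], x[lag:]) for lag in range(max_lag_bins + 1))


def run_experiment(seed=7):
    """Returns the score for the true pairing, for an unrelated user's flow seen
    at the same exit, and for the true pairing with delays + cover traffic."""
    rng = random.Random(seed)
    victim = make_flow(rng)
    other = make_flow(rng)  # a different user whose traffic leaves the same exit
    plain_exit = observe_at_exit(rng, victim)
    defended_exit = observe_at_exit(rng, victim, max_delay=0.5, cover_rate=20.0)
    return {
        "matched": correlation_score(victim, plain_exit),
        "unrelated": correlation_score(other, plain_exit),
        "defended": correlation_score(victim, defended_exit),
    }


if __name__ == "__main__":
    for name, score in run_experiment().items():
        print(f"{name:10s} {score:.2f}")
```

Without defences the true pairing scores close to 1 while an unrelated flow stays near 0, which is all a "global adversary" that can see both ends needs; smearing each packet over half a second and mixing in 20 dummy packets per second pulls the true pairing's score down sharply, at the cost of exactly the latency and bandwidth overhead the post expects.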


GitLab security advisory: GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10
CVE-2024-45409 (perfect 10.0 critical 🥳 cc: @cR0w) SAML authentication bypass

GitLab doing me a heccin' concern because they're already talking about detecting unsuccessful and successful exploitation attempts. I can't definitively say if exploitation in the wild occurred based on the verbiage in this advisory.

cc: @campuscodi @goatyell @da_667

Tonight in "Fun with #FOSS":

I installed gerbera to do DLNA things. Config dot freaking XML should've been a warning sign, but I know how to computer.

It took about half an hour until I figured out from the docs what XML tag I should use and where to point to the directory where my media content is (it's not in the default config).

The fun begins when the systemd unit just exits. There is a logging option, but no hint about where the logs are. Nvm, journalctl captured stdout:

"level attribute is missing or invalid"

There is no "level" attribute in the docs.

Googling: 0 results - spoiler: this is because the second part of the message comes from an XML lib, while the attribute name comes from the XSD.

The solution is to check out the git tag corresponding to the OS package version, find the XSD and the attribute definition in it. I fixed the config.

The software now runs (it just doesn't work).

Trammell Hudson

The city of 's-Hertogenbosch is multiple examples of "falsehoods programmers believe about place names"

Of course, the wisdom of James Mickens applies:

https://www.usenix.org/system/files/1401_08-12_mickens.pdf

Android Virtualization Framework - runs the "host" (Android and Linux kernel) in a VM and launches isolated envs. (= pVMs). Based on KVM but offloads complex code to the host VM. pVM firmware is in Rust
- https://www.youtube.com/watch?v=K24dmA7QGLE
- https://source.android.com/docs/core/virtualization/security
- https://android.googlesource.com/platform/packages/modules/Virtualization/+/refs/tags/aml_con_341511080/pvmfw/

https://bird.makeup/@lauriewired/1832541105390547456


From the WTAF dept: 3 killed, > 1,000 wounded in Beirut by exploding pagers:

"BEIRUT, Sept 17 (Reuters) - At least three people were killed and more than 1,000 others including Hezbollah fighters, medics and Iran's envoy to Beirut were wounded on Tuesday when the pagers they use to communicate exploded across Lebanon, security sources told Reuters.

A Hezbollah official, speaking on condition of anonymity, said the detonation of the pagers was the "biggest security breach" the group had been subjected to in nearly a year of conflict with Israel."

https://www.reuters.com/world/middle-east/dozens-hezbollah-members-wounded-lebanon-when-pagers-exploded-sources-witnesses-2024-09-17/

via @dangoodin


The web Hackvertor now has all of the tags to conduct email parser discrepancies attacks.

https://hackvertor.co.uk/


Ok, my article on porting the SBCL common implementation to the nintendo is now live:

https://reader.tymoon.eu/article/437

Boosts would be much appreciated! It's been a lot of work to get this far.


I'd like to share some of my projects that are hosted on @github. Let's start with my public that span more than two decades of .

https://github.com/0xdea/exploits

"You can't argue with a root shell." -- Felix "FX" Lindner

Probably the most known is raptor_udf.c that targets (those of you who solved the @offsec training labs should recognize it).

My favorite is still raptor_rlogin.c, a glorious from the early 2000s. Take your pick!

"What you think of Oracle _is even truer_ than you think it is!" - Bryan M. Cantrill[1]

Ellison Declares Oracle 'All In' On AI Mass Surveillance

https://developers.slashdot.org/story/24/09/16/213256/ellison-declares-oracle-all-in-on-ai-mass-surveillance

[1]https://youtu.be/-zRN7XLCRhc?si=FAsYQN2_Xoelkzlp&t=2048
[RSS] Reasons for the unreasonable success of fuzzing (Halvar Flake, Google Slides)

https://docs.google.com/presentation/d/1vw9lywrMnNojiOIu-xU5KXZz7WzE0MYNQF6V7n6vyY8/edit#slide=id.g2768ca7ef44_0_65
[RSS] Exploiting Microsoft Kernel Applocker Driver (CVE-2024-38041)

https://csa.limited/blog/20240916-Exploiting-Microsoft-Kernel-Applocker-Driver.html

On some level I think people become stronger engineers by running their own databases for a time. Pulling back the cover and seeing the hidden complexity can breed an understanding that serves folks well.

Obviously not a requirement--but something to consider.


CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability https://www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection/

The real slim shady || Ivanti Endpoint Manager (EPM) Pre-Auth RCE

CVE-2024-29847

https://summoning.team/blog/ivanti-epm-cve-2024-29847-deserialization-rce/