
Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels

An outstanding paper by Lukas Maar et al. about analyzing the exploitation techniques used in public 1-day Android kernel exploits over the last few years and cross-referencing them with the mitigations implemented by various Android vendors 🔥

https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf


🎮 The @travisgoodspeed training on recovering Gameboy ROMs from microscopic pictures with the help of is now indexed, with the rest of presentations in the Radare TV website 👉 https://www.radare.org/tv/

I want to level-up my jump roping and apparently I clicked a Reddit link while searching for tips.

Now instead of the absolutely braindead topics that come up based on geolocation (is the average Hungarian Internet user really this shallow??) I get awesome jumprope vids and tips!

Thx #adtech!

I don't know if this is known but last week I found out that giving a user the OOBE experience can be abused for privilege escalation.

Scenario: A company gives a new employee his computer and lets him do the first login. During the OOBE, he presses SHIFT+F10 and opens CMD.

Since this CMD runs as SYSTEM, he installs a custom CA certificate via certutil, places 'WptsExtensions.dll' into System32, and creates a new local backdoor admin user.

Once the OOBE and/or setup is complete, only the local backdoor admin user will be deleted. The certificate and DLL still remain. A reboot is enough to trigger the DLL being loaded as SYSTEM.

The third-party cert could be detected using sigcheck, but that's a little hacky...

Does anyone know a fix for this? I've not found anything inside that would kill this vector.

PSA: Please, please, please add an RSS/Atom feed to your blog and publications! It's not hard, and makes following your content so much easier!

#RSS #POSSE #Syndication

Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.

Prove you're a human! Beat Lifewater Oasis from Commander Keen 4! Defeat the Yeti in Kings Quest 5! Make sure 15 lemmings survive! Get the sword in Prince of Persia!


I discovered a certificate using a "public private key", in this case a key that is part of OpenSSL's test suite. This would not necessarily be a particularly interesting event. It happens every now and then that people use private keys they find on the Internet, likely due to a lack of understanding of public key cryptography. I usually report them for revocation, and move on. However, this one is a bit more unusual. It has been issued by the CA Digicert - for a domain owned by Digicert. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/d21mtDJ7YXQ


Eighth article of the series "Extending Burp Suite for fun and profit - The Montoya way" is out!

Topic: BChecks - A quick way to extend Burp Suite Active and Passive Scanner!

https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-8/

[RSS] A Dual Game Boy Chiptune Keytar

https://blog.adafruit.com/2024/11/25/a-dual-game-boy-chiptune-keytar-musicmonday-2/

"Your scientists were so preoccupied with whether they could, they didn't stop to think if they should."

Since it's almost been a year and OBTSv7 is around the corner, I published the long overdue writeup for badmalloc:
https://gergelykalman.com/badmalloc-CVE-2023-32428-a-macos-lpe.html

[RSS] Windows - DPAPI Revisited for Chromium App-Bound encryption recent changes

https://tierzerosecurity.co.nz/2024/11/26/data-protection-windows-api-revisited.html

Slides & video from our @grehackconf talk "Attacking Hypervisors - A Practical Case" are online! Learn how we exploited vulnerabilities to escape VirtualBox during Pwn2Own Vancouver 2024: https://www.reversetactics.com/publications/2024_conf_grehack_virtualbox/


Reversing virtualized binaries is no easy task. Our intern Jack took on exploring automated devirtualization techniques, and presents in our latest blog post an efficient, modular, taint-based approach that leverages LLVM IR: https://blog.thalium.re/posts/llvm-powered-devirtualization/


Channeling @Viss

"Go to the cloud, it'll be great"

Microsoft has been reporting an issue since 8:54pm yesterday. The basic summary of the issue is "Teams, Exchange, Purview, SharePoint, and Universal Print are all broken". So you know - everything you need to use in Office365 to operate on a day to day basis in a Microsoft world.

Copilot is also broken apparently, but we don't like that anyway, right?!


A lot of people don’t know this one weird trick — much like JavaScript, C also lets you perform arithmetic with mixed types:

[RSS] Arbitrary web root file read in Sitecore before v10.4.0 rev. 010422

https://blog.scrt.ch/2024/11/25/arbitrary-web-root-file-read-in-sitecore-before-v10-4-0-rev-010422/
[RSS] Finding vulnerabilities in ClipSp, the driver at the core of Windows' Client License Platform

https://blog.talosintelligence.com/finding-vulnerabilities-in-clipsp-the-driver-at-the-core-of-windows-client-license-platform/

Dear everyone who owns domains that are *not used for e-mail*, particularly ones that are potential targets for phishing (banks, high-profile names): Could you please configure SPF+DMARC, ideally with p=reject? You may wonder: Why should I configure anything email for a host that isn't used for email? Well... it helps others to identify spam sent with your domain as the sender.


Good news: The Dell firmware update utility definitely checks whether update executables are signed.

Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news

[RSS] How JWT Libraries Block Algorithm Confusion: Key Lessons for Code Review

https://pentesterlab.com/blog/jwt-algorithm-confusion-code-review-lessons