Gotta love IoT stuff

Splunk security advisories since apparently they missed #PatchTuesday and everyone wants to push to prod before Thanksgiving:

• SVD-2024-1101 Third-Party Package Updates in Python for Scientific Computing - November 2024 (1 CVE)
• SVD-2024-1102 Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 (3 CVEs)

No mention of exploitation.

#splunk #vulnerability #cve #infosec #cybersecurity

[RSS] Introducing NachoVPN: One VPN Server to Pwn Them All

https://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/

Interesting concept: rogue VPN server to compromise misconfigured clients

GitLab security advisory: GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5

• CVE-2024-8114 (8.2 high) Privilege Escalation via LFS Tokens
• CVE-2024-8237 (6.5 medium) Denial of Service (DoS) through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file.
• CVE-2024-11669 (6.5 medium) Unintended Access to Usage Data via Scoped Tokens
• CVE-2024-8177 (5.3 medium) Gitlab DOS via Harbor registry integration
• CVE-2024-1947 (4.3 medium) Resource exhaustion and denial of service with test_report API calls
• CVE-2024-11668 (4.2 medium) Streaming endpoint did not invalidate tokens after revocation

No mention of exploitation.

#gitlab #vulnerability #cve #patchtuesday

XBOW found a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI project that allows attackers to download any file on the server. XBOW combined a series of URL encodings and path normalization bypasses to trigger the flaw. Users of versions 4.3–5.3 should upgrade.

Since my previous PSA got so popular, here's a fun fact:

The very popular blog engine #Jekyll does not generate a feed by default! You have to add the jekyll-feed plugin and reference the generated Atom XML in your template!

https://github.com/jekyll/jekyll-feed

VMware security advisory: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities(CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834)

• CVE-2024-38830 (7.8 high) Local privilege escalation vulnerability
• CVE-2024-38831 (7.8 high) Local privilege escalation vulnerability
• CVE-2024-38832 (7.1 high) Stored cross-site scripting vulnerability
• CVE-2024-38833 (6.8 medium) Stored cross-site scripting vulnerability
• CVE-2024-38834 (6.5 medium) Stored cross-site scripting vulnerability

No mention of exploitation

#CVE_2024_38830 #vmware #vulnerability #CVE #infosec #cybersecurity #CVE_2024_38831 #CVE_2024_38832 #CVE_2024_38833 #CVE_2024_38834 #aria #AriaOperations

Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels

An outstanding paper by Lukas Maar et al. about analyzing the exploitation techniques used in public 1-day Android kernel exploits over the last few years and cross-referencing them with the mitigations implemented by various Android vendors 🔥

https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf

🎮 The @travisgoodspeed training on recovering Gameboy ROMs from microscopic pictures with the help of #radare2 is now indexed, with the rest of #r2con2024 presentations in the Radare TV website 👉 https://www.radare.org/tv/

I want to level-up my jump roping and apparently I clicked a Reddit link while searching for tips.

Now instead of the absolutely braindead topics that come up based on geoloation (is the average Hungarian Internet user really this shallow??) I get awesome jumprope vids and tips!

Thx #adtech!

I don't know if this is known but last week I found out that giving a user the #Windows OOBE experience can be abused for privilege escalation.

Scenario: A company gives a new employee his computer and lets him do the first login. During the #Windows OOBE, he presses SHIFT+F10 and opens CMD.

Since this CMD runs as SYSTEM, he installs a custom CA certificate via certutil, places 'WptsExtensions.dll' into System32, and creates a new local backdoor admin user.

Once the #Microsoft OOBE and/or #Intune setup is complete, only the local backdoor admin user will be deleted. The certificate and DLL still remain. A reboot is enough to trigger the DLL being loaded as SYSTEM.

The third-party cert could be detected using sigcheck, but that's a little hacky...

Does anyone know a fix for this? I've not found anything inside #Intune that would kill this vector.

PSA: Please, please, please add an RSS/Atom feed to your blog and publications! It's not hard, and makes following your content so much easier!

#RSS #POSSE #Syndication

Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.

Prove you're a human! Beat Lifewater Oasis from Commander Keen 4! Defeat the Yeti in Kings Quest 5! Make sure 15 lemmings survive! Get the sword in Prince of Persia!

I discovered a certificate using a "public private key", in this case a key that is part of OpenSSL's test suite. This would not necessarily be a particularly interesting event. It happens every now and then that people use private keys they find on the Internet, likely due to a lack of understanding of public key cryptography. I usually report them for revocation, and move on. However, this one is a bit more unusual. It has been issued by the CA Digicert - for a domain owned by Digicert. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/d21mtDJ7YXQ

Eighth article of the series "Extending Burp Suite for fun and profit - The Montoya way" is out!

Topic: BChecks - A quick way to extend Burp Suite Active and Passive Scanner!

https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-8/

[RSS] A Dual Game Boy Chiptune Keytar

https://blog.adafruit.com/2024/11/25/a-dual-game-boy-chiptune-keytar-musicmonday-2/

"Your scientists were so preoccupied with whether they could, they didn't stop to think if they should."

Since it's almost been a year and OBTSv7 is around the corner, I published the long overdue writeup for badmalloc:
https://gergelykalman.com/badmalloc-CVE-2023-32428-a-macos-lpe.html

[RSS] Windows - DPAPI Revisited for Chromium App-Bound encryption recent changes

https://tierzerosecurity.co.nz/2024/11/26/data-protection-windows-api-revisited.html

Slides & video from our @grehackconf talk "Attacking Hypervisors - A Practical Case" are online! Learn how we exploited vulnerabilities to escape VirtualBox during Pwn2Own Vancouver 2024: https://www.reversetactics.com/publications/2024_conf_grehack_virtualbox/

Reversing virtualized binaries is no easy task. Our intern Jack took on exploring automated devirtualization techniques, and presents in our latest blog post an efficient, modular, taint-based approach that leverages LLVM IR: https://blog.thalium.re/posts/llvm-powered-devirtualization/