Turbo Pascal turns 41. who here remembers this one?

[RSS] Don't Be a CVE Dummy

https://jericho.blog/2024/11/28/dont-be-a-cve-dummy/

"So please, if you are writing documentation and need to use dummy CVE identifiers, please use one of the ones MITRE designated a decade ago"

No camel can perish on the Hungarian internet

https://translate.kagi.com/https://telex.hu/after/2024/11/29/teveclub-nevelde-jatekok-juhasz-balazs-illovszky-viktor

#neopets #sunday

If you are planning to learn Zig via Advent of Code this year, I highly recommend the tips from @kristoff 's blog post:

https://kristoff.it/blog/advent-of-code-zig/

Can someone send me the (untruncated) output of ioreg on an M4 MacBook/Mac Mini?

In other news, enough RE tool dev for today…

It is just natural that in #Ghidra #Sleigh “The [operand] identifier must appear in the [bit pattern section] as if it were a term in a sequence of constraints but without the operator and right-hand side of the constraint.”, see section 7.4.3:

https://scrapco.de/ghidra_docs/GhidraDocs/languages/html/sleigh_constructors.html

But it seems, you can’t use the identifier in the display of the instruction if it’s part of a constraint.

Error: “wrong type (should be family) in pattern equation”

Why is that?!

(Workaround: define an alias token for the same bits and use that in display)

If a #Ghidra build throws an error similar to:

“No IP found for $slaspec in module: $dir”

You have to extend the certification.manifest file in $dir.

If you use #vim to edit #Ghidra sources, beware that some build scripts try to handle all files in a directory, so .swp’s can cause build errors.

#ProTIp

(Neovim stores swap files under your config directory by default, so the situation is better there)

I've just subscribed to MDN Plus, perhaps the most valuable resource for #WebDev, browser extensions & #developers in general, which I've used for free so many years. Stepped up to paid subscription as a small thanks to @mozilla , and also to unlock the offline premium feature

https://developer.mozilla.org/en-US/

1 little known secret of ShellExec_RunDLL

https://www.hexacorn.com/blog/2024/11/30/1-little-known-secret-of-shellexec_rundll/

#lolbin

[RSS] Assessing the attack complexity of a race condition security vulnerability

https://devblogs.microsoft.com/oldnewthing/20241129-00/?p=110588

Luke and Leia take center stage in this vibrant panel of Budapest’s Star Wars mural by Rawman, CSM, Little Mejo, and Time.

This is the largest breakthrough in Windows / Office piracy ever.
This solution will be available in the coming months—stay tuned for updates!

Sooo Ars, after correcting the original deeply flawed, pure clickbait article, has now doubled down with new info about how "Bootkitty" is actually used.

TL;DR: I was right about Bootkitty only being useful at all for UEFI Secure Boot systems. Turns out there's a separate component that exploits LogoFAIL, a year-old UEFI vulnerability discovered by researchers, to enroll Bootkitty's key into UEFI Secure Boot, which then bypasses the need for user consent for the new bootloader.

So, to recap:

• There is no new vulnerability here. This is not a zero-day.
• Everything in this proof-of-concept attack is just putting things we already knew were possible together.
• Bootkitty is still just PoC level and useless on real production systems, since it still works only on a single Ubuntu kernel.
• Bootkitty is still not a real bootkit, just a component that's part of enabling the Secure Boot bypass, and trivial to remove and detect.
• This whole thing is still not persistent in any way in firmware, and trivial to remove. The LogoFAIL exploit is also stored on disk, not anywhere in firmware.
• This is not a remote exploit, or a local user exploit. You need root to install it, there is no extra OS-level exploit chain anywhere to be seen.

The only news here is that someone decided to use LogoFAIL, which again was discovered a year ago, to create the capability of installing a traditional, old school kernel rootkit on UEFI Secure Boot systems without user consent on reboot. Which, again, is obviously possible when you have something like LogoFAIL. And you still need root access to install any of this.

To reiterate, this only matters if your threat model is an attacker might get root on my system, but they won't be able to install a kernel-level rootkit because I use Secure Boot, oh and also I didn't bother to patch LogoFAIL. Note that under this model an attacker can still install user-level rootkits anyway, so it's... certainly an interesting model. Also note that under this model an attacker can also just install any old known-vulnerable-to-something distro kernel (there is no revocation for those) and then exploit it to add the rootkit on every boot, achieving the same result of a module rootkit on a Secure Boot system without any of the LogoFAIL or Bootkitty nonsense. You could even just kexec into a backdoored newer kernel that way.

So, cute and interesting, yes. Still a PoC and a nothingburger for the security world. If you rely on UEFI Secure Boot's guarantees and you haven't patched LogoFAIL one year later, that's on you.

And if you take the Secure Boot stuff seriously you should probably get an Apple Silicon Mac anyway, because UEFI Secure Boot is Swiss cheese with a massive attack surface and stuff like LogoFAIL is bound to keep happening.

Edit: Aaaand it indeed was a student project.

Guys; you should try binary ninja on reversing c++ classes. Look at this writeup from Sean Deaton.

Gotta RE 'em All: Reversing C++ Virtual Function Tables with Binary Ninja

https://www.seandeaton.com/gotta-re-em-all-reversing-c-virtual-function-tables-with-binary-ninja/

#binaryninja #binary_ninja #binary #ninja #reversing #reverseengineering #cpp

SoK: Prudent Evaluation Practices for #Fuzzing

https://arxiv.org/pdf/2405.10220

#frombsky

Here’s how stupid me got his bot banned from Bsky:

• I accidentally commited a debug raise that caused my script to exit with error
• The systemd unit running the script was configured with Restart=always, because I usually just copy these configs :P
• Turns out, systemd restarts services really fast on failed status

On the plus side Bsky’s API errors are pretty informative about what went wrong and when the ban will be lifted. Unfortunately because of that stupid raise I lost the logs of why the first failures (before the ban) happened :/

Moral?

Sent from Amsterdam, Netherlands on February 20, 1996. https://postcardware.net/?id=4-49

A collection of Charles Babbage Institute newsletters from the 80s and 90s
I couldn't find scans on line at the CBI website.
Lots of interesting information on how they came to be and what there collecting strategy was.
https://bitsavers.org/pdf/charlesBabbageInstitute/newsletters

#bitsavers