[RSS] A design flaw in the Windows 3D Pipes screen saver pointed out by a customer

https://devblogs.microsoft.com/oldnewthing/20241224-00/?p=110675

[RSS] Everyday #Ghidra: Symbols -- Automatic Symbol Acquisition with Ghidra -- Part 2

https://clearbluejar.github.io/posts/everyday-ghidra-symbols-automatic-symbol-acquisition-with-ghidra-part-2/

[RSS] An Initial Analysis of Adobe ColdFusion CVE-2024-53961

https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html

[RSS] ghidralib - A Pythonic Ghidra standard library

https://github.com/msm-code/ghidralib

#Ghidra

[RSS] Exploiting Second Order SQL Injection with Stored Procedures

https://www.netspi.com/blog/technical-blog/web-application-pentesting/second-order-sql-injection-with-stored-procedures-dns-based-egress/

[RSS] A functionally complete decompilation of LEGO Island (1997)

https://github.com/isledecomp/isle

[RSS] Starship, Star Fox 64 recompilation project

https://github.com/HarbourMasters/Starship

OK, this is my summary for today

#Rust

Hewlett Packard report that they are spotting AI-generated malware in the wild, not through complex analysis or watermarking, but because… it is weirdly well-commented. https://threatresearch.ext.hp.com/wp-content/uploads/2024/09/HP_Wolf_Security_Threat_Insights_Report_September_2024.pdf

I'm at about third of the 100 #Rust exercises and I think we just got to the "Draw the rest of the fucking owl" part 🖊

I find CVE-2024-40896 (Raptor/libxml2 XXE) very educational:

Based on the analysis[1] it's a nice example of Chesterton’s Fence[2], while its discovery[3] underlines the importance of automated testing for regressions and known dangerous behavior.

[1] https://www.openwall.com/lists/oss-security/2024/12/25/2 (thx @alexandreborges for sharing!)
[2] https://fs.blog/chestertons-fence/
[3] https://gitlab.gnome.org/GNOME/libxml2/-/issues/761

CVE-2024-40896 Analysis: libxml2 XXE due to type confusion

https://www.openwall.com/lists/oss-security/2024/12/25/2

#cve #linux #libxml2 #xxe #vulnerability #exploitation #bug #typeconfusion

Find your first zero-day vulnerability!

In this article, we want to share a step-by-step guide on how to run American Fuzzy Lop ++ (AFL++) to fuzz an open source target.
https://www.hackers-arise.com/post/exploit-development-fuzzing-with-american-fuzzy-lop-afl-to-find-zero-day-vulnerabilities
#AFL #Fuzzing #Hacking #ZeroDay

Safe #Rust AIN'T SAFE!? (cve-rs explainer)

https://youtu.be/vfMpIsJwpjU

🤣🤣🤣
[CVE-2024-40896][libxml2] XXE protection broken in downstream code
https://gitlab.gnome.org/GNOME/libxml2/-/issues/761
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6

"...bug should occur if you compile libraptor with the commit above and libxml2 2.11 or greater."

PoC:
https://git.libreoffice.org/core/+/cdda6533b44333b18d3dc6306dfd0f7058e40b32/unoxml/qa/unit/data/cve_2012_0037.rdf

🎄 All I Want for Christmas is a CVE-2024-30085 Exploit 🎄
As always, we at @starlabs_sg are sharing what we learnt. This time, it's brought to you by Cherie-Anne Lee

https://starlabs.sg/blog/2024/all-i-want-for-christmas-is-a-cve-2024-30085-exploit/

More than funds, what Wikipedia really needs is more good editors. The number of people who regularly edit articles in English Wikipedia hasn't grown substantially in years, while the number of articles has, and editor demographics remains skewed. The foundation itself largely stays away from editing, leaving it to volunteers. While articles that get a lot of attention are often good, it's not hard to find ones with biased and promotional content in less-visited topics, and in other languages.

Oh my god, I just learned of a hilariously obvious bug that Nintendo (of all companies) failed to fix.

So, NES & SNES games often have a problem with pressing left+right and up+down, at the same time. This is because that's not supposed to be possible. It's physically prevented from happening by the design of the controller itself.

Former NSA cyberspy's not-so-secret hobby – Xmas light hacks • The Register
https://www.theregister.com/2024/12/25/joyce_christmas_lights/

#frombsky

Elon Musk has ordered everyone to stop donating to Wikipedia.

I never started, until this morning.

https://donate.wikimedia.org is the link, if anyone feels like disobeying a direct order from a billionaire jerkwad.