If you are using Signal, and you are doing something the government considers illegal, the way they are going to read your messages about it is they will arrest the person you sent the messages *to*, and make your counterparty show them the logs. We know this because this technique came up again and again in, for example, the Jan. 6 court filings.

There may, hypothetically, be other Signal exploits available to a government, but this is the one they will use, because it works.

Via my son:

#pinky #brain

I just published a blog post about getaddrinfo and all the other weird DNS APIs that we use in Firefox to resolve HTTPS records.

https://valentin.gosu.se/blog/2025/02/getaddrinfo-sucks-everything-else-is-much-worse

All this was part of the talk I gave at FOSDEM last weekend.

ROPing our way to “Yay, RCE” - and a lesson in the importance of a good nights sleep!

From vulnerability to exploit - follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http

Via Return-Oriented Programming chain small code snippets, or gadgets, already present in a program’s memory can be leveraged

By chaining these gadgets together, they can execute arbitrary code without injecting anything new

Dive into the process of reverse engineering, gadget hunting, and crafting a working exploit.

Learn all about it in Michaels full report.

https://modzero.com/en/blog/roping-our-way-to-rce/

Why pay for search?

(Illustration by @chazhutton for Kagi)

#Kagi #AdFree #Search #Privacy

Well I guess these folks are fucked, huh

[RSS] Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)

https://blog.0patch.com/2025/02/micropatches-released-for-windows-ole.html

Daniel weekly February 7, 2025

https://lists.haxx.se/pipermail/daniel/2025-February/000099.html

old security, ssh security, BBC, URLs from file, you can help, curl up CVE-2024-7264, EOSAwards, Workshop, FOSDEM, 1337, release, regressions, release candidates, codeql, no goods

If you use Signal, Discord, or any other messaging app and you DON'T want Google or Apple monitoring/reading/learning from your messages, follow these steps.

Android:
1. Open Google app
2. Tap your profile photo
3. Settings
4. Google Assistant
5. "Your Apps"
6. Choose the app (e.g., Signal)
7. Toggle "Let your assistant learn from this app" off

iPhone:
1. Settings
2. Apps
3. Choose the app (e.g., Signal)
4. Toggle Apple intelligence or Siri settings to off (“learn from this app”)

Here is a follow-on rundown of CVE-2024-40890, affecting the HTTP interface of EOL Zyxel CPE routers. Don't forget to filter user input for `\n` 😉 Pairs quite nicely with the supervisor (backdoor) / zyuser user accounts.

https://vulncheck.com/blog/zyxel-http-vuln

Windows Telephony Services: 2025 Patch Diffing & Analysis https://blog.securelayer7.net/windows-telephony-services-2025-patch-diffing-and-analysis-pt-1/

Creating a toy operating system

https://github.com/cfenollosa/os-tutorial

https://539kernel.com/

https://github.com/tuhdo/os01/blob/master/Operating_Systems_From_0_to_1.pdf

UK orders Apple to put backdoor in iCloud encryption (Advanced Data Protection, which is end-to-end encrypted):
https://www.theverge.com/news/608145/apple-uk-icloud-encrypted-backups-spying-snoopers-charter

The way this plays out is that UK iPhones lose the Advanced Data Protection feature, right?
Right??

Big news in Italy around the government misusing Paragon, and Paragon ended up cutting the contract citing misuse/ethical violations.
I commend Paragon on this one, the misuse was pretty blatant and as Italian sad to see. This is how the industry should react to misuse!

****For students and private individuals (not paid by a company) ONLY***

We are releasing a very limited amount of tickets for students and private individuals.

These tickets will be discounted in price and are separate from the waiting list.

Please email us with your story and background on why you want the ticket to info(at)offensivecon(dot)org

Students will have to bring a valid student ID to the conference.

We would love to see submissions from anyone.
Time is running out. Don’t let the ticket to @reverseconf go to waste.

For those who are stuck at the exploitation part, the picture we showed previously and this article will help a bit
https://github.com/vp777/Windows-Non-Paged-Pool-Overflow-Exploitation

https://bird.makeup/@starlabs_sg/1877697987758960773

[RSS] CVE-2024-55957: Local Privilege Escalation Vulnerability in Thermo Scientific(TM) Xcalibur(TM) and Foundation software

https://tierzerosecurity.co.nz/2025/02/07/cve-2024-55957.html

My 10k-word writeup on exploiting a heap-overflow in Llama.cpp's RPC Server's Tensor-operation to RCE. This by far is one of the most challenging but fun exploitation I've ever researched on.

https://retr0.blog/blog/llama-rpc-rce

Status: after two days of intensive calculation the whopping 1MB CalDAV import failed somewhere between 87-100% and I have no clue what was done and what needs to be fixed. #Thunderbird

Fortunately I found a solution that did the job in 5 mins at server-side:

https://www.reddit.com/r/selfhosted/comments/jbnu1l/how_would_i_push_an_ics_to_a_caldav_server/

CVE-2024-43625 - 2024-Nov - Microsoft Windows VMSwitch Elevation of Privilege - Use After Free - CVSS 8.1

#ghidriff vmwsitch diff
https://gist.github.com/clearbluejar/b5c12615270a54d031dc13a7d07988c9
👀🔥

Side-by-side view: https://diffpreview.github.io/?b5c12615270a54d031dc13a7d07988c9 🧐

A patch diffing 🧵...