After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.

As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).

👉https://blog.washi.dev/posts/recovering-nativeaot-metadata/

CVE-2025-25364: Speedify VPN MacOS privilege Escalation https://blog.securelayer7.net/cve-2025-25364-speedify-vpn-macos-escalation/

Take Action: Defend the @internetarchive - https://blog.archive.org/2025/04/17/take-action-defend-the-internet-archive/ "This lawsuit is an existential threat to the Internet Archive and everything we preserve—including the Wayback Machine, a cornerstone of memory and preservation on the internet." please sign the open letter if you can

Fun fact:

💁 The oldest known buffer overflow vuln dates back to UNIX V6 login

💁‍♀️ It appeared in a 1981 post by Truscott & Ellis (better known for inventing Usenet)

💁‍♂️ The next overflow vuln was fingerd, 1988

Bonus fact:

🙅 The login vuln isn’t real:

https://www.tuhs.org/cgi-bin/utree.pl?file=V6/usr/source/s1/login.c

Multiple vulnerabilities in libxml2 https://www.openwall.com/lists/oss-security/2025/04/17/3
CVE-2025-32414: Buffer overflow when parsing text streams with Python API
Python Package Index contains outdated and unsanctioned vulnerable upload
CVE-2025-32415: Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables

It was only a matter of time - a contracted, approved grant to the Internet Archive was cut with no warning.

https://sfstandard.com/2025/04/17/doge-neh-funding-cuts-sf/

The first edition of the #CHERIoT book has been published!

The eBook editions are available for purchase now from a few retailers, print editions will take a bit longer to appear (up to two weeks). And, of course, the drafts of the second edition remain free (HTML, ePub, PDF) from the CHERIoT site

Thanks to Discribe Hub for funding a lot of the work on this edition!

oss-security - Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://www.openwall.com/lists/oss-security/2025/04/18/1

Exploit published ^

microsoft word, the predecessor to microsoft dword,

Quite proud of myself for successfully building a Windows 16-bit application that runs on Windows 3.1 - all dialog-based, and it makes network connections, too! Compiled with Visual C++ 1.52 on XP, it works on this old system. Consumes 14kb disk space and does everything in even less RAM :)

https://techcommunity.microsoft.com/blog/windows-itpro-blog/hotpatch-for-windows-client-now-available/4399808 Finally! I personally worked on Hotpatch, together with my team 3 years ago... and now is finally approaching client versions of Windows... Yuuuyuuu!

My new blog for Check Point Research - check it out! 💙 // #ProcessInjection : #WaitingThreadHijacking

https://bird.makeup/@_cpresearch_/1911835975006777818

I am thrilled to be back and offer the in-person training once again at Hexacon, the fabulous conf. in Paris
https://hexacon.fr/trainer/tanda/

Get hands-on experience with virtualization and learn real-world applications and bugs of them!

The tickets will be available for purchase soon.

https://bird.makeup/@hexacon_fr/1912154010062094633

Interesting links of the week:

Strategy:

* https://en.wikipedia.org/wiki/SIPOC - modelling systems with SIPOC
* https://www.thecvefoundation.org/ - the CVE foundation
* https://euvd.enisa.europa.eu/ - EU bug jail
* https://xntrik.wtf/aisa2024/ - @xntrik maps threats with https://threatcl.github.io/
* https://threatspec.org/ - the ThreatSpec

Threats:

* https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol - a novel phishing attack involving RDP

Detection:

* https://rulehound.com/rules - a single place to find interesting detection engineering ideas

Bugs:

* https://bugs.chromium.org/p/chromium/issues/detail?id=584535 - an 11 year old bug in every browser, still not dead!

Exploitation:

* https://silentsignal.github.io/BelowMI/ - memory management on System i courtesy of @buherator
* https://github.com/N1ckDunn/SOSLInjection/blob/main/SOSLInjection.pdf - Sal''esforce \o/
* https://github.com/N1ckDunn/DoubleFetch/blob/main/Double-FetchVulnerabilitiesInC.pdf - exploiting double fetch

Hard hacks:

* https://xairy.io/articles/thinkpad-xdci - emulating USB on a ThinkPad
* https://www.rtl-sdr.com/dragonos-lte-imsi-sniffing-using-the-lte-sniffer-tool-and-an-ettus-x310-sdr/ - build your own LTE sniffer
* https://blog.sesse.net/blog/tech/2025-04-05-10-57_cisco_2504_password_extraction.html - extracting passwords from Cisco WLC
* https://www.prizmlabs.io/post/remote-rootkits-uncovering-a-0-click-rce-in-the-supernote-nomad-e-ink-tablet - exploiting the Nomad e-ink tablet

Nerd:

* https://ukparliament.github.io/ontologies/meta/bots/ - UK parliamentary bots
* https://mwl.io/fiction/crime - Git drives people to murder
* https://changelog.complete.org/archives/10768-announcing-the-nncpnet-email-network - building a new mail protocol

#security, #research

Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits

Alexander Popov @a13xp0p0v published the slides from his talk at Zer0Con 2025. In this talk, he presented the kernel-hack-drill open-source project and showed how it helped him to exploit CVE-2024-50264 in the Linux kernel.

Slides: https://a13xp0p0v.github.io/img/Alexander_Popov-Kernel_Hack_Drill-Zer0Con.pdf
Project: https://github.com/a13xp0p0v/kernel-hack-drill

Love the absolute units! (And I suck at photography)

Did a post on the personal blog (i.e., “the views expressed by me do not…blah blah”) — “Trump’s Retaliation Against Chris Krebs — and the Cybersecurity Industry’s Deafening Silence”.

Unlike most years, everyone attending RSA next week has a tangible, meaningful opportunity to make a difference.

Be better than the complicit cowards (humans & vendors) in our industry, speak up, & hold folks accountable.

Otherwise, “Many Voices. One Community” is just BS RSA marketing.

https://rud.is/b/2025/04/17/trumps-retaliation-against-chris-krebs-and-the-cybersecurity-industrys-deafening-silence/

"Providers are pushed to spend less time caring for each patient as health systems move to reduce costs and increase revenue under the technological principle of maximal efficiency and output. But medicine was never intended to be another industrial complex."

This essay is beautiful and powerful.

https://www.statnews.com/2025/04/15/ai-scribes-artificial-intelligence-medicine-note-writing-physician-patient-relationship/

Today my #rust compiler told me "expected future, found a different future".

And I'm like: me too buddy, me too

[RSS] New writeup: a vulnerability in PHP's extract() function allows attackers to trigger a double-free, which in turn allows arbitrary code execution (native code)

https://ssd-disclosure.com/ssd-advisory-extract-double-free5-x-use-after-free7-x-8-x/

Can't find official identifiers for this, the GitHub advisory link is broken...