[oss-security] CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass

https://www.openwall.com/lists/oss-security/2025/04/18/3

"servers could abuse the unbounded deserialization *in the client* to provide malicious responses that may eventually cause arbitrary code execution on the client"

"The project is considering to [...] drop this part of the NMS API altogether."

Proper root cause analysis of the Erlang/OTP SSH bug (CVE-2025-32433):

https://www.openwall.com/lists/oss-security/2025/04/18/2

I spent all morning trying to decode the Apple Positional Audio Codec (APAC)’s GlobalConfig from its MPEG4 Sample Description Box (stsd).

If you want to follow along:

• the codec is in /System/Library/Frameworks/AudioToolbox.framework/AudioCodecs
• See apac::GlobalConfig::Serialize and apac::GlobalConfig::Deserialize
• If you need a sample file: afconvert -o sound.m4a -d apac -f mp4f sound.wav
• Or grab a sample file from https://trac.ffmpeg.org/ticket/11480
• Pull the stsd from the m4a with mp4extract --payload-only moov/trak[0]/mdia/minf/stbl/stsd/apac sound.m4a sound_config.bin
• The config starts after dapa then 4 0x00 bytes
• First two bytes of the apac bitstream are 0x08 0x00 (see IsAPACBitstreamVersionValid / ACAPACBaseEncoder::GetMagicCookie)
• followed by the GlobalConfig

If you know, you know...

Released new Pwndbg: 2025.04.18

It adds display of breakpoints in the disasm view, new libcinfo command, improves attachp & hexdump commands, UI, TUI and more. Also, command names use "-" istead of "_" now for consistency.

Read more and download it on https://github.com/pwndbg/pwndbg/releases/tag/2025.04.18 !

#pwndbg #gdb #binaryexploitation #ctf #security #tools

Oof. Reportedly, if you got a certificate from SSL.com by putting “example[@]gmail.com” at _validation-contactemail.example.com, they would add gmail.com (!!!) to your verified domains.

A good reminder to use the CAA record, and to sign up for CT monitoring (e.g. Cert Spotter).

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

TIC80 jam just kicked off, with a DJ set from Commander Homer!

https://streaming.media.ccc.de/revision2025/revision

#Revision2025

After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.

As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).

👉https://blog.washi.dev/posts/recovering-nativeaot-metadata/

CVE-2025-25364: Speedify VPN MacOS privilege Escalation https://blog.securelayer7.net/cve-2025-25364-speedify-vpn-macos-escalation/

Take Action: Defend the @internetarchive - https://blog.archive.org/2025/04/17/take-action-defend-the-internet-archive/ "This lawsuit is an existential threat to the Internet Archive and everything we preserve—including the Wayback Machine, a cornerstone of memory and preservation on the internet." please sign the open letter if you can

Fun fact:

💁 The oldest known buffer overflow vuln dates back to UNIX V6 login

💁‍♀️ It appeared in a 1981 post by Truscott & Ellis (better known for inventing Usenet)

💁‍♂️ The next overflow vuln was fingerd, 1988

Bonus fact:

🙅 The login vuln isn’t real:

https://www.tuhs.org/cgi-bin/utree.pl?file=V6/usr/source/s1/login.c

Multiple vulnerabilities in libxml2 https://www.openwall.com/lists/oss-security/2025/04/17/3
CVE-2025-32414: Buffer overflow when parsing text streams with Python API
Python Package Index contains outdated and unsanctioned vulnerable upload
CVE-2025-32415: Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables

It was only a matter of time - a contracted, approved grant to the Internet Archive was cut with no warning.

https://sfstandard.com/2025/04/17/doge-neh-funding-cuts-sf/

The first edition of the #CHERIoT book has been published!

The eBook editions are available for purchase now from a few retailers, print editions will take a bit longer to appear (up to two weeks). And, of course, the drafts of the second edition remain free (HTML, ePub, PDF) from the CHERIoT site

Thanks to Discribe Hub for funding a lot of the work on this edition!

oss-security - Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://www.openwall.com/lists/oss-security/2025/04/18/1

Exploit published ^

microsoft word, the predecessor to microsoft dword,

Quite proud of myself for successfully building a Windows 16-bit application that runs on Windows 3.1 - all dialog-based, and it makes network connections, too! Compiled with Visual C++ 1.52 on XP, it works on this old system. Consumes 14kb disk space and does everything in even less RAM :)

https://techcommunity.microsoft.com/blog/windows-itpro-blog/hotpatch-for-windows-client-now-available/4399808 Finally! I personally worked on Hotpatch, together with my team 3 years ago... and now is finally approaching client versions of Windows... Yuuuyuuu!

My new blog for Check Point Research - check it out! 💙 // #ProcessInjection : #WaitingThreadHijacking

https://bird.makeup/@_cpresearch_/1911835975006777818

I am thrilled to be back and offer the in-person training once again at Hexacon, the fabulous conf. in Paris
https://hexacon.fr/trainer/tanda/

Get hands-on experience with virtualization and learn real-world applications and bugs of them!

The tickets will be available for purchase soon.

https://bird.makeup/@hexacon_fr/1912154010062094633