docs.daveops.net

Snippets for yer computer needs

Journal

November 2018

VirtualBox 0day

One of the most lucid breaks I’ve seen in a while https://github.com/MorteNoir1/virtualbox_e1000_0day

October 2018

libssh causes massive freakout

https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ https://www.libssh.org/security/advisories/CVE-2018-10933.txt

September 2018

Alpine APK

https://justi.cz/security/2018/09/13/alpine-apk-rce.html

August 2018

Another Struts RCE

https://semmle.com/news/apache-struts-CVE-2018-11776

RANSOM

Routing Around Nation-States: Overlays and Measurements https://ransom.cs.princeton.edu/

OpenSSH user oracle

http://www.openwall.com/lists/oss-security/2018/08/15/5 http://www.openwall.com/lists/oss-security/2018/08/24/1

Intel L1 bug

https://www.theregister.co.uk/2018/08/14/intel_l1_terminal_fault_bugs/ https://lwn.net/Articles/762570/

July 2018

NetSpectre

https://misc0110.net/web/files/netspectre.pdf

Bluetooth broken again

https://www.kb.cert.org/vuls/id/304725

More Spectre defenses

https://arxiv.org/abs/1807.05843

June 2018

Microsoft buys GitHub

https://johansen.software/github-xp/

Simon and Speck

https://www.spinics.net/lists/linux-crypto/msg33291.html

May 2018

Throwhammer

I wonder how long before Rowhammer-style attacks make their way to networking equipment… https://www.cs.vu.nl/~herbertb/download/papers/throwhammer_atc18.pdf

EFail

A broken embargo, and lots of finger pointing. Security is awesome! https://efail.de/

Nethammer

https://arxiv.org/pdf/1805.04956.pdf

April 2018

patch runs ed

http://rachelbythebay.com/w/2018/04/05/bangpatch/

Xz format inadequate for long-term archiving

(from the lzip format author) https://www.nongnu.org/lzip/xz_inadequate.html

This of course is sad because we software developers are among the few people who are able to understand the strengths and weaknesses of formats. We have a moral duty to choose wisely the formats we use because everybody else will blindly use whatever formats we choose.

March 2018

Exim pre-auth RCE

https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/

Juggling with packets

As such, the Internet has a non-zero momentary data storage capacity.
It is possible to push out a piece of information and effectively have
it stored until echoed back. By establishing a mechanism for cyclic
transmission and reception of chunks of data to and from a number of
remote hosts, it is possible to maintain an arbitrary amount of data
constantly `on the wire', thus establishing a high-capacity volatile
medium.

http://lcamtuf.coredump.cx/juggling_with_packets.txt

Temporal Return Addresses (2005)

Paper (PDF)

An exploitation chronomancer is one who is capable of divining the best time to exploit something based on the alignment of certain bytes that occur naturally in a process’ address space

Abusing Certificate Transparency logs

https://github.com/UnaPibaGeek/ctfr

February 2018

Audio Adversarial Examples

Because the computer is always right. Only a matter of time before there’s malware hidden in the next pop hit. https://nicholas.carlini.com/code/audio_adversarial_examples/

30-year-old OpenVMS local root vuln

https://www.theregister.co.uk/AMP/2018/02/06/openvms_vulnerability/

Meltdown/Spectre (continued)

http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ Spectre Mitigations in Microsoft’s C/C++ Compiler; Intel Analysis of Speculative Execution Side Channels (PDF); AMD Indirect Branch Control Extension (PDF)

December 2018

Meltdown/Spectre

Throw out all your computers. Again.

Intel CPU Design Flaw; Meltdown and Spectre attack; Reading privileged memory with a side-channel; AMD processors unaffected; Apple deals with KPTI with DoubleMap; As expected, Intel’s CEO dumps his stock; Retpoline; Theo de Raadt talking about Intel flaws back in 2007

IOHIDeous

This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user.

https://siguza.github.io/IOHIDeous/

MSPaint in your browser

http://jspaint.ml/

December 2017

Advent calendar season

Avast open-sources their decompiler

https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

ROBOT Attack

It has been X many days since last TLS disaster https://robotattack.org/

Microsoft Quantum Development Kit

https://www.microsoft.com/en-us/quantum/development-kit Writing a Quantum Program

AP Christmas Tree

https://imgur.com/gallery/DZRTr

BrickerBot update

Dude destroys tons of equipment, points out internet is broken. http://archive.is/PQAnU

Amazingly, the ISP didn’t try to cover up the outage as some kind of network issue, power spike or a bad firmware upgrade. They didn’t lie to their customers at all. Instead, they promptly published a press release about their modems having been vulnerable which allowed their customers to assess their potential risk exposure. What did the most honest ISP in the world get for its laudable transparency? Sadly it got little more than criticism and bad press. It’s still the most depressing case of ‘why we can’t have nice things’ to me, and probably the main reason for why 99% of security mistakes get covered up and the actual victims get left in the dark. Too often ‘responsible disclosure’ simply becomes a euphemism for ‘coverup.’

Send Crypto People Tulips

Like shorting the market, but funnier https://sendcryptopeopletulips.com/

November 2017

Fooling Neural Networks/Machine Learning

https://arxiv.org/abs/1708.05207 http://www.labsix.org/physical-objects-that-fool-neural-nets/ https://cvdazzle.com/ http://dismagazine.com/dystopia/evolved-lifestyles/8115/anti-surveillance-how-to-hide-from-machines/

So… MINIX is everywhere

Turns out there’s a lot of garbage hidden on CPUs these days. Work is underway to defang the nastiness. https://www.networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html https://schd.ws/hosted_files/osseu17/84/Replace%20UEFI%20with%20Linux.pdf

Code exec from VMWare guest

VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in VMNAT device. This issue may allow a guest to execute code on the host.

https://www.vmware.com/ca/security/advisories/VMSA-2017-0018.html

Intel ME is unsurprisingly vulnerable

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

Linus Rant du Jour

If it's been on a random cellphone for a few months, and real users
used it, and had facebook and candy crush running on it, that's a
pretty different deal.

https://lkml.org/lkml/2017/11/21/356 http://lkml.iu.edu/hypermail/linux/kernel/1711.2/01701.html

instant root on macOS High Sierra

I honestly have no words for how dumb this is.

http://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

fix:

sudo passwd -u root
dsenableroot -d

October 2017

CommonMark

It turns out having 20+ Markdown implementations with no spec is a bad idea. Let’s see how long before there’s a competing spec ;-) http://commonmark.org/

dnsmasq RCEs

Wouldn’t it be nice if we stopped writing critical system services in C? Nah. https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Google teapot

https://www.google.com/teapot

Macro-less code exec in MS Word

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

A2 Analog Attack

An older one, but a great read. https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

The Pathologies of Big Data

http://queue.acm.org/detail.cfm?id=1563874

“In designing applications to handle ever-increasing amounts of data, developers would do well to remember that hardware specs are improving too, and keep in mind the so-called ZOI (zero-one-infinity) rule, which states that a program should “allow none of foo, one of foo, or any number of foo.” That is, limits should not be arbitrary; ideally, one should be able to do as much with software as the hardware platform allows.”

“… big data should be defined at any point in time as “data whose size forces us to look beyond the tried-and-true methods that are prevalent at that time.””

KRACK Attack

WPA2 is broken, hum-de-dum https://www.krackattacks.com/ https://github.com/vanhoefm/krackattacks

September 2017

BlueBorne attack

https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/ http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

It turns out most Bluetooth stacks are terrible.

Design of Display Processors

https://twitter.com/rob_pike/status/907164275965255685 http://cva.stanford.edu/classes/cs99s/papers/myer-sutherland-design-of-display-processors.pdf

Distrusting Symantec Certs

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

ABI Compliance Checker

http://ispras.linuxbase.org/index.php/ABI_compliance_checker

Sandsifter

Black Hat presentation https://github.com/xoreaxeaxeax/sandsifter

Root Causes of Chrome Certificate Errors

https://research.google.com/pubs/pub46359.html

To our surprise, we find that more than half of errors are caused by client-side or network issues instead of server misconfigurations.

CLKSCREW

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang

More Intel ME 0wnage

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Fake packages in PyPI

http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Optionsbleed

CVE-2017-9798 https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks

http://blog.talosintelligence.com/2017/09/fin7-stealer.html

What makes this one interesting is the obfuscation techniques:

The function body of the evaluated JavaScript appears to be within a multi-line comment, however, in reality this is evaluated as a multi-line string.

Linux PIE/stack corruption (CVE-2017-1000253)

https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt