It finally happened… I’ve been published on #Phrack! After more than five years since the last issue, #Phrack70 is out, featuring my article “Exploiting a Format String Bug in Solaris CDE”! I guess I can retire now 🐛
phrack.org/issues/70/13.html…
CVE-2022-26766: the CoreTrust bug
"For years, macOS allowed any root certificate when checking code signatures, making code signing completely useless."
// bug discovered by @LinusHenze
// writeup by @zhuowei worthdoingbadly.com/coretrus…
As it turns out, a non-negligible number of people in infosec don’t know what L0phtCrack is and, I assume by extension, what L0pht is.
I suppose it’s somewhat normal but it shouldn’t be. Our roots are important. We should not forget them. I think.
Always a great read:
dolosgroup.io/blog/2021/7/9/…
“We took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network.”
Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent 🤨
github.com/irsl/gcp-dhcp-tak…
My unsolicited advice to young hackers: don’t get stuck for too long with CTFs, don’t be afraid to move to real-world stuff. It’s more fulfilling and interesting than you think.
Chances are that real-world challenges are even easier than CTFs (for some definitions of “easier”).
For all the people out there learning to hack their way through @offsectraining #OSCP and other #CTF-style challenges, I’m gonna tweet a few high quality resources. Here we go…
WordPress 5.0.0 Remote Code Execution
“This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability lead to RCE in the WordPress core. The vulnerability remained uncovered for over 6 years.”
blog.ripstech.com/2019/wordp…
CVE-2022-43995 is really something.
Sudo 1.8.0 through 1.9.12 contains an array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by local users with access to Sudo by entering a password of 7 chars or fewer.
github.com/sudo-project/sudo…
“AD is a system where any time you hack any computer on the network, you can become the domain controller, and own the whole company. That’s just how it works.”
—@daveaitel
Just a reminder that sshuttle is awesome
“Transparent proxy server that works as a poor man’s VPN. Forwards over ssh. Doesn’t require admin. Works with Linux and MacOS. Supports DNS tunneling.”
github.com/sshuttle/sshuttle
This is a bit dated, but it's a very well written article on the vulnerability research process, from setting up the environment to target selection, and from bug hunting via fuzzing to exploitation. Very recommended reading.
medium.com/@maxi./finding-an…
“mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse.”
github.com/blackarrowsec/mss…
I was investigating another 0day, when I noticed that Solaris 11 is also affected by the recent Xorg local privilege escalation vulnerability (CVE-2018-14665).
Here’s my fresh exploit:
github.com/0xdea/exploits/bl…
Please read comments carefully before running it.
Awesome Linux kernel vuln-dev writeup from a few months ago 👏
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google’s KCTF Containers
willsroot.io/2022/01/cve-202…
Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
secura.com/blog/zero-logon
Hmm, it looks bad. Looking forward to reading the whitepaper tomorrow!
Shufflecake is a tool for Linux that allows creating multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes.
research.kudelskisecurity.co…
CVE-2023-26604: "[...] This presents a substantial security risk when running systemctl from Sudo, because #less executes as root when the terminal size is too small to show the complete systemctl output."
medium.com/@zenmoviefornotif…
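The pager escape quoted above comes down to a sudoers rule that lets a user run a pager-capable command as root without any restriction on what that pager may spawn. The checker below is an added example and is not part of the tweet or of any project it links; it scans sudoers-style rules (a constructed sample, not a real host's file) and flags rules granting systemctl or journalctl as root without sudo's NOEXEC tag, which stops the command from executing further programs. The list of systemctl verbs treated as "paging" is an assumption made for the example.

```python
"""Flag sudoers rules that hand a root-privileged pager to a user.

Constructed example for the CVE-2023-26604 discussion: a rule such as
"ops ALL=(root) /usr/bin/systemctl status *" lets less run as root when the
output does not fit the terminal; the sudoers NOEXEC tag blocks the pager
from exec'ing anything else. The sample sudoers text is constructed.
"""
import re

# Constructed sample sudoers content (not from any real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/ops (constructed example)
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ops   ALL=(root) /usr/bin/systemctl status *
ops   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
audit ALL=(root) NOEXEC: /usr/bin/systemctl status *
dev   ALL=(root) /usr/bin/journalctl -u nginx
web   ALL=(root) /usr/sbin/nginx -t
"""

# systemctl verbs that produce output through the pager (assumed list for
# this example; journalctl always pages when attached to a terminal).
PAGING_VERBS = {"status", "show", "cat", "list-units", "list-unit-files",
                "list-timers"}

# user  host=(runas) [TAG: ...] command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_rules(text):
    """Yield (user, tags, command) for each user-specification line,
    skipping comments, blank lines and Defaults entries."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        yield m.group("user"), tags, m.group("cmd").strip()


def may_page(cmd):
    """True if the granted command can hand its output to a pager."""
    parts = cmd.split()
    binary = parts[0].rsplit("/", 1)[-1]
    if binary == "journalctl":
        return True
    if binary == "systemctl":
        # A bare "systemctl" or a wildcard first argument permits any verb.
        return len(parts) == 1 or parts[1] == "*" or parts[1] in PAGING_VERBS
    return False


def find_pager_escapes(text):
    """Return (user, command) for rules that run a pager-capable command
    as root without the NOEXEC tag."""
    findings = []
    for user, tags, cmd in parse_rules(text):
        if may_page(cmd) and "NOEXEC" not in tags:
            findings.append((user, cmd))
    return findings


def hardened_rule(user, cmd):
    """Rewrite a flagged rule with the NOEXEC tag added."""
    return f"{user} ALL=(root) NOEXEC: {cmd}"


if __name__ == "__main__":
    for user, cmd in find_pager_escapes(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}\n    suggested: {hardened_rule(user, cmd)}")
```

NOEXEC addresses the pager spawning a shell; it is independent of, and complements, running a systemd version that sets LESSSECURE=1 for a root pager, or forcing a non-interactive pager with SYSTEMD_PAGER=cat in the environment the rule allows.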
This is pretty cool:
github.com/0xsobky/HackVault…
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
And here’s the original article that applied a similar methodology, by @wcbowling
GitHub - RCE via git option injection (almost) - $20,000 Bounty
devcraft.io/2020/10/18/githu…
Long, detailed read that digs into the recent dirty pipe vulnerability of the Linux kernel
Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)
lolcads.github.io/posts/2022…
Today I realized young hackers don’t know about THC/ADM/teso/etc.
I also realized there are no modern hacking crews, except perhaps for CTF teams.
That’s probably to be expected but it’s also kinda sad, dunno…
A minimal operating system (2K LOC) on #QEMU and a RISC-V board
“This project's vision is to help every college student read all the code of an operating system.” 👏
github.com/yhzhang0128/egos-…
This is pretty handy: knowledge base of exploit mitigations available across numerous operating systems, architectures and applications and versions, by @NCCGroupInfosec github.com/nccgroup/exploit_…
Impacket implementation of the PrintNightmare PoC originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)
Tested on a fully patched 2019 Domain Controller
Execute malicious DLLs remotely or locally
github.com/cube0x0/CVE-2021-…
“A lot of us have built lives, careers, and considerable material comfort on top of something that people told us to stop doing for most of our youth.”
— @halvarflake
New tool from p0: weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.
github.com/googleprojectzero…