I’ve started a new security company together with
@claudijd
: Asymmetric Research (
@asymmetric_re
/ ). If you are a strong security engineer or researcher interested in defending and breaking some of the biggest DeFi and blockchain projects, we’d love to
I stumbled upon a fun heap overflow in Github's markdown rendering library. RCE via a malicious README 🤔 Demonstrates the risk of memory unsafe dependencies used by scripting languages.
CVE-2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivatives: . Exploit fits in a tweet so you should patch as soon as possible.
weggli, my attempt at writing a fast and robust semantic search tool for C and C++ code is now open source: . Please take a look and let me know what you think.
AWS fixed a terminal escape injection in AWS CloudShell. The bug could have resulted in a full account compromise if an admin views malicious logs or external data using CloudShell:
is an interesting design flaw in Github Actions. Actions that print untrusted data to STDOUT are vulnerable to an injection attack that can be turned into code exec.
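An added illustration for the tweet above (not code from the tweet's author or from GitHub): a constructed, simplified model of how a runner scans a step's STDOUT for "workflow commands" of the form `::name key=value::data`. It shows why an action that merely echoes attacker-controlled text (a PR title here) lets the attacker set an environment variable for later steps, and the stop-commands wrapping that prevents it. The parser, the two step functions and the payload are assumptions written for this page, not the runner's real implementation.

```python
import re
import secrets

# Constructed, simplified model of a CI runner that scans a step's STDOUT for
# "workflow commands" of the form  ::name key=value,key2=value2::data
# (this mirrors the documented GitHub Actions syntax, but the parser below is
# an illustration for this page, not the runner's own code).
_CMD_RE = re.compile(r"^::([^\s:]+)(?:\s+([^:]*))?::(.*)$")


def parse_workflow_commands(stdout):
    """Return (env, paths) the runner would apply after reading `stdout`."""
    env, paths = {}, []
    resume_token = None  # set while "::stop-commands::<token>" is active
    for line in stdout.splitlines():
        m = _CMD_RE.match(line)
        if not m:
            continue
        cmd, params, data = m.group(1), m.group(2) or "", m.group(3)
        if resume_token is not None:
            if cmd == resume_token:  # "::<token>::" re-enables commands
                resume_token = None
            continue
        if cmd == "stop-commands":
            resume_token = data
        elif cmd == "set-env":
            kv = dict(p.split("=", 1) for p in params.split(",") if "=" in p)
            if "name" in kv:
                env[kv["name"]] = data
        elif cmd == "add-path":
            paths.append(data)
    return env, paths


def vulnerable_step(untrusted_title):
    # Hypothetical action that echoes attacker-controlled data verbatim.
    return "Processing PR: " + untrusted_title + "\n"


def hardened_step(untrusted_title):
    # Same output, wrapped in stop-commands with an unpredictable token, so
    # nothing inside the untrusted region is interpreted as a command.
    token = secrets.token_hex(16)
    return (
        "::stop-commands::" + token + "\n"
        + "Processing PR: " + untrusted_title + "\n"
        + "::" + token + "::\n"
    )


# Constructed attacker input: the embedded newline lets the payload start its
# own line, which is all the command scanner needs. NODE_OPTIONS is then picked
# up by any later step that runs node, giving code execution on the runner.
PAYLOAD = "fix build\n::set-env name=NODE_OPTIONS::--require /tmp/evil.js"


if __name__ == "__main__":
    print(parse_workflow_commands(vulnerable_step(PAYLOAD)))  # env is populated
    print(parse_workflow_commands(hardened_step(PAYLOAD)))    # env is empty
```

GitHub's eventual fix was to deprecate `set-env` and `add-path` on STDOUT in favour of writing to the `GITHUB_ENV` and `GITHUB_PATH` files; `stop-commands` remains the way to print untrusted data without it being interpreted as any other workflow command.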
CVE-2019-0542 is an RCE bug due to insecure terminal escape sequence handling in xterm.js (an xterm rewrite in JavaScript). Affects VS Code and Azure Cloud Shell (cc
@teh_gerg
:))
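An added example for the CloudShell and xterm.js tweets above (not code from the tweet's author, AWS or the xterm.js project): the defensive check a practitioner wants before writing untrusted logs or external data to a terminal. Rather than trying to parse every escape-sequence dialect, it makes every control character visible so nothing in the data can start a CSI or OSC sequence. The regex, helpers and sample log lines are constructed for this page.

```python
import re

# Added illustration for this page (not CloudShell's or xterm.js's own code).
# C0 controls other than tab and newline, DEL, and the C1 range 0x80-0x9f:
# ESC (0x1b) introduces CSI/OSC sequences, BEL (0x07) terminates OSC, CR (0x0d)
# overwrites the current line, and many terminals accept 8-bit C1 introducers.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def contains_terminal_controls(text):
    """True if writing `text` to a terminal could start an escape sequence."""
    return _CONTROL_RE.search(text) is not None


def neuter_terminal_controls(text):
    """Make every control character visible (ESC -> '\\x1b', BEL -> '\\x07', ...)
    so an untrusted line can be displayed without being interpreted."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


# Constructed sample log lines: the second sets the window title via OSC 0,
# the third uses CR plus a CSI erase-line to overwrite what was printed before.
SAMPLE_LOG = [
    "2021-01-01T00:00:00Z INFO request ok path=/healthz",
    "2021-01-01T00:00:01Z INFO user-agent=\x1b]0;pwned\x07curl/7.0",
    "2021-01-01T00:00:02Z WARN login failed\r\x1b[2Klogin ok",
]


def sanitize_log(lines):
    """Return the log lines with all terminal control characters neutered."""
    return [neuter_terminal_controls(line) for line in lines]


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_LOG, sanitize_log(SAMPLE_LOG)):
        print(contains_terminal_controls(raw), clean)
```

Stripping sequences instead of neutering them is a common alternative, but it needs a parser that matches the terminal's own, and any gap between the two is exactly the class of bug the two tweets describe; rendering the bytes visibly sidesteps that.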
Another significant software supply chain hack: Codecov Bash Uploader breach went undetected for four months as attackers stole credentials, tokens and keys from orgs around the world
is a (surprisingly easy) bug in containerd that allows a malicious container to read host files. It’s an interesting issue because it will work even if the container is sandboxed with gvisor or firecracker.
We are now sharing the technical write-up of the vulnerability in
@bnbchain
that
@_fel1x
(a security researcher at
@jump_
) discovered and responsibly disclosed earlier this week:
Apache 2.4.46 has fixes for three vulnerabilities I reported (). The HTTP/2 push diary bug is the most interesting one: depending on your distro's mod_http2 version it is either a wild memmove or a controlled OOB write ().
runc: insecure handling of bind mount sources . Incorrect handling of null-bytes and an integer overflow during message serialization. Good example of the type of bugs you can find in low-level Go code.
is a heap-buffer-overflow in libxml2 for very large inputs. Easy to trigger when you can run XSLT. Another example of a bug that's hard to fuzz but easy to find manually.
New blog post about an Ethermint vulnerability I discovered: . This is a good example of how complex interactions between different Cosmos modules can lead to vulnerabilities.
New blog post: Ethereum Log Confusion in Polygon's Heimdall. A critical vulnerability in Polygon PoS that could have allowed a rogue validator to take over the Heimdall consensus layer, putting over $2B of crypto assets in the PoS bridge at risk.
I reported two interesting issues in usrsctp, which are now fixed: and . Take a look at
@natashenka
amazing blog series on Android messenger exploitation to see why you should care about usrsctp:
Node.js fixed an interesting TLS session caching bug: . Multiple HTTPS requests to the same host can bypass hostname verification by reusing an invalid TLS session.
ISC patched two interesting bugs in their DHCP codebase: A global buffer overflow triggerable over DHCPv6 and a refcount overflow -> use-after-free bug in their option parsing: and
Node.js patched an easy-to-trigger UAF in their TLS implementation: . Seems very hard to exploit against Current on Linux, but other version-OS combinations might be doable.
XSA-270 is a pretty straightforward integer overflow in xen-netback. The feature is only used by Windows guests running Citrix guest drivers, but it's enabled by default and can be triggered from both HVM and PV guests:
@tgraf__
Tetragon looks cool, but I think the blog post should be more transparent about its limitations. The CVE-2021-22555 example isn't mitigating the bug, it's blocking the exploit _after_ it already achieved kernel code execution. It's very easy to bypass policies like this.
AWS fixed some issues in their Kubernetes IAM auth provider: . None of them are super critical, but it's another example of sts:GetCallerIdentity being hard to use securely.
I'll be speaking about this and other results of my DHCP vulnerability research at
@kiwicon
in NZ and
@HITBSecConf
in Dubai next month. First public talks in two years :)
How do you do, fellow kids. I hear 0-click exploits are "cool" this season, so allow me to present my take on that :). And when I say "present", I will actually be presenting more details on this type of attacks at
@BlackHatEvents
in August.
We published a writeup about a fun Cosmos / IBC bug. An attacker could trigger emission of events even though the corresponding state changes aren't committed.
Our security team recently found a vulnerability in ibc-go, the reference implementation of the Interblockchain Communication Protocol (IBC) used by most
@Cosmos
blockchains.
Dan Carpenter found a super simple out-of-bounds access in the KVM 'send IPI' hypercall: . Was introduced a month ago so it shouldn't affect too many real world deployments:
Earlier this year I found a vulnerability in Apple's kernel (XNU) and I decided to write a blog post about it. I hope this is useful to some of you! 😁
#apple