secfuck v18.51: who needs they entrussy revoked

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > YOSPOS > secfuck v18.51: who needs they entrussy revoked

«‹›975 »

Soricidus: Oct 21, 2010; freedom-hating statist shill

I see there�s a new iOS out and Apple don�t seem to have updated their security info page yet, anyone have any idea if it fixes the Pegasus thing?

# ? Jul 20, 2021 17:19

Adbot: ADBOT LOVES YOU

# ? Jun 9, 2024 16:05

Achmed Jones: Oct 16, 2004

Volmarias posted:

Advanced
Pooping
Threat

please do not dox me in the infosec thread

# ? Jul 20, 2021 17:25

Shifty Pony: Dec 28, 2004; Up ta somethin'

if anyone hasn't seen it yet amnesty international's writeup on pegasus is a fascinating read.

# ? Jul 20, 2021 17:39

Soricidus: Oct 21, 2010; freedom-hating statist shill

mostly I�m just waiting for the exploit to leak to a ransomware gang

# ? Jul 20, 2021 17:47

Potato Salad: Oct 23, 2014; nobody cares

Volmarias posted:

Advanced
Pooping
Threat

writing a bot rn that searches for and runs powershell statements in a disposable vm when an authorized user mentions it

# ? Jul 20, 2021 17:54

Potato Salad: Oct 23, 2014; nobody cares

enhancing PoC testing for my Twitter on the Shitter time

# ? Jul 20, 2021 17:55

Wiggly Wayne DDS: Sep 11, 2010

citizenlab poke them every so often as well, always worth keeping an eye on their reports

# ? Jul 20, 2021 17:57

FlapYoJacks: Feb 12, 2009

Polkit is such a trash heap and I hate that it's integral to privilege escalation.

It requires MozJS which is a 20MB .so file.
After 0.117 it requires MozJS > 60, which means Yocto and Buildroot can't use it.

There has been a pending patch to integrate duktape support for over a year and the maintainers have been downright rude and unresponsive whenever people speak up and say "hey, what's the status of this?"

Ugh.

FlapYoJacks fucked around with this message at 18:05 on Jul 20, 2021

# ? Jul 20, 2021 18:02

Antigravitas: Dec 8, 2019; Die Rettung fuer die Landwirte:

Making your desktop security framework thing use js feels like taking a massive amount of piss tbh.

I've written stuff for polkit and ugh

# ? Jul 20, 2021 20:35

Agile Vector: May 21, 2007; scrum bored

Soricidus posted:

I see there�s a new iOS out and Apple don�t seem to have updated their security info page yet, anyone have any idea if it fixes the Pegasus thing?

if it does there's a big coverage gap in the pending release for iPadOS because it's still 14.6

# ? Jul 21, 2021 00:59

ewiley: Jul 9, 2003; More trash for the trash fire

spankmeister posted:

Microsoft is having a bad month

Jesus gently caress if you�ve updated from 1809 rather that format reinstall at every feature release than you�ve likely got shadow copy user-readable backups of your SAM and SECURITY reg hives. fuuuuuuuuuuuuuuck

also pr*nters continue to be gently caress

https://www.zdnet.com/article/hp-patches-vulnerable-printer-driver-impacting-millions-of-devices/

quote:

The driver in question, SSPORT.SYS, is automatically installed and activated, whether the model was wireless or cabled. The driver is also loaded automatically by Microsoft's Windows operating system on PC boot.

"This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected," the researchers say.

# ? Jul 21, 2021 02:07

infernal machines: Oct 11, 2012; we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

quote:

1/ We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and rmdir() it.

2/ We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier but before it is JIT-compiled by the kernel.

3/ We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.

4/ We arrange for this "//deleted" string to overwrite an instruction of our validated eBPF program (and therefore nullify the security checks of the kernel eBPF verifier) and transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.

5/ We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul's beautiful btf and map_push_elem techniques from:

https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification

# ? Jul 21, 2021 03:08

duz: Jul 11, 2005; Come on Ilhan, lets go bag us a shitpost

security threat: ants

https://i.imgur.com/9EAyU5R.mp4

# ? Jul 21, 2021 05:05

MononcQc: May 29, 2007

just playing SIM ant

# ? Jul 21, 2021 05:14

Agile Vector: May 21, 2007; scrum bored

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 05:18

Quackles: Aug 11, 2018; Pixels of Light.

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 05:26

Midjack: Dec 24, 2007

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 05:37

haveblue: Aug 15, 2005; Toilet Rascal

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 05:57

Kuvo: Oct 27, 2008; Blame it on the misfortune of your bark!; Fun Shoe

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 07:24

Cold on a Cob: Feb 6, 2006; i've seen so much, i'm going blind
and i'm brain dead virtually; College Slice

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 07:50

Volmarias: Dec 31, 2002; EMAIL... THE INTERNET... SEARCH ENGINES...

infernal machines posted:

What in the world

# ? Jul 21, 2021 08:02

jesus WEP: Oct 17, 2004

MononcQc posted:

just playing SIM ant

# ? Jul 21, 2021 08:43

BlankSystemDaemon: Mar 13, 2009

infernal machines posted:

systemd is, predictably, also involved - including in but not limited to a bypass of one of the mitigations:

quote:

systemd monitors and parses the contents of /proc/self/mountinfo, and passes each mountpoint path to mount_setup_unit(), which passes it to unit_name_from_path(), which passes it to unit_name_path_escape():

------------------------------------------------------------------
1720 static int mount_load_proc_self_mountinfo(Manager *m, bool set_flags) {
�.
1727 r = libmount_parse(NULL, NULL, &table, &iter);
�.
1731 for (; {
�.
1735 r = mnt_table_next_fs(table, iter, &fs);
�.
1742 path = mnt_fs_get_target(fs);
�.
1751 (void) mount_setup_unit(m, device, path, options, fstype, set_flags);
------------------------------------------------------------------
1644 static int mount_setup_unit(
1645 Manager *m,
1646 const char *what,
1647 const char *where,
1648 const char *options,
1649 const char *fstype,
1650 bool set_flags) {
�.
1683 r = unit_name_from_path(where, ".mount", &e);
------------------------------------------------------------------
512 int unit_name_from_path(const char *path, const char *suffix, char **ret) {
�
523 r = unit_name_path_escape(path, &p);
------------------------------------------------------------------
380 int unit_name_path_escape(const char *f, char **ret) {
�
386 p = strdupa(f);
------------------------------------------------------------------

At line 386, unit_name_path_escape() passes the mountpoint path to strdupa(), which is similar to strdup() but allocates memory on the stack (via alloca()), not in the heap (via malloc()).

As a result, if the total path length of this mountpoint exceeds 8MB (the default RLIMIT_STACK), then systemd crashes with a segmentation fault that also crashes the entire operating system (a kernel panic, because systemd is the �global init�, PID 1).

more information here and the mitigations section here

BlankSystemDaemon fucked around with this message at 10:02 on Jul 21, 2021

# ? Jul 21, 2021 10:00

cinci zoo sniper: Mar 15, 2013

for (;

{

# ? Jul 21, 2021 10:09

BlankSystemDaemon: Mar 13, 2009

cinci zoo sniper posted:

for (; {

i forgot to press the 'disable smilies' button in SALR
orz

# ? Jul 21, 2021 10:17

cinci zoo sniper: Mar 15, 2013

too late, it�s compiling 💪😤💯

# ? Jul 21, 2021 10:33

BlankSystemDaemon: Mar 13, 2009

watching code compile is one of the most zen things a system operator can do

# ? Jul 21, 2021 12:20

Antigravitas: Dec 8, 2019; Die Rettung fuer die Landwirte:

Can confirm, Gentoo is the most zen.

# ? Jul 21, 2021 13:59

flakeloaf: Feb 26, 2003; Still better than android clock

generating endless guru meditations is not, in fact, zen

# ? Jul 21, 2021 14:11

mystes: May 31, 2006

BlankSystemDaemon posted:

watching code compile is one of the most zen things a system operator can do

In that it crashes first generation zen processors, sure.

# ? Jul 21, 2021 14:19

RFC2324: Jun 7, 2012; http 418

Antigravitas posted:

Can confirm, Gentoo is the most zen.

I really want a working gentoo system so I can emerge @world when I need to calm down, but installing Gentoo is the opposite of zen. Nez?

# ? Jul 21, 2021 17:05

Rooney McNibnug: Sep 2, 2008; "Life always hopes. When a definite object cannot be outlined, the indomitable spirit of hope still impels the living mass to move toward something--something that shall somehow be better."

I installed Gentoo successfully and now the old laptop I put it on just sits there collecting dust. Has been this way for months since the install was completed. :zen:

# ? Jul 21, 2021 17:11

Chris Knight: Jun 5, 2002; me @ ur posts; Fun Shoe

BlankSystemDaemon posted:

SALR

lol

# ? Jul 21, 2021 17:37

Cybernetic Vermin: Apr 18, 2005

RFC2324 posted:

I really want a working gentoo system so I can emerge @world when I need to calm down, but installing Gentoo is the opposite of zen. Nez?

start programming either heavily templated c++ or julia, i think they are tied for percentage of time you are just waiting for compilations to finish (though distributed in time very differently).

# ? Jul 21, 2021 17:44

FlapYoJacks: Feb 12, 2009

just compile mongodb, nodejs, or QT if you want to see things compiling forever.

# ? Jul 21, 2021 18:23

flakeloaf: Feb 26, 2003; Still better than android clock

DoomTrainPhD posted:

just compile mongodb

no self-harm in yospos

# ? Jul 21, 2021 18:26

FlapYoJacks: Feb 12, 2009

flakeloaf posted:

no self-harm in yospos

Hey now, I never said to run mongodb. I�m not that mean.

# ? Jul 21, 2021 18:29

flakeloaf: Feb 26, 2003; Still better than android clock

it's not mine i'm just compiling it for a friend

this tab a8 is mine, and it hasn't received a security update in a year

# ? Jul 21, 2021 18:32

The_Franz: Aug 8, 2003

Cybernetic Vermin posted:

start programming either heavily templated c++ or julia, i think they are tied for percentage of time you are just waiting for compilations to finish (though distributed in time very differently).

make a mistake with boost on an older compiler and it will spend more time spitting out an endless stream of cryptic error lines than it ever would compiling

# ? Jul 21, 2021 18:33

Adbot: ADBOT LOVES YOU

# ? Jun 9, 2024 16:05

Methanar: Sep 26, 2013; by the sex ghost

My favorite mongodb story was that a nodejs/react native app was writing data with different types depending on whether you did something on mobile or web and mongodb happily accepted things sometimes being ints and sometimes being strings and maybe even sometimes datetime objects

and javascript was able to read back mixed type data fine anyway because javascript is dogshit.

# ? Jul 21, 2021 18:52

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > YOSPOS > secfuck v18.51: who needs they entrussy revoked

«‹›975 »