lol cool

Dec 6, 2023 17:30

"SLAM is the first transient execution attack targeting future CPUs." lol.

Dec 6, 2023 17:45

Computers were a mistake

Dec 6, 2023 17:47

what is “canonicality” in this context?

Dec 6, 2023 17:55

Subjunctive posted: what is “canonicality” in this context?

it means the exploit only runs on Ubuntu, OP

Dec 6, 2023 18:03

Subjunctive posted: what is “canonicality” in this context?

64-bit CPUs don't actually support all 64 bits of the address, and modern CPUs were sensibly designed to require the unused bits to be all 0 or all 1, unlike older CPUs that ignored them and let you stick any old garbage in there, and then applications poo poo themselves on newer CPUs that supported more bits

Dec 6, 2023 18:05

Subjunctive posted: what is “canonicality” in this context?

quote: Since pointers encode 64-bit virtual addresses, the

Dec 6, 2023 18:05

oh, so this is like what the ARM signed-pointer stuff uses to ignore the metadata bits. I guess I could have googled that, but you guys are cuter

Dec 6, 2023 18:10

Mr. Nice! posted: welp time to check and see if my mobo manufacturer has any firmware updates.

I checked and the answer is "no" lol

Dec 6, 2023 18:20

mobo manufacturers are too busy inventing new Secure Boot modes where none of the signatures are checked

Dec 6, 2023 18:23

Subjunctive posted: oh, so this is like what the ARM signed-pointer stuff uses to ignore the metadata bits

aarch64 has a couple things in this space that are orthogonal. tbi is a feature which masks off the top 8 bits of a pointer. if you’re using it *and* signed pointers, you lose 8 bits of signature space. you can flip tbi independently on code and data pointers, and apple only enables it for data pointers precisely so that it doesn’t undermine ptrauth security too badly. data pointer signing is sometimes critical to ptrauth’s value as cfi, but trade-offs have to be made, and notably tbi is required for other protections like mte (memory tagging, which uses four of the tbi bits to store a tag that’s then checked against the dynamic tag store). mte’s value is mostly to detect/mitigate temporal memory bugs (e.g. use after free) and so has little value on code pointers because functions presumably don’t get freed. it could also provide some protection against manufacturing code pointers, but ptrauth provides much stronger protection there, so it’s much better to have the 8 extra signature bits even if you were otherwise open to paying mte overheads on code pointers (which would be enormous, and i’m not even sure it’s in the architecture as a thing you can enable)

rjmccall fucked around with this message at 18:45 on Dec 6, 2023

Dec 6, 2023 18:36

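The canonicality rule and the TBI / MTE / ptrauth bit budget from the two posts above, as an added example that is not from the thread: it assumes a 48-bit implemented VA, uses constructed sample addresses, and its PAC bit count assumes bit 55 is reserved for the upper/lower address-half select as in the AArch64 layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Implemented virtual-address bits; 48 is the usual x86-64 / AArch64 configuration. */
#define VA_BITS 48u

/* Canonical check: every bit above the implemented range must equal the top
 * implemented bit, so bits 63..VA_BITS-1 are all 0 (user half) or all 1 (kernel half). */
bool is_canonical(uint64_t va, unsigned va_bits) {
    uint64_t upper = va >> (va_bits - 1);            /* top implemented bit plus the unused bits */
    uint64_t all_ones = UINT64_MAX >> (va_bits - 1);
    return upper == 0 || upper == all_ones;
}

/* TBI (top byte ignore): the core discards bits 63..56 before translating the address,
 * so metadata stored there never makes a pointer non-canonical. */
uint64_t tbi_strip(uint64_t ptr) {
    return ptr & 0x00FFFFFFFFFFFFFFull;
}

/* MTE keeps its 4-bit logical tag inside the TBI byte, at bits 59..56. */
unsigned mte_tag(uint64_t ptr) {
    return (unsigned)((ptr >> 56) & 0xFu);
}

/* Bits left over for a pointer signature (PAC). Assumption: bit 55 is reserved to
 * select the upper/lower address half and never carries signature bits; with TBI
 * on, the whole top byte is lost as well, which is the "8 bits" trade-off above. */
unsigned pac_bits(unsigned va_bits, bool tbi) {
    unsigned bits = 64u - va_bits - 1u;
    return tbi ? bits - 8u : bits;
}

int main(void) {
    /* Constructed sample addresses, not taken from any real system. */
    uint64_t user   = 0x00007ffff7a1c000ull;  /* user half, bits 63..47 clear */
    uint64_t kern   = 0xffff800000123456ull;  /* kernel half, bits 63..47 set */
    uint64_t junk   = 0x0000800000123456ull;  /* bit 47 set but bits above clear: non-canonical */
    uint64_t tagged = 0x0a007ffff7a1c000ull;  /* `user` with an MTE tag of 0xa in the top byte */

    printf("user %d kern %d junk %d\n", is_canonical(user, VA_BITS),
           is_canonical(kern, VA_BITS), is_canonical(junk, VA_BITS));     /* 1 1 0 */
    printf("tagged raw %d, after TBI %d, tag 0x%x\n", is_canonical(tagged, VA_BITS),
           is_canonical(tbi_strip(tagged), VA_BITS), mte_tag(tagged));    /* 0 1 0xa */
    printf("PAC bits: %u without TBI, %u with TBI\n",
           pac_bits(VA_BITS, false), pac_bits(VA_BITS, true));           /* 15 7 */
    return 0;
}
```
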
akadajet posted: I checked and the answer is "no" lol

i had some updates to both firmware and drivers. firmware and bios updates no prob. driver updates have put me in a perpetual blue screen cycle.

Dec 6, 2023 18:39

Mr. Nice! posted: i had some updates to both firmware and drivers. firmware and bios updates no prob. driver updates have put me in a perpetual blue screen cycle.

that should keep you from getting hacked, at least

Dec 6, 2023 18:53

i'm sure it's only being responsibly exploited to break centrifuges in iran or whatever.

Dec 6, 2023 19:26

Phishing simulations are good at checking a box and generic awareness. Maybe also being a vampire for time and money for everyone involved. The user education it drives is so... useless, and the bad habits/morale it creates are not worth it.

Dec 6, 2023 19:30

i was able to start a system restore via a bootable usb but it’s been “restoring files” for almost half an hour.

Dec 6, 2023 19:52

haveblue posted: phishing training also serves the important function of moving the fault from the company to the employee when someone falls for one

It's more fun to then send security a phishing email and then point out 4 out of the 9 clicked the link, and if you were really malicious, the powershell script would not have just changed their background to a LOLcat. That was also my way of telling security to stop redirecting all powershell scripts to run as admin by default on their accounts when I was a desktop engineer. I was told it was not fair to send an email that looked like a new 10.0 CVE about SSH had hit the wild, since it was their job to keep on top of all new issues. A year later I got a raise and promotion to be a manager on the security team, then promptly got burned out so bad in 3 years I now work in a hardware store. (If you can't fire people as a manager, are you really a manager?)

Dec 6, 2023 20:00

i got gotten by a phishing test email a few months back. it was late in a stressful day and the email was 'someone has added you to this confluence project', which is a thing that happens with a bit of regularity. after the fact i briefly considered filtering everything mentioning confluence to spam, maybe i should have

Dec 6, 2023 20:07

i've been got twice. first time on purpose because i wanted to see what happens. i googled the link before clicking and it was a knowbe4 domain. what happened was i had to do remedial training, so massive self-own. the second time they sent an email specifically to me that looked like it was from my boss for an excel sheet to track time in lieu, a thing i had been talking to him about 10 minutes earlier. as soon as i clicked i knew it was a phish test. it wasn't planned, my boss wasn't involved, just an annoying coincidence ... and not unlike how real phish tests catch people

lesson learned - never open email sent from an external sender

Dec 6, 2023 20:21

I mean, unless I read the article wrong, you need root or SYSTEM privileges to exploit this, right? Once you have that, you can get persistence in a myriad of ways, and it's actually not that hard to bypass AV/EDR anyway. So the bootkit element of this makes it insidious, but it's not like anyone is more at risk of being hacked or evil-maided? just that it's easier to get persistence and AV/EDR evasion.

Dec 6, 2023 20:22

to which of the two exploits posted recently are you referring?

Dec 6, 2023 20:32

the UEFI one, sorry i forgot to hit send until a while later

Dec 6, 2023 20:49

spankmeister posted: the UEFI one, sorry i forgot to hit send until a while later

you’re correct. the drivers i downloaded from my mobo manufacturer bricked my windows install. seems like it’s finally time to go get an nvme drive and do a fresh install.

Dec 6, 2023 21:16

spankmeister posted: I mean, unless I read the article wrong, you need root or SYSTEM privileges to exploit this, right? Once you have that, you can get persistence in a myriad of ways, and it's actually not that hard to bypass AV/EDR anyway. So the bootkit element of this makes it insidious, but it's not like anyone is more at risk of being hacked or evil-maided? just that it's easier to get persistence and AV/EDR evasion.

it's addressed in the article, but yeah, the proof of concept chains a browser sandbox escape and a privilege escalation exploit to be able to install the modified image in efi. the point being that from there it's a fileless persistent threat, but you do have to have some method of gaining local admin to do it

Dec 6, 2023 21:41

now this may strike people as an odd question, but why does the UEFI spec allow image handling libs instead of mandating a bitmap at most?

Dec 6, 2023 21:49

yeah it's an odd choice considering how simple uefi is designed to be in general

Dec 6, 2023 21:55

well, they found vulnerabilities in multiple UEFI vendors' BMP parsers, so i don't think restricting the file formats allowed would have helped if your core problem is the concept of parsing untrusted input

Dec 6, 2023 22:19

also lmao at: we figured out how to fuzz a bunch of code that nobody had apparently fuzzed before and were instantly buried in a deluge of crashes

quote: “When the campaign finished, we were overwhelmed by the amount of crashes we found, so much that triaging them manually was quite complicated,” the researchers wrote. In all, they identified 24 unique root causes, 13 of which they believe are exploitable.

Dec 6, 2023 22:22

shackleford posted: also lmao at: we figured out how to fuzz a bunch of code that nobody had apparently fuzzed before and were instantly buried in a deluge of crashes

this was our experience when we started automated fuzzing of browsers, which apparently the IE team had not been doing. just insanity, crashing every time within seconds on any random seed we started the tool with. we had someone filing bugs for a full week to convince them to take over the fuzzer-running themselves

Dec 6, 2023 22:25

yeah, i don't think you really had to try to crash ie

Dec 6, 2023 22:26

SIGSEGV posted: now this may strike people as an odd question, but why does the UEFI spec allow image handling libs instead of mandating a bitmap at most?

I just grabbed a copy of the UEFI spec and you've got PNG and JPEG available for general bitmaps and font glyphs - we never find any bugs in those decoders ever. Then there's this, which I want to look at now, because it's always the easiest way to get something running inside firmware that you shouldn't. The wonderful vendor extension (please never allow your spec to have these). Never checked, never debugged, always written by the lowest bidder.

Section 34.6: "The image decoder protocol can publish the support for additional image decoder names other than the ones defined in this specification. This allows the image decoder to support additional image formats that are not defined by the HII image block types. In that case, callers can send the image raw data to the image decoder protocol instance to retrieve the image information or decode the image."

So likely buggy PNG/JPEG in-there-by-specification decoders, but you never know, your firmware vendor may have put in an extension library for something else.

Dec 6, 2023 22:27

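The "parsing untrusted input" problem behind the BMP-parser and image-decoder posts above, as an added example that is not from the thread or from any firmware vendor: a header validator for uncompressed BMP that refuses any dimensions the buffer cannot actually back, exercised against a constructed 2x2 sample and a forged-width copy of it. It assumes the standard 14-byte file header plus 40-byte BITMAPINFOHEADER layout and only accepts BI_RGB at 24 or 32 bpp.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian field access for the BMP file and info headers. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Accept an uncompressed 24/32-bpp BMP only when every size the header claims is
 * consistent with the bytes actually held. Returns the pixel-array offset, 0 on rejection. */
size_t bmp_validate(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t file_size = rd32(buf + 2), off = rd32(buf + 10), hdr = rd32(buf + 14), comp = rd32(buf + 30);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    if (hdr < 40 || planes != 1 || comp != 0) return 0;            /* BI_RGB only */
    if (w <= 0 || h == 0 || (bpp != 24 && bpp != 32)) return 0;    /* negative h = top-down */
    if (file_size > len || off > len || off < 14 + (uint64_t)hdr) return 0;
    /* Stride is width*bpp rounded up to 4 bytes, computed in 64 bits so a huge
     * width cannot wrap into a small, plausible-looking allocation size. */
    uint64_t height = h < 0 ? (uint64_t)-(int64_t)h : (uint64_t)h;
    uint64_t row = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t avail = len - off;
    if (row > avail || height > avail / row) return 0;             /* more pixels promised than exist */
    return off;
}

/* Constructed sample: 2x2 24-bpp, zeroed pixels. `width` lets the self-check forge
 * the header's width field while the buffer keeps its real 70-byte size. */
size_t make_bmp(uint8_t *buf, size_t cap, int32_t width) {
    const uint32_t row = 8, total = 54 + row * 2;                  /* 2 px * 3 B = 6, padded to 8 */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, total); wr32(buf + 10, 54); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)width); wr32(buf + 22, 2);
    buf[26] = 1; buf[28] = 24;                                     /* planes = 1, bpp = 24 */
    return total;
}

/* 1 if the honest sample is accepted while a truncated buffer and a forged width
 * (2^29 px, ~1.5 GiB stride against 16 B of pixel data) are both rejected. */
int bmp_selfcheck(void) {
    uint8_t buf[128];
    size_t n = make_bmp(buf, sizeof buf, 2);
    if (bmp_validate(buf, n) != 54 || bmp_validate(buf, 60) != 0) return 0;
    size_t m = make_bmp(buf, sizeof buf, 0x20000000);
    return bmp_validate(buf, m) == 0;
}
```
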
I don't even understand why there are still "firmware vendors" when uefi is something that is afaik singlehandedly created by intel. Did the bios companies make some sort of antitrust complaint at the time of the switch to uefi? It seems like they're just another unnecessary layer of middlemen adding security vulnerabilities. they're like the car dealerships of the computer world

Dec 6, 2023 22:31

i need to overclock my RAM and configure my fan curves with an AI algorithm, inside a branded UI that looks like this, that's why motherboard vendors need to be able to customize the firmware instead of just shipping a reference design

Dec 6, 2023 22:39

bios vendors add support for stuff like flashback and updates, and customize them for the range of CPUs and other devices they want to support. I don’t know that you could actually cover all that stuff with a reference implementation. Framework had to do a bunch of work with InsydeH20 or whoever as part of the laptop bring-up process, I think there’s a blog post somewhere

they are heavily based on a reference implementation from the CPU vendor, though; AGESA in AMD’s case

Dec 6, 2023 22:49

shackleford posted: i need to overclock my RAM and configure my fan curves with an AI algorithm, inside a branded UI that looks like this, that's why motherboard vendors need to be able to customize the firmware instead of just shipping a reference design

the ai fan algorithm failed to account for heat generated by processing the ai fan algorithm, leading to catastrophic failure

Dec 6, 2023 22:53

edit: nevermind

Dec 6, 2023 22:57

written, never fuzzed

Dec 6, 2023 23:03

Subjunctive posted: bios vendors add support for stuff like flashback and updates, and customize them for the range of CPUs and other devices they want to support. I don’t know that you could actually cover all that stuff with a reference implementation. Framework had to do a bunch of work with InsydeH20 or whoever as part of the laptop bring-up process, I think there’s a blog post somewhere

Dec 6, 2023 23:09

Chris Knight posted: written, never fuzzed

use fuzzing, get ceevee

Dec 6, 2023 23:10

mystes posted: I don't even understand why there are still "firmware vendors" when uefi is something that is afaik singlehandedly created by intel. Did the bios companies make some sort of antitrust complaint at the time of the switch to uefi? It seems like they're just another unnecessary layer of middlemen adding security vulnerabilities

but yeah all of that needs to be burnt to the ground and people with resources involved but lol at that happening

Dec 6, 2023 23:19