mosesrenegade

@mosesrenegade.bsky.social

Hackerman. You can find out about me here. https://linktr.ee/mosesrenegade

376 Followers  |  76 Following  |  43 Posts  |  Joined: 10.06.2023  |  1.6858

Latest posts by mosesrenegade.bsky.social on Bluesky

Happy America Day for 2025.

04.07.2025 22:00 — 👍 1    🔁 0    💬 0    📌 0

I spent the last few days on a new project. Get IPv6 running in my homelab. The dual horned nature of my house made me hesitant. I learned a ton along the way. Probably will do a video or blog post soon. #IPv6 #Homelab

27.05.2025 13:00 — 👍 4    🔁 0    💬 0    📌 0
May SFISSA Meeting @ HackMiami XII, Thu, May 15, 2025, 6:00 PM | Meetup We’re excited to be hosting this month’s meeting at the HackMiami Conference, one of South Florida’s most anticipated cybersecurity events. Location: Marenas Beach Resort

I am speaking at the South Florida ISSA Meeting Tonight. It's in the same venue as the HackMiami conference. If you are in the area and want to hang out, here are the details:

www.meetup.com/south...

15.05.2025 17:05 — 👍 0    🔁 0    💬 0    📌 0

I have not been active on social media for the last 45 days. My ability to share sharply declined. After some deep thinking and professional life changes, I can now share more freely—such a burden lifted from my shoulders. Videos are coming soon.

05.05.2025 12:17 — 👍 0    🔁 0    💬 0    📌 0
SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries — WorkOS Any service using xml-crypto or a Node.js SAML implementation using it, should update immediately to the latest version. WorkOS customers are safe and were not impacted.

If you have ever taken #SEC588, I have always said that SAML needs to go away. Here is a nasty bug in a library where you can bypass it altogether mostly: workos.com/blog/samlstorm

Just send a signed request, and you will be good to go.

25.03.2025 17:50 — 👍 1    🔁 0    💬 0    📌 0

That post was scheduled weeks ago so I do apologize for that. Clarification on my thoughts. Internal systems running Windows (older stacks) I think could be a bigger concern. I’m thinking through customer internal environments where the servlet console is exposed. Sadly.

24.03.2025 16:04 — 👍 2    🔁 0    💬 0    📌 0

If you see the following header in your weblogs and you're running next.js ... well...

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

#CVE-2025-29927

24.03.2025 08:00 — 👍 0    🔁 0    💬 0    📌 0

I just wanted to go on record in saying if the internet ever went dark, it is truly when this website is gone....
www.zombo.com

23.03.2025 09:00 — 👍 1    🔁 0    💬 0    📌 0
Leaking Passwords ...and more on macOS

This is an excellent writeup by the Objective See folks. I had to ensure I was still reading about an exploit halfway through the beginning because the build-up was so good.

If MacOS and Exploiting MacOS is your thing, this is a great read: bit.ly/4bTsGnZ

23.03.2025 05:00 — 👍 1    🔁 0    💬 0    📌 0
Apache Tomcat RCE Vulnerability Under Fire With Exploit The researchers who discovered the initial assault warned that the simple, staged attack is just the beginning for advanced exploit sequences that will test cyber defenses in new and more difficult ways.

Sketchy POC: github.com/iSee857/C...

22.03.2025 13:00 — 👍 0    🔁 0    💬 0    📌 0

I'll more than likely discuss this at some point in a video. This Apache Tomcat bug is pretty bad. The POC is dead simple and it will probably be easy to work around firewalls.

Patch!

www.darkreading.com/...

1/n

22.03.2025 13:00 — 👍 1    🔁 2    💬 2    📌 0
Infosec Drama of the Week?
I want to be clear that in the video, I'm talking about this post: https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in...

I was, of course, to my detriment, going to give the vendor some grace, hoping that, given enough time, they would do the right thing. But time is the factor: will they, in time, change to a whitelist method?

22.03.2025 00:42 — 👍 0    🔁 0    💬 0    📌 0

Let me be crystal clear: the person who wrote the @watchtowrcyber blog is correct about deserialization gadgets. The video gives some thoughts, but I wanted to add context. Amazing work from @sinsinology

1/n
youtu.be/mJTo_YGwYzY

22.03.2025 00:41 — 👍 0    🔁 0    💬 1    📌 0

Is that Tomcat bug a non-issue? I'm hesitant to say so, primarily because of the many horror show bugs I've seen in Tomcat servlets in the past. Do I suspect there will be more issues on the internal networks? Yes.
Comment Below
Video: youtu.be/Du4d7Q4R51Q

21.03.2025 00:29 — 👍 0    🔁 0    💬 0    📌 0

The jc-action/changed-files attack, was it new and novel? If you look at the gist of the python memdump.py script, you may have noticed that this was just a copy of an existing set of research studies from pwnhub and others—link in the video's description.

youtu.be/lqPoWd7CbTE

20.03.2025 01:15 — 👍 1    🔁 1    💬 0    📌 0
Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity tj-actions/changed-files

I feel like I'm off my game. I would have never even considered this vector. This group knew what it was doing; they made their Author Commit show up as "Responder Bot." Smart.

19.03.2025 12:00 — 👍 0    🔁 0    💬 0    📌 0

This particular attacker leveraged the fact that 23,000 companies use this plug-in. When used, it leaks out secrets from your CI/CD system. This is scarily brilliant.

19.03.2025 12:00 — 👍 0    🔁 0    💬 0    📌 0

This is super interesting. An attacker gained access to a popular "plug-in" (the best way I could describe it) to your CI/CD pipeline in a Github Action that would do change file detection in your runs.

www.stepsecurity.io/...

1/n

19.03.2025 12:00 — 👍 1    🔁 1    💬 2    📌 0


If that is your cup of tea, check out the following: github.com/nickvourd... Using Cloudflare Workers and Azure CDN to make this work. This is a pretty good idea.

17.03.2025 14:01 — 👍 0    🔁 0    💬 0    📌 0

The other day, one of my coworkers asked me a question, and it was around: what do you currently recommend for C2 in a Red Team Engagement? Now, this question comes up a ton. In practice, we have been using Cloudflare because it just "works," but what if that no longer works?

17.03.2025 14:01 — 👍 0    🔁 0    💬 1    📌 0
Bug Fixes for the Week of March 2nd
Let's talk about what I got wrong; in this case, it was Amnesty International's Cellebrite article. I wanted to clarify all the things that I got wrong. Well...

On the road, so I recorded this over the week. Bug fixes for last week.

bit.ly/4kNdqgk

12.03.2025 19:00 — 👍 0    🔁 0    💬 0    📌 0

Do you all think Manus AI is a threat? I thought I'd give some folks a fun one for a video update:

bit.ly/41ylBEo

11.03.2025 16:50 — 👍 0    🔁 0    💬 0    📌 0

Healthcare IT is a total mess. Microsoft is injecting some funding in it: bit.ly/4i4ts3I

07.03.2025 20:00 — 👍 0    🔁 0    💬 0    📌 0

Everyone is alarmed by a "Webcam" used to deploy ransomware as a nothing-burger. The article should highlight that ransomware actors are not just automating the attack but actively looking into a network. If you have a vulnerable non-windows device, it will be used.

07.03.2025 16:14 — 👍 0    🔁 0    💬 0    📌 0

You want to execute malware in a sandboxed environment. You want to do this self-hosted or in the cloud in your environment. What do you choose?

(Yes, I know that online analysis tools exist).

Comment Below

#security #cybersecurity #onlinesafety #privacy #technology

07.03.2025 14:56 — 👍 1    🔁 1    💬 0    📌 0
Post Quantum Cryptography
What happens after PQC?

Quantum Curious? Today's topic is Post Quantum Cryptography, more or less.

#security #cybersecurity #onlinesafety #privacy #technology #crypto

bit.ly/3XuoNja

07.03.2025 02:24 — 👍 1    🔁 1    💬 0    📌 0
Blog: Zen and the Art of Microcode Hacking This blog post covers the full details of EntrySign, the AMD Zen microcode signature validation vulnerability recently discovered by the Google Security team.

I don't yet know the full implications of this, but being able to "patch" your Microcode such that, idk, XOR compares always return true for specific functions would be bad. bit.ly/3F4V3TP

06.03.2025 12:56 — 👍 0    🔁 0    💬 0    📌 0

I will make a video of this later today. Youtube.com/@MosesFr...

06.03.2025 12:42 — 👍 0    🔁 0    💬 0    📌 0

Yesterday on a Podcast Interview I did with the ktrlpanel I ended it with a butchered quick explanation of Shor's Algorithm and Quantum Computing. For those curious, the idea is this. Quantum Computing should be able to, using a QFT, factorize prime numbers quickly.

06.03.2025 12:42 — 👍 1    🔁 0    💬 1    📌 0
The Moses Frost Show Share your videos with friends, family, and the world

I'm posting this here while experimenting with different media. The focus, currently, is on short-form videos on a different Cyber Security Topic (bit.ly/YTMosesFrostShow). I am however going to expand that at some point.

04.03.2025 21:19 — 👍 1    🔁 0    💬 0    📌 0

@mosesrenegade is following 20 prominent accounts