so.cl
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others' company. Arthur Schopenhauer
Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.
Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.
Hertzbleed is a real, and practical, threat to the security of cryptographic software. We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as “constant time”.
Intel’s security advisory states that all Intel processors are affected. We experimentally confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.
AMD’s security advisory states that several of their desktop, mobile and server processors are affected. We experimentally confirmed that AMD Ryzen processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.
Other processor vendors (e.g., ARM) also implement frequency scaling in their products and were made aware of Hertzbleed. However, we have not confirmed whether they are, or are not, affected by Hertzbleed. Hertzbleed Attack
Ironically, censorship has enabled a minority of absolutely insane people who should otherwise be shouted down, to prosper.
In biology, a symbiote is an organism that lives in symbiosis with another organism. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed. A few months back, we discovered a new, undetected malware that acts in this parasitic nature affecting Linux operating systems. We have aptly named this malware Symbiote.
What makes Symbiote different from other Linux malware that we usually come across is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability. Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat
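The LD_PRELOAD injection described above leaves three kinds of raw evidence: entries in /etc/ld.so.preload, an LD_PRELOAD variable in a process's environment, and shared objects mapped from places no package manager puts them. The following is an added example of hunting for that evidence, written for this page; it is not code from the Symbiote report or from the malware. The list of trusted library directories and the /proc samples are assumptions, constructed here so the checks run offline.

```python
"""Hunt for LD_PRELOAD-style injection (T1574.006) from raw /proc and /etc data.

Added example, not code from the page or from the Symbiote analysis.
TRUSTED_LIB_DIRS and the SAMPLE_* inputs are assumptions made for the demo.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumption: a shared object mapped from anywhere else deserves a second look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


@dataclass(frozen=True)
class Finding:
    source: str  # where the evidence came from
    detail: str  # what was seen


def check_preload_file(content: str) -> list[Finding]:
    """Every non-comment entry in /etc/ld.so.preload is injected into all dynamic processes."""
    return [
        Finding("ld.so.preload", line.strip())
        for line in content.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def check_environ(pid: int, environ: bytes) -> list[Finding]:
    """/proc/<pid>/environ is NUL-separated; LD_PRELOAD there means per-process injection."""
    return [
        Finding(f"pid {pid} environ", entry.decode(errors="replace"))
        for entry in environ.split(b"\0")
        if entry.startswith(b"LD_PRELOAD=")
    ]


def _is_shared_object(path: str) -> bool:
    return path.endswith(".so") or ".so." in path


def check_maps(pid: int, maps: str) -> list[Finding]:
    """Flag shared objects mapped from untrusted places or unlinked after loading."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for line in maps.splitlines():
        # "address perms offset dev inode path"; anonymous mappings have no path field
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        path = fields[5]
        if not path.startswith("/") or path in seen:
            continue
        seen.add(path)
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if not _is_shared_object(clean):
            continue
        if deleted:
            findings.append(Finding(f"pid {pid} maps", f"{path}: deleted from disk"))
        elif not clean.startswith(TRUSTED_LIB_DIRS):
            findings.append(Finding(f"pid {pid} maps", f"{path}: outside trusted library dirs"))
    return findings


def scan_live() -> list[Finding]:
    """Walk /proc on the running host; reading other users' environ needs root."""
    findings: list[Finding] = []
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as f:
            findings += check_preload_file(f.read())
    except FileNotFoundError:
        pass
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                findings += check_environ(pid, f.read())
            with open(f"/proc/{pid}/maps", encoding="utf-8", errors="replace") as f:
                findings += check_maps(pid, f.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited, or not ours to read
    return findings


# Constructed sample inputs (not real Symbiote artifacts) so the checks run offline.
SAMPLE_PRELOAD = "# injected by attacker\n/tmp/.x/libhook.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a10000 r-xp 00000000 fd:01 131072 /usr/sbin/sshd
7f3a00000000-7f3a001c0000 r-xp 00000000 fd:01 262144 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a00400000-7f3a00405000 r-xp 00000000 fd:01 393216 /tmp/.x/libhook.so
7f3a00500000-7f3a00503000 r-xp 00000000 00:1b 524288 /dev/shm/inject.so (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    sample = check_preload_file(SAMPLE_PRELOAD) + check_environ(4242, SAMPLE_ENVIRON) + check_maps(4242, SAMPLE_MAPS)
    for finding in sample:
        print(f"{finding.source}: {finding.detail}")
```

The caveat that matters for Symbiote specifically: a preloaded library hooks libc in every dynamically linked process, and a Python interpreter is one of them, so on an infected host the reads of /etc/ld.so.preload and /proc can themselves be lied to. Run the checks from a statically linked tool, from a live-boot medium against the mounted disk, or compare the results against what a remote EDR sensor reports before trusting a clean verdict.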
If you’re into webrings and old-school websites, check out Alexandra’s safonts webring and consider joining it.
Only the cool people, ofc!
ConfluencePot is a simple honeypot for the Atlassian Confluence unauthenticated and remote OGNL injection vulnerability (CVE-2022-26134).
ConfluencePot is written in Golang and implements its own HTTPS server to minimize the overall attack surface. To make it appear like a legit Confluence instance it returns a bare-bones version of a Confluence landing page. Log output is written to stdout and a log file on disk. ConfluencePot DOES NOT allow attackers to execute commands/code on your machine, it only logs requests and returns a bogus response. confluencePot - Simple Honeypot For Atlassian Confluence (CVE-2022-26134)
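A honeypot only sees the attackers who happen to hit it; the same request shape is worth flagging in the logs of any proxy sitting in front of a real Confluence. The following is an added example, not ConfluencePot's code, that scans combined-format access log lines for the percent-encoded OGNL expression in the URI path that CVE-2022-26134 exploitation uses. The hint list and the sample log lines are constructed for the demo, not captured traffic.

```python
"""Flag CVE-2022-26134 (Confluence OGNL injection) attempts in web access logs.

Added example, not ConfluencePot's code. Log lines use the Apache/nginx
"combined" format; SAMPLE_LOG is constructed, not real traffic.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# The public exploit form places an OGNL expression in the URI path: /${...}/
OGNL_RE = re.compile(r"\$\{.*?\}", re.S)
# Substrings that separate code-execution payloads from stray braces in a URL (assumed list).
OGNL_HINTS = ("@java.", "@org.", "#", "getRuntime", ".exec(", "ProcessBuilder", "IOUtils")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable; attackers double-encode to dodge naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str) -> dict | None:
    """Return the OGNL expression and matched hints for a request target, or None."""
    path = target.split("?", 1)[0]  # the expression lives in the path, not the query
    match = OGNL_RE.search(fully_decode(path))
    if not match:
        return None
    expr = match.group(0)
    return {"expression": expr, "hints": [h for h in OGNL_HINTS if h in expr]}


def scan_access_log(lines) -> list[dict]:
    """Parse each line and keep the ones whose path carries an OGNL expression."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_target(m["target"])
        if verdict is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), **verdict})
    return hits


# Constructed sample: one benign login, one single-encoded and one double-encoded attempt.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2022:10:15:30 +0000] "GET /login.action HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jun/2022:10:15:41 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '192.0.2.9 - - [03/Jun/2022:10:16:02 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522whoami%2522%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.81"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} -> {hit['expression']} hints={hit['hints']}")
```

Only the request path is inspected, so the check works on a reverse-proxy log as well as on the honeypot's own output; the repeated decoding is what catches the double-encoded variant that a single `unquote` would miss.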
If you have nothing to hide, it means you’re doing nothing good.
We successfully exploited this vulnerability to obtain full root privileges on default installations of Ubuntu 20.04.
- Among all these *_OR_NULL types, we choose PTR_TO_MEM_OR_NULL, which can be created by BPF_FUNC_ringbuf_reserve. First, we pass 0xffff…ffff to BPF_FUNC_ringbuf_reserve to get a NULL pointer r0, and copy r0 to r1. Then add 1 to r1, and do a NULL check on r0. At this point, the verifier will believe that both r0 and r1 are zero.
- ALU sanitation is hardened after commit "bpf: Fix leakage of uninitialized bpf stack under speculation". To bypass ALU sanitation, we use the helper functions bpf_skb_load_bytes_* to partially/fully overwrite the pointer on the stack to obtain a pointer address leak and arbitrary address read/write.
- We spawn many child processes, and use arbitrary address read to find the address of task_struct and cred around the address of the array map we created. After zeroing out the uid/gid/…, full root privileges are obtained. CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation | Chinese writeup
DFIR Cheat Sheet is a collection of tools, tips, and resources in an organized way to provide a one-stop place for DFIR folks. (Still under development) DFIR Cheat Sheet
The world is infested with garbage pretending to be people.
Unauthenticated and authenticated Grafana users can send a forged snapshot query request using random key parameters, gaining access to the system dashboard area by going through the login page. CVE-2022-32276 / CVE-2022-32275 - Grafana vulnerabilities
Watsor detects objects in a video stream using a deep-learning-based approach. Intended primarily for surveillance, it works in real time, analysing the most recent frame to deliver the fastest reaction to a detected threat. Watsor
It’s a comforting thought to think that Reddit is all bots, but unfortunately you’re still probably talking to real humans there. The robotic nature of that website has more to do with the ranking and moderation system creating uniformity of thought.
Authenticated Remote Code Execution in Tp-Link Routers
Affected Devices
If your Tp-Link router has backup and restore functionality and its firmware is older than June 2022, it is probably vulnerable.
Tested With
Tp-Link Archer AX50; other Tp-Link routers may use a different backup format, and the exploit needs to be modified. Tp-Link Archer AX50 Authenticated RCE (CVE-2022-30075)
The Notkia uses the Nokia 1680/1681/1682 form factor. Yes, it has a proper shell. The 1680 has a camera, and the other models don't. It can be comfortably operated one-handed, whether on public transport or in bed. Having it accidentally fall on your face won't cause extreme pain. It can be put in almost all pockets and bags without a problem, and won't scratch your clothes or pull your beach pants down.
Note: This is NOT a custom ROM for Nokia phones. It is a freshly designed PCB with exactly the same dimensions as the original PCB of the Nokia phone, so it can be put in the Nokia’s shell. Notkia, Linux phone in the shape of Nokia, with LoRa+WiFI+BT connectivity
PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform. PiRogue tool suite (PTS)
Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one, easy-to-use rootkit with multiple helpful functionalities for red team engagements that can be integrated with your own C2 framework via a single header file with simple usage; you can see an example here.
Nidhogg can work on any version of Windows 10 and Windows 11.
This repository contains a kernel driver with a C++ header to communicate with it.
NOTE: This project is currently in beta; more features will be released in the coming weeks. Nidhogg - all-in-one simple to use rootkit for red teams
AutoPWN Suite is a project for scanning vulnerabilities and exploiting systems automatically.
AutoPWN Suite uses an nmap TCP SYN scan to enumerate the host and detect the versions of the software running on it. After gathering enough information about the host, AutoPWN Suite automatically generates a list of "keywords" to search the NIST vulnerability database. AutoPWN Suite
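The pipeline just described (version detection, then keywords, then a lookup in the NIST database) is easy to reproduce by hand, and doing so shows where the "keyword" step is weak: a free-text search for "Apache httpd 2.4.41" returns far noisier results than an exact CPE match, which nmap already provides for most well-known services. The following is an added example written for this page, not AutoPWN Suite's code. It parses nmap `-sV -oX` output, converts nmap's CPE 2.2 URIs to the CPE 2.3 strings the NVD API 2.0 expects, and builds one query URL per open port. The nmap XML is a constructed sample; the NVD endpoint and its `cpeName`/`keywordSearch` parameters are the ones NIST documents.

```python
"""Turn nmap -sV XML into NVD API 2.0 queries: exact CPE where nmap gives one,
free-text keywords otherwise.

Added example, not AutoPWN Suite's code. SAMPLE_NMAP_XML is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def cpe22_to_cpe23(cpe22: str) -> str:
    """nmap emits CPE 2.2 URIs (cpe:/a:vendor:product:version); NVD wants 2.3 strings.

    A CPE 2.3 formatted string has 11 components after "cpe:2.3:"; missing
    trailing components become the ANY wildcard "*".
    """
    parts = cpe22.removeprefix("cpe:/").split(":")
    parts += ["*"] * (11 - len(parts))
    return "cpe:2.3:" + ":".join(parts[:11])


def build_queries(nmap_xml: str) -> list[dict]:
    """One query per open port whose service has a detected product name."""
    queries: list[dict] = []
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            product = service.get("product")
            if not product:
                continue  # name-only guesses ("http") are too vague to search
            keyword = " ".join(x for x in (product, service.get("version")) if x)
            cpe_el = service.find("cpe")
            cpe23 = cpe22_to_cpe23(cpe_el.text) if cpe_el is not None and cpe_el.text else None
            params = {"cpeName": cpe23} if cpe23 else {"keywordSearch": keyword}
            queries.append({
                "host": addr,
                "port": int(port.get("portid")),
                "service": service.get("name"),
                "keyword": keyword,
                "cpe23": cpe23,
                "url": f"{NVD_API}?{urlencode(params)}",
            })
    return queries


# Constructed nmap -sV -oX sample: two services with CPEs, one without, one closed port.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10">
          <cpe>cpe:/a:openbsd:openssh:8.2p1</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10">
          <cpe>cpe:/a:apache:http_server:2.4.41</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" product="Squid http proxy" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    for q in build_queries(SAMPLE_NMAP_XML):
        print(f"{q['host']}:{q['port']} {q['keyword']!r} -> {q['url']}")
```

The URLs can be fetched with `urllib.request`; NVD rate-limits clients without an API key, so add a delay between requests or send an `apiKey` header. Treat the results as candidates, not confirmed findings: a version string from a banner says nothing about backported fixes, which is the usual source of false positives in this kind of automated matching.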
We come from the Linux world and we don’t use Windows very often. However, we have been “forced” to use it more here at Trunc lately as we work to properly support Windows logs. Because of that, we installed a Windows 11 Pro server on Azure as one of our testing servers for our Windows logging agent.
And I have to say - unrelated to this content - that the Windows experience has improved a lot. So much easier to use and cleaner than what it was back in the old Windows 2000/Vista days - yes, that’s how long we have avoided Windows. Brute force attacks against Windows Remote Desktop