Audit of Unbound DNS by X41 D-Sec – Full Results
> Both the audit team and the Unbound team are happy with the results as they are shown. This project led to a total of 48 changes in unbound that either improve security or fix minor issues that could lead to future security problems as the application grows and evolves over time. The consensus is that Unbound has greatly benefited from the work and that the users and applications that depend on it are now safer than they were prior to our work. A patch will be released tomorrow, December 12th 2019.
Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
> 1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so:
> 1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit:
So We Don't Have A Solution For Catalina...Yet
> With the release of macOS 10.15 (Catalina), Apple has dropped support for running 32-bit executables and removed the 32-bit versions of system frameworks and libraries. Most Windows applications our users run with CrossOver are 32-bit and CrossOver uses a 32-bit Mac executable, system frameworks, and libraries to run them. This will break with Catalina.
And then comes the fun part:
> We have built a modified version of the standard C language compiler for macOS, Clang, to automate many of the changes we need to make to Wine’s behavior without pervasive changes to Wine’s source code.
> First, our version of Clang understands both 32- and 64-bit pointers. We are able to control from a broad level down to a detailed level which pointers in Wine’s source code need to be 32-bit and which 64-bit. Any code which substitutes for Windows at the interface with the Windows app has to use 32-bit pointers. On the other hand, the interfaces to the system libraries are always 64-bit.
Git submodule update command execution
> The git submodule update operation can lead to execution of arbitrary shell commands defined in the .gitmodules file.
> Modern processors are being pushed to perform faster than ever before - and with this comes increases in heat and power consumption. To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed. But more than that, they offer the user the opportunity to modify the frequency and voltage through privileged software interfaces. With Plundervolt we showed that these software interfaces can be exploited to undermine the system’s security. We were able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations. This means that even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt.
Not sure anyone should care about SGX anymore, all things considered, but for completeness, here’s another one.
> Meet the ZedRipper – a 16-core, 83 MHz Z80 powerhouse as portable as it is impractical. The ZedRipper is my latest attempt to build a fun ‘project’ machine, with a couple of goals in mind:
Chunking Optimizations: Let the Knife Do the Work
> “Letting the knife do the work” means writing a correct program and lifting unnecessary constraints so that the compiler can use whatever chunk size is appropriate for the target.
It was 20 years ago today
> It’s amazing to think I’ve been doing this whole blog thing for a whole twenty years.
> But despite all the code changes, the actual storage format has not changed one bit in all twenty years.
Teletext’s creative legacy lives on
> Like Walkmans and VHS recorders, teletext now seems impossibly quaint. But designer and writer Craig Oldham explains that not only was Teletext a revolutionary technology in its prime, its creative legacy lives on with a new generation of artists who love its creative limits.
The Go runtime scheduler's clever way of dealing with system calls
> One of Go’s signature features is goroutines, which are lightweight threads that are managed by the Go runtime. The Go runtime implements goroutines using a M:N work stealing scheduler to multiplex goroutines on to operating system threads. The scheduler has special terminology for three important entities; a G is a goroutine, an M is an OS thread (a ‘machine’), and a P is a ‘processor’, which at its core is a limited resource that must be claimed by an M in order to run Go code. Having a limited supply of Ps is how Go limits how many things it will do at once, so as to not overload the overall system; generally there is one P per actual CPU that the OS reports (the number of Ps is GOMAXPROCS).
In the modern commune, a case of beer is not welcome
> I didn’t plan to move into a commune. But when The Economist sent me to San Francisco for two months to cover a gap in our Silicon Valley coverage, my housing options seemed unpalatable. I didn’t want to live in a soulless serviced apartment, and hotels and Airbnbs were horrifically expensive for long stays. So I found myself trawling Facebook groups with names like “San Francisco flatshare”. A stranger suggested I look at a spare room in a communal house he knew. I wrote an earnest email introducing myself to its occupants and asking whether they had a room for a month. A few hours later I was in.
> I felt like a Neanderthal, supping beer and interjecting to add that surely it was important to enjoy yourself now and again. This sat oddly with a group that was on a different path towards self-actualisation.
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.
> I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.
Some more info in replies, such as https://marc.info/?l=oss-security&m=157554332429760&w=2.
Non-blocking I/O in Go
> Whether you know it or not, if you are using Go you are probably using non-blocking I/O. This post will dig in a little into that, but go further into how you can actually take more control of the I/O handling in Go. This is especially nice as go1.11 and go1.12 add some very interesting interfaces to help with this.
Authentication vulnerabilities in OpenBSD
> We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
> Some commenters have recently brought up the perennial question of when speech becomes constitutionally unprotected blackmail. As I’ve mentioned before, this is one of the thorniest conceptual questions in all of jurisprudence.
> What’s the explanation? Legal scholars have debated this for decades, and to my knowledge have not come up with a perfectly satisfactory answer.
Finding the hotel room of a target
War dial hotel WiFi login... Room number and last name login.
The New York City Subway Map as You’ve Never Seen It Before
The three ins of web design: interesting and infuriatingly interactive.
That time a monkey flew to the edge of space
> So when NASA’s young engineers at Langley Research Center in Virginia began testing their new Mercury capsule in flight, they wanted to see whether the accelerations experienced during the abort of a Mercury flight shortly after launch were survivable. Enter Sam, an eight-pound rhesus monkey.
Addressing of AF_INET, AF_INET6 and AF_UNIX sockets
> A freshly created socket isn’t very useful. We have to tell it to either listen for incoming data, or connect to a remote peer. To achieve anything useful we need to perform a syscall dance, which involves either bind() or connect() or both.
And some notes about the DNS resolver rabbit hole.
Writing a Texture Painter: Part #1
> Many programmers appreciate being able to see their code render something interesting to the screen. For a while I’ve wanted to write a texture painter, where I can import a model, paint colors on it, and then export those textures back to a file. I’m using OpenGL in my code, but I’ll focus on the actual mechanics and less on the language or code.