SHA-crypt's running time is O(length^2)
https://twitter.com/solardiz/status/795601240151457793 [twitter.com]
2016-11-07 15:03
“For every character in the password add the entire password.”
random
Welp, sup, yep, yup, nope
https://languagelog.ldc.upenn.edu/nll/?p=47300 [languagelog.ldc.upenn.edu]
2020-05-29 20:26
Though we have presented quite a bit of informal and recent use, our earliest written use of welp goes back over 70 years. It shows up in a scholarly article on two of welp’s linguistic cousins: yep and nope. Well gained that final -p as part of a normal process of articulation: the lips come together to stop the sound of well and prepare for the next sound, and some hear that stoppage as a -p. This means it is very common in speech. One linguist went so far as to say that anyone who didn’t know what welp meant was probably an alien.
A Compendium of Container Escapes
https://www.youtube.com/watch?v=BQlqita2D2s [www.youtube.com]
2020-03-25 01:38
The goal of this talk is to broaden the awareness of how and why container escapes work, starting from a brief intro to what makes a process a container, and then spanning the gamut of escape techniques, covering exposed orchestrators, access to the Docker socket, exposed mount points, /proc, all the way down to overwriting/exploiting the kernel structures to leave the confines of the container.
source: white
Never Mind the Ferrari Showroom, Bank Regulators Call This a Poor Neighborhood
https://www.wsj.com/articles/never-mind-the-ferrari-showroom-bank-regulators-say-this-a-poor-neighborhood-1495108800 [www.wsj.com]
2017-05-19 01:19
Census tract hacking is the new p hacking.
Why Keyboard Shortcuts don't work on non-US Layouts and how Devs could fix it
https://tkainrad.dev/posts/why-keyboard-shortcuts-dont-work-on-non-us-keyboard-layouts-and-how-to-fix-it/ [tkainrad.dev]
2021-04-09 02:48
This is most annoying when the most important keyboard shortcuts are inaccessible. A very common shortcut is / for accessing search functionality. Unfortunately, there is no /-key on most international layouts. Adding modifiers to produce this key with your layout rarely helps. For example, on my German layout, / is produced via Shift+7. Most web applications will ignore this. Similarly painful is when Electron apps use [ and ] for navigating backwards and forwards.
If you use a US layout, you might be surprised to hear about these problems. But rest assured, they are not new and I am not the only one who is affected. We are at a point where it is easy to find users complaining about this for almost any popular web application.
source: HN
SoftBank’s $375 Million Bet on Pizza Went Really Bad Really Fast
https://www.bloomberg.com/news/articles/2020-02-13/inside-the-firings-at-softbank-s-robot-pizza-startup [www.bloomberg.com]
2020-02-18 19:50
By the time Garden headed back down the driveway, he was well on his way to a SoftBank investment of $375 million, with double that money on the table if his business gained traction. But that’s not what happened. Instead, Zume marks one of the biggest recent disappointments in SoftBank’s portfolio. As of this year it no longer makes or delivers pizzas. In January, Zume cut 360 jobs, leaving a little over 300 employees, and said it would focus on packaging and efficiency gains for other food delivery companies.
Levine commentary: https://www.bloomberg.com/opinion/articles/2020-02-14/robot-pizza-trucks-hit-some-bumps
Just, what a closed loop it is. You run a pizza delivery business. You craft a pitch calculated to convince Masayoshi Son that your pizza delivery business will change the world. You meet with Masayoshi Son. He convinces you that you will change the world. Now you are all believers, all in it together. He hands you piles of money. You go home and weep to your friends, “I am going to change the world.” The friends are like “wait what with the pizzas?” But it is too late for skepticism, you have the money, the robots are in the trucks, they are fanning out across town, the cheese is everywhere, they cannot turn back.
source: ML
afl-unicorn: Fuzzing Arbitrary Binary Code
https://medium.com/@njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf [medium.com]
2017-11-09 03:14
The Unicorn-based test harness loads the target code, sets up the initial state, and loads in data mutated by AFL from disk. The test harness then emulates the target binary code, and if it detects that a crash or error occurred it throws a signal. AFL will do all its normal stuff, but it’s actually fuzzing the emulated target binary code!
https://github.com/njv299/afl-unicorn
source: grugq
Understanding Strict Aliasing
http://cellperformance.beyond3d.com/articles/2006/06/understanding-strict-aliasing.html [cellperformance.beyond3d.com]
2017-12-04 18:56
The rare type-system C link. Lots of examples.
source: L
Hacking Node Serialize
http://blog.websecurify.com/2017/02/hacking-node-serialize.html [blog.websecurify.com]
2017-02-21 17:24
In this post I would like to show my take on this particular RCE and also perhaps share additional insight that may prove to be helpful in the future - perhaps in your own research.
source: grugq
MsMpEng: Multiple problems handling ntdll!NtControlChannel commands
https://bugs.chromium.org/p/project-zero/issues/detail?id=1260 [bugs.chromium.org]
2017-05-29 14:16
A sandbox that leaks a lot of sand.
source: solar
PostgreSQL: 2017-05-11 Security Update Release
https://www.postgresql.org/about/news/1746/ [www.postgresql.org]
2017-05-12 00:57
Nothing critical, plus 90 more bug fixes.
source: L
Vulnerability in Hangouts Chat: from open redirect to code execution
https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html [blog.bentkowski.info]
2018-07-28 13:57
Open redirect is a vulnerability which, in my opinion, tends to be overvalued.
I agree with the sentiment. In general, users should trust the address bar as the only reliable security indicator. The thing is that it is no longer true in the case of Electron. In an Electron app we don’t have the address bar, hence the user is unable to confirm the identity of the website. So in this case, it is clearly a severe vulnerability.
Matt Austin (@mattaustin) proved in a tweet that it could actually be exploited to gain code execution.
source: L
How "special register groups" invaded computer dictionaries for decades
http://www.righto.com/2019/10/how-special-register-groups-invaded.html [www.righto.com]
2019-10-23 05:29
Half a century ago, the puzzling phrase “special register groups” started showing up in definitions of “CPU”, and it is still there. In this blog post, I uncover how special register groups went from an obscure feature in the Honeywell 800 mainframe to appearing in the Washington Post.
ARMageddon: Cache Attacks on Mobile Devices
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lipp [www.usenix.org]
2016-11-04 23:46
Link to tools: https://github.com/iaik/armageddon
Practical Web Cache Poisoning
https://portswigger.net/blog/practical-web-cache-poisoning [portswigger.net]
2018-08-10 20:04
Web cache poisoning has long been an elusive vulnerability, a ‘theoretical’ threat used mostly to scare developers into obediently patching issues that nobody could actually exploit. In this paper I’ll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.
Web cache poisoning is far from a theoretical vulnerability, and bloated applications and towering server stacks are conspiring to take it to the masses. We’ve seen that even well-known frameworks can hide dangerous omnipresent features, confirming it’s never safe to assume that someone else has read the source code just because it’s open-source and has millions of users. We’ve also seen how placing a cache in front of a website can take it from completely secure to critically vulnerable.
source: grugq
The 2016 Underhanded Rust Contest - The Results
http://blog.community.rs/underhanded/2017/09/27/underhanded-results.html [blog.community.rs]
2017-09-28 07:57
In an interesting twist, this exploit may be more obvious to users who aren’t so familiar with Rust and/or have experience in other languages - it actually uses data races to do its thing.
I initially blew this one off as a simple path traversal attack, but I think it’s a bit more than that because of how Cargo is involved.
source: HN
Firefox 51 on sparc64 - we did not hit the wall yet
http://blog.netbsd.org/tnf/entry/firefox_51_on_sparc64_we [blog.netbsd.org]
2017-02-09 14:18
Life support continues for one more release.
source: L
Code Reuse a Peril for Secure Software Development
https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/ [threatpost.com]
2016-12-18 16:58
Fun fact: 50% of code is below average.
sr.ht, the hacker's forge, now open for public alpha
https://drewdevault.com/2018/11/15/sr.ht-general-availability.html [drewdevault.com]
2018-11-15 17:20
For those who are new, let me explain what makes sr.ht special. It provides many of the trimmings you’re used to from sites like GitHub, Gitlab, BitBucket, and so on, including git repository hosting, bug tracking software, CI, wikis, and so on. However, the sr.ht model is different from these projects - where many forges attempt to replicate GitHub’s success with a thinly veiled clone of the GitHub UI and workflow, sr.ht is fundamentally different in its approach.
source: L
Tethered jailbreaks are back
https://blog.trailofbits.com/2019/09/27/tethered-jailbreaks-are-back/ [blog.trailofbits.com]
2019-09-28 20:00
checkm8 exploits the Boot ROM to allow anyone with physical control of a phone to run arbitrary code. The Boot ROM, also called the Secure ROM, is the first code that executes when an iPhone is powered on and cannot be changed, because it’s “burned in” to the iPhone’s hardware. The Boot ROM initializes the system and eventually passes control to the kernel. It’s the root of trust for the trusted boot chain of iOS and verifies the integrity of the next stage of the boot process before passing execution control.
Detailed writeup: https://habr.com/en/company/dsec/blog/472762/
source: white