Grant Hernandez (@Digital_Cold)
The Swamp
PhD candidate at @UF_FICS, firmware analyst, reverse engineer, and binary breaker. keybase.io/ghh
926 Tweets · 1,340 Following · 1,308 Followers

Tweets
Grant Hernandez @Digital_Cold · Feb 2
Install via pyBOMBS, not pacman. It's like a single folder virtualenv but it includes libraries and binaries. Will not break when the system changes

Grant Hernandez @Digital_Cold · Jan 31
Another stat to add: I estimate AT LEAST 4.4 million lines of code (see repo for the calculation). Absolutely insane!

Grant Hernandez @Digital_Cold · Jan 24
Check out how my CTF team, Kernel Sanders, and I approached CSAW's embedded security competition using angr and how we leveraged a buffer overflow to print arbitrary messages to the serial port using RFID shellcode
github.com/ufsit/csawesc19

Grant Hernandez @Digital_Cold · Jan 24
Looks like a bug, and almost a vulnerability, but not quite. Maybe some better pwners can take this to an exploit?

Grant Hernandez @Digital_Cold · Jan 24
This is the allowed check that is passed due to the lack of error handling on fopen: github.com/svagner/vixie-…
And this is as far as the program gets with the new ulimit: github.com/svagner/vixie-…

Grant Hernandez @Digital_Cold · Jan 24
Normally it would say this:
$ crontab newtab
You (grant) are not allowed to use this program (crontab)
See crontab(1) for more information

Grant Hernandez @Digital_Cold · Jan 24
In vixie-cron, SUID crontab prevents crontab editing if /etc/cron.allow is empty. If you force the ulimit for open files to be 4, auth check is bypassed but you hit another error lower down :(
$ bash -c 'ulimit -n 4; crontab newtab'
/var/spool/cron/: mkstemp: Too many open files
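An added example (not the author's code and not vixie-cron's) of the fail-open pattern this thread describes: a hypothetical allow-list check where fopen() failing under a low open-file limit is treated as if no allow file existed, beside the fail-closed version. Function names, the allow-file path and the helper that reproduces the low descriptor limit are assumptions.

```c
/* Added illustration, not vixie-cron's code: an allow-list gate shaped like the
 * one the thread describes, where a failed fopen() is handled like "no allow
 * file" and the caller permits. Function and file names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
/* 1 = user listed, 0 = not listed, -1 = file could not be opened (errno set). */
static int user_in_file(const char *path, const char *user)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    char line[256];
    int found = 0;
    while (!found && fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\n")] = '\0';   /* drop trailing newline */
        found = (strcmp(line, user) == 0);
    }
    fclose(fp);
    return found;
}
/* Vulnerable shape: an open failure is treated like "file absent" and the
 * caller permits, so -1 from EMFILE passes just like a listed user. */
bool allowed_fail_open(const char *allow_path, const char *user)
{
    return user_in_file(allow_path, user) != 0;
}
/* Hardened shape: only a successful read that finds the user permits. */
bool allowed_fail_closed(const char *allow_path, const char *user)
{
    return user_in_file(allow_path, user) == 1;
}
/* Test helpers: lower RLIMIT_NOFILE and hold /dev/null open until fopen()
 * fails with EMFILE, the state "ulimit -n 4" put crontab in. */
static FILE *held[64]; static int nheld; static struct rlimit saved;
void exhaust_fds(void)
{
    getrlimit(RLIMIT_NOFILE, &saved);
    struct rlimit rl = saved;
    rl.rlim_cur = 8;
    setrlimit(RLIMIT_NOFILE, &rl);
    while (nheld < 64 && (held[nheld] = fopen("/dev/null", "r")) != NULL)
        nheld++;
}
void release_fds(void)
{
    while (nheld > 0) fclose(held[--nheld]);
    setrlimit(RLIMIT_NOFILE, &saved);
}
```

Calling exhaust_fds() before the check makes allowed_fail_open() return true for a user who is not in the file while allowed_fail_closed() still returns false; release_fds() closes the held descriptors and restores the limit.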

Grant Hernandez @Digital_Cold · Jan 18
Might be time to remind them with another hack!

Grant Hernandez @Digital_Cold · Jan 15
check out soong (their custom build system in Go)

Grant Hernandez @Digital_Cold · Jan 13
I have accepted that the inevitable bi-monthly kernel panic will wipe out half of my tabs

Grant Hernandez @Digital_Cold · Jan 8
Justify using defense-in-depth. If one control falls (WAF) for whatever reason, patching this vuln will mitigate the loss along this specific vector.

Grant Hernandez @Digital_Cold · Jan 5
"The missile knows where it is..."

Grant Hernandez @Digital_Cold · Jan 2
Here was the damage caused by this rotation as it crossed US 441 and hit Lake Wauburg facilities. instagram.com/p/B61Etk7BDLL/ @UFRecSports

Grant Hernandez @Digital_Cold · Jan 2
I just ordered 66 of these

Grant Hernandez @Digital_Cold · Dec 23
May not be relevant to what you are looking for, but cuttlefish vm is now the preferred system emulation platform internally. Goldfish (qemu) hasn't been maintained as much these days

Grant Hernandez @Digital_Cold · Dec 21
The risk is overblown for everyday users, BUT Android manufacturers still expose a lot of attack surface via USB, much of it being proprietary. For instance, Samsung exposes AT interfaces on patched phones. Plus charge only can be a lie as we showed in atcommands.org

Grant Hernandez @Digital_Cold · Dec 4
Check out d4stiny.github.io/Insecure-by-De… some good debugger detection routines and how to bypass

Grant Hernandez @Digital_Cold · Dec 4
Hmm, nothing else is coming to mind. Source/debugger would be my next step unfortunately

Grant Hernandez @Digital_Cold · Dec 4
I've had this issue before on Android (which strips debug info). I ended up using gdb to step through with the sanitizer source available. Is this being used in the context of libfuzzer?

Grant Hernandez @Digital_Cold · Dec 4
Are you able to get the information when manually calling llvm-symbolizer with the PC and .so? If not, maybe its version is out of sync with the debug information