Solar Designer
@solardiz

@Openwall founder. RTs don't imply agreement with points of view.

13,064 Tweets · 966 Following · 12,659 Followers

Tweets

Solar Designer retweeted
dragosr @dragosr · 8h

Here is something you don't see very often these days.
An update to the venerable terminal multiplexer GNU "screen" to fix a 768-byte memory overwrite from an on-screen color sequence escape (OSC 49). Probably worth updating.
Hat Tip: @solardiz
lists.gnu.org/archive/html/i…

Solar Designer retweeted
Andrey Konovalov @andreyknvl · Jan 29

Implemented a PoC for disabling kernel lockdown on Ubuntu via a keyboard emulated through USB/IP, CC @mjg59
github.com/xairy/unlockdo…

Solar Designer @solardiz · Feb 2

Ouch. Thanks. openwall.com/lists/oss-secu…

Solar Designer retweeted
Saul Procterm @pozdnychev · Jan 28

Qualys Security Advisory: LPE and RCE (CVE-2020-7247) in OpenSMTPD, OpenBSD's mail server. Erroneous logic in smtp_mailaddr() which validates user and domain. More details and PoC at: openwall.com/lists/oss-secu…
PS: "Did you ever play tic-tac-toe?"

Solar Designer retweeted
Saul Procterm @pozdnychev · Dec 11

Qualys Security Advisory Team: Local Privilege Escalation in OpenBSD's loader (ld.so, CVE-2019-19726). Getting root on default install (i386/amd64), by tweaking the environment variables. Exploit and more details at: openwall.com/lists/oss-secu…

Solar Designer @solardiz · Jan 28

Also, doing it in libc would be significantly slower (extra syscalls just for this hardening check).

Solar Designer @solardiz · Jan 28

You could do this checking in libc (and the races might not matter, but explaining this gets beyond a tweet) rather than in the kernel, and have it configurable too, but doing it in the kernel ensures all existing binaries built with various libc's and other runtimes are covered.

Solar Designer @solardiz · Jan 28

I probably misunderstand you as I'm sure you realize that if you force O_EXCL on every O_CREAT, you'd break (too) many existing uses - and not only directly from C programs and such, but also from scripts. The kernel feature checks the target file's directory and is configurable.

Solar Designer @solardiz · Jan 28

Disclosure/write-up on Linux kernel user-triggerable read-after-free crash or 1-bit infoleak oracle in a userspace security hardening feature of open(2) found/analyzed/fixed by Al Viro (thus effectively by "the vendor"), which I share responsibility for: openwall.com/lists/oss-secu…

Solar Designer retweeted
Stephan van Schaik @themadstephan · Jan 27

Finally, the disclosure is over! We present CacheOut, a new speculative execution attack to leak data on Intel CPUs via cache eviction despite current mitigations: cacheoutattack.com #intel #cacheout #l1des @MarinaMinkin, Andrew Kwong, Daniel Genkin and @yuvalyarom

Solar Designer retweeted
VUSec @vu5ec · Jan 27

Another day, another #RIDL embargo and addendum! “New” (not really!) variants of the day: L1D evictions (Fig 6, RIDL paper) or #L1DES and vector registers or #VRS. See mdsattacks.com. As a bonus: a faster RIDL exploit that leaks a root hash in 4s: youtube.com/watch?v=4DQAcC…

Solar Designer @solardiz · Jan 27

No, why - this is a common occurrence, especially when cracking hashes from multiple sources at once. Openwall's "all.lst" includes the same non-English words in utf-8 and iso-8859-1, or in utf-8 and koi8-r and cp1251 for Cyrillic.

Solar Designer @solardiz · Jan 27

It depends. To crack (nearly) all of the HIBP hashes, yes, you need inputs in multiple encodings.

Solar Designer @solardiz · Jan 27

Ah, indeed. I expected this would be the case, but ended up misreading. Thanks. @marver

Solar Designer @solardiz · Jan 27

Do I get it right that the encryption key is encoded in the filename (not surprised), and that filename is stored on WhatsApp servers (am surprised)? So there's effectively no E2E encryption for media, right? Is this consistent with what (lack of) security WhatsApp claims it has?

Solar Designer retweeted
Dino A. Dai Zovi @dinodaizovi · Jan 26

The claim in the FTI forensics report on Bezos’ iPhone that, “due to end-to-end encryption employed by WhatsApp, it is virtually impossible to decrypt the contents of the downloader [.enc file]...” bugged me so much that I coded up how to do it:
github.com/ddz/whatsapp-m…

Solar Designer @solardiz · Jan 19

We have a match:
    $ echo -n '𝓮𝔁𝓪𝓶𝓹𝓵𝓮' | iconv -t utf16 | dd bs=2 skip=1 status=none | openssl md4
    (stdin)= bf5b160e133c84572b9fe664bf4c718a
but yes, the Windows password dialog might be receiving the string already as UTF-16, and then is showing the stars like it's UCS-2.

Solar Designer @solardiz · Jan 19

BTW, since Solaris is open source, your two advisories are also suitable for oss-security. Please feel free to post them.

Solar Designer @solardiz · Jan 19

Thanks. Your two hashes match what I get with:
    echo -n ... | iconv -t ucs2 | openssl md4
Can you also try 𝓮𝔁𝓪𝓶𝓹𝓵𝓮 and tweet the resulting hash (if any) to check for UCS-2 vs. UTF-16?

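The NT hash computation behind the two Jan 19 tweets above (MD4 over the password's UTF-16LE bytes, which is exactly what the iconv/dd/openssl pipeline feeds to md4), as an added example that is not from the tweets or from Openwall's code: md4(), nt_hash() and utf16_code_units() are written here, and the sample passwords are constructed. It also shows why a non-BMP string such as 𝓮𝔁𝓪𝓶𝓹𝓵𝓮 is 7 characters but 14 UTF-16 code units, which is the UCS-2 vs. UTF-16 distinction the tweets are probing.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is missing on many OpenSSL 3 builds."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: natural word order, no constant
            a, b, c, d = d, _rotl(a + F(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: word order 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl(a + G(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: bit-reversed word order 0,8,4,12,2,10,...
            k = int(f"{i:04b}"[::-1], 2)
            a, b, c, d = d, _rotl(a + H(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). Note: encode('utf-16') would prepend a BOM,
    which is what the tweet's 'dd bs=2 skip=1' strips from iconv's output."""
    return md4(password.encode("utf-16-le")).hex()


def utf16_code_units(s: str) -> int:
    """Number of 16-bit units the string occupies; a UCS-2-minded dialog shows one star per unit."""
    return len(s.encode("utf-16-le")) // 2


if __name__ == "__main__":
    fancy = "𝓮𝔁𝓪𝓶𝓹𝓵𝓮"  # constructed: 7 non-BMP code points, each a surrogate pair in UTF-16
    print(len(fancy), "chars,", utf16_code_units(fancy), "UTF-16 code units")
    print("nt_hash(fancy) =", nt_hash(fancy), "(compare with the value quoted in the tweet)")
```

The md4() self-check values (empty string, "abc") are the RFC 1320 test vectors, and the "password" NT hash is the widely published one.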
Solar Designer @solardiz · Jan 19

Re-processing each leak to identify its encoding(s) is a lot of effort. Besides, it makes some sense to have multiple encodings of the same password in the list if that's how it is in real life, as this allows for easier matches in the SHA-1 case. But it's trickier with NTLM.