Notes

→ in reply to @note#1655843185

But then again, no amount of fact checking will stabilise society at this point. People’s interests just don’t align anymore. The carrot is gone.

The internet is a endless mirror you can stare into if you don’t think about it too long. Just like Narcissus.

The internet can be a community fostering tool, but you need to treat it as such. So start your own website, grow it, share it among friends, have some restraint and don’t consume anything that you can’t email the author about.

With the degradation of the net I am expecting “Internet veganism” to be the next thing, at least for me. Focus on connecting with communities that matter, your local community and try not to whore yourself to Google.

All the people who lost their job at pseudo tabloid websites are becoming fact checkers. It is just another way to control the flow of information, they only work the way the system wants them to work.

Features

• Fast port scan, fingerprint detection function
• Fast login password blasting function
• Fast POC detection function
• Fast sensitive file detection
• Lightweight, open source, cross-platform use
• Supports multiple types of input - STDIN/HOST/IP/CIDR/URL/TXT
• Supports multiple types of output - JSON/TXT/CSV/STDOUT scan4all

Making half the internet reliant on one service is always a good idea.

I am looking into a new sample of Android/Joker, reported on June 19, 2022 by @ReBensk:

afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f

Android/Joker is known for using many payloads: a first payload loads another payload, which loads another one etc. Matryoshka dolls-style 😁. See an analysis of a previous Joker sample. This sample uses many payloads too, but the implementation to load the payloads is a bit different. I’ll detail. Tracking Android/Joker payloads with Medusa, static analysis

Let’s start our journey from the architecture of the Android operating system and its internals. This chapter covers the minimal information we need to know to feel comfortable working on topics covered in the following sections.

The kernel used in Android is based on Linux, but with some significant additions, including Low Memory Killer, wake locks, the Binder IPC driver, etc.

For our purposes, we are more interested in the user-mode part of the operating system, and here Android significantly differs from a typical Linux distribution, two important components for us are a managed runtime used by applications (ART/Dalvik) and Bionic, Android’s version of glibc, the GNU C library.Android 101 - Android operating system and its internals

When I’ve firstly seen the technique behind the Shellcode execution through Microsoft Windows Callbacks, I thought it was pure magic. But then, digging a little bit on it, I figured out that it was just brilliant ! Nowadays this technique is quite used in underground communities to inject shellcode into running processes so I decided to write a blog post to make clear to cybersecurity analysts how to deal with it. The takeaway of the day is: Don’t trust your callback function anymore! Running Shellcode Through Windows Callbacks

In this post, we attack the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS.

First, we explore both hardware and software attack surface in search of security vulnerabilities that could permit arbitrary code execution on the device.

Then, using a Raspberry Pi Pico microcontroller, we exploit an USB bug in the bootloader to break the secure boot chain.

Finally, we build new bootloader and kernel images to boot a custom OS from an external flash drive. Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu

→ in reply to @note#1655255212

The funny thing is, on a long-enough timescale even sand is sentient.

Today, Huawei has officially announced HarmonyOS 3.0 developer beta testing for public users. This opportunity will allow consumers to install and test HarmonyOS 3.0 on their devices and test the developer version of the software ahead of general public testing.

So, what’s the HarmonyOS 3.0 developer beta all about? Well, we brought you some information that could give you a better understanding of this development version.

HarmonyOS 3.0 developer beta enhances JS/eTS language application development capabilities. At the same time, further, improve the ArkUI and ArkCompile functions. You can use the concise JS/eTS language to efficiently develop complex interface applications, and at the same time obtain the improvement of application startup speed.

Currently, the testing program is limited to the Chinese market and models. On the other hand, it’s unlikely to expand among global consumers for the moment. Huawei has opened this testing to take feedback from consumers and testers to improve the software and push it for the next testing phase.HarmonyOS 3.0 beta begins | Eligible Devices List

Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.

Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.

Hertzbleed is a real, and practical, threat to the security of cryptographic software. We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as “constant time”.

Intel’s security advisory states that all Intel processors are affected. We experimentally confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.

AMD’s security advisory states that several of their desktop, mobile and server processors are affected. We experimentally confirmed that AMD Ryzen processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.

Other processor vendors (e.g., ARM) also implement frequency scaling in their products and were made aware of Hertzbleed. However, we have not confirmed if they are, or are not, affected by Hertzbleed. Hertzbleed Attack

Ironically, censorship has enabled a minority of absolutely insane people who should otherwise be shouted down, to prosper.

In biology, a symbiote is an organism that lives in symbiosis with another organism. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed. A few months back, we discovered a new, undetected malware that acts in this parasitic nature affecting Linux operating systems. We have aptly named this malware Symbiote.

What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability. Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat

ConfluencePot is a simple honeypot for the Atlassian Confluence unauthenticated and remote OGNL injection vulnerability (CVE-2022-26134).

ConfluencePot is written in Golang and implements its own HTTPS server to minimize the overall attack surface. To make it appear like a legit Confluence instance it returns a bare-bones version of a Confluence landing page. Log output is written to stdout and a log file on disk. ConfluencePot DOES NOT allow attackers to execute commands/code on your machine, it only logs requests and returns a bogus response. confluencePot - Simple Honeypot For Atlassian Confluence (CVE-2022-26134)

If you have nothing to hide, it means you’re doing nothing good.

We successfully exploited this vulnerability to obtain full root privileges on default installations of Ubuntu 20.04.

1. Among all these *_OR_NULL types, we choose PTR_TO_MEM_OR_NULL which can be created by BPF_FUNC_ringbuf_reserve. First, we pass 0xffff……..ffff to BPF_FUNC_ringbuf_reserve to get a NULL pointer r0, and copy r0 to r1. Then add r1 by 1, and do NULL check on r0. At this point, the verifier will believe that both r0 and r1 are zero.
2. ALU sanitation is hardened after commit “bpf: Fix leakage of uninitialized bpf stack under speculation”. To bypass alu sanitation, we use helper func bpf_skb_load_bytes_* to get partial/full overwrite the pointer on stack to obtain pointer address leakage and arbitrary address read/write.
3. We spawn many child processes, and use arbitrary address read to find the address of task_struct and cred around the the address of the array map we created. After zeroing out the uid/gid/… , full root privileges obtained. CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation | Chinese writeup

DFIR Cheat Sheet is a collection of tools, tips, and resources in an organized way to provide a one-stop place for DFIR folks. (Still under development) DFIR Cheat Sheet