Exploiting Solaris 10-11.0 SunSSH via libpam on x86 - a blog post from Hacker House https://hacker.house/lab/cve-2020-18471/
CVE-2021-3156, the heap overflow in sudo's command line / environment argument handling, can be exploited on macOS Big Sur (currently unpatched) by creating a symlink to sudo. Additionally, I have observed that t_delete() exploitation on Solaris has been updated to prevent negative chunk size overwrites, but because you can write NULLs it is possible to reliably exploit this flaw on Solaris 10/11. You should patch Solaris if you use sudo, as the repo has an update - https://www.opencsw.org/package/sudo/
I was trying to exploit the heap allocator on Solaris via the sudo bug; it appears that since Solaris 10 the libc now checks for a negative chunk size to prevent creating the tree structure that has been used as a primitive against the Sys V heap allocator since 2001. You can still corrupt the chunk with a large size, but it would seem that a fix was added to prevent the t_delete() method of exploitation first described in 2001 in the "Once upon a free()" article.
I've been enjoying exploring glibc and heap internals over the past few days thanks to the sudo vulnerability. It's rare for a single vulnerability to give both null writes and the capability to smash the entire heap space. All the public exploits so far just corrupt the heap structs and don't misuse the allocator via unlink or free() etc. I noticed that the overflow on musl libc, which is used by Alpine Linux, leads to an arbitrary write. Writing some heap exploration tools for experiments, this is great fun!
Writing glibc heap overflow exploits for sudo. These were some very insightful resources & gdb extensions for inspecting the heap layout.
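For readers who want to see where the sudo overflow discussed in the posts above actually comes from, here is an added worked example (not code from the posts, and not sudo's own source) that reconstructs the argument-unescaping loop in sudo's set_cmnd() and sizes the destination buffer the way sudo does. The argument arrays, the arena layout, the function names and the 256-byte scratch buffer are all constructed for the demonstration; the only sudo behaviour modelled is the copy loop and its allocation size, with the `from[1] != '\0'` guard from the fix switchable via a flag.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Reconstruction (not sudo's own source) of the argument-unescaping loop in
 * sudo's set_cmnd() that CVE-2021-3156 lives in.  `argv` here stands for
 * NewArgv + 1 in sudo, i.e. the arguments that follow the command name.
 */

/* sudo sizes the user_args buffer as the sum of strlen(arg) + 1 per argument. */
static size_t args_alloc_size(const char *const *argv)
{
    size_t size = 0;
    for (const char *const *av = argv; *av != NULL; av++)
        size += strlen(*av) + 1;
    return size;
}

/*
 * Emulate the copy loop.  Bytes are only stored while `to` stays inside
 * dst[0..dstcap), but `to` keeps advancing, so the return value is the number
 * of bytes the real loop would have written (terminating NUL included).
 */
static size_t set_cmnd_copy(const char *const *argv, char *dst, size_t dstcap,
                            bool patched)
{
    char *to = dst;
    const char *end = dst + dstcap;

    for (const char *const *av = argv; *av != NULL; av++) {
        for (const char *from = *av; *from != '\0'; from++) {
            /* Unpatched: a backslash followed by NUL counts as an escape, so the
             * loop steps onto the terminator, copies it, and the for-loop's
             * from++ then runs past the end of the string into whatever memory
             * follows it (the next argv string on the stack). */
            if (from[0] == '\\' && !isspace((unsigned char)from[1])
                && (!patched || from[1] != '\0'))   /* from[1] != '\0' is the fix */
                from++;
            if (to < end)
                *to = *from;
            to++;
        }
        if (to < end)
            *to = ' ';
        to++;
    }
    to--;                       /* sudo's "*--to = '\0'" replaces the last space */
    if (to < end)
        *to = '\0';
    return (size_t)(to - dst) + 1;
}

/* How many bytes past the allocation the loop writes for this argv (0 = safe). */
static size_t overflow_bytes(const char *const *argv, bool patched)
{
    char scratch[256];          /* big enough to absorb the writes in the examples */
    size_t alloc = args_alloc_size(argv);
    size_t written = set_cmnd_copy(argv, scratch, sizeof scratch, patched);
    return written > alloc ? written - alloc : 0;
}

/*
 * Constructed inputs.  The argv strings sit back-to-back in one array, the way
 * the kernel lays them out on the stack, which is what lets the read-past-NUL
 * keep going into the next argument.
 */
static const char arena_bad[] = "\\\0AAAA";        /* argv: "\"  "AAAA" */
static const char *const argv_trailing_backslash[] = { arena_bad, arena_bad + 2, NULL };

static const char arena_ok[] = "ls\0-la";          /* argv: "ls" "-la" */
static const char *const argv_benign[] = { arena_ok, arena_ok + 3, NULL };

int main(void)
{
    /* Unpatched loop with the trailing backslash writes 11 bytes into a
     * 7-byte allocation: 4 bytes of overflow.  Patched, or benign argv: 0. */
    return (overflow_bytes(argv_trailing_backslash, false) == 4
            && overflow_bytes(argv_trailing_backslash, true) == 0
            && overflow_bytes(argv_benign, false) == 0) ? 0 : 1;
}
```

The overrun here is kept to 4 bytes so it can be traced by hand; the public exploits pass a much longer trailing argument (and environment) so that the overrun reaches heap metadata, which is the corruption the posts above are playing with. The fix shipped in sudo also changed how parse_args sets the shell/edit mode flags so that sudoedit does not reach this escaping path at all; that part is not modelled here.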
An APT group (who may be based in China or speak native Chinese), working at the request of North Korea (DPRK), used a Chrome 0day exploit and backdoored Visual Studio projects to hack security researchers and steal their warez. Be careful when clicking on blog links or security research related materials; ideally use a VM or separate host for social interactions. The attackers were active in the community for almost a year before they were detected, and hacked prominent researchers.
uHF is a virtual hacker-space; topics range from cybersecurity, ethical hacking, bug bounties, exploitation, reverse engineering and privacy. We will be holding bi-monthly online-only meetups with occasional workshops on cybersecurity topics. We are using the US fraternity model to create an environment for people who enjoy computers and beer to network and have fun. It is also a personal project of mine - you can find our virtual space & Matrix chatroom here: https://hackerfraternity.org/
ShadowSocks decreasing in effectiveness for stealth communication tunnels over the last few months has given rise to alternative solutions; one of them, "shadowtunnel", was broken during a CTF, write-up here https://blog.cryptohack.org/cracking-chinese-proxy-realworldctf - I have been using ShadowSocks for years and will continue to use it until a more suitable alternative becomes available. I am in need of something that is like ShadowSocks but implements steganographic traffic.
ShadowSocks, my preferred SOCKS proxy of choice due to its absolutely awesome design & cross-platform support - it's even the tech which underpins Outline (Alphabet soup's communication tool for journalists) - is now being detected and blocked by the GFW in China according to reports. These blocks are performed with some manual oversight, but this reduces the effectiveness of this tool for those who bounce communications through the ASIAPAC region. Report here - https://gfw.report/blog/gfw_shadowsocks/
Built Ghidra with the new debugging feature, keen to try it out on something practical. It won't build on aarch64, annoyingly, so I couldn't compile it on my Pinebook Pro as the debugger component uses a protoc that supports only x86/x86; hope they add aarch64. However, ImHex compiled perfectly on the PBP and I discovered that if you enable OpenGL 3.3 extensions, it works!
Removing the US president from social media sends a powerful message about the censorship companies like Facebook and Twitter can enforce. We give them control over data and over public debates, which require opposing views to engage with one another to resolve conflicts. Our world has never been as divided as it is today and it is through division that we as people are conquered. You cannot have a revolution without unity. The world needs to have access to information free of censorship.
St. Maximilian Maria Kolbe - the patron saint of amateur radio. He volunteered to die in place of another man at Auschwitz and is celebrated on August 14th. A friar, he is pictured here using his radio rig. During World War II his radio transmissions under the callsign SP3RN helped foreign allies learn of the atrocities in Poland.
Chaos Computer Club Congress this year is a browser based MMORPG https://rc3.world/rc3 (requires ticket).
Missed out on ticket? You can live-stream the talks and join Matrix chats:
Live stream: https://streaming.media.ccc.de/rc3
36C3 Android app works with rC3 schedule - APK https://f-droid.org/en/packages/info.metadude.android.congress.schedule/
URL setup - https://fahrplan.events.ccc.de/rc3/2020/Fahrplan/schedule.xml
SunOS kernel mode payload: this neat little trick will form the basis of my LPE exploits for the OS, a very short payload stub that will locate and overwrite a process privilege structure to obtain root privileges. This is the basis of how a kernel read/write exploit primitive could be used to gain root.
Using Android anbox on the PinePhone, you can virtualize an Android 7.1.2 image (API 25) in an LXC container; as you can run it as root, you can use it to dynamically instrument and mitmproxy the communication on-device. It's Linux, so all the usual Linux dm-crypt & LUKS applies. An interesting thing I learned: https://linux-sunxi.org/JTAG - this has to be the most interesting place to hack the CPU :-) insert a magic MicroSD card to get root or pop a hidden secret file system.
Co-Founder https://hacker.house - cyber security assurance services & hacker training, author of ISBN 9781119561453, a book about professional hacking. Exploiter of things. Contact https://hackerfraternity.org