FriendsDontLetFriends: Friends don't let friends make certain types of data visualization - What are they and why are they bad. https://github.com/cxli233/FriendsDontLetFriends
GitHub
GitHub - cxli233/FriendsDontLetFriends: Friends don't let friends make certain types of data visualization - What are they and…
Pillow’s Critical Flaw: CVE-2023-50447 Exposes Python Projects to Risk https://securityonline.info/pillows-critical-flaw-cve-2023-50447-exposes-python-projects-to-risk/
Cybersecurity News
Pillow's Critical Flaw: CVE-2023-50447 Exposes Python Projects to Risk
Duarte Santos uncovered a critical vulnerability, CVE-2023-50447, that could potentially allow attackers to execute arbitrary code.
A Recipe for Scaling Security https://bughunters.google.com/blog/5896512897417216/a-recipe-for-scaling-security
Google
Blog: A Recipe for Scaling Security
There are vastly more engineers at Google dedicated to creating and maintaining new products than there are security engineers working to secure products. For this reason, Google security has to focus on operating at scale and find ways to make meaningful…
Fuzzer Development 1: The Soul of a New Machine https://h0mbre.github.io/New_Fuzzer_Project
The Human Machine Interface
Fuzzer Development 1: The Soul of a New Machine
Introduction && Credit to Gamozolabs For a long time I’ve wanted to develop a fuzzer on the blog during my weekends and freetime, but for one reason or another, I could never really conceptualize a project that would be not only worthwhile as an educational…
A lightweight method to detect potential iOS malware https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/
Securelist
Detecting iOS malware via Shutdown.log file
Analyzing Shutdown.log file as a lightweight method to detect indicators of infection with sophisticated iOS malware such as Pegasus, Reign and Predator.
Cactus Ransomware https://www.shadowstackre.com/analysis/cactus
CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/
Horizon3.ai
CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive
CVE-2024-0204 Fortra GoAnywhere MFT Deep-Dive and Indicators of Compromise. This blog details the authentication bypass which allows an unauthenticated attacker to add an administrative user to the application.
Improving LLM Security Against Prompt Injection: AppSec Guidance For Pentesters and Developers https://blog.includesecurity.com/2024/01/improving-llm-security-against-prompt-injection-appsec-guidance-for-pentesters-and-developers/
Include Security Research Blog
Improving LLM Security Against Prompt Injection: AppSec Guidance For Pentesters and Developers - Include Security Research Blog
Developers should be using OpenAI roles to mitigate LLM prompt injection, while pentesters are missing vulnerabilities in LLM design.
One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability https://kaist-hacking.github.io/pubs/2023/kim:kernel-ctf-slides.pdf
Few lesser known tricks, quirks and features of C https://jorenar.com/blog/less-known-c
Jorenar
Lesser known tricks, quirks, and features of C
Splunk RCE - PoC: Proof of concept exploit for CVE-2023-46214, SVD-2023-1104 https://github.com/nathan31337/Splunk-RCE-poc
GitHub
GitHub - nathan31337/Splunk-RCE-poc
Info-stealer: Most bang for the buck malware https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Kim-Info-Stealer-Most-Bang-for-the-Buck-Malware.pdf
IMPLEMENTATION OF SIGNAL HANDLING https://courses.cms.caltech.edu/cs124/lectures-wi2016/CS124Lec15.pdf
A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108) https://adepts.of0x.cc/gtbcc-pwned/
A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108) | AdeptsOf0xCC
Yet another security platform being pwned by trivial vulnerabilities (CVE-2024-22107 & CVE-2024-22108)
Linux SLUB Allocator Internals and Debugging, Part 1 of 4 https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-1
Oracle
Linux SLUB Allocator Internals and Debugging, Part 1 of 4
The first in a series of blogs discussing the internals of the Linux SLUB allocator and techniques available to assist with debugging issues.
Chrome 0day in Skia (CVE-2023-6435) https://twitter.com/zerodaytraining/status/1730184167936401466
Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt CVE-2023-2612 (Grehack 2023) https://www.synacktiv.com/sites/default/files/2023-11/ubuntu_shiftfs.pdf
*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 2 of 2 https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/
JFrog
*nix libX11: Uncovering and exploiting a 35-year-old vulnerability - Part 2 of 2
Learn all about the 35-year-old vulnerabilities found by our Security Team in libX11, causing a denial-of-service and remote code execution.
SSD Advisory – Zyxel VPN Series Pre-auth Remote Command Execution https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution
SSD Secure Disclosure
SSD Advisory - Zyxel VPN Series Pre-auth Remote Command Execution - SSD Secure Disclosure
Summary Chaining of three vulnerabilities allows unauthenticated attackers to execute arbitrary command with root privileges on Zyxel VPN firewall (VPN50, VPN100, VPN300, VPN500, VPN1000). Due to recent attack surface changes in Zyxel, the chain described…
We build X.509 chains so you don’t have to https://blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/
The Trail of Bits Blog
We build X.509 chains so you don’t have to
For the past eight months, Trail of Bits has worked with the Python Cryptographic Authority to build cryptography-x509-verification, a brand-new, pure-Rust implementation of the X.509 path validation algorithm that TLS and other encryption and authentication…