https://en.wikipedia.org/wiki/Npm_left-pad_incident
Thankfully, we've completely solved software supply chains in the years since.
Exploit demo for CVE-2024-51317, a use-after-free in the #NetSurf web browser enabling arbitrary code execution when JavaScript is enabled. Target is NetSurf 3.11 on Ubuntu 22.04.
Patched in upstream source code, still making its way to distro packages. To mitigate, disable JS (off by default).
The Gogs self-hosted Git service is vulnerable to symbolic link path traversal that enables remote code execution (CVE-2024-44625). The latest version at the time of writing (0.13.0) is affected. This vulnerability is exploitable against a default install, with the only attacker requirement being access to an account that can push to a repository and edit that repository’s files from the web interface. Per Gogs’ SECURITY.md, I reported this issue to the maintainers as a GitHub advisory on August 10, 2024.
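As an added defender-side example (not Gogs' own code; the helper name and its behaviour are assumptions), a Go check of the kind a web file editor needs against the symlink path traversal described above: the user-supplied path is pinned lexically under the repository root, then every existing component is inspected with Lstat so a symbolic link anywhere in the path, directory or file, is refused rather than followed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a user-supplied path contains a symlink
// component; following it could read or write files outside the repository.
var ErrUnsafePath = errors.New("path contains a symbolic link")

// SafeRepoPath (hypothetical helper) maps a user-supplied relative path to an
// absolute path under repoRoot. It pins the path lexically inside the root and
// then refuses any symlink component, so a link checked into the working tree
// cannot redirect a web-editor read or write outside the repository.
func SafeRepoPath(repoRoot, userPath string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	if rootReal, err = filepath.Abs(rootReal); err != nil {
		return "", err
	}
	// A leading "/" makes Clean resolve ".." against the root, never above it.
	candidate := filepath.Join(rootReal, filepath.Clean("/"+userPath))
	rel := strings.TrimPrefix(candidate, rootReal)
	cur := rootReal
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		if part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat inspects the link itself instead of following it
		if os.IsNotExist(err) {
			break // remaining components do not exist yet (new file): nothing to follow
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrUnsafePath
		}
	}
	return candidate, nil
}

func main() {
	p, err := SafeRepoPath(".", "../../etc/passwd")
	fmt.Println(p, err) // stays under the current directory, no error
}
```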
Nice write-up for CVE-2020-27861 from @hypr (I found the vuln): https://blog.coffinsec.com/research/2022/07/02/orbi-nday-exploit-cve-2020-27861.html
My exploit was different, but I liked this approach to getting around the *really annoying* constraints, too.