Mastodawn

greg Mar 11

Fredrik Engberg Mar 11

Has anyone tried getting a Windows 11 VM running with tpm 2.0 on #bhyve and #freebsd 15?

greg Mar 11

Just had a real positive experience with @hetzner customer service. Thanks a ton and keep up the good work!

greg Feb 24

Janik Besendorf Feb 24

Fritz Kola macht echt gutes Marketing. Sie schenken Getränke an Anti-G20 Proteste in Hamburg und sponsern den CDU Parteitag ohne dass sie viele Leute aufregen

greg Jan 24

Ela Jan 24

OMG. -froot bug resurfaced. https://seclists.org/oss-sec/2026/q1/89

I see the headlines, "10 years old bug".

My friends, this bug is older. Much older. Not this particular instance, but it is a classical mistake to make. It's a command line injection when calling the login executable.

Some people point to CVE-2007-0882. Solaris had that, almost 20 years ago.

But it's even older than that. It's so old it predates the CVE system. I don't remember exact dates, but we popped Linux and AIX boxes with that, mid 90s.

https://github.com/calmsacibis995/svr4-src/blob/7dabeda6fc10bd1bbd1a84d502f05642b1bf0c9e/cmd/getty/getty.c#L526

But how deep does the rabbit hole go? When was this bug introduced?

Getty called login with user input since the dawn of time (UNIX V2, 1972):

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/getty.s

But this predates command line arguments in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/login.s

So, when did this particular command line feature of login appear?

In the BSD universe, -f was introduced with POSIX compatibilitiy in 4.3BSD-Reno:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/login/login.c

But someone paid attention and filtered out user names starting with - in getty:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/libexec/getty/main.c

RCS timestamp says 6/29/1990, so same age as SysV R4.

The original 4.3BSD (1986) doesn't filter the user name:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/getty/main.c

And it does have a -r option in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/bin/login.c

Exploitable? No idea, argv processing might be a problem. I'll find out another day.

In conclusion: bug existed since 1990, it's so easy to make when implementing POSIX that it keeps resurfacing, and at least one person in Berkeley knew since day 0.

oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

greg Jan 18

⬡-49016

Jan 17

it saw another windows aero theme for kde. that's cute but it thinks gnome also deserves some love too

anyways here's a gnome desktop composited by the real aero dwm.exe from win7

greg Jan 8

Ron Gilbert (GrumpyGamer)Jan 8

State of the art game dev tools in 1989:

greg Dec 7

Leander Dec 5

Linus Torvalds calls a spade a spade

greg Oct 22

~n Oct 22

Today in 1975 – 50 years ago: The Venera 9 lander transmits the first pictures from the surface of Venus. After passing through thick clouds of sulphuric acid, it survived the atmospheric conditions of 485°C and 90 bar for 53 minutes. It was the first spacecraft to return images from the surface of another planet.

greg Aug 5, 2025

li5a Aug 5, 2025

Mmmmh delicious 0day

greg Jun 27, 2025

Sebastian Schinzel Jun 27, 2025

RIP Claus Peter Schnorr https://mittelhessen-gedenkt.de/traueranzeige/claus-peter-schnorr https://en.m.wikipedia.org/wiki/Schnorr_signature

Traueranzeigen von Claus Peter Schnorr | mittelhessen-gedenkt.de

Besuchen Sie die Gedenkseite von Claus Peter Schnorr. Lesen Sie die Traueranzeige und gedenken Sie des Verstorbenen mit einer Kerze oder Kondolenz.

Company	https://secfault-security.com
Birdchan	https://twitter.com/teh_gerg