Francesco Giordano 

@[email protected]
33 Followers
44 Following
84 Posts
Casually stumbling on vulnerabilities ¯\_(ツ)_/¯


Security Engineer by day, flag dodger @JBZTeam by night 

Rants are my own.
twitterhttps://twitter.com/0xakuma
verifiedhttps://twittodon.com/share.php?t=0xakuma&[email protected]
Bloghttps://appsec.space
Francesco Giordano Aug 26, 2025

This House is Haunted:
A decade-old bug in the AION client’s housing system let Lua scripts trigger RCE.

A dive into game scripting, sandboxes, and forgotten exploits.

https://appsec.space/posts/aion-housing-exploit/

#gamedev #infosec #mmorpg

Francesco Giordano Aug 7, 2024

My keyboard was misbehaving so I had to exploit my NAS

http://appsec.space/posts/zimaos-casaos-rce/

#appsec #infosec #cybersecurity

My keyboard was misbehaving so I had to exploit my NAS

I recently received my ZimaCube: a NAS from IceWhale, the same company behind the ZimaBlade, ZimaBoard and most notably CasaOS, a UI to manage docker applications.

appsec & stuff
Francesco Giordano Jul 12, 2024

Few weeks ago I did a small code review on #CasaOS and #ZimaOS from #IceWhaleTech
Glad to say that web (2.0) vulnerabilities are still a thing 😬
Ended up reporting a bunch of them that are being fixed. One is CVE-2024-39692.

More in a blogpost soon™️

Show threadFrancesco Giordano Mar 31, 2024

@portaloffreedom There are actual contraints to the exploit, so the real number of target is unclear unless the analysis is complete. Still, having a package built by a malicious attacker doesn't look too good, even Arch suggested to patch: https://archlinux.org/news/the-xz-package-has-been-backdoored/

> source is still available, from the website

Yes it is (https://git.tukaani.org/?p=xz.git;a=summary) , but the operations are mostly performed in GitHub (the original attacker had access only to it, so inspecting the repo could give additional info on the attacker OpSec but is now gone for good)

> we only found about the backdoor because it's open source. Corporate software is much more opaque.

Indeed this is good, I am not against open source at all, this backdoor was a big issue on the supply chain management

Arch Linux - News: The xz package has been backdoored

Francesco Giordano Mar 31, 2024
shellsharksMar 31, 2024

There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.

https://shellsharks.com/xz-compromise-link-roundup

I will *try* to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.

#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity

xz/liblzma Compromise Link Roundup

Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).

shellsharks
Show threadFrancesco Giordano Mar 31, 2024
@shellsharks thanks for the shoutout Mike
Francesco Giordano Mar 30, 2024

I wrote a post on the xz backdoor. No backdoor analysis, just considerations on what went wrong.

#cve20243094 #xz

https://appsec.space/posts/xz-backdoor

The xz backdoor from a Security Engineer persepective

As you probably already heard, the xz package got compromised. The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094.

appsec.space
Francesco Giordano Mar 29, 2024

A #backdoor was found in xz/liblzma 5.6.0 to 5.6.1

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

Francesco Giordano Mar 19, 2024
VissMar 18, 2024
cant wait for this to be a 'medium level finding' in nessus, and have all 6000 security taxonomies submit to gladitorial combat about its severity level and 400 years of bickering about how bad it is
Show threadFrancesco Giordano Mar 13, 2024
@jerry ready for retirement after that Jerry? 😁