| Twitter | https://twitter.com/justinsteven |
| Twitch | https://www.twitch.tv/justinsteven |
| YouTube | https://www.youtube.com/justinsteven |
| www | https://www.justinsteven.com |
A DOM XSS vulnerability in Gartner's Peer Insights Widget affected the sites of Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, Vodafone and more. Details of the bug, the patch, the bypass, and the final patch are up at https://gartner.com.ring0.lol/
Also, when this toot is two hours old (12pm Sydney time) I'll be live at https://twitch.tv/justinsteven breaking down how I found the bug and how it all worked. If you can't make it then it'll be on YouTube in the coming days, but if you can, come say hi! ❤️
OK, so what does fidget mean? What information do you have around you, right now? Take a deeper look. Why is that WiFi AP named XNF998FE? Why is your laptop's serial number XY3327S? How often is that helicopter circling? Why are so many license plates from a particular state with a specific prefix? Look for the lack of entropy that is an encoded signal.
In the early Metasploit days this involved dumping function addresses of DLLs from a literal binder of DVDs. The opcode database and later analysis by folks like skape (Matt Miller) and spoonm made exploit development much easier as a result.
Scanning the internet is easy. Understanding all the data coming back takes a lifetime. Grab some data dumps and sift through specific protocols and fields. Toss Fiddler at a Windows thick client (or enable HTTP event tracing).
We are flooded with dodgy software, weak numeration, and information leaks. Stop for a bit, breathe, pick one, and go deep.
Had this on a recent engagement and thought I'd provide a cut-down version as a fun little CTF-like challenge.
As an attacker, you can invoke `pwnme()` and control the value of `$filename` via a web request.
You cannot control the contents of the file system that this code is running on. You don't have the ability to upload files.
How do you achieve command injection?
Streaming more Ghidra development in an hour! 🐉✨ After experimenting a bit yesterday, today we will be implementing a Ghidra analyzer to parse the Golang `gopclntab` to extract function definitions and improve our function discovery phase! 🦾
Come hang out and we will learn more about Ghidra, Golang and compilers together! ✨💜
Ghidra development stream in an hour! 🐉👩💻💫
We’ll be porting the Golang string parsing from our proof of concept script over to our analysis module so string extraction will be automatic! ✨
If we get through this we’ll start work on type extraction and parsing more Golang specific structures. We should be complete enough for a first release soon! ✨💫