2.8K Followers
81 Following
6.1K Posts
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
Homepage: https://0xdeadbeef.info
GitHub: https://github.com/0xdea
Sums up my experience growing up

This is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.

👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/

Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.

TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷‍♂️

CVE-2026-20817 - Windows Error Reporting Service EoP

This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially.

itm4n’s blog
I love how vibecoded commits are called vommits. It's so perfect.

Hello Mastodon!

Since this is my first post, I thought I'd share some incredibly niche C++ trivia / pedantry:

For an enum whose enumerators all have the value 0, C++ asks us to imagine a hypothetical integer type with minimal width that can represent 0 (https://eel.is/c++draft/dcl.enum#8.sentence-2). This means we must consider the case where the width is 0. For an unsigned integer type, this gives a range of representable values of [0, 0], and that's the type we pick. But before we can determine that that's minimal, we must also consider a signed integer type with a width of 0, for which we get a range of representable values of [-½, -½]! (https://eel.is/c++draft/basic.fundamental#1.sentence-5) Conveniently that range does not include 0, so we discover that we must use an unsigned integer type to determine the range of values of the enumeration. (We also rule out an unsigned integer type of negative width as that would have a range of values 0 to -½ (inclusive) or smaller, which I think we can reasonably conclude is an empty range despite the parenthetical.)

In any case: if you ever wondered whether a zero-bit signed integer type in C++ can represent only the value 0 or only the value -1, now you know: no, it can represent only the value -½. Truly a marvelous compromise.

Follow me for more brilliant insights like this one :)

[dcl.enum]

Fixing a Buffer Overflow in UNIX v4 Like It’s 1973

https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/

Exploit su on a PDP-11 :)
This blog post shows how to fix a buffer overflow in the su program of UNIX v4

sigma star gmbh
Meteor Rumbles Over Houston, as Six-Pound Fragment Crashes Into a Texas Home - Slashdot

"It is the talk of the town today — the loud boom, the flash of light in the sky experienced by a lot of folks across the Houston area this afternoon," says a local Texas newscaster. "And then there was this — a home in northwest Harris county hit by something that crashed through their...

🚨 We are extending the deadline for our Volume 5 Call For Papers and its Rootkit Competition!

Check out the updated dates below:

https://tmpout.sh/blog/vol5-cfp.html (until May 1st 2026)
https://tmpout.sh/blog/vol5-rootkit-competition.html (until May 31st 2026)

We are looking forward to reading your work!

Great, I finally get myself to learn a Python project management tool then it immediately gets slurped up by OpenAI :P

https://simonw.substack.com/p/thoughts-on-openai-acquiring-astral
Thoughts on OpenAI acquiring Astral and uv/ruff

Plus GPT-5.4 mini and GPT-5.4 nano, which can describe 76,000 photos for $52

Simon Willison’s Newsletter

Reflecting en route home from @1ns0mn1h4ck, where I predominantly focussed on technical talks after giving our first public iteration of our binary instrumentation with Frida training.

Most researchers rarely mentioned AI usage, but were often asked about this during post-talk Q&A, where the answer was almost always along the lines of “it’s pretty bad at $this”.

In some cases there were hints that LLMs helped speed up some of the grunt work, but for anything novel, the human did the work.

This makes me wonder a bit about offensive research and the extreme automation push we're facing as a whole. I worry how we are going to keep the energy to push beyond a perceived knowledge ceiling, especially when you know you need to sometimes be unreasonably persistent for good research outcomes, all while not being distracted by LLMs and their force multiplier effect.

That said, I’m encouraged to see people push that noise out of the way and continue to figure out how stuff really works, even though most of us are less sure of what the future looks like.

When I first watched War Games (1983) I thought "wow, so weird, not only did they have terrible password management, but their test 'AI' system was directly linked to prod".

Ha-ha.