root
@ro0ot.bsky.social
Non-descriptive.
Reposted by root
For more info and a demo video, see the article by @simonmigliano.bsky.social at top10vpn.com/research/tun...

IT admins can request access to our code to test servers (code is not yet public to prevent abuse): github.com/vanhoefm/tun...

Academic paper: papers.mathyvanhoef.com/usenix2025-t...
New Protocol Vulnerabilities: CVE-2024-7595/7596 & CVE-2025-23018/23019
Over 4.2 million VPN servers, private home routers and other network hosts are vulnerable to hijacking due to using tunneling protocols without security.
top10vpn.com
January 14, 2025 at 2:12 PM
Reposted by root
Sure!

Here's the story of my first day on the job: www.reddit.com/r/talesfromt...

And something from my 20th anniversary in the industry: www.welivesecurity.com/2010/07/16/a...

Hope you find them interesting reading. :)
Tales from the Scottish-Sounding Anti Virus Company No. 1: In The Beginning
www.reddit.com
December 6, 2024 at 2:51 AM
Reposted by root
Excited to share a tool I've been working on - ShadowHound.
ShadowHound is a PowerShell alternative to SharpHound for Active Directory enumeration, using native PowerShell or ADModule (ADWS). As a bonus I also talk about some MDI detections and how to avoid them.

blog.fndsec.net/2024/11/25/s...
November 25, 2024 at 12:25 PM
Trouble cracking password hashes? Remember that #hashcat can stack (combine) rules. Just use:
▪️-r 1.rule -r 2.rule

You can even add more rules, but it will quickly use a lot of memory. Save the rules that cracked a hash with:
▪️--debug-mode=1 --debug-file=found.rule
November 21, 2024 at 11:19 AM
FortiManager Unauthenticated Remote Code Execution
AKA fortijump
CVE-2024-47575

💾 PoC:
github.com/watchtowrlab...

🔖 Blog post:
labs.watchtowr.com/hop-skip-for...
Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575
It’s been a tricky time for Fortinet (and their customers) lately - arguably, even more so than usual. Adding to the steady flow of vulnerabilities in appliances recently was a nasty CVSS 9.8 vulnerab...
labs.watchtowr.com
November 14, 2024 at 11:14 PM
Reposted by root
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.

Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Woah. Backdoor in liblzma targeting ssh servers.

www.openwall.com/lists/oss-se...

It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…

Now I’m curious what it does in RSA_public_decrypt
March 30, 2024 at 5:13 PM
AngryOxide
802.11 Attack tool built in Rust 🦀
github.com/Ragnt/AngryO...

The documentation is pretty nice, also has recommendations for WiFi hardware.
github.com/Ragnt/AngryO...
February 11, 2024 at 8:17 PM
#CCC #37c3 Chaos Communication Congress

Streaming media
streaming.media.ccc.de/37c3/
Videos archived
media.ccc.de/c/37c3
Schedule
fahrplan.events.ccc.de/congress/202...
37C3: Unlocked - media.ccc.de
Video streaming portal of the Chaos Computer Club
media.ccc.de
December 27, 2023 at 11:11 PM