Not a great start to 2024: `The fee is now $%!f(*float64=0xc1f673a2e0)`

As a long-time Chrom(e|ium) user, switching to Firefox this week was painless (+uBlock Origin to match Brave-like defaults).

@roy makes a good case for switching going into 2024:
https://roytanck.com/2023/12/23/in-2024-please-switch-to-firefox/

There was one snag that folks should be aware of: Firefox "suggestions" send your URL bar input to Mozilla and/or your configured search engine. It was easy to disable, but felt shady given that it leaks your search input to two external parties by default.

If anyone is wondering why I stopped writing exploits, this graphic from @dangoodin's article on the Triangulation exploit chain sums it up: https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

Even the most difficult exploits I worked on rarely took more than a week. Modern exploit development is a different beast altogether.

Happy holidays from a chilly Austin, Texas!

A mini-rant on the use of murmur3 32-bit hashes for favicon.ico fingerprinting:

1) The canonical implementation is @shodan which uses the Python mmh3 module, so far so good...

2) The Murmur3 hashing algorithms are generally architecture-dependent. Python mmh3 uses the C implementation, which produces different hashes based on architecture and possibly endian-ness.

3) The Go implementations cover 32/64/128 variants, but they also lean on unsafe pointer usage for some silly reason, and although they support byte swap for big endian, it looks fragile.

4) This Shodan hash isn't of the binary data, but rather the base64 of the data.

5) And it's actually more specific. It depends on the variant with 76-character line wrap, using "\n" (but not "\r\n") line wraps, and a trailing "\n", with the base64 `=` padding.

6) If you want to calculate the Shodan compatible Favicon hash without relying on a C compiler, the native build architecture, or the base64 implementation, use this: https://gist.github.com/hdm/1552cdfad14b32a2d2f44a64468558c5#file-mmh3-go-L78

TL;DR: If you generate some sort of hash or fingerprint, it helps if the generation process isn't defined by build architecture or a stack of implementation-specific defaults.

""?! ANSI Terminal security in 2023 and finding 10 CVEs: https://dgl.cx/2023/09/ansi-terminal-security - awesome research by @dgl

Looking for Cisco IOS-XE devices with an exposed web interface in your environment? (CVE-2023-20198), runZero can help: https://www.runzero.com/blog/finding-cisco-ios-xe-2/

Services query hotlink: https://console.runzero.com/inventory/services?search=%28products%3Anginx%20OR%20products%3Aopenresty%29%20AND%20_asset.protocol%3Ahttp%20AND%20protocol%3Ahttp%20AND%20http.body%3A%22window.onload%3Dfunction%25url%25%3D%25%2Fwebui%22

An actively exploited zero-day in Cisco IOS-XE's web interface is leading to mass compromise and implant (backdoor) installation: https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

CVSS 10.0 and bad enough that Cisco is providing methods to check for the specific implant being installed.

via @dangoodin

The spirit of full-disclosure is alive and well. "Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days" https://megamansec.github.io/Squid-Security-Audit/

Excited to finally participate in #caturday! He likes to hang out like this.