  • April 17, 2024
    HD Moore
    @hdm

    #golang 

    Looking for something to do in ~90 minutes over a meal? Drop by for the @runZeroInc Hour webcast today with me, @lorddimwit, and @blainsmith.

    We're chatting about remote detection of the xz-utils affected SSH binaries, our upcoming research report, the Palo Alto Networks RCE and surprise #golang zero-day in gorilla/sessions, Binarly's epic lighttpd vulnerability and supply chain research, and much more!

    https://runzero.zoom.us/webinar/register/1217102670048/WN_4Po_Qnx4S1Og3Plm9KyiZA#/registration

  • April 17, 2024
    HD Moore
    @hdm

    #golang  #cve_2024_3400 

    The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655

    This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.

    https://github.com/golang/vulndb/issues/2730

    If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.

  • April 17, 2024
    HD Moore
    @hdm

    #golang  #vulnerability 

    Huh. So the Gorilla project went into archive-only mode in 2022. The gorilla/sessions project opened an issue asking for a new maintainer, this issue was closed as "stale", and a final comment was added indicating that the project is archived: https://github.com/gorilla/sessions/issues/250

    The Gorilla project website, however, states that as of July 2023, a new maintainer has been identified, and the gorilla/mux project is seeing recent commits, so hopefully the same maintainers are also managing gorilla/sessions. The gorilla/sessions CI automation is failing with a bad credential and it looks like the sessions project specifically hasn't seen much love lately. #golang #vulnerability

    Looks like quite a few projects are using session.FilesystemStore: https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code

  • April 17, 2024
    HD Moore
    @hdm

    #golang 

    The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

    Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274

    Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery of (and providing a fix for) the gorilla/sessions bug.

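    The two posts above describe a directory traversal in gorilla/sessions' FilesystemStore. The following is an added example, not code from gorilla/sessions or the fix PR: it shows the validation a file-backed session store needs when a client-supplied session identifier becomes part of an on-disk path. The store directory, the `session_<id>` file layout and the sample IDs are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Allow-list for identifiers that may become part of a file name: letters,
// digits, '-', '_' and '=' (covers base32/base64url-style IDs), bounded length.
var sessionIDPattern = regexp.MustCompile(`^[A-Za-z0-9_=-]{1,128}$`)

var ErrBadSessionID = errors.New("session id rejected")

// sessionPath maps a client-supplied session ID to a file under dir.
// It refuses any ID that fails the allow-list or that would resolve to a
// path outside dir, so a crafted cookie value cannot choose which file is
// read or written. The "session_<id>" layout is an assumption for this example.
func sessionPath(dir, id string) (string, error) {
	if !sessionIDPattern.MatchString(id) {
		return "", ErrBadSessionID
	}
	base, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, "session_"+id)
	// Defense in depth: independent of the allow-list, the cleaned path must
	// remain inside the store directory.
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadSessionID
	}
	return p, nil
}

func main() {
	// Constructed sample IDs: one well-formed, one traversal-shaped, one empty.
	for _, id := range []string{"m4xbq7k2", "../../outside", ""} {
		p, err := sessionPath("/var/lib/app/sessions", id)
		fmt.Printf("%-16q path=%q err=%v\n", id, p, err)
	}
}
```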
  • April 5, 2024
    HD Moore
    @hdm

    Thank you @CypherCon! What an amazing event and a great community! Opening slides from my keynote today:

  • April 4, 2024
    HD Moore
    @hdm

    #cyphercon 

    Hello #cyphercon! Badge line con is moving along fast, please say hi if you see me! I’m excited for today’s lineup and stoked to share some work during my 11am keynote tomorrow!

  • April 1, 2024
    HD Moore
    @hdm

    Fantastic work by @amlw - xzbot

    Exploration of the xz backdoor (CVE-2024-3094). Includes the following:

    * honeypot: fake vulnerable server to detect exploit attempts

    * ed448 patch: patch liblzma.so to use our own ED448 public key

    * backdoor format: format of the backdoor payload

    * backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key

    https://github.com/amlweems/xzbot

  • March 31, 2024
    HD Moore
    @hdm

    If you spent this weekend scrambling to respond to CVE-2024-3094 (the libxz-utils backdoor), we have good news! The universe of affected distributions seems small and relatively easy to track down: https://www.runzero.com/blog/how-to-find-systems-impacted-by-cve-2024-3094-libxz-utils-with-runzero/

    TL;DR: The "rolling" releases affected by this issue all use very new builds of OpenSSH (9.6p1/9.7p1) which simplifies the search.

  • February 19, 2024
    HD Moore
    @hdm

    Maybe an interesting listen to follow it: "This is an hour long conversation with Jon Lebkowsky, Ed Cavazos, and John Quarterman discussing the history of EFF-Austin, an independent organization that was originally supposed to be a chapter of the Electronic Frontier Foundation (EFF), but established its own identity when EFF decided not to have chapters in 1992.": https://archive.org/details/JoelGreenbergEFFAHistoryPart1

  • February 11, 2024
    HD Moore
    @hdm

    #defcon 

    A couple of ancient photos from my first #DEFCON


Copyright 1998-2025 HD Moore