  • December 27, 2023
    HD Moore
    @hdm

    Happy holidays from a chilly Austin, Texas!

  • November 1, 2023
    HD Moore
    @hdm

    Happy Halloween!

  • October 29, 2023
    HD Moore
    @hdm

    A mini-rant on the use of murmur3 32-bit hashes for favicon.ico fingerprinting:

    1) The canonical implementation is @shodan which uses the Python mmh3 module, so far so good...

    2) The Murmur3 hashing algorithms are generally architecture-dependent. Python mmh3 uses the C implementation, which produces different hashes based on architecture and possibly endianness.

    3) The Go implementations cover 32/64/128 variants, but they also lean on unsafe pointer usage for some silly reason, and although they support byte swap for big endian, it looks fragile.

    4) This Shodan hash isn't of the binary data, but rather the base64 of the data.

    5) And it's actually more specific. It depends on the variant with 76-character line wrap, using "\n" (but not "\r\n") line wraps, and a trailing "\n", with the base64 `=` padding.

    6) If you want to calculate the Shodan compatible Favicon hash without relying on a C compiler, the native build architecture, or the base64 implementation, use this: https://gist.github.com/hdm/1552cdfad14b32a2d2f44a64468558c5#file-mmh3-go-L78

    TL;DR: If you generate some sort of hash or fingerprint, it helps if the generation process isn't defined by build architecture or a stack of implementation-specific defaults.

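The Shodan-compatible favicon hash described in points 1 to 6 above, as an added example that is not code from the post or from the linked gist: a pure-Python MurmurHash3 x86_32 plus the exact base64 variant the post names (76-character lines, "\n" separators, a trailing "\n", "=" padding), so the result depends neither on the mmh3 C extension nor on the host architecture. The standard library's b64encode is used only for the unwrapped alphabet; the line wrapping is applied explicitly.

```python
import base64

MASK32 = 0xFFFFFFFF


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as an unsigned 32-bit integer.

    Input words are read little-endian explicitly, so the value is the same
    on every host regardless of native endianness or pointer width.
    """
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    body = len(data) & ~3
    for i in range(0, body, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[body:]
    if tail:  # 1 to 3 leftover bytes, mixed the same way the reference tail switch does
        k = int.from_bytes(tail, "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def to_signed32(value: int) -> int:
    """mmh3.hash() returns a signed 32-bit value; Shodan publishes that form."""
    return value - 0x100000000 if value & 0x80000000 else value


def shodan_base64(data: bytes) -> bytes:
    """The base64 variant that actually gets hashed: '=' padded, 76-char lines,
    '\\n' (never '\\r\\n') between lines, and a trailing '\\n'."""
    raw = base64.b64encode(data)
    if not raw:
        return b""
    return b"".join(raw[i:i + 76] + b"\n" for i in range(0, len(raw), 76))


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan-compatible favicon hash of the raw favicon.ico bytes."""
    return to_signed32(murmur3_32(shodan_base64(favicon)))
```

Feed the raw bytes of a favicon.ico file to shodan_favicon_hash(); the signed result is what a Shodan `http.favicon.hash:` search expects.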
  • October 20, 2023
    HD Moore
    @hdm

    ?! ANSI Terminal security in 2023 and finding 10 CVEs: https://dgl.cx/2023/09/ansi-terminal-security - awesome research by @dgl

  • October 16, 2023
    HD Moore
    @hdm

    Looking for Cisco IOS-XE devices with an exposed web interface in your environment (CVE-2023-20198)? runZero can help: https://www.runzero.com/blog/finding-cisco-ios-xe-2/

    Services query hotlink: https://console.runzero.com/inventory/services?search=%28products%3Anginx%20OR%20products%3Aopenresty%29%20AND%20_asset.protocol%3Ahttp%20AND%20protocol%3Ahttp%20AND%20http.body%3A%22window.onload%3Dfunction%25url%25%3D%25%2Fwebui%22

  • October 16, 2023
    HD Moore
    @hdm

    @simontsui thanks! pretty gnarly that there is no patch and the exploitation is rampant enough that IOCs are necessary

  • October 16, 2023
    HD Moore
    @hdm

    An actively exploited zero-day in Cisco IOS-XE's web interface is leading to mass compromise and implant (backdoor) installation: https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

    CVSS 10.0 and bad enough that Cisco is providing methods to check for the specific implant being installed.

    via @dangoodin

  • October 11, 2023
    HD Moore
    @hdm

    The spirit of full-disclosure is alive and well. "Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days" https://megamansec.github.io/Squid-Security-Audit/

  • September 30, 2023
    HD Moore
    @hdm

    #caturday 

    Excited to finally participate in #caturday! He likes to hang out like this.

  • September 27, 2023
    HD Moore
    @hdm

    PSA: Some of the "JA" series of fingerprints (HASSH, JARM, etc) are patented by Salesforce. The new JA4 methods are patent-pending by FoxIO. The JA4+ license is commercial ($ for OEM). Nothing wrong with charging for your work, but OSS projects should be careful about adoption.


Copyright 1998-2025 HD Moore