Fantastic work by @amlw - xzbot
Exploration of the xz backdoor (CVE-2024-3094). Includes the following:
* honeypot: fake vulnerable server to detect exploit attempts
* ed448 patch: patch liblzma.so to use our own ED448 public key
* backdoor format: format of the backdoor payload
* backdoor demo: cli to trigger the RCE assuming knowledge of the ED448 private key
If you spent this weekend scrambling to respond to CVE-2024-3094 (the libxz-utils backdoor), we have good news! The universe of affected distributions seems small and relatively easy to track down: https://www.runzero.com/blog/how-to-find-systems-impacted-by-cve-2024-3094-libxz-utils-with-runzero/
TL;DR: The "rolling" releases affected by this issue all use very new builds of OpenSSH (9.6p1/9.7p1) which simplifies the search.
Is the "light of the compelling consumer proposition" going to shine brightly in 2024? https://torrentfreak.com/netflix-piracy-is-difficult-to-compete-against-and-growing-rapidly-240204/
The FOSDEM 2024 talks are 🔥: https://fosdem.org/2024/schedule/rooms/
Some favorites so far:
* "Where the !?*! are the packets going?”, covering TCP "InSession" traceroute (and more!) by Luca Sani - https://fosdem.org/2024/schedule/event/fosdem-2024-2929--where-the-are-the-packets-going-/
* "Effortless Bug Hunting with Differential Fuzzing" by Maciej Mionskowski - https://fosdem.org/2024/schedule/event/fosdem-2024-1927-effortless-bug-hunting-with-differential-fuzzing/
* "Linux on a Confidential VM in a cloud: where's the challenge?" by Vitaly Kuznetsov - https://fosdem.org/2024/schedule/event/fosdem-2024-2394-linux-on-a-confidential-vm-in-a-cloud-where-s-the-challenge-/
The world got weird. Help Systems acquired many security vendors, then spun them out as Fortra, including Cobalt Strike, Core Impact, and this week's flavor of exploitable file transfer software: GoAnywhere MFT (CVE-2024-0204)!
Surely these all belong together.
Looking for exposed GoAnywhere systems? Look for HTML bodies containing: "GoAnywhere Web Client". @runZeroInc search query at: https://www.runzero.com/blog/finding-fortra-goanywhere-mft/
How much you say? I can't quite read this, let me find my monocle.
#golang PSA: If you are shipping binaries built with Go 1.21.1 or newer to Linux systems with Transparent Huge Pages (THP) enabled (default in many cases), you either need to tweak the system THP settings via SysFS or upgrade to Go 1.21.6 AND set the workaround GODEBUG=disablethp environment variable.
If you don't, it can lead to what looks like a slow memory leak and eventually an out-of-memory condition. The issue doesn't affect every application (it depends on your memory use patterns), but when it does trigger, it's a pain to debug.
Go docs on THP: https://go.dev/doc/gc-guide#Linux_transparent_huge_pages
Github issue: https://github.com/golang/go/issues/64561
Original Linux kernel issue: https://bugzilla.kernel.org/show_bug.cgi?id=93111
Huge thanks to @TomSellers for tracking this down. The latest @runZeroInc build (4.0.240109.0) includes the fix for self-hosted customers.
Piping /dev/urandom into the USB HID keyboard stream[1] of a Windows 11 host logon screen makes for some funny videos.
Semi-related, you can do silly things with the "Microsoft OS Descriptor" USB parameters (properties get mapped to registry keys/values), but it looks generally safe, since not much happens automatically with those properties, especially outside of the Explorer view for Mass Storage/MTP/PTP devices.
1. Pi Zero W 2 in OTG mode, setup as a composite device via ConfigFS, and literally mashing random bytes into /dev/hidg0
Hot takes for 2024:
* Is the project part of the Apache Foundation and something you have never heard of as a defender? Expect to see in-the-wild exploitation.
* Seeing a ton of lower-case error messages? It's Go. It's all Go now. Go ate Java, it's coming for .NET next. Rust folks (aka C++ refugees) are welcome to hang out in the basement and drink Bailey's from a boot (or at least, work on bootloaders) while everyone else moves to Go.
Happy new year!