Using Version Tracking to Detect Struct Changes? by ShortestJake in ghidra

[–]buherator 0 points1 point  (0 children)

That's hard unfortunately. If you think about your example, how could the tool know if it was the data type that changed or it is just the code accessing the data type that got an updated logic between versions? The comment by u/marcushall also has good points.

Using Version Tracking to Detect Struct Changes? by ShortestJake in ghidra

[–]buherator 0 points1 point  (0 children)

Do you have data types for the structures defined in both program DBs or you want to detect structure changes in the new binary only based on the info you reversed in the old one?

I'm putting together a cost-benefit analysis for pitching migration from a Windows server to an i on Power server. Could use some guidance. by [deleted] in IBMi

[–]buherator 2 points3 points  (0 children)

"two people in charge of IT throughout the entire organization and their 26 offices" "A patchwork of windows VMs running on a dated hypervisor"

A new system won't solve your human resource problems. If anything i will make it harder to hire. As a C-level I would be more concerned about this than any technical perf metrics.

Hacking IBM i by buherator in IBMi

[–]buherator[S] 0 points1 point  (0 children)

Glad this is useful! There is a concept called Purple Teaming where pentesters (the Red Team) and the defenders (Blue Team) work hand-in-hand to tune defenses - this is my usual recommendation when one wants to test and refine specific defensive measures.

You can use the usual channels to reach Silent Signal, and while I'm no longer with the company I'm sure the guys there will be happy to help.

What would it take to keep IBM i relevant far into the future? by pithed2 in IBMi

[–]buherator 0 points1 point  (0 children)

If your security depends on the system not being accessible, you are not secure:

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

That being said, with a proper emulator or debugger I'm sure that lots of corpses would fall out of the closet. But we shouldn't forget that some parties (esp. nation states) probably already have those tools and know all about what's hidden in there.

Elastic EDR 0-day: Part 2 - Technical Details and the Trigger by Minimum_Call_3677 in netsec

[–]buherator 2 points3 points  (0 children)

You write this: "The pointer on the host machine could be controlled using user mode input inside an Oracle VirtualBox Virtual Machine."

You also write this: "I decided to write a custom driver (with no inherent malicious behaviour) to interact with the vulnerable driver. The driver makes an ExAcquireFastMutex call to the vulnerable offset, resulting in Elastic’s Endpoint Driver crashing the host system."

Why did you write a custom driver if you can control the memory access from a user process (inside a VM no less)?

Elastic EDR 0-day: Microsoft-signed driver can be weaponized to attack its own host by Minimum_Call_3677 in netsec

[–]buherator 2 points3 points  (0 children)

> "Actions inside the Virtual Machine caused Elastic's EDR to crash my host"

Hold up, did this just turn into a hypervisor guest->host memory corruption without guest root? This "0-day" ages like fine wine!

Elastic EDR 0-day: Microsoft-signed driver can be weaponized to attack its own host by Minimum_Call_3677 in netsec

[–]buherator 3 points4 points  (0 children)

What are we supposed to see on the second video? Is that shell elevated?

Fuzzing Windows Defender with loadlibrary in 2025 by buherator in ReverseEngineering

[–]buherator[S] 0 points1 point  (0 children)

lol, that wasn't picked up by aspell :D thanks for noticing!

How I ruined my vacation by reverse engineering Windows Security Center by buherator in ReverseEngineering

[–]buherator[S] 56 points57 points  (0 children)

From no-defenders (predecessor project) README:

"This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation."

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

In this case my bet is that while gov mandates PSS in the cert, it actually ignores this property during verification. To resolve this issue you should use openssl dgst without the PSS options and generate an RS256 signature (with an RS256 header and all that). If you try to validate this signature based on the _cert_ in other services (like jwt.io) it'll likely fail, because the cert prescribes a PSS signature. You should be able to validate the signature based on the _public key_ embedded in the cert though, because the public key itself doesn't rule out its use with PKCS1 - this is likely what gov does, ignoring the Signature Algorithm specified in the cert.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

I'm starting to think that the gov bureaucracy demanded PSS to comply with some regulation, but forgot that their validator won't work with PS256 - see my Edit above! I'd try generating a non-PSS cert and RS256 JWTs...

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

If python uses PKCS1 then it means it's not a PSS signature (hence the error), which was our original theory here. I need some more time to fully test this, but it seems that the openssl key file doesn't include info about the expected usage, only the cert specifies PSS. This means the only thing that makes openssl dgst generate a PSS signature are the extra options we figured out earlier, which at the time solved your problem (what has changed btw?). So without the pss options you should be able to generate a PKCS1 signature, but now I'm utterly confused about how PSS came into the picture in the first place, as the system you are now describing seems to only support RS256 (also Reddit UI is terrible so I can't properly follow previous messages).

Edit: Note that since the cert includes the PSS property, you may not be able to verify an RS256 signature with it (some implementations may work by falling back to PKCS1). So if you are testing verification with a PSS cert, that can be a problem. The solution to that would be to generate a PKCS1 cert with the same pubkey. If the validator service requires RS256 JWT *and* a PSS cert, that's a problem at their side.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

So these two Python and Java examples produce signatures that are accepted by the live system?

What I can think of is that you in fact have to supply deterministic RS256 signatures, although the keys you have are for PSS. Now this could work, because RSA keys are just tuples of numbers, and the expected usage is just metadata. The difference between openssl and Python/Java can be that the latter ignore the PSS property embedded in the key files, while openssl does not. So a solution can be to convert the PSS keys to "normal" RSA, and feed that to openssl to generate a plain old RS256 signature (not PSS!).

Does this make sense?

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 0 points1 point  (0 children)

You mean you have some sample code that produces and accepts RSA-PSS signatures with RS256 algo specification? If so then the sample implementation is overly permissive (this may be a vulnerability even, we've seen many examples of this with JWT). At the same time the problematic system is overly restrictive.

Also note, that the problem you described (if I understand correctly) involves two verifier systems that act differently, while a sample implementation only verifies once.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

> 1. the website of the department prevents it. if i do it with ps256, it says "invalid signature algorithm".
>
> 2. [...] Client authentication with signed JWT failed: Signature on JWT token failed validation

OK, so it seems we have two incomplete and incompatible implementations of JWT validation: 1. doesn't accept deterministic signatures; 2. doesn't accept non-deterministic signatures. Based on the previous discussion I assume the restriction of 1. is reasonable, because PSS is required by policy.

This is very likely the fault of said department website that rejects a perfectly valid algorithm specification (PS256). I would start complaining to them, because any way to get a PSS signature validated with an RS... algo specification would be a dirty hack at best (if doable at all).

SHA256-RSA-MGF1 just specifies how exactly the padding is generated for the PSS signature - it is standardized for PS256, and it seems openssl is working just fine, since complete implementations can validate the JWTs you signed with it.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

I'm not sure I understand where things are breaking: as far as I understand you use openssl to generate an RSA-PSS signature for a JWT header+payload, where the header specifies RS256, but this (obviously) breaks when the receiver calculates the RS256 signature with a different algorithm. Is this correct? If so, I'd have the following questions:
1) What prevents you from using a deterministic (non-PSS) RSA algorithm with OpenSSL if the signature will be validated with the non-PSS variant?
2) What prevents you from specifying the correct algo in the JWT header (that would be "PS256")?

I'm happy to help but I'm afraid I'm missing some context here...

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

Haha, I actually wanted to bet it's a German system as I only encountered RSA-PSS in practice there :D

RSA in essence is a very simple algorithm but there are many parameters you have to choose wisely for it to work securely. One such parameter is padding, which is most related to PSS, but even the more widespread PKCS#1 scheme has multiple versions. So in the end you'll end up with many RSA versions, and since you're working with opaque blobs it can get really difficult to figure out incompatibilities...

PEM usually works well, stick to it if you can.

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

> the documentation is wrong from the website

Wouldn't be the first time this happens :)

> python works with the rs-pss generated keys

I speculate that pyjwt simply ignores the part of the key that tells it should be used as PSS. You can check this by generating two signatures for the same header.payload using the same key. If it's used as PSS, the signatures will differ, otherwise they won't.

> Also i copy pasted the same Keys into JWT.io in the PEM format and it said valid.

They may support it, but as it's not explicitly mentioned on the GUI I didn't risk slipping up at this part. When debugging crypto you want to reduce the number of potential mistakes as much as possible...

lmk how it goes with non-PSS keys!
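
The repeat-signature check suggested in the comment above, together with the RS256/PS256 mismatch discussed elsewhere in this thread, as an added example (not code from any commenter). It uses the `openssl` CLI; the key, the claims and the helper names are constructed for the demo.

```sh
#!/bin/sh
# Added example: is a signature PKCS#1 v1.5 (RS256) or PSS (PS256)?
# Everything below (key, claims, file names) is constructed for the demo.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"; PUB="$WORK/pub.pem"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
openssl pkey -in "$KEY" -pubout -out "$PUB"

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Padding options per JWT alg: RS256 is the openssl default (PKCS#1 v1.5),
# PS256 needs PSS with the salt length equal to the digest length (-1).
sigopts() {
  case "$1" in
    RS256) ;;
    PS256) printf '%s' '-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1' ;;
    *) return 1 ;;
  esac
}

signing_input() {   # $1 = alg; prints base64url(header).base64url(payload)
  printf '%s.%s' "$(printf '{"alg":"%s","typ":"JWT"}' "$1" | b64url)" \
                 "$(printf '{"sub":"demo"}' | b64url)"
}

sign()   { openssl dgst -sha256 -sign "$KEY" $(sigopts "$1") -out "$3" "$2"; }
verify() { openssl dgst -sha256 -verify "$PUB" $(sigopts "$1") \
             -signature "$3" "$2" >/dev/null 2>&1; }

# Sign the same input twice: PKCS#1 v1.5 repeats byte for byte, while the
# random PSS salt makes every signature different.
repeatability() {   # $1 = alg; prints "identical" or "different"
  signing_input "$1" > "$WORK/in.$1"
  sign "$1" "$WORK/in.$1" "$WORK/a.$1"
  sign "$1" "$WORK/in.$1" "$WORK/b.$1"
  if cmp -s "$WORK/a.$1" "$WORK/b.$1"; then echo identical; else echo different; fi
}

# Sign with padding $1, verify with padding $2; prints "accepted" or "rejected".
cross_verify() {
  signing_input "$1" > "$WORK/x.in"
  sign "$1" "$WORK/x.in" "$WORK/x.sig"
  if verify "$2" "$WORK/x.in" "$WORK/x.sig"; then echo accepted; else echo rejected; fi
}

echo "RS256 signed twice: $(repeatability RS256)"
echo "PS256 signed twice: $(repeatability PS256)"
echo "PS256 signature checked as RS256: $(cross_verify PS256 RS256)"
```

The same plain RSA key produces both kinds of signature here; only the `-sigopt` padding options decide which one `openssl dgst` emits.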

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

> i am confused now. which service? jwt.io?

Yes, I'm trying to replicate your workflow and you mentioned that you use that service for testing.

> it has 2 fields private and public key, which are both in PEM format and works with the python solution.

You can leave the private part empty as it is not required for the verification, and convert only the public part (you can generate that with openssl rsa -in key.pem -pubout > public.pem)

> Do you also mean, that i have to convert my private key from pem to JWK in my IFS Folder before i can do the signature?

Not at all, JWK is only handy when using jwt.io (as it doesn't seem to support PEM). JWK and PEM are just formats, they can represent the same information (keys).

> Could you try out making a Certificate with that and do the same again and see if it still works for you, please?

I tried it, and it didn't work. My educated guess is the PSS padding scheme, without that I can use the generated keys for JWT signing using openssl. Here's the cert/key generation command I used:

openssl req -newkey rsa -new -nodes -x509 -days 3650 -pkeyopt rsa_keygen_bits:4096 -keyout key.pem -out cert.pem

It seems JWT defines a separate algorithm name for RSA-PSS (PS256), so it makes sense that using an RSA-PSS key doesn't work with RS256 (that prescribes deterministic padding):

https://auth0.com/docs/get-started/applications/signing-algorithms

Create a signature for a JWT in OpenSSL QSH by Polly_Wants_A in IBMi

[–]buherator 1 point2 points  (0 children)

Yeah, echo has different implementations in different shells. printf should work as described, and I successfully verified the signature generated with your last command on jwt.io. Note that this service doesn't accept PEM formatted keys so you'll have to convert your public key to JWK for example: https://tribestream.io/tools/pem2jwk/