blasty

@bl4sty

Followers 16K | Following 2K | Media 262 | Statuses 4K

irresponsible disclosure aficionado

The Netherlands
Joined April 2009
@bl4sty
blasty
2 years
wholesome yet dystopian
145
12K
183K
@bl4sty
blasty
10 months
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore. 1/n
32
1K
5K
@bl4sty
blasty
10 months
auth bypass confirmed!
> INFO:paramiko.transport:Authentication (password) successful!
mm_keyallowed_backdoor cmd 1 allows to override the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can login with any pass 🤓
14
145
1K
@bl4sty
blasty
10 months
xz bd engineer 1: bro, we need a way to probe the address space to make sure we never SEGV sshd.
xz bd engineer 2: we'll just do a pselect syscall with empty fd sets, a timeout of 1 nanosecond and the addr we want to probe is passed as the sigmask pointer, EFAULT means unmapped
22
133
987
@bl4sty
blasty
2 years
Decided to publish the Lexmark printer exploit + writeup + tools instead of selling it for peanuts. 0day at the time of writing: -- enjoy!
17
285
940
@bl4sty
blasty
10 months
nothing to see here, just properly documenting the fixed defects in the backdoor code 😂
2
114
851
@bl4sty
blasty
3 years
Hacked up a quick Dirty Pipe PoC that spawns a shell by hijacking (and restoring) the contents of a setuid binary.
9
308
787
@bl4sty
blasty
2 years
since this tweet is ballin' slightly outta control:
1) image was stolen from @njudah@sfba.social on the fediverse, not my neighbourhood (SF)
2) all the printers I currently own will only display this quirky animation: -- who do I contact??
@thezdi
Zero Day Initiative
2 years
While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
4
19
767
@bl4sty
blasty
10 months
you gotta appreciate the way they shipped the backdoored object file. added some "test" data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in an awk script and the result gets unxz'd again
6
131
718
@bl4sty
blasty
10 months
whoever designed this stuff had to take a deep dive into openSSH(d) internals (and so did I for the past couple of days, oof). hats off, once again :)
5
21
667
@bl4sty
blasty
3 years
enjoy, my fellow scriptkiddies.
14
195
654
@bl4sty
blasty
7 years
*facepalm*
27
292
589
@bl4sty
blasty
3 years
Dirty Pipe PoC works beautifully. 🤑
1
171
544
@bl4sty
blasty
10 months
q3k from @DragonSectorCTF has figured out the string/symbol obfuscation in the xz backdoor! there appears to be a lot more going on than reported in the initial report.
2
116
539
@bl4sty
blasty
3 years
Oh my god, this stuff is absolutely brutal. RCE on Apple, Tencent, Steam, Twitter.
7
187
476
@bl4sty
blasty
3 years
If you are hard at work scanning the internet for CVE-2021-41773 (apache 2.4.49 path traversal thing), also try /icons instead of just /cgi-bin, enjoy the increased success rate :-P
5
102
458
@bl4sty
blasty
10 months
some people asked for the code, so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out.
8
127
449
@bl4sty
blasty
10 months
it requires sending a properly crafted command to the RSA_public_decrypt hook, which will then install another for the `mm_answer_keyallowed` sshd function. subsequently you offer N more fake ssh-rsa pubkeys which are crafted in a special way to chunk together. 2/n
2
11
431
@bl4sty
blasty
4 years
Last night @lockedbyte showed you how we managed to exploit sudo with a partial overwrite of a funcptr and some small bruteforce. Today we do it single-shot with some help of glibc/nss.
9
141
394
@bl4sty
blasty
3 years
Quick writeup Exploit code
1
166
393
@bl4sty
blasty
10 months
currently I'm just triggering command 0x03 in this part of the code, which allows for a basic RCE through system() again (also lets you set uid/gid). but there's more code that needs to be understood. it looks like a full auth bypass (interactive session) is possible!
1
10
371
@bl4sty
blasty
3 years
that was trivial, just follow the steps outlined in the Qualys advisory for a reliable LPE ;-)
10
58
373
@bl4sty
blasty
10 months
a "magic buffer" which contains more backdoor commands. this buffer also has two additional ed448 signatures, which, like the ones for the RSA_public_decrypt portion of the backdoor, are salted with the SHA256 digest of the hostkey.
1
8
365
@bl4sty
blasty
3 years
Weaponized the CVE-2021-43267 PoC. Will post exploit code (and maybe a small blogpost) in a bit. Need to overcome netlink/tipc ptsd first lol.
5
98
351
@bl4sty
blasty
1 year
To celebrate @WyzeCam's decision to release a firmware update a day before this year's Pwn2Own Toronto competition, I've decided to release the exploit for my (killed) bugchain: maybe next time they will not withhold patches for critical bugs? 🙃
11
96
344
@bl4sty
blasty
10 months
the final signature also takes into account the session_id (0x20 bytes) that is derived during the initial key exchange (KEX) for the SSH session. my current PoC implementation uses a heavily monkey patched paramiko (ssh client) library to achieve this.
2
7
330
@bl4sty
blasty
10 months
CtF hAs nOThInG tO dO wiTh AcTuAl SeCuRity ReSeArcH.
@ky1ebot
kylebot
10 months
Found a V8 sandbox bypass during @PlaidCTF. Let's see whether I will be the first one claiming the bounty 👀
7
49
325
@bl4sty
blasty
4 years
New version of sudo exploit is up at (old archive has been replaced too). Made things more generic and added support for Debian Buster (sudo 1.8.27). More targets are welcome! :-) (Maybe some aspiring x-dev can code a finder)
2
138
319
@bl4sty
blasty
10 months
(that conclusion is based on the fact that one of the mm_answer_keyallowed backdoor commands also hooks mm_answer_keyverify, eventually).
3
5
286
@bl4sty
blasty
1 year
I created a hyper realistic and handwavey re-enactment of the lockbit CVE-2023-3824 attack after some insights from PHP internals expert @cfreal_
@cfreal_
Charles Fol
1 year
@bl4sty There are others. For instance, DirectoryIterator hits it too, and in this case the buffer overflows into a heap allocated char* pointer.
9
61
260
@bl4sty
blasty
1 year
new blog post and 0day exploit release for CANON ImageCLASS printers: 🖨️
5
85
253
@bl4sty
blasty
3 years
This chrome sandbox escape writeup features some adorable supporting graphics.
@starlabs_sg
starlabs
3 years
Our team mate @hungtt28 finished writing the blog post for that. We hope it's useful. Thanks to @TaDinhSung @bruce30262 @_jsoo_ & Frances for proof-reading and @buttburner for the cute cats. Don't worry, no cats were harmed during the entire process.
1
48
239
@bl4sty
blasty
1 year
.@WyzeCam I will not submit to your beg bounty program that only pays in "trust", "respect", "transparency" and "common good" [1]. none of those put bread on the table 😂
[1]:
17
40
230
@bl4sty
blasty
5 years
@thegrugq Enabling verbatim mode in Google (append &tbs=li:1 to URI or clickey clickey enable it via 'Tools') makes Google a lot more usable.
4
32
203
@bl4sty
blasty
3 years
what a wonderful disclosure timeline in @chompie1337's latest blog post. people attempt to hide vuln fix commits by redacting the e-mail address you report bugs with 😂
4
28
202
@bl4sty
blasty
3 years
free advice: never let your hacker friends convince you to go clubbing at 4am if you have a hotel checkout at 11am.
11
8
201
@bl4sty
blasty
10 months
cursory examination leads me to believe contributor Jia Tan <jiat0218@gmail.com> was actually being complicit in this whole ordeal, or he was forced to for some reason. either that or someone who compromised his stuff is really good at LARP'ing as the guy.
7
7
188
@bl4sty
blasty
3 years
I've put together a small docker recipe that lets you try out CVE-2021-41773 in the comfort of your own lab. Also allows for RCE through mod_cgi(d):
1
61
191
@bl4sty
blasty
10 months
great stuff: -- we had independently confirmed the same details over the past 2 days. there's more to be uncovered/understood. the engineering effort of the xz backdoor is crazy. some weird design decisions though.
2
39
184
@bl4sty
blasty
2 years
SSH agent forwarding just became even more dangerous 😂 -- leave it to the creative minds at Qualys to turn a series of dlopen()+dlclose() calls (of unrelated/benign shared libraries) into arbitrary code exec, hats off!
1
58
173
@bl4sty
blasty
3 years
Qualys strikes again: you want to chmod -s `which pkexec` asap.
0
65
175
@bl4sty
blasty
9 months
video of my @nullcon Berlin talk "printer hacking adventures": 🖨️🐛🤓. I can't hot-link the slides because X thinks my domain is harmful?
6
54
171
@bl4sty
blasty
8 years
capstone + keystone + pyelftools + ugly glue = ropstone
5
95
156
@bl4sty
blasty
9 years
Here it is; my remote kernel exploit for CVE-2015-3036: http://t.co/ap0LecugG0 (targeted against my WNDR3700v5). Enjoy! #NoMoreDosPOCs ;-)
9
162
155
@bl4sty
blasty
3 years
Slightly revised copy of blasty-vs-pkexec.c available here: -- Might work better against your annoying ArchLinux coworkers and is more self contained as a bonus. (No more system("gcc") lol, thanks @_darrenmartyn and others for this suggestion).
4
30
161
@bl4sty
blasty
3 years
Wow, @theflow0 is a true visionary: 🥲
@theflow0
Andy Nguyen
3 years
@bl4sty Predicted filename: blasty-vs-pkexec.c.
4
27
158
@bl4sty
blasty
1 year
I contributed a task to this year's @PotluckCTF that contains an emulator for a custom ISA. one of the players actually implemented a decompiler for it by lifting to binja's IL. mind you: this is a 24h long CTF! very neat to see current tooling makes things like this feasible!
4
17
157
@bl4sty
blasty
4 months
I love it when bugs leak due to incompetence. I remember when we reported the catastrophic CVE-2012-1823 PHP-CGI bug and ended up disclosing it by accident because their bug tracker (written in PHP, of course) had a bug, making the "private" flag vanish.
@evilsocket
Simone Margaritelli
4 months
For the record: this is a coordinated disclosure because CERT's VINCE had a leak.
6
18
153
@bl4sty
blasty
6 years
RCE exploit (LAN, but probably WAN with some CSRF/SSRF imagination) for ZTE H368N/H369A (and probably others) modems. Dropped this (amongst other stuff) at @WarConPL last month. No time/energy/interest for contacting vendor, so enjoy the 0day!
6
75
138
@bl4sty
blasty
4 years
Just spit out my coffee when @gamozolabs referred to the ARM stmfd instruction/mnemonic as "store the motherfucking data".
2
17
142
@bl4sty
blasty
9 years
Here's the UPC WPA2 pass recovery tool! Happy new year! ;-)
12
91
136
@bl4sty
blasty
4 years
The Linux (e)BPF bytecode verifier, the gift that keeps on giving! Wrote an exploit for CVE-2020-27194. :-) Shout out to @scannell_simon for the bug and @_manfp for exploitation strategy inspiration!
1
46
141
@bl4sty
blasty
3 months
our first entry worked! 🎉
@thezdi
Zero Day Initiative
3 months
Verified! PHP Hooligans / Midnight Blue (@midnightbluelab) used a single bug to exploit the Canon imageCLASS MF656Cdw printer. They earn themselves $20,000 and 2 Master of Pwn points. #Pwn2Own #P2OIreland
5
10
142
@bl4sty
blasty
3 years
I've lost count of how many eBPF verifier vulns we've seen in Linux over the years. You want to make sure unprivileged bpf syscalls are not allowed on your machines (configurable through kernel.unprivileged_bpf_disabled).
2
23
136
@bl4sty
blasty
2 years
Got quite a few questions about the post-exploitation payload for the printer(s), here is the code: It even runs in the browser thanks to the power of Emscripten/WASM:
3
44
130
@bl4sty
blasty
2 years
New blog post is up! Dumping the AMLogic A113X/A113D BootROM (and eFUSE/OTP data):
3
38
122
@bl4sty
blasty
4 years
strstr(s, "zerodium") is the new strcmp(target, "ACIDBITCHEZ").
3
18
119
@bl4sty
blasty
1 year
EHLO mailserver.AUTH AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARRRGGGHHHHHH. any actual details? 🙃.
@TheZDIBugs
TheZDIBugs
1 year
[ZDI-23-1469|CVE-2023-42115] (0Day) Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability (CVSS 9.8)
4
14
121
@bl4sty
blasty
11 months
thanks to everyone who attended my @nullcon talk! and thank you to the demo gods for allowing the live demo to work on the second try 🙏😅
@nullcon
NULLCON
11 months
Printer Hacking at #nullconBerlin by @bl4sty
6
7
118
@bl4sty
blasty
8 years
Intel AMT vulnerability (auth bypass) TL;DR:
strncmp(correct, user_input, strlen(user_input));
Wow.
5
91
108
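The comparison shape in the tweet above, reproduced beside a hardened version so the failure mode is visible; this is an added illustration, not code from the tweet or from any AMT firmware, and the digest string is a constructed sample value:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample credential for the demonstration (not a real AMT value). */
static const char *EXPECTED_DIGEST = "5f4dcc3b5aa765d61d8327deb882cf99";

/* Flawed shape from the tweet: the compare length is taken from the
 * caller-supplied input, so the input only has to match the prefix it
 * covers, and an empty input compares zero bytes and therefore "matches". */
int check_vulnerable(const char *correct, const char *user_input)
{
    return strncmp(correct, user_input, strlen(user_input)) == 0;
}

/* Hardened form: require the exact expected length, then compare every byte
 * without an early exit so timing does not reveal how many leading bytes
 * were correct. A real code base would call its crypto library's
 * constant-time memcmp instead of hand-rolling this loop. */
int check_fixed(const char *correct, const char *user_input)
{
    size_t len = strlen(correct);
    if (strlen(user_input) != len)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)correct[i] ^ (uint8_t)user_input[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed probes: empty, correct prefix, exact match, wrong value. */
    const char *inputs[] = { "", "5f4d", EXPECTED_DIGEST, "ffff" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("input=%-34s vulnerable=%d fixed=%d\n",
               inputs[i][0] ? inputs[i] : "(empty)",
               check_vulnerable(EXPECTED_DIGEST, inputs[i]),
               check_fixed(EXPECTED_DIGEST, inputs[i]));
    return 0;
}
```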
@bl4sty
blasty
1 year
here I was hoping for the cURL bug to be something useful to upgrade a SSRF to have new superpowers or something similar 🙃. good luck exploiting this heap overflow on a modern-ish libc in a remote context with valid hostname characters for the trigger.
4
20
110
@bl4sty
blasty
1 month
at #38c3 @rdjgr did a pretty good job at explaining the lore of how they scammed me before we ultimately joined forces. make sure to check out the full talk ("Dialing into the Past: RCE via the Fax Machine – Because Why Not?"), great stuff!
1
12
113
@bl4sty
blasty
2 years
Thanks everyone who attended my talk "Smart Speaker Shenanigans" at #HITB2013AMS -- as promised the exploit code and tools have been published at
1
41
105
@bl4sty
blasty
3 years
Just tuned in to a twitter spaces session of some enraged infosec people stomping on a charlatan 🍿.
8
1
99
@bl4sty
blasty
7 years
lol @ CERT singapore:
4
63
96
@bl4sty
blasty
4 years
the Exim bloodbath by Qualys is 🔥
6
39
104
@bl4sty
blasty
7 years
Details of the recent Chrome OS exploit chain are out: -- much respect to gzobqq@gmail.com.
1
81
102
@bl4sty
blasty
9 years
Cute backdoor:
# chmod +s /usr/sbin/arp
$ arp -v -f /etc/shadow 2>&1 | egrep '^>>'
4
51
100
@bl4sty
blasty
9 years
Ben was one of my dearest friends and a true inspiration. Here is some cool HW he built that I found in my drawer.
3
38
96
@bl4sty
blasty
6 months
not gonna lie; I was skeptical when I first heard @phrack was (once again) under new management. but my 10 minute skim-reading session of phrack issue #71 did not disappoint so far! go check it out if you haven't yet :).
2
11
97
@bl4sty
blasty
4 years
I wrote a thing about numeric only shellcodes (x86):
2
21
99
@bl4sty
blasty
3 months
new 2 part blogpost on the Lexmark WTM stuff is now live!
2
39
100
@bl4sty
blasty
1 year
first ever interactive JS slidedeck to contain an emulator visualisation built with capstone and unicorn? neat!
@LinaAsahi
Asahi Lina / 朝日リナ 🐘 @[email protected] 🦋 @lina.yt
1 year
I just posted the slides for today's collab stream with @CyanNyan6!!! 「I hacked macOS!!! CVE-2022-32947. With Lina✨ & Cyan💎」
2
10
94
@bl4sty
blasty
4 years
enjoy!
@bl4sty
blasty
4 years
For what it's worth, should be a piece of cake to adapt to work with CVE-2020-8835 (as used by @_manfp at Pwn2Own 2020) as well. Not sure about releasing this code right now although personally I couldn't care less as the bugs are dead anyway. ;-).
0
31
93
@bl4sty
blasty
6 years
this is @qwertyoruiopz irl.
@PicturesFoIder
non aesthetic things
6 years
3
7
88
@bl4sty
blasty
1 year
public announcement for Bad Actors™️ who are wget'ing/cURL'ing exploit code directly from my website to (potentially) vulnerable endpoints: please re-host the code elsewhere, I don't need to know where your shellz live 😅
2
19
91
@bl4sty
blasty
2 years
Which CTF will be the first to have a FoReNSiCs challenge that employs this one little trick?
@onekey_rl
ONEKEY Research Labs
2 years
Let's explore how we turned a path traversal affecting binwalk into arbitrary code execution -
2
7
94
@bl4sty
blasty
10 months
here's an example of the obfuscated string resolution in action, 0x108 maps to "/usr/sbin/sshd"
3
3
86
@bl4sty
blasty
10 months
a myriad of libcrypto routines are being resolved, password auth is likely bypassed as well. logging infra for sshd is hooked to prevent auth bypasses ending up in syslog. there's hooks for setresgid/setresuid, likely used to prevent privdrop when auth'ing as non-root.
1
4
88
@bl4sty
blasty
7 months
all parser bugs are just PERFECT BACKDOORS part of a TICKING TIMEBOMB 💣 😂
@Perpetualmaniac
Zach Vorhies / Google Whistleblower
7 months
Update: Crowdstrike came out and released a technical report confirming my analysis. They were reading in a bad data file and attempting to access invalid memory. This global crash was a two-part bomb. The detonator apparently, was NOT new, it was PRE-INSTALLED. /1
2
9
86
@bl4sty
blasty
1 year
we hacked a thing! good job team 🦾.
@thezdi
Zero Day Initiative
1 year
Success! The Midnight Blue (@midnightbluelab) / PHP Hooligans team executed their attack against the Sony XAV-AX5500. They’re off to the disclosure room for confirmation. #Pwn2Own.
3
2
90
@bl4sty
blasty
2 years
Lexmark published an advisory in response to my published work: -- apparently it affects ~130 of their printer models, not a bad haul! *pats himself on the back* 🤣 Only took them 13 days to come up with a response/fix; irresponsible disclosure works!
7
13
89
@bl4sty
blasty
9 years
"SQL Injection is a weakness which allows a troubled Russian teenager to speak directly to the database behind the web application" #LOL.
0
72
79
@bl4sty
blasty
3 months
love this ubuntu desktop LPE chain by @PsychoMario, reminds me quite a bit of his chromeOS chains :)
1
12
89
@bl4sty
blasty
8 years
A friend with ss7 access is trolling me using carrier messages :-(
5
34
80
@bl4sty
blasty
10 months
'auth_root_allowed' is also resolved for sshd instances that don't allow root login (common), and there's a mystery string I haven't been able to find referenced in the code so far: "yolAbejyiejuvnup=Evjtgvsh5okmkAvj".
6
1
84
@bl4sty
blasty
4 years
Someone hacked and inserted two sloppy backdoor commits with references to @Zerodium LOL.
2
30
83
@bl4sty
blasty
1 year
We (@rdjgr, carlo from @midnightbluelab & me) landed 3rd place! 🎉 The payout could have been better (damn drawing) but fortunately none of our bugs were dupes. For one target we actually had 3 distinct exploits lined up and picked "the right one" last minute-ish. 🙃
@thezdi
Zero Day Initiative
1 year
The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv, the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March.
3
7
85
@bl4sty
blasty
3 years
Who will be the first to come up with a XSS NFT that auto-purchases itself by emptying your MetaMask? 😂
@josephfcox
Joseph Cox
3 years
New: this NFT will steal your IP address. Viewing this and some other NFTs on marketplace OpenSea will send your IP to the NFT creator, because OpenSea lets people load custom code, including HTML. NFTs can gather data on viewers. Confirmed with my own IP
3
9
75
@bl4sty
blasty
8 years
CVE-2017-8073 PoC (to be ran from irssi, har har): /exec -o /bin/echo -e "\x01DCC SEND \" 1.2.3.4 1337 1\x01" #WeeChat #sorry.
3
44
78
@bl4sty
blasty
8 years
This is long overdue, but my son is 2 months old already! ;-] #happydad
7
0
77
@bl4sty
blasty
5 years
Does my Android 0day chain need to work on all 3 million different devices and firmware images out there in order to be eligible for the $2.5M payout?
@cBekrar
Chaouki Bekrar
5 years
Now @Zerodium is paying $2.5 million for Android full chains (iOS chains still at $2M) as Google/Samsung have considerably improved their security. iOS chains (1-click) e.g via Safari reduced to $1M as there’s a bunch of them on the market, sad but true.
6
8
74
@bl4sty
blasty
5 years
I have decided to give back to my community. All 0day sent to my address below will be sent back doubled. I am only doing a maximum of 50,000 0day. 0day@haxx.in. Enjoy! #0dayponzischeme.
2
11
77
@bl4sty
blasty
8 years
Yay, a PoC for the TCP off-path attack (CVE-2016-5696)
2
78
72
@bl4sty
blasty
3 months
/* XXX: property is only mutable at fixed interval */
blasty->age = 0x25;
17
0
79
@bl4sty
blasty
6 months
great research/white paper from @alexjplaskett and @robHerrera_ on remotely pwning the Sonos (kernel rce!). thanks for the attribution, too!
@alexjplaskett
Alex Plaskett
6 months
40 page whitepaper on Exploiting Sonos One Over-The-Air talk!
1
11
76
@bl4sty
blasty
9 years
Yup. This is happening. Small blasty in the making. Who would've thought? #happy :-)
30
4
73
@bl4sty
blasty
7 years
Soo. McAfee's ultra secure crypto currency hardware (brain) wallet is an android phone with custom bezel? 😂 Supply-chain attacks are probably trivial.
4
22
59