blasty

@bl4sty

Followers
16,233
Following
1,037
Media
247
Statuses
4,042

irresponsible disclosure aficionado

The Netherlands
Joined April 2009
@bl4sty
blasty
10 months
wholesome yet dystopian
@bl4sty
blasty
1 month
the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n
@bl4sty
blasty
1 month
auth bypass confirmed! > INFO:paramiko.transport:Authentication (password) successful! mm_keyallowed_backdoor cmd 1 allows to override the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can login with any pass 🤓
@bl4sty
blasty
1 month
xz bd engineer 1: bro, we need a way to probe the address space to make sure we never SEGV sshd xz bd engineer 2: we'll just do a pselect syscall with empty fd sets, a timeout of 1 nanosecond and the addr we want to probe is passed as the sigmask pointer, EFAULT means unmapped
@bl4sty
blasty
1 year
Decided to publish the Lexmark printer exploit + writeup + tools instead of sell it for peanuts. 0day at the time of writing: -- enjoy!
@bl4sty
blasty
2 months
nothing to see here, just properly documenting the fixed defects in the backdoor code 😂
@bl4sty
blasty
2 years
Hacked up a quick Dirty Pipe PoC that spawns a shell by hijacking (and restoring) the contents of a setuid binary.
@bl4sty
blasty
10 months
.. since this tweet is ballin' slightly outta control: 1) image was stolen from @njudah @sfba .social on the fediverse, not my neighbourhood (SF) 2) all the printers I currently own will only display this quirky animation: -- who do I contact??
@thezdi
Zero Day Initiative
1 year
While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
@bl4sty
blasty
2 months
you gotta appreciate the way they shipped the backdoored object file. added some "test" data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in.. awk script and the result gets unxz'd again
@bl4sty
blasty
1 month
whoever designed this stuff had to take a deep dive into openSSH(d) internals (and so did I for the past couple of days, oof) .. hats off, once again :)
@bl4sty
blasty
2 years
enjoy, my fellow scriptkiddies
@bl4sty
blasty
6 years
*facepalm*
@bl4sty
blasty
2 years
Dirty Pipe PoC () works beautifully. 🤑
@bl4sty
blasty
2 months
q3k from @DragonSectorCTF has figured out the string/symbol obfuscation in the xz backdoor! there appears to be a lot more going on than reported in the initial report.
@bl4sty
blasty
2 years
Oh my god, this stuff is absolutely brutal. RCE on Apple, Tencent, Steam, Twitter.
@bl4sty
blasty
3 years
If you are hard at work scanning the internet for CVE-2021-41773 (apache 2.4.49 path traversal thing).. also try /icons instead of just /cgi-bin, enjoy the increased success rate. :-P
@bl4sty
blasty
1 month
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turn it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out.
@bl4sty
blasty
1 month
it requires sending a properly crafted command to the RSA_public_decrypt hook, which will then install another for the `mm_answer_keyallowed` sshd function. subsequently you offer N more fake ssh-rsa pubkeys which are crafted in a special way to chunk together .. 2/n
@bl4sty
blasty
3 years
Last night @lockedbyte showed you how we managed to exploit sudo with a partial overwrite of a funcptr and some small bruteforce. Today.. we do it single-shot with some help of glibc/nss.
@bl4sty
blasty
1 month
currently I'm just triggering command 0x03 in this part of the code, which allows for a basic RCE through system() again. (also lets you set uid/gid). but there's more code that needs to be understood. it looks like a full auth bypass (interactive session) is possible!
@bl4sty
blasty
2 years
that was trivial, just follow the steps outlined in the Qualys advisory for a reliable LPE ;-)
@bl4sty
blasty
1 month
a "magic buffer" which contains more backdoor commands, this buffer also has two additional ed448 signatures. which like the ones for the RSA_public_decrypt portion of the backdoor are salted with the SHA256 digest of the hostkey
@bl4sty
blasty
2 years
Weaponized the CVE-2021-43267 PoC. Will post exploit code (and maybe a small blogpost) in a bit. Need to overcome netlink/tipc ptsd first lol.
@bl4sty
blasty
7 months
To celebrate @WyzeCam 's decision to release a firmware update a day before this year's Pwn2Own Toronto competition.. I've decided to release the exploit for my (killed) bugchain: .. maybe next time they will not withhold patches for critical bugs? 🙃
@bl4sty
blasty
1 month
the final signature also takes into account the session_id (0x20 bytes) that is derived during the initial key exchange (KEX) for the SSH session. my current PoC implementation uses a heavily monkey patched paramiko (ssh client) library to achieve this
@bl4sty
blasty
1 month
CtF hAs nOThInG tO dO wiTh AcTuAl SeCuRity ReSeArcH
@ky1ebot
kylebot
1 month
Found a V8 sandbox bypass during @PlaidCTF . Let's see whether I will be the first one claiming the bounty 👀
@bl4sty
blasty
3 years
New version of sudo exploit is up at (old archive has been replaced too). Made things more generic and added support for Debian Buster (sudo 1.8.27). More targets are welcome! :-) (Maybe some aspiring x-dev can code a finder)
@bl4sty
blasty
1 month
(that conclusion is based on the fact that one of the mm_answer_keyallowed backdoor commands also hooks mm_answer_keyverify, eventually)
@bl4sty
blasty
3 months
I created a hyper realistic and handwavey re-enactment of the lockbit CVE-2023-3824 attack after some insights from PHP internals expert @cfreal_
@cfreal_
Charles Fol
3 months
@bl4sty There are others. For instance, DirectoryIterator hits it too, and in this case the buffer overflows into a heap allocated char* pointer.
@bl4sty
blasty
2 years
This chrome sandbox escape writeup features some adorable supporting graphics.
@starlabs_sg
starlabs
2 years
Our team mate @hungtt28 finished writing the blog post for that. We hope it's useful. Thanks to @TaDinhSung @bruce30262 @_jsoo_ & Frances for proof-reading and @buttburner for the cute cats Don't worry, no cats were harmed during the entire process
@bl4sty
blasty
7 months
. @WyzeCam I will not submit to your beg bounty program that only pays in "trust", "respect", "transparency" and "common good". [1] none of those put bread on the table.. 😂 [1]:
@bl4sty
blasty
5 years
@thegrugq Enabling verbatim mode in Google (append &tbs=li:1 to URI or clickey clickey enable it via 'Tools') makes Google a lot more usable
@bl4sty
blasty
2 years
what a wonderful disclosure timeline in @chompie1337 's latest blog post. people attempt to hide vuln fix commits by redacting the e-mail address you report bugs with 😂
@bl4sty
blasty
2 years
free advice: never let your hacker friends convince you to go clubbing at 4am if you have a hotel checkout at 11am
@bl4sty
blasty
2 months
cursory examination leads me to believe contributor Jia Tan <jiat0218 @gmail .com> was actually being complicit in this whole ordeal, or he was forced to for some reason. either that or someone who compromised his stuff is really good at LARP'ing as the guy
@bl4sty
blasty
3 years
I've put together a small docker recipe that lets you try out CVE-2021-41773 in the comfort of your own lab. Also allows for RCE through mod_cgi(d):
@bl4sty
blasty
2 months
great stuff: -- we had independently confirmed the same details over the past 2 days. there's more to be uncovered/understood. the engineering effort of the xz backdoor is crazy. some weird design decisions though..
@bl4sty
blasty
2 years
Qualys strikes again: you want to chmod -s `which pkexec` asap
@bl4sty
blasty
10 months
SSH agent forwarding just became even more dangerous. 😂 -- leave it to the creative minds at Qualys to turn a series of dlopen()+dlclose() calls (of unrelated/benign shared libraries) into arbitrary code exec, hats off!
@bl4sty
blasty
8 years
capstone + keystone + pyelftools + ugly glue = ropstone
@bl4sty
blasty
5 months
I contributed a task to this year's @PotluckCTF that contains an emulator for a custom ISA. one of the players actually implemented a decompiler for it by lifting to binja's IL. mind you: this is a 24h long CTF! very neat to see current tooling makes things like this feasible!
@bl4sty
blasty
9 years
Here it is; my remote kernel exploit for CVE-2015-3036: http://t.co/ap0LecugG0 (targeted against my WNDR3700v5) Enjoy! #NoMoreDosPOCs ;-)
@bl4sty
blasty
2 years
Wow, @theflow0 is a true visionary: 🥲
@theflow0
Andy Nguyen
2 years
@bl4sty Predicted filename: blasty-vs-pkexec.c
@bl4sty
blasty
2 years
Slightly revised copy of blasty-vs-pkexec.c available here: -- Might work better against your annoying ArchLinux coworkers and is more self contained as a bonus. (No more system("gcc") lol, thanks @_darrenmartyn and others for this suggestion)
@bl4sty
blasty
5 years
RCE exploit (LAN, but probably WAN with some CSRF/SSRF imagination) for ZTE H368N/H369A (and probably others) modems. Dropped this (amongst other stuff) at @WarConPL last month. No time/energy/interest for contacting vendor, so enjoy the 0day!
@bl4sty
blasty
4 years
Just spit out my coffee when @gamozolabs referred to the ARM stmfd instruction/mnemonic as "store the motherfucking data"
@bl4sty
blasty
8 years
Here's the UPC WPA2 pass recovery tool! Happy new year! ;-)
@bl4sty
blasty
4 years
The Linux (e)BPF bytecode verifier, the gift that keeps on giving! Wrote an exploit for CVE-2020-27194. :-) Shout out to @scannell_simon for the bug and @_manfp for exploitation strategy inspiration!
@bl4sty
blasty
2 years
I've lost count of how many eBPF verifier vulns we've seen in Linux over the years. You want to make sure unprivileged bpf syscalls are not allowed on your machines (configurable through kernel.unprivileged_bpf_disabled).
@bl4sty
blasty
1 year
Got quite a few questions about the post-exploitation payload for the printer(s), here is the code: It even runs in the browser thanks to the power of Emscripten/WASM:
@bl4sty
blasty
8 months
EHLO mailserver AUTH AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARRRGGGHHHHHH.. any actual details? 🙃
@TheZDIBugs
TheZDIBugs
8 months
[ZDI-23-1469|CVE-2023-42115] (0Day) Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability (CVSS 9.8)
@bl4sty
blasty
3 years
strstr(s, "zerodium") is the new strcmp(target, "ACIDBITCHEZ")
@bl4sty
blasty
2 months
thanks to everyone who attended my @nullcon talk! and thank you to the demo gods for allowing the live demo to work on the second try 🙏😅
@nullcon
NULLCON
2 months
Printer Hacking at #nullconBerlin by @bl4sty
@bl4sty
blasty
7 years
Intel AMT vulnerability (auth bypass) TL;DR: strncmp(correct, user_input, strlen(user_input)); Wow.
@bl4sty
blasty
7 months
here I was hoping for the cURL bug to be something useful to upgrade a SSRF to have new superpowers or something similar. 🙃 good luck exploiting this heap overflow on a modern-ish libc in a remote context with valid hostname characters for the trigger
@bl4sty
blasty
1 year
Thanks everyone who attended my talk "Smart Speaker Shenanigans" at #HITB2013AMS -- as promised the exploit code and tools have been published at
@bl4sty
blasty
2 years
Just tuned in to a twitter spaces session of some enraged infosec people stomping on a charlatan 🍿
@bl4sty
blasty
3 years
the Exim bloodbath by Qualys is 🔥
@bl4sty
blasty
6 years
lol @ CERT singapore:
@bl4sty
blasty
8 years
Ben was one of my dearest friends and a true inspiration. Here is some cool HW he built that I found in my drawer.
@bl4sty
blasty
7 years
Details of the recent Chrome OS exploit chain are out: -- much respect to gzobqq @gmail .com
@bl4sty
blasty
8 years
Cute backdoor: # chmod +s /usr/sbin/arp $ arp -v -f /etc/shadow 2>&1 | egrep '^>>'
@bl4sty
blasty
8 months
first ever interactive JS slidedeck to contain an emulator visualisation built with capstone and unicorn? neat!
@LinaAsahi
Asahi Lina / 朝日リナ // @[email protected]
8 months
I just posted the slides for today's collab stream with @CyanNyan6 !!!  「I hacked macOS!!!   CVE-2022-32947  With Lina✨ & Cyan💎」
@bl4sty
blasty
4 years
enjoy!
@bl4sty
blasty
4 years
For what it's worth, should be a piece of cake to adapt to work with CVE-2020-8835 (as used by @_manfp at Pwn2Own 2020) as well. Not sure about releasing this code right now although personally I couldn't care less as the bugs are dead anyway. ;-)
@bl4sty
blasty
5 years
this is @qwertyoruiopz irl
@PicturesFoIder
non aesthetic things
5 years
@bl4sty
blasty
6 months
public announcement for Bad Actors™️ who are wget'ing/cURL'ing exploit code directly from my website to (potentially) vulnerable endpoints: please re-host the code elsewhere, I don't need to know where your shellz live. 😅
@bl4sty
blasty
1 year
Which CTF will be the first to have a FoReNSiCs challenge that employs this one little trick?
@onekey_rl
ONEKEY Research Labs
1 year
Let's explore how we turned a path traversal affecting binwalk into arbitrary code execution -
@bl4sty
blasty
4 months
we hacked a thing! good job team 🦾
@thezdi
Zero Day Initiative
4 months
Success! The Midnight Blue ( @midnightbluelab ) / PHP Hooligans team executed their attack against the Sony XAV-AX5500. They’re off to the disclosure room for confirmation. #Pwn2Own
@bl4sty
blasty
2 months
here's an example of the obfuscated string resolution in action, 0x108 maps to "/usr/sbin/sshd"
@bl4sty
blasty
2 months
a myriad of libcrypto routines are being resolved, password auth is likely bypassed as well. logging infra for sshd is hooked to prevent auth bypasses ending up in syslog. there's hooks for setresgid/setresuid, likely used to prevent privdrop when auth'ing as non-root
@bl4sty
blasty
1 year
Lexmark published an advisory in response to my published work: -- apparently it affects ~130 of their printer models, not a bad haul! *pats himself on the back* 🤣 Only took them 13 days to come up with a response/fix; irresponsible disclosure works!
@bl4sty
blasty
8 years
"SQL Injection is a weakness which allows a troubled Russian teenager to speak directly to the database behind the web application" #LOL
@bl4sty
blasty
7 years
A friend with ss7 access is trolling me using carrier messages :-(
@bl4sty
blasty
2 months
'auth_root_allowed' is also resolved for sshd instances that don't allow root login (common), and there's a mystery string I haven't been able to find referenced in the code so far: "yolAbejyiejuvnup=Evjtgvsh5okmkAvj"
@bl4sty
blasty
2 years
Who will be the first to come up with a XSS NFT that auto-purchases itself by emptying your MetaMask? 😂
@josephfcox
Joseph Cox
2 years
New: this NFT will steal your IP address. Viewing this and some other NFTs on marketplace OpenSea will send your IP to the NFT creator, because OpenSea lets people load custom code, including HTML. NFTs can gather data on viewers. Confirmed with my own IP
@bl4sty
blasty
4 months
We ( @rdjgr , carlo from @midnightbluelab & me) landed 3rd place! 🎉 The payout could have been better (damn drawing) but fortunately none of our bugs were dupes. For one target we actually had 3 distinct exploits lined up and picked "the right one" last minute-ish.🙃
@thezdi
Zero Day Initiative
4 months
The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv , the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March.
@bl4sty
blasty
7 years
CVE-2017-8073 PoC (to be ran from irssi, har har): /exec -o /bin/echo -e "\x01DCC SEND \" 1.2.3.4 1337 1\x01" #WeeChat #sorry
@bl4sty
blasty
8 years
This is long overdue, but my son is 2 months old already! ;-] #happydad
@bl4sty
blasty
4 years
I have decided to give back to my community. All 0day sent to my address below will be sent back doubled. I am only doing a maximum of 50,000 0day. 0day @haxx .in Enjoy! #0dayponzischeme
@bl4sty
blasty
5 years
Does my Android 0day chain need to work on all 3 million different devices and firmware images out there in order to be eligible for the $2.5M payout?
@cBekrar
Chaouki Bekrar
5 years
Now @Zerodium is paying $2.5 million for Android full chains (iOS chains still at $2M) as Google/Samsung have considerably improved their security. iOS chains (1-click) e.g via Safari reduced to $1M as there’s a bunch of them on the market, sad but true.
@bl4sty
blasty
8 years
Yup. This is happening. Small blasty in the making. Who would've thought? #happy :-)
@bl4sty
blasty
6 years
Soo.. McAfee's ultra secure crypto currency hardware (brain) wallet is an android phone with custom bezel? 😂 Supply-chain attacks are probably trivial.
@bl4sty
blasty
7 months
to everyone who buys into the Wyze story that they were only made aware of the auth bypass right before the competition: ask yourself why did they only bother addressing the issue in the Wyze Cam V3 (pwn2own target)? and not their other products that have the same bug? 🤐
@bl4sty
blasty
7 months
@0xTib3rius @WyzeCam They are free to patch whatever they want at any time of course. The timing here was just very fishy and seemed to be related to thwarting pwn2own entries. If we take their word for it and they were only made aware of the vulnerability right before the competition, then why.. 1/n
@bl4sty
blasty
6 years
What could possibly go wrong? #Drupal
@bl4sty
blasty
24 days
can y'all stop quote tweeting the geohot lern2asm clip
@bl4sty
blasty
10 years
Someone embedded a virus signature in the bitcoin blockchain, causing MS security essentials to go bonkers, LOL.
@bl4sty
blasty
7 years
Tracking #WannaCry BTC proceeds is simple thanks to hardcoded payment addresses. ()
@bl4sty
blasty
6 years
Great talk by @qlutoo @naehrwert @derrekr6 at #34C3 on Nintendo Switch hacking. Fully toasted the console's security in less than a year. Great job! :)
@bl4sty
blasty
2 years
Running Windows IDA on a M1 mac in macOS with Rosetta 2 + wine works surprisingly well. Found a nice app icon for my wine wrapper as well 😂
@bl4sty
blasty
8 years
Another day, another PHP sandbox bypass. Based on SQLite3 FTS tokenizer hax & a recent type conf. vuln in XMLRPC :-)
@bl4sty
blasty
8 years
Hello there, I'm trying to interface with your website but I'm wondering whether SQL injection is the only available API?