Profile for joern
About joern
Fields
- Website: https://0day.click
- Threema: https://threema.id/K8J68WTX
Bio
Your mom's favorite hacker!
My other account is @joernchen
Stats
- Joined
- Posts: 635
- Followed by: 1120
- Following: 259
Recent posts
Happy Valentine's Day!
I've got a little something for you all right here https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
💕 Patch your Gits 💕
IDK but all those AI prompt injections like
seem to rely on in-band signalling which could have been avoided at design time by having separate channels for configuration and user input. But instead the 70s are calling and want their cereal whistles back
Sometimes you just need to look at the right spot and have a good gut feeling to find vulns.
https://about.gitlab.com/blog/2023/01/24/git-security-audit/
Patch your Gits!
End of last year I had the big pleasure to work with @marver and @mumblegrepper in a code review of Git.
Here's what we got for you:
https://www.openwall.com/lists/oss-security/2023/01/17/4
https://x41-dsec.de/security/research/job/news/2023/01/17/git-security-audit-ostif/
Raise your hand if you don’t take proper notes but only rely on the shell history file. 🙋
Christmas Eve RCE ☑️
Let’s see how the reporting goes. :D
My pics of 2022 https://pixelfed.de/c/512299667272592240
Birdsite
Always impressed to see people talking BS and getting away with it.
Shitposting meta
Shitposting in the fediverse: so much joy.
Birdsite shitposting seems mostly about Mr. Musk nowadays.
Tired: How is your coding project going?
Wired: Everything fit in your Git?
Covid
Is an asshole.
I’m still testing negative but by now it only seems a matter of time.
So I messed up the gotosocial instance TLS certs this morning. I ran into the Let’s Encrypt rate limit for threatactor.club because I forgot to configure a path for the certificates on the persistent volume, and for each new deploy it would pull fresh certificates.
The trick to recover was to first set a path and then manually fetch an EC cert for threatactor.club and another DNS name with certbot. This would not count against the rate limit of threatactor.club as a second name is added (see https://letsencrypt.org/docs/rate-limits/ ). Then I put everything in place on the persistent volume and got the instance back up.
So this threatactor.club is running #gotosocial on a shared VM with 256 MB RAM. I’ve tried something new and used fly.io to host it. Works like a charm so far, with all the rough edges gotosocial still has.
The setup is somewhat similar to what’s described by @mfa in https://madflex.de/setup-fedi-cress-space/. I might post the actual configuration later on.
Short #introduction ahead:
I’m joern and I like to cause dumpster fires. I’m looking back on > 10 years of security consulting, and for about three years I’ve been doing security research over at GitLab.
You can find an almost up to date list of some of the IT security related stuff I did in the past at https://0day.click/page/references/.
Fun fact: @fabs named his SAST tool joern after me 
The exploit I’m most proud of is the one for CVE-2012-0809, a format string issue in sudo. You can find it here: https://gist.github.com/joernchen/618a8940894084102fe2
The most notable shell I popped was on www.ccc.de, which was due to https://github.com/hukl/cccms/blob/220c6f7bdfc0da33d4284495d6954b2b89f224f6/config/initializers/session_store.rb#L9
Also I did a lot of Ruby on Rails hacking in the early 2010s and wrote about it in http://phrack.org/issues/69/12.html#article
Besides hacking and reading other people’s code I’m practicing Brazilian jiu-jitsu a lot in my spare time.
I’m legit @joernchen :D
