Last week @apple released macOS 13.4 which contains a fix for a vulnerability @suidpit exploited to escape the Sandbox.
Update now and stay tuned for the technical details!
InfoSec boutique.
Owning things since 2014.
We love to go for the extra mile, where we usually find the best 🪲🪳🕷️ the others miss.
In Lausanne for @1ns0mn1h4ck? Don't miss the chance to meet our very own
@not4nhacker! If you're into cursed OAuth hacking techniques or breaking mobile apps, find a comfy spot -- you might be there for a while!
🚨 New Open Source Audit Alert! 🚨
Shielder, with @OSTIF & @cloudnativefdn, audited @karmada_io:
6 issues found (1 high, 1 medium, 2 low, 2 info)
✔️ Most fixed, others planned.
🗣️ to @suidpit and @thezero
Full details in the blog post!
https://www.shielder.com/blog/2025/01/karmada-security-audit/
Attending @thesascon in the beautiful Bali 🏝️?
Make sure not to miss @suidpit's talk about his novel research on the macOS sandbox and how to bypass it.
Wednesday, October 23 - 15:10
It's always cool to contribute to free and open-source projects
★★★★★ - Would recommend!
We wanted to give a shout out to @smaury, who found a ReDoS security issue with Thunderbird Appointment. This resulted in us fixing the issue and removing deprecated urls! It's fantastic community contributions like this that makes Thunderbird so much more than the sum of its code.
For the weekend, we gift you with not one, but TWO ways to escalate `sudo iptables` (+ a couple other boring preconditions) into a r00t shell - read how @smaury and @suidpit managed to climb your friendly neighborhood 🔥wall!
https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/
Our very own @suidpit will present his novel #macOS research at #TheSAS2024 - if you want to learn more about the macOS sandbox and how to escape it make sure to be in Bali 🏝️ from Oct 22 to Oct 25!
Learn more here: https://thesascon.com/
During a recent engagement @mindlaess_ hacked his way through Vtiger CRM, which led to the discovery of a privilege escalation and a SQL injection.
Learn more in the dedicated advisories:
- CVE-2024-42994 #sqli https://www.shielder.com/advisories/vtiger-mailmanager-sqli/
- CVE-2024-42995 #privesc https://www.shielder.com/advisories/vtiger-migration-bac/
@luc Yes - we see the confusion out of it :)
We chose to go lowercase as the team behind the libraries refers to it as "boost".
We hope it was still an enjoyable read!
Back in December 2023 our researchers @thezero, @suidpit, and @mindlaess_ performed an audit sponsored by @awscloud and facilitated by @ostifofficial on boost.
It resulted in 7 findings and 15 new fuzzers.
The report is now public, check the details here: https://www.shielder.com/blog/2024/05/boost-security-audit/
In early 2023 we (@thezero & @smaury) collaborated with @securedrop to start designing and prototyping the #E2EE messaging protocol for a future version of SecureDrop.
blog post: https://securedrop.org/news/introducing-securedrop-protocol/
💻 poc code: https://github.com/freedomofpress/securedrop-protocol
We recently partnered with @ostifofficial to perform a security audit sponsored by @awscloud on Bref.
The audit resulted in 5 findings, promptly addressed by @mnapoli.
The report is now public, check the details here: https://www.shielder.com/blog/2024/03/bref-security-audit/
During a recent Red Team Assessment @thezero and @smaury discovered a vulnerability in PostgreSQL's #PgAdmin which in the worst case allows unauthenticated attackers to run arbitrary server-side code.
Check out the #RCE advisory and patch now!
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/
Ever wondered how to binary diff router firmwares to write n-day exploits?
Learn how @thezero and @suidpit combined unblob, binexport, ghidra, Qiling, and an Asus router to write an exploit for CVE-2023-39228.
The outcome was unexpected ...
While attending @silviocesare's training at @cybersaiyan's RomHack, @thezero and @suidpit chose to do some practice. While looking at the news they discovered some recently disclosed ASUS router unauthenticated RCEs.
They quickly bin-diffed the firmware versions, found the vulnerabilities, emulated the vulnerable firmware, and wrote an exploit for one of them.
This was so fast they had a working exploit even before jumping off the wayback.
Once at home they used their research budget to buy a real device and prove the vulnerability there too, but ... it was not working 🤯
Know what? The vulnerability was not unauthenticated on the physical device!
After some intense debugging sessions they discovered that not only that one but also a lot of other ASUS routers' vulnerabilities were probably incorrectly deemed as unauthenticated.
Apparently most of the researchers are either keeping an authentication bypass private or they do their research in emulated environments only and no one ever checked the vulnerabilities before issuing the CVE numbers and releasing the advisories.
TL;DR
Product security folks: do not blindly trust the attack requirements shared by the researchers.
Security researchers: when testing embedded devices make sure to mimic correctly all their configurations (i.e. the NVRAM content).
https://www.shielder.com/blog/2024/01/hunting-for-~~un~~authenticated-n-days-in-asus-routers/
Join @suidpit 🩺 in his journey into executing arbitrary code in #healthcare 🏥 servers with #polyglot files by creating an #exploit for CVE-2023-33466! #nday #exploit
https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-servers-with-polyglot-files/
Hey hackers - attending @nohatcon?
Pop by the booth at the entrance for some swag and to chat about crazy 🪲!
#nohat2023