Guido Vranken

@GuidoVranken

Software security and fuzzing. Contact: guido@guidovranken.com

Joined June 2018

Tweets

  1. Pinned Tweet
    Jan 31

    OpenWRT RCE via MITM/compromised DNS 🔥

  2. Feb 1
  3. Retweeted
    Jan 14

    CVE-2020-0601: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

  4. Retweeted
    Jan 14

    Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed "Turn a New Leaf," aimed at making more of the agency's vulnerability research available to major software vendors and ultimately to the public.

  5. Retweeted
    Jan 14

    This particular flaw is assigned as CVE-2020-0601. NSA says it exists in Win10 systems from July 2015 onward and Win Server 2016. My read on that is it's "critical" in those OSes, but may be present and less of a concern in older versions of Windows but we'll know more soon.

  6. Retweeted
    Jan 14

    Kubernetes started using today: , pays: 50$ min.

  7. Retweeted
    Jan 9

    Announcing BLAKE3! 🥳 * Faster than MD5, SHA-1, SHA-2, SHA-3, and BLAKE2 * Merkle tree: unlimited parallelism, verified streaming * Builtin MAC, KDF, XOF * One algorithm, no variants * Rust crate: Try it: cargo install b3sum

  8. Jan 7
  9. Dec 29, 2019

    Conversely, just moving uninitialized data around (eg. with memcpy, without branching) does not trigger valgrind/MSAN. That's why I often explicitly write function output to /dev/null to force evaluation in my fuzzers.

  10. Dec 29, 2019

    DJB shows creative use of valgrind/MemorySanitizer; run the crypto operation with an uninitialized key. If branching on uninitialized data is detected it might not be constant-time (because branching can lead to timing differences).

  11. Dec 29, 2019
  12. Dec 27, 2019

    BN_nist_mod_384 stops working as intended if you compile LibreSSL with clang -fsanitize=object-size -fno-sanitize-recover=object-size. Optimization levels don't seem to affect it (at least using Clang. Maybe with other compilers).

  13. Dec 27, 2019

    This is a reduction of something found in LibreSSL by the great OSS-Fuzz. x(12) (call it from another file) returns 2 with clang -O2, and 0 otherwise. And if you remove the printf, it returns 0 even with clang -O2 (Heisenbug).

  14. Retweeted
    Dec 12, 2019

    The RIPE NCC Community Projects Fund Selection Committee has announced the 2019 funding recipients! Seven projects have been selected, and you can find out more about each one at:

  15. Dec 20, 2019

    JavaScript fuzzing with libFuzzer

  16. Dec 10, 2019

    Because Squid maintainers and the Internet Bug Bounty are completely unresponsive, I've decided to publish the patch for the Squid remote buffer overflow, so people can patch ahead of an official release, whenever that may happen.

  17. Dec 5, 2019

    OpenSSL CVE-2019-1551: Incorrect consttime modular exponentiation, found after 1.5 years of bignum fuzzing at OSS-Fuzz

  18. Nov 19, 2019

    Find Squid bug for bug bounty. Write RCE exploit. Inform vendor (Oct. 5 2019). Send patch. Squid stops responding. Ask Internet Bug Bounty what to do. No response. So here I am with a major internet software 0day that nobody cares to move forward. Welcome to 2014.

  19. Nov 4, 2019

    See this post by for a demonstration of code execution through auto-thumbnailing a crafted file

  20. Nov 4, 2019

    This commit fixes over a dozen memory bugs in the xvid decoder found by OSS-Fuzz. Media codecs are the Achilles heel of desktop security and need much more scrutiny. Chrome auto-download + OS auto-thumbnailing might even amount to 0 click RCE.
