A serious bug in #Linux from 12 years ago allows you to get root on any distro
To fix it upgrade or:
chmod 0755 /usr/bin/pkexec
#PwnKit: Local Privilege Escalation #Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
To fix it upgrade or:
chmod 0755 /usr/bin/pkexec
#PwnKit: Local Privilege Escalation #Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
Qualys Security Blog
PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) | Qualys Security Blog
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.
New Linux bug gives root on all major distros, exploit released.
A new Linux vulnerability known as 'Dirty Pipe' allows local users to gain root privileges through publicly available exploits.
Today, security researcher Max Kellermann responsibly disclosed the 'Dirty Pipe' vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices.
The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
Kellerman discovered the bug after tracking down a bug that was corrupting web server access logs for one of his customers.
Kellerman states that the vulnerability is similar to the Dirty COW vulnerability (CVE-2016-5195) fixed in 2016.
https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/
https://dirtypipe.cm4all.com/
📡@cRyPtHoN_INFOSEC_EN
#linux #root #vulnerability
A new Linux vulnerability known as 'Dirty Pipe' allows local users to gain root privileges through publicly available exploits.
Today, security researcher Max Kellermann responsibly disclosed the 'Dirty Pipe' vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices.
The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
Kellerman discovered the bug after tracking down a bug that was corrupting web server access logs for one of his customers.
Kellerman states that the vulnerability is similar to the Dirty COW vulnerability (CVE-2016-5195) fixed in 2016.
https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/
https://dirtypipe.cm4all.com/
📡@cRyPtHoN_INFOSEC_EN
#linux #root #vulnerability
#Intel and #AMD Hertzbleed CPU #Vulnerability Uses Boost Speed to Steal Crypto Keys
Intel and researchers from UT Austin, UIUC, and UW published papers today outlining the 'Hertzbleed' chip vulnerability that allows side-channel attacks that can steal secret AES cryptographic keys by observing the CPU's boost frequency/power mechanisms. Both Intel and AMD CPUs are impacted.
The vulnerability impacts all Intel processors and AMD Zen 2 and Zen 3, but it isn't clear if it will impact the upcoming Zen 4 Ryzen 7000.
https://www.tomshardware.com/news/intel-amd-hertzbleed-cpu-vulnerability-boost-clock-speed-steal-crypto-keys
Intel and researchers from UT Austin, UIUC, and UW published papers today outlining the 'Hertzbleed' chip vulnerability that allows side-channel attacks that can steal secret AES cryptographic keys by observing the CPU's boost frequency/power mechanisms. Both Intel and AMD CPUs are impacted.
The vulnerability impacts all Intel processors and AMD Zen 2 and Zen 3, but it isn't clear if it will impact the upcoming Zen 4 Ryzen 7000.
https://www.tomshardware.com/news/intel-amd-hertzbleed-cpu-vulnerability-boost-clock-speed-steal-crypto-keys
Tom's Hardware
Intel and AMD Hertzbleed CPU Vulnerability Uses Boost Speed to Steal Crypto Keys
Boost frequencies reveal timings, and thus secret keys
Fundamental flaws uncovered in Mega's encryption scheme — show the service can read your data
MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.
https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/
#mega #vulnerability #cloud #data
MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.
https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/
#mega #vulnerability #cloud #data
Ars Technica
Mega says it can’t decrypt your files. New POC exploit shows otherwise
Fundamental flaws uncovered in Mega's encryption scheme show service can read your data.
MEGA Security Update
https://blog.mega.io/mega-security-update
Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.
Who is potentially affected?
Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.
Who could have exploited the vulnerability?
Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
What could have been the outcome?
Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).
#mega #cloud #vulnerability
https://blog.mega.io/mega-security-update
Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.
Who is potentially affected?
Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.
Who could have exploited the vulnerability?
Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
What could have been the outcome?
Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).
#mega #cloud #vulnerability
Mega Blog
MEGA Security Update - Mega Blog
Company and product updates of MEGA Cloud storage. Access the world's most trusted, protected cloud storage.
KeePass exploit helps retrieve cleartext master password, fix coming soon – https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/
#KeePass #vulnerability
#KeePass #vulnerability
BleepingComputer
KeePass exploit helps retrieve cleartext master password, fix coming soon
The popular KeePass password manager is vulnerable to extracting the master password from the application's memory, allowing attackers who compromise a device to retrieve the password even with the database is locked.
The code that wasn't there: Reading memory on an Android device by accident | The GitHub Blog – 2023
#Android #Vulnerability #Bug #Qualcomm
The bug was a somewhat accidental find, and although it can only be used to leak information, it is nevertheless a very powerful bug that can be used to leak large amounts of information to a malicious Android app; it can be used an unlimited number of times with no adverse effects on the running state of the phone. I’ll show how it can be used to leak information at the page level in the user space and kernel space. I’ll then use the kernel space information leak to construct a KASLR bypass. From a vulnerability research point of view, it’s also a rather subtle and perhaps one the most unusual bugs that I’ve ever found
#Android #Vulnerability #Bug #Qualcomm
New Python tool checks NPM packages for manifest confusion issues –
The problem is with the inconsistent information between a package's manifest data as displayed in the NPM registry and the data present in the 'package.json' file of the published package.
A malicious actor could manipulate the manifest data of a new package, eliminating certain scripts or dependencies so that they do not appear in the NPM registry.
However, these scripts or dependencies would still be present in the package.json file and would be executed when the package is installed, without the user being aware
#Github #cybersec #vulnerability
The problem is with the inconsistent information between a package's manifest data as displayed in the NPM registry and the data present in the 'package.json' file of the published package.
A malicious actor could manipulate the manifest data of a new package, eliminating certain scripts or dependencies so that they do not appear in the NPM registry.
However, these scripts or dependencies would still be present in the package.json file and would be executed when the package is installed, without the user being aware
#Github #cybersec #vulnerability
BleepingComputer
New Python tool checks NPM packages for manifest confusion issues
A security researcher and system administrator has developed a tool that can help users check for manifest mismatches in packages from the NPM JavaScript software registry.
itnewsbot@schleuss.online - WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April - Enlarge (credit: Getty Images)
A newly discovered zeroday in t... - https://arstechnica.com/?p=1962625 #vulnerability #security #zipfiles #exploit #zeroday #biz #winrar
A newly discovered zeroday in t... - https://arstechnica.com/?p=1962625 #vulnerability #security #zipfiles #exploit #zeroday #biz #winrar
Ars Technica
WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April
Vulnerability allows hackers to execute malicious code when targets open malicious ZIP files.
#Intel ‘Downfall’: Severe flaw in billions of #CPUs leaks passwords and much more
There is a serious security flaw in billions of Intel CPUs that can let attackers steal confidential data like passwords and encryption keys. Firmware updates can fix it, but at a potential significant performance loss.
https://www.pcworld.com/article/2025589/downfall-serious-security-vulnerability-in-billions-of-intel-cpus-how-to-protect-yourself.html
https://downfall.page/
>It only requires the attacker and victim to share the same physical processor core
>only
"if you let us in your house, we might steal your stuff!"
#vulnerability
There is a serious security flaw in billions of Intel CPUs that can let attackers steal confidential data like passwords and encryption keys. Firmware updates can fix it, but at a potential significant performance loss.
https://www.pcworld.com/article/2025589/downfall-serious-security-vulnerability-in-billions-of-intel-cpus-how-to-protect-yourself.html
https://downfall.page/
>It only requires the attacker and victim to share the same physical processor core
>only
"if you let us in your house, we might steal your stuff!"
#vulnerability
PCWorld
Intel ‘Downfall’: Severe flaw in billions of CPUs leaks passwords and much more
There is a serious security flaw in billions of Intel CPUs that can let attackers steal confidential data like passwords and encryption keys. Firmware updates can fix it, but at a potential significant performance loss.
Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica –
A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday
#Apple #Vulnerability #Infosec
A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday
#Apple #Vulnerability #Infosec
Ars Technica
Unpatchable vulnerability in Apple chip leaks secret encryption keys
Fixing newly discovered side channel will likely take a major toll on performance.
#Bluetooth #vulnerability allows unauthorized user to record & play audio on Bluetooth speaker via #BlueSpy
Prevention section explains how you can check if your Bluetooth LE speakers/headsets are vulnerable to this attack using nRF Connect app
https://www.mobile-hacker.com/2024/03/22/bluetooth-vulnerability-allows-unauthorized-user-to-record-and-play-audio-on-bluetooth-speakers/
#BlueDucky automates exploitation of Bluetooth pairing vulnerability that leads to 0-click code execution
▪️automatically scans for devices
▪️store MAC addresses of devices that are no longer visible but have enabled Bluetooth
▪️uses Rubber Ducky payloads
https://www.mobile-hacker.com/2024/03/26/blueducky-automates-exploitation-of-bluetooth-pairing-vulnerability-that-leads-to-0-click-code-execution/
Demonstration of using BlueDucky to exploit 0-click Bluetooth vulnerability of unpatched Android smartphone (CVE-2023-45866)
Exploit was triggered by Raspberry Pi 4 and then by Android running NetHunter
https://youtu.be/GOGW7U1f2RA
@androidMalware
Prevention section explains how you can check if your Bluetooth LE speakers/headsets are vulnerable to this attack using nRF Connect app
https://www.mobile-hacker.com/2024/03/22/bluetooth-vulnerability-allows-unauthorized-user-to-record-and-play-audio-on-bluetooth-speakers/
#BlueDucky automates exploitation of Bluetooth pairing vulnerability that leads to 0-click code execution
▪️automatically scans for devices
▪️store MAC addresses of devices that are no longer visible but have enabled Bluetooth
▪️uses Rubber Ducky payloads
https://www.mobile-hacker.com/2024/03/26/blueducky-automates-exploitation-of-bluetooth-pairing-vulnerability-that-leads-to-0-click-code-execution/
Demonstration of using BlueDucky to exploit 0-click Bluetooth vulnerability of unpatched Android smartphone (CVE-2023-45866)
Exploit was triggered by Raspberry Pi 4 and then by Android running NetHunter
https://youtu.be/GOGW7U1f2RA
@androidMalware
Mobile Hacker
Bluetooth vulnerability allows unauthorized user to record and play audio on Bluetooth speakers
This critical security issue allows third party user to record audio from Bluetooth speaker with built-in microphone in vicinity, even when it is already paired and connected with another device. This can result in eavesdropping on private conversations using…
Forwarded from Pegasus NSO & other spyware
Becoming any Android app via Zygote command injection | Meta Red Team X
#Zygote #Android #Vulnerability
We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they can read and write any app’s data, make use of per-app secrets and login tokens, change most system configuration, unenroll or bypass Mobile Device Management, and more. Our exploit involves no memory corruption, meaning it works unmodified on virtually any device running Android 9 or later, and persists across reboots.
#Zygote #Android #Vulnerability
Security flaw found in #android's WRITESECURESETTINGS showing attackers access to any app's data
https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#vulnerability
https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#vulnerability
Meta Red Team X
Becoming any Android app via Zygote command injection
We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they can read and write…