upvote

points

by Retr0id4 hours ago |
comments
upvoteby athrowaway3z48 minutes ago|
next
[-]
A glance at the nmap one seems potentially high severity. It might be a nothing in practice, but it being around parser code means the chances of preparing something to jump around are pretty high.

There'd be a certain irony being able to reverse shell anyone doing an nmap scan. If i had infinite tokens i'd throw claude on writing an exploit and dig through the history who made it possible because - if we take a moment to wildly speculate and assume it can ACE - this is the kind of bug an intelligence agency would love to have: Add a few ipv6 packets that then edit the trace being observed if the observer uses nmap / get access to any researcher pc who uses nmap.

reply
upvoteby ofjcihen3 hours ago|
prev|
next
[-]
Was just thinking it would be hilarious if these were all known CVEs hiding the next Shai-Hulud inside of them and waiting to compromise security hobbyists rushing to download them.
reply
upvoteby Retr0id2 hours ago|
parent|
[-]
It wouldn't be the first time!
reply
upvoteby newguy331 hours ago|
prev|
next
[-]
Ghidra one is pretty weak, but I checked out the ones that were interesting to me (c-ares, libssh2, ffmpeg) and they seem to all work as of the latest upstream commit. Weird
reply
upvoteby woodruffw3 hours ago|
prev|
next
[-]
The Gitea one looks marginally interesting, but is probably not exploitable in practice (unless Gitea or whoever else isn’t properly isolating jobs on dedicated VMs). I suspect GitHub Actions has similar behavior and is not considered exploitable because the user is assumed to already have local, non-namespaced root access.
reply
upvoteby Scaled2 hours ago|
parent|
[-]
Gitea action runner has a bunch of different ways to setup and doing the isolation properly looks tricky. The documentation doesn't provide any isolation tests to administrators, either.

The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users. Not flawless security, but it's something...

reply
upvoteby woodruffw2 hours ago|
parent|
[-]
> The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users.

This recommendation seems incompatible with third-party collaboration, at least on its face!

reply
upvoteby dspillett20 minutes ago|
parent|
[-]
Potentially, but for many projects things like that are tools that you want to control access to anyway. Anyone wanting to update the CI/CD process who isn't a trusted part of the project should be having their changes properly reviewed by someone who is anyway, at which point the reviewer is the trusted user not the random external entity.
reply
upvoteby andrepd3 hours ago|
prev|
next
[-]
> Yes, if you overwrite binaries executed by ghidra, you can trigger code execution.

> but it's probably worth noting that "RMI" stands for Remote Method Invocation

This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322

reply
upvoteby ryukoposting3 hours ago|
prev|
next
[-]
I'm no expert on any of these programs, but that's kinda the problem, isn't it? No single person is an expert on every codebase supposedly exploited in this repo.

After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.

This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.

reply
upvoteby trinari3 hours ago|
parent|
next
[-]
I actually prefer them being public than in some governments or corporations toolbox
reply
upvoteby DANmode2 hours ago|
parent|
prev|
[-]
> Nobody benefits from this

Disclosures always enable more secure software to theoretically exist,

even if nobody follows through creating it.

They often do.

reply
upvoteby charcircuit2 hours ago|
prev|
next
[-]
>The first requires being able to overwrite binaries in the Swift tool directory.

Does it? Or does it need to be in the same directory you invoked ghidra?

reply
upvoteby skerit3 hours ago|
prev|
next
[-]
I immediately saw the Ghidra one and was thinking: huh?
reply
upvoteby firefax3 hours ago|
prev|
[-]
The bigger takeaway is someone that smart is pissed off and dropping their shit with zero warning... but hey, that's just like, my opinion man.
reply
upvoteby Retr0id3 hours ago|
parent|
[-]
You don't need to be pissed off to decide that immediate public disclosure is the best option.
reply
upvoteby firefax3 hours ago|
parent|
[-]
Ok, I don't know their emotional state. Fair point.

Maybe I'm projecting my own biases ;-)

reply
upvoteby 2 hours ago|
parent|
next
[-]
deleted
reply
upvoteby b1122 hours ago|
parent|
prev|
[-]
Meanwhile, some dude was just playing with claude and accidentally made his repo public.
reply