BEDNAR~1 (Now on @[email protected])

Published my writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928, a `writeToParcel`/`createFromParcel` serialization mismatch: github.com/michalbednarsk…

Published new writeup, in which I show bypass for Intent validation inside AccountManagerService on Android 13 despite "Lazy Bundle" mitigation github.com/michalbednarsk…

Published writeup and exploit for CVE-2022-20452, privilege escalation on Android 13 via Parcel use-after-recycle() github.com/michalbednarsk…

Trying out Mastodon: @BednarTildeOne" target="_blank" rel="nofollow noopener">infosec.exchange/@BednarTildeOne (No idea where I'll be active, I'm rarely active anywhere, although I'll probably have some cool writeup in about month, will post announcement to both if nothing collapses)

TIL about C++ chrono default constructors: This defaults to zero (epoch): std::chrono::steady_clock::time_point a; This defaults to whatever memory was there: std::chrono::steady_clock::duration b; godbolt.org/z/h6h37o5ax

[Old bug, CVE-2018-9492] On Android 8 and 9 apps could grant themselves access to any ContentProvider through use of FLAG_GRANT_PERSISTABLE_URI_PERMISSION, which made system skip checking if caller itself has permission which is being granted. Fix commit: android.googlesource.com/platform/frame…

@_bagipro Long time ago there was ThreadLocal in ActivityManagerService that overridden ALL permission checks done under IActivityManager.openFile, later after my report this was restricted and it only affected ContentProvider.openFile: android.googlesource.com/platform/frame…

Bypassing ContentProvider.openFile() internal security checks in Android [1/3] I've discovered an interesting trick that you may use to access private information using a content provider

@_bagipro Later this was changed to use AttributionSource but behaviour regarding custom enforceCallingPermission remained android.googlesource.com/platform/frame…

@_bagipro That introduced behaviour you've described, old one could be used to perform AppOpsManager.setMode using media_server permissions (So I'm partially at fault for what you're describing here)

@gynvael youtube.com/watch?v=cGveIv… TL,DW: >>> t = ([],) >>> t[0] += [1] Traceback (most recent call last): File "<stdin>", line 1, in <module> TypeError: 'tuple' object does not support item assignment >>> t ([1],)

Current collection of cursed operators in various programming languages (from various sources). New submissions welcomed! Featuring at least #javascript #python #c and #cpp, but most of these "work" in other languages too.

@foxgirl_IRL No, I mean that is it that "var randomSel" inside while is different variable (due to extra "var", shadowing outer variable) and outside while "randomSel" stays the same (?)

@foxgirl_IRL Is this about randomSel being shadowed inside while? (I don't know Haxe but this looks suspicious and in alt-text you didn't point that)

@foxgirl_IRL asciiquarium

The important thing here isn't to poo-poo new tools, it's to share. I just learned about "ss -plant" a year or two ago and it makes "netstat -na | grep LISTEN" or lsof unnecessary.

“Is this the simplest (and most surprising) sorting algorithm ever?” arxiv.org/abs/2110.01111 Abstract: We present an extremely simple sorting algorithm. It may look like it is obviously wrong, but we prove that it is in fact correct.

@foxgirl_IRL Although other effect of using shared server was that there was time when fork-bombs were breaking everything for everyone There were class where we were writing programs with fork(2) and many made one by mistake

@foxgirl_IRL Yeah, we had that at university, students were write(1)-ing messages to annoy other classes