p0her

520 posts

p0her

p0her

@_p0her_

Prompt engineer for vulnerability

Katılım Ağustos 2020
1.3K Takip Edilen1.2K Takipçiler
p0her retweetledi
V4bel
V4bel@v4bel·
💥 Introducing "Januscape" (CVE-2026-53359) A Guest-to-Host Escape in KVM/x86 exploiting a UAF in the shadow MMU. Triggerable on both Intel and AMD hosts. Threatens x86 public clouds (GCP, AWS) that expose nested virtualization. "16 years" latent. Successfully used as a 0-day exploit in "Google kvmCTF". To the best of public knowledge, the first KVM exploit research triggerable on both Intel and AMD. Details: januscape.io
English
8
103
443
53.6K
qwerty
qwerty@_qwerty_po·
Leaving Theori this July, after 4 great years. It's time to graduate, and I want to try something different from system hacking for a change. Not dropping hacking anytime soon though, so probably still catch me around conferences or commits, here and there. (Still owe a writeup on git.kernel.org/pub/scm/linux/… too.) Anyway, that's the plan.
English
7
0
116
6.1K
p0her retweetledi
Off-By-One Conference
Off-By-One Conference@offbyoneconf·
Should we treat each Windows vulnerability as an isolated bug? 🤨 Bocheng Xiang (@crispr_x) & HeeChan Kim (@heegong123) introduce a model chaining user-mode logical bugs for stable exploitation paths & kernel-mode logical bugs for LPE. More info: offbyone.sg/talk/bochengxi…
Off-By-One Conference tweet mediaOff-By-One Conference tweet media
English
1
12
84
8.6K
p0her retweetledi
crixer
crixer@pwning_me·
github.com/crixpwn/CVE-20… It has been a month since the patch was released, so I am releasing this. enjoy it
English
0
34
194
19.7K
p0her retweetledi
CyKor
CyKor@CyKorKU·
Korea’s #1-ranked hacker on HackerOne is back with a follow-up post! 👀 Hyunseo Shin (KU, 4th year) previously shared how he uncovered open-source 0-days using LLM agents. Now, he breaks down the AI-based vulnerability detection workflow behind those findings. Full post below 🔥 🔗 blog.cykor.kr/2026/06/Buildi… #CyKor #AI #hackerone
CyKor tweet mediaCyKor tweet media
English
2
113
786
49.8K
p0her retweetledi
Jenny Qu
Jenny Qu@GuanniQu·
found a verifier/interpreter mismatch in the Linux BPF subsystem (CVE-2026-31525, CVSS 7.8). arbitrary kernel read/write; become root, escape containers, disable SELinux, read TLS keys out of other processes' memory. anyway, it starts with the math bars, the absolute value. computers store negative numbers in two's complement. the smallest 32-bit signed integer is -2,147,483,648, and the largest positive is +2,147,483,647. there is no +2,147,483,648, since it simply does not fit. so when you call abs(-2,147,483,648), the C specification thinks about it for a moment, says "undefined," and leaves the room. on x86 and arm64, what you actually get back is -2,147,483,648. you asked for the absolute value of a negative number, you got back the same negative number. thank you computer :D the BPF interpreter implements signed 32-bit division (BPF_ALU | BPF_DIV/MOD, off == 1, added in ec0e2da95f72) by decomposing it into unsigned division: take abs() of both operands, divide via do_div(), reapply the sign. the handler in ___bpf_prog_run (kernel/bpf/core.c): AX = abs((s32)DST); AX = do_div(AX, abs((s32)SRC)); and look, the kernel even documents this. include/linux/math.h: "the return value is undefined when the input is the minimum value of the type." when DST = 0x80000000 (S32_MIN), abs() tries to negate it. -(-2,147,483,648) overflows s32, the C spec calls it undefined behavior, and the CPU hands back 0x80000000 unchanged. still negative. abs() had one job. this s32 then gets assigned into AX, a u64 BPF register. s32 → u64 sign-extends: 0x80000000 becomes 0xFFFFFFFF80000000. that's 18,446,744,071,562,067,968. you wanted 2,147,483,648, you got 18.4 quintillion; a rounding error of about 18.4 quintillion. do_div() is a 64-by-32-bit unsigned division macro and it operates on this full u64 numerator. the quotient is off by a factor of 2³². the smod path has the same problem since do_div() modifies the dividend in place and returns the remainder, both wrong. 8 call sites across sdiv32/smod32 src/imm handlers, all quietly producing nonsense whenever S32_MIN shows up. the BPF verifier is the safety system that statically analyzes every BPF program before allowing it to run. it exists specifically to guarantee that nothing bad can happen. scalar32_min_max_sdiv() in kernel/bpf/verifier.c tracks value ranges through abstract interpretation. it handles signed division correctly, including S32_MIN. computes tight, mathematically correct bounds. the interpreter, as we've established, computes whatever it feels like. so the verifier thinks register R0 is in range X. the interpreter puts value Y in R0. the safety system and the execution engine disagree about what a program does. in BPF security research, this is where you set down your coffee. concretely: load S32_MIN into R1, load 2 into R2, execute SDIV32 R1 R2. verifier determines R1 ∈ [-1,073,741,824, -1,073,741,824]. interpreter computes do_div(0xFFFFFFFF80000000, 2) = 0x7FFFFFFFC0000000, reapplies the sign, produces a completely unrelated value. use R1 as an index into a BPF map. verifier approves the access, bounds check passes against its calculated range. interpreter uses the actual value. out-of-bounds read/write on a kernel data structure. on every Linux machine running the BPF interpreter. the root cause of all of this: the absolute value function doesn't handle one number. one specific number, out of 4.2 billion possible inputs, and it's the one that gives you kernel read/write. the fix is: c static u32 abs_s32(s32 x) { return x >= 0 ? (u32)x : -(u32)x; } cast to u32 before negating. -(u32)0x80000000 = 0x80000000 unsigned. correct absolute value, no overflow, no undefined behavior. the kind of function you'd assume already exists somewhere in 30 million lines of kernel code. it did not. I got to write it. :D I reported this, wrote the patch, got it through 5 revisions of review. acked by Yonghong Song and Mykyta Yatsenko. now patched in stable 6.6, 6.12, 6.18, 6.19. if you haven't updated your kernel: maybe do that.
Jenny Qu tweet media
English
8
55
368
63.7K
minzu
minzu@m_in__zu·
Honored to participate in my first DEF CON as part of The Seoul Sauna Shogunate, a joint team by RubiyaLab Expeditions. Thanks to all my teammates for the amazing experience 🫶🏻
RubiyaLab@rubiyalab

The Seoul Sauna Shogunate (SSS 🇰🇷♨️🏯) finished 7th in DEF CON Quals CTF yesterday! 🥳 So proud to be part of this amazing coalition with @EQSTLab, H-T8, NAVER Cloud, @tkbpc, and individual players! Huge thanks to BBB for the great challenges. See you all in Vegas! 🛫🇺🇸

English
1
0
13
1.6K
p0her retweetledi
TeamH4C
TeamH4C@TeamH4C__·
New Blog Post! "How Is the Rise of LLMs Changing the Security Industry?" h4c.team/posts/17
English
0
2
5
754
p0her retweetledi
TeamH4C
TeamH4C@TeamH4C__·
We played two CTFs last week! We took 1st place in Break The Syntax CTF and finished 6th in Midnight Sun CTF Quals. We’re headed to Stockholm, Sweden this June for the Midnight Sun CTF finals! 🇸🇪🏆
TeamH4C tweet mediaTeamH4C tweet media
English
0
1
4
598
p0her retweetledi
kimh
kimh@desckimh·
Missed out on Pwn2Own2026 Berlin because it was way too crowded this time. 🥲 Well, here’s the Ollama RCE that I was going to bring. Still unpatched and working (v0.22.1 in the video, but still working)
English
5
52
472
52.5K
p0her retweetledi
0xor0ne
0xor0ne@0xor0ne·
"From Zero to QEMU: A journey into system emulation" #slide=id.g357295fe39c_0_3" target="_blank" rel="nofollow noopener">docs.google.com/presentation/d… Credits Antonio Nappa #infosec #qemu
0xor0ne tweet media0xor0ne tweet media
2
63
415
18.3K