This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| #!/usr/bin/env python3 | |
| import usb.core | |
| import struct | |
| from collections import namedtuple | |
| APPLE_VID = 0x05ac | |
| Target = namedtuple("Target", ["vid", "pid", "name", "model", "total_size"]) |
Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.
Lab: https://4t64ubva.xssy.uk/
A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <spawn.h> | |
| #include <sys/wait.h> | |
| #include <string.h> | |
| /* ASLR disabling magic constant from Apple LLDB source code | |
| https://opensource.apple.com/source/lldb/lldb-76/tools/darwin-debug/darwin-debug.cpp | |
| */ |
| [ | |
| { | |
| "url": "https://updates.cdn-apple.com/2023SummerSeed/patches/042-21091/60572AF0-9BC3-465F-89ED-77117194CB26/com_apple_MobileAsset_SoftwareUpdate/3df121022bd578846478faa25a4dcf3055396954.zip", | |
| "build": "21N5207g", | |
| "filename": "iBEC.n301.RELEASE.im4p", | |
| "kbag": "AB7893B981E44BFF298328C89C826F8BA6EF1A7ADC80DB156C9D55D9F4E27E8AD2CC21AFA42A41E1392B57E9FE90D992", | |
| "key": "34b218667cd03eb93e073b9b3bca4a865b20f130550a800b2aa2c1c2348041865cee47db7e3bcda739d05adde9f9f716" | |
| }, | |
| { | |
| "url": "https://updates.cdn-apple.com/2023SummerSeed/patches/042-21091/60572AF0-9BC3-465F-89ED-77117194CB26/com_apple_MobileAsset_SoftwareUpdate/3df121022bd578846478faa25a4dcf3055396954.zip", |
| // ==UserScript== | |
| // @name ASTx2 Emulator | |
| // @namespace http://tampermonkey.net/ | |
| // @version 0.1 | |
| // @description try to take over the world! | |
| // @author @BawAppie | |
| // @match https://*/* | |
| // @icon https://www.google.com/s2/favicons?sz=64&domain=ahnlab.com | |
| // @grant none | |
| // ==/UserScript== |
| function Get-RdpLogonEvent | |
| { | |
| [CmdletBinding()] | |
| param( | |
| [Int32] $Last = 10 | |
| ) | |
| $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{ | |
| LogName='Security' | |
| ProviderName='Microsoft-Windows-Security-Auditing' |
| # IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX | |
| # | |
| # WIP research. (This was edited to add more info after someone posted it to | |
| # Hacker News. Click "Revisions" to see full changes.) | |
| # | |
| # Copyright (c) 2020 dougallj | |
| # Based on Python port of VMX intrinsics plugin: | |
| # Copyright (c) 2019 w4kfu - Synacktiv |
| syscall = 0 | |
| exit = 1 | |
| fork = 2 | |
| read = 3 | |
| write = 4 | |
| open = 5 | |
| close = 6 | |
| wait4 = 7 | |
| link = 9 | |
| unlink = 10 |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| // munged from https://github.com/simontime/Resead | |
| namespace sead | |
| { | |
| class Random | |
| { |
