thesamesam

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

atc1441

#include <stdio.h>
#include <stdint.h>
// Philips Sonicare NFC Head Password calculation by @atc1441 Video manual: https://www.youtube.com/watch?v=EPytrn8i8sc
uint16_t CRC16(uint16_t crc, uint8_t *buffer, int len) // Default CRC16 Algo
{
  while(len--)
  {
    crc ^= *buffer++ << 8;
    int bits = 0;
    do

Informatic

This is just a dump of some interesting undocumented features of webOS (3.8 specifically, on early 2018 4k LG TV) and other development-related tips.

Homebrew app ideas

• OpenVPN frontend (OpenVPN itself is easily buildable and runs on webOS TVs: https://discord.com/channels/407937994037919756/835489130967859251/906943542457401395)
• App autostart manager - dynamically update arbitrary app config and register it as input (see Registering an app as an input)
• webos-vncserver frontend with autostart option
• Package hyperiond into Piccap directly
• Quick Screenshot (expose HTTP port that just returns PNG of current screen contents)
• Custom IR remote codes editor/updater/blaster

JamesTheAwesomeDude

#!/bin/bash
set -e
set -o pipefail

# USAGE:
#	bash gamertag_to_xuid.sh GAMERTAG [...] > out.csv

# DEPENDENCIES:
# - GNU Bash version 4 or newer (or any shell supporting pipefail, heredocs, read, readarray, and POSIX printf)
# - GNU sed version ?? or newer (or any sed implementation supporting, -n, -e, the "p" flag to "s", and capturing-group references in substitution)

Treeki

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

// munged from https://github.com/simontime/Resead

namespace sead
{
class Random
{

gsurrel

###########################
# Phone apps and services #
###########################
adb shell "cmd package install-existing com.android.stk" # SIM toolkit
adb shell "cmd package install-existing com.android.stk2" # SIM toolkit (maybe for dual-sim devices)
adb shell "cmd package install-existing com.sec.android.app.simsettingmgr" # SIM card manager, maybe required, contains configuration and settings for handling dual SIM (give a SIM an icon, a name, and so on)
adb shell "pm uninstall -k --user 0 com.samsung.android.smartcallprovider" # The 4th tab in the Phone app for 'local places'
adb shell "pm uninstall -k --user 0 com.sec.vsim.ericssonnsds.webapp" # NSDSWebApp. The Non Sim Device Solution (NSDS) is linked to VoLTE and VoWifi (Wifi Calling). NSDS allows connecting non sim devices to IMS core: https://uk.linkedin.com/in/hemant-kumar-dewnarain-2b779679
adb shell "pm uninstall -k --user 0 com.android.cts.ctsshim" # Part of the Android Compatibility Test Suite: https://source.android.com/compatibility/cts/setu

castis

# Based on ReachView code from Egor Fedorov (egor.fedorov@emlid.com)
# Updated for Python 3.6.8 on a Raspberry  Pi


import time
import pexpect
import subprocess
import sys
import logging

masthoon

--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64

Interfaces :
Endpoints :

bahorn

import requests
import hashlib
import time
import uuid
import os
import copy
import json

# This is based on my personal implementation but stripped down to only what is
# needed to verify it.

shprota

"""
Demo platform that offers a fake climate device.

For more details about this platform, please refer to the documentation
https://home-assistant.io/components/demo/
"""
import asyncio
import logging
import socket
from importlib import import_module