Royce Williams roycewilliams

@roycewilliams
roycewilliams / clientside-software-update-verification-failures.md
Last active April 7, 2026 11:40
Exploitable vulnerabilities in client-side software update mechanisms that could have been mitigated by secure transport (TLS).

Client-side software update verification failures

Contributions welcome. All text taken from the vulnerability descriptions themselves, with additional emphasis mine.

In scope:

  • I consider exploitation or privilege escalation of the package tool/system itself (that would have been mitigated by secure transport) to be in scope.
  • Issues only described as being triggered by malicious mirrors are assumed to also be vulnerable to MITM.
  • Failure to verify the software update at all is currently provisionally in scope if it could have been mitigated by secure transport, but I'm waffling about it. Most of these are actual signature verification failures, and my original purpose was to highlight cases where claims of "It's OK to be HTTP because verification!" seem to me to be specious.
  • Software components regularly used to verify integrity in other software pipelines a
@roycewilliams
roycewilliams / pwnedpasswords-v6-top20k.txt
Last active February 20, 2026 17:46
pwnedpasswords-v6-top20k.txt
#------------------------------------------------------------------------------
# Top 20K hashes from the Troy Hunt / haveibeenpwned Pwned Passwords list v6 (2020-06-19)
# with frequency count and cracked plaintext passwords
#
# The latest version of this file can be found here:
# https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
# The equivalent of this file, but based on v2 of the Pwned Passwords, is here:
# https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
#------------------------------------------------------------------------------
# Notes and references:
@roycewilliams
roycewilliams / passphrase-wordlist.txt
Created January 12, 2017 01:06
passphrase-wordlist.txt
# Sources: PGP + Peerio + Bitcoin BIP39 + Bonneau/EFF | lc | sort -u
# Count: 17020
a
aardvark
abacus
abandon
abandoned
abbey
abbot
abbreviate
@roycewilliams
roycewilliams / scanModem.sh
Last active September 22, 2025 20:50
archive of linmodems.org scanModem.sh
#!/bin/bash
echo
NOTE=" ONLY use scanModem downloaded as: http://linmodems.technion.ac.il/packages/scanModem.gz"
UPDATE="2005_Oct_23"
cat<<END>/dev/null
Just working notes and URLs
http://linmodems.technion.ac.il/packages/smartlink/
mirror http://phep17.technion.ac.il/linmodems
@roycewilliams
roycewilliams / pwnedpasswords-v2-top20k.txt
Last active August 28, 2025 16:00
pwnedpasswords-v2-top20k.txt
#------------------------------------------------------------------------------
# Top 20K hashes from the Troy Hunt / haveibeenpwned Pwned Passwords list v2 (2018-02-21)
# with frequency count and cracked plaintext passwords
#
# The latest version of this file can be found here:
# https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
#
# NOTE: THIS FILE IS DEPRECATED.
# The equivalent of this file, but based on v6 of the Pwned Passwords, is here:
# https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
@roycewilliams
roycewilliams / hashcat-kwprocessor-typo-rules.txt
Last active August 22, 2025 22:53
hashcat-kwprocessor-typo-rules.txt
--------------------------------------------------------------------------------
# Crude generation of typo rules
# (Using kwprocessor (https://github.com/hashcat/kwprocessor) and hashcat)
#
# Useful for passwords that don't require confirmation (like some cryptocurrency
# wallets, password-protected archive files, etc.)
#
# May also be useful for stacking with other rules.
#
# This approach assumes that you are making the same typo every time
@roycewilliams
roycewilliams / md5-10k-rounds-password.txt
Last active August 17, 2025 03:51
The first 10,000 rounds of MD5("password")
# The first 10,000 rounds of MD5("password")
# Courtesy MDXfind - https://www.techsolvency.com/pub/bin/mdxfind/
# Source: https://gist.github.com/roycewilliams/794e4d7a81e7840deae29fdc7c03fa10
#
# See also: https://gist.github.com/roycewilliams/5e8d676ac4fe54fb7b6cb233b0721f57
#
# Windows:
# echo password | mdxfind -h "^MD5$" -z -f NUL -i 10000 stdin
#
# Linux:
@roycewilliams
roycewilliams / mdxfind-is-awesome.txt
Last active August 17, 2025 03:50
mdxfind-is-awesome.txt
#
# The word 'password', hashed with many unsalted hash types, up to 5 iterations deep
# Courtesy MDXfind - https://www.techsolvency.com/pub/bin/mdxfind/
# Source: https://gist.github.com/roycewilliams/5e8d676ac4fe54fb7b6cb233b0721f57
#
# See also:
# https://github.com/roycewilliams/kens-salty-rainbow # Common default descrypt hashes
# https://gist.github.com/roycewilliams/794e4d7a81e7840deae29fdc7c03fa10 # 10k rounds MD5
# https://gist.github.com/roycewilliams/1c8044e40ed0716f99a773036a8891ac # 10k rounds SHA1
# https://gist.github.com/roycewilliams/56b17c9d8c6937725ee7e6331db79fda # 10K rounds SHA256
@roycewilliams
roycewilliams / same-quad-list.txt
Last active August 13, 2025 19:59
same-quad-list.txt: a list of same-quad IPs by owner, with DNS status
#-----------------------------------------------------------------------
# same-quad-list.txt: a list of same-quad IPs by owner w/DNS status
#
# The CIDR network is the largest contiguous/bit-boundary-aligned block
# that is allocated to that entity (actual allocated range may be larger)
# NOTE: some ranges not yet converted to CIDR.
# Updates welcome - leave comment and/or ping royce@techsolvency.com
#-----------------------------------------------------------------------
# For human efficiency, some records are repeated here as comments.
#