Royce Williams roycewilliams
Client-side software update verification failures

Exploitable vulnerabilities in client-side software update mechanisms that could have been mitigated by secure transport (TLS). Contributions welcome. All text taken from the vulnerability descriptions themselves, with additional emphasis mine.

In scope:

  • I consider exploitation or privilege escalation of the package tool/system itself (that would have been mitigated by secure transport) to be in scope.
  • Issues only described as being triggered by malicious mirrors are assumed to also be vulnerable to MITM.
  • Failure to verify the software update at all is currently provisionally in scope if it could have been mitigated by secure transport, but I'm waffling about it. Most of these are actual signature verification failures, and my original purpose was to highlight cases where claims of "It's OK to be HTTP because verification!" seem to me to be specious.

Out of scope:

  • Transport downgrade attacks - that force a connection from being e
roycewilliams / extension-IDs-from-Somé-INRIA-paper.txt
Last active Jan 23, 2019
Extensions using exploitable APIs mentioned in the 2019 INRIA paper by Somé
# References:
# Cimpanu article:
# Testing tool:
# Paper:
roycewilliams /
Last active Jan 15, 2019
Crude example of using rules for the fourth word to accelerate performance of a hashcat attack on a 4-way Diceware passphrase (separated by spaces)
# Crude example of using rules for the fourth word to accelerate
# performance of hashcat attack on a four-word Diceware passphrase,
# separated by spaces
TEST_PLAIN="vine embalm blood micro"
# Quote the plaintext so the embedded spaces survive exactly as typed
TEST_MD5=$(echo -n "${TEST_PLAIN}" | md5sum | awk '{print $1}')
# Wrapper for PRINCE (pp64); "$@" passes each argument through unchanged
pp64() { /usr/local/bin/pp64.bin "$@"; }
View firefox-adult-inadjacency-cracked.txt
# Cracks of Firefox's adult/inadjacency list
# Hash source is base64-encoded binary MD5:
# Converted with: for item in $(cat hashes-base64.list); do echo $item | base64 -d | xxd -p; done
# Cracked by @tychotithonus and associates
# Last few tricky ones cracked by @s3inlc
roycewilliams / firefox-adult-inadjacency-analysis.txt
Last active Jan 14, 2019
A comparison of Firefox's adult-site/inadjacency blacklist and its sources
# ----------------------------------------------------------------------------------
# Firefox list (base64-encoded binary MD5):
# Convert with: for item in $(cat hashes-base64.list); do echo $item | base64 -d | xxd -p; done
# Firefox inadjacency commit:
# Ruttley list (apparent original source for the Firefox list):
# Via:
# Copyright (c) 2014, Yahoo! Inc.
# Copyrights licensed under the New BSD License. See the
# accompanying LICENSE.txt file for terms.
# Author Binu P. Ramakrishnan
# Created 09/12/2014
roycewilliams / mta-sts_scans-io_dns-any_2018-08-24.txt
Created Sep 16, 2018
MTA-STS hostnames from the "DNS ANY" dataset as of 2018-08-24
View insidepro-hashmanager-rules.txt
# Source:
# Distribution path: ./Help/En/Rules.txt
# Distribution timestamp: 2018-04-27
# Verified: 2018-06-14
# comment
: no-op: do nothing to the input password
l convert to lower case (PASSWORD -> password)
u convert to upper case (password -> PASSWORD)
c capitalize (password -> Password)
View ntpmemlog.txt
# grep ntpstats /etc/fstab
tmpfs /var/log/ntpstats tmpfs defaults,noatime,nodiratime,nosuid,mode=0755,size=200m 0 0
# cat /etc/init.d/ntpmemlog
# Provides: ntpmemlog
# Required-Start: $local_fs $time
# X-Stop-After: $time
# Required-Start: $local_fs $time
View ntp-scratch.txt
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
Active: active (running) since Tue 2018-04-03 07:02:47 UTC; 6s ago
Docs: man:systemd-timesyncd.service(8)
Main PID: 8724 (systemd-timesyn)
Status: "Synchronized to time server ("
CGroup: /system.slice/systemd-timesyncd.service
└─8724 /lib/systemd/systemd-timesyncd