[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023–29357 & CVE-2023–24955)
Brief I may have achieved successful exploitation of a SharePoint target during Pwn2Own Vancouver 2023. While the live demonstration lasted only approximately 30 seconds, it is noteworthy that the process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and r...
alg=none strikes again.
“Chaining the two bugs together, an unauthenticated attacker is able to achieve remote code execution (RCE) on the target SharePoint server. 😁.”Posted on 2023-09-25T19:47:54+0000
Ex-workers allege TikTok’s owner retaliated after racism complaints
Two Black ex-employees allege in a new Equal Employment Opportunity Commission charge that their managers retaliated against them after they complained about racism.
“Later, Matima alleges she learned from a colleague that she was commonly referred to by managers as a “black snake” and that her direct supervisor said that “black snake” was the “spirit animal” that he associated with her.
“I can’t stress enough how dehumanizing it was to learn of that,” she said in an interview.
After Matima formally complained again about discrimination from her manager, ByteDance earlier this year let both Matima and her supervisor go, according to the complaint. The company told her she was being fired for poor performance, according to the complaint.”Posted on 2023-09-24T17:22:04+0000
My solopreneur story: zero to $45K/mo in 2 years
Today is exactly 2 years since I quit my job and become a full-time indie hacker.
“In the first few months after quitting my job, I worked a lot. Probably 12 hours a day, or even 16 hours/day if you also count Twitter as “work”.
So when I reached $4K MRR, a decent amount considering my living cost in Vietnam, I started to slow down.
I still want to get more revenue, but I realized that this is a moving goalpost, and it will never stop. $10K, then $20K, then $50K. I knew I would never satisfied.
It’s much better to work and play at the same time.
So I traveled. I went for a trip around Vietnam.”Posted on 2023-09-23T22:11:55+0000
It's okay to Make Something Nobody Wants
Products seem to be made for users, but I think this might be an illusion; they are more like a medium for self-expression. Different expressions, conceived by various minds, undergo a form of natural selection, with the surviving expression being the one that resonates most with users. I mean, the....
“Later, when talking with my girlfriend about this, I suddenly understood Steve Jobs, and others like him, much more deeply.
People often complained about Jobs: when his team showed him their work, he would say “It doesn’t feel right,” and when they asked how to fix it, he said “I don’t know, make it better and show me again, and then I’ll know.”
This confused a lot of people. He found problems but didn’t know how to fix them or why they were problems.
Now, I totally get where Jobs was coming from.”Posted on 2023-09-23T22:04:23+0000
Definitely Do Not Put Plastic in the Microwave
Experts say, even if it claims to be “microwave-safe.”
“All of the experts I spoke with suggest people avoid storing and heating food in plastics altogether. “Without testing the entire landscape of these products, it is hard to really know” if any of them are truly safe, says Rogers.”Posted on 2023-09-23T22:01:54+0000
The Frustration Loop
Dealing with spam the fun way.
“"Now hold up there Herman! Won't this be triggered by valid users?" you say.
Perhaps, but it's fairly unlikely. In my tests I haven't managed to trigger it without explicitly performing a dodgy action. On top of that, it's been running in production for the past 3 months and I've only had one user report this as an issue. He was advertising online casinos.
Did it stop the spammers?
Yes!”Posted on 2023-09-23T21:54:11+0000
The WebP 0day
Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning att...
“The lack of available technical information from the vendors here made verification challenging, and it's questionable who this really benefits. Attackers are clearly highly motivated to track and exploit N-day vulnerabilities, and the lack of technical details being released won't significantly slow them down. On the other hand, very few defenders are resourced to be able to perform the type of technical analysis I've shared today. It's counter-intuitive, but withholding basic technical details about how these attacks are working in an asymmetry that mostly benefits attackers -- you quickly end up in a situation where attackers have access to insights about the vulnerability/exploit that defenders don't have.
This bug also shows that we have an over-reliance on fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed.”Posted on 2023-09-23T21:47:43+0000
How do databases execute expressions? | notes.eatonphil.com
How do databases execute expressions?
At some point I need to sit down and write a database. This was an exciting read.
“As the DuckDB team points out, vectorized interpretation or JIT compilation seem like the future for database expression execution. These strategies seem particularly important for analytics or time-series workloads. But vectorized interpretation seems to make the most sense for column-wise storage engines. And column-wise storage normally only makes sense for analytics workloads. Still, TiDB and Cockroach are transactional databases that also vectorize execution.
And while SQLite and PostgreSQL use the virtual machine model, it's possible databases with tree-walking interpreters like Scylla and MySQL/MariaDB have decided there is not significant enough gains to be had (for transactional workloads) to justify the complexity of moving to a compiler + virtual machine architecture.”Posted on 2023-09-22T06:57:47+0000
Confused Automakers Braced for Strike at the Wrong Plants
The Big Three automakers stalled production and moved parts out of plants across the country ahead of the strike, according to rank-and-file UAW members.
The moves this guy has been orchestrating are amazing.
“The strategy the UAW is currently employing is led by the union’s new militant president, Shawn Fain. He was elected in March after the UAW changed its election process from a delegate system to one member, one vote in the most recent leadership election. He has assumed a new posture for the union’s leadership: for example, refusing to endorse Joe Biden for president until he supports the UAW’s efforts to unionize electric vehicle facilities, and rejecting a ceremonial handshake with auto manufacturer bosses before the start of contract negotiations.”Posted on 2023-09-20T03:08:09+0000
Microsoft completely misjudged Baldur’s Gate 3
Not a great look for Microsoft
I’ve started playing it and liking it so far. Wish I had more time/energy to sink into it.
“In hindsight, Microsoft made a big oopsie; Baldur’s Gate 3 has no exclusivity tied to it, so its exclusion from the Xbox console was noticeable. In February, Larian Studios explained why Baldur’s Gate 3 didn’t have a planned Xbox release at the time. Vincke said on X — then Twitter — that Baldur’s Gate 3’s split-screen co-op didn’t work on Xbox Series S, Microsoft’s lower-priced console. Microsoft requires games to have feature parity across Xbox Series X and Series S, which held up the launch. By Aug. 24, after Baldur’s Gate 3’s major successes, Microsoft made a concession to let Baldur’s Gate 3 launch without split-screen co-op on Xbox Series S.
Baldur’s Gate 3 is now expected to arrive on Xbox later this year.”Posted on 2023-09-19T20:04:25+0000