Dailydave mailing list archives

"Exploitation Less Likely"


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 12 Aug 2024 17:34:51 -0400

DefCon is a study in cacophony, and like many of you I'm still digging
through my backlog of new research in multifarious browser tabs, the way a
dragonfly keeps track of the world through scintillated compound lenses. In
between AIxCC (which proved, if anything, the boundaries
<https://dashboard.aicyberchallenge.com/collectivesolvehealth> of automated
bug finding using current LLM tech?), James Kettle's timing attack research
<https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work>,
and even more PHP ownership
<https://www.ambionics.io/blog/iconv-cve-2024-2961-p1>, you unfortunately
do have to pay attention to the outside world.

One of the things that lit up my sensors was the Windows Remote Desktop
Licensing service that came out from a sort of "Post QiHoo360" exploit
community, led by Dr. Zhiniang Peng (aka @edwardzpeng), an absolute legend
of exploitation. A remote unauthenticated heap overflow in the latest
Windows via an MSRPC endpoint, bypassing modern defenses by just calling
LoadLibraryA("\\webdav\owned.dll") on a fake object. An unexpected burst of
pure beauty really, like the iridescence of a Morpho moth flitting across a
concrete parking lot. The exploit
<https://github.com/CloudCrowSec001/CVE-2024-38077-POC/blob/main/CVE-2024-38077-EXP.py>
is public, but the original paper is now mysteriously deleted, I assume for
political reasons. If you have a copy of it, please shoot it my way. It's
telling that all the best exploits I know have "Exploitation less likely"
as their rating from Microsoft.

Anyways, it's interesting what merits attention, and what doesn't.

-dave