The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
Tiberium 50 minutes ago [-]
Are they all actually 0-day? I think a lot of them are from disclosed CVEs/code that were already fixed upstream. It often seems like the term "0-day" has lost most of its meaning today and people often use it to refer to any exploits.
tempest_ 35 minutes ago [-]
Repo claims
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
drob518 15 minutes ago [-]
There is going to be a flurry of this sort of stuff as the AIs get smart enough to find them. It will naturally die down as the legitimate ones are fixed. Yes, there will always be some level of this, but I’d expect it to be low and the exploits found to be increasingly complex. This is a time of transition.
kodareef5 16 minutes ago [-]
trying something new? this is interesting. the problem is that submitting reports is too slow. if you find one then your not supposed to share. but then over the next 90 days you learn no one cares and 13 other people submitted it before you, 43 after. maybe better that we just know. so we can run code we can trust sooner. zero is the proper number of dependencies. otherwise assume its broken.
merelydev 56 minutes ago [-]
Most of the exploits are for opensource/free software.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
derektank 8 minutes ago [-]
Presumably, one could let the bots loose on your own codebase first. The question is one of financing of course. If your end users are enterprises willing to pay for a support contract, they probably care enough about not getting hacked to endure the higher prices that would let you throw enough tokens at the problem. Other open-source projects might have a harder time.
serf 51 minutes ago [-]
llms are fantastic disassembly partners, they're quite good at labeling functions from various dissassemblers -- the net losses from losing the benefits of open source , imo , outweigh the protection afforded by hiding your source code in yet another layer that is more and more easily unrolled through automated procedures.
blensor 41 minutes ago [-]
And isn't it also mostly a transitioning issue. Those open codebases will be constantly scanned for potential security issues and getting more and more hardened.
There are probably a lot of easy wins that are going to be discovered over the next few years but it should taper out after a while.
merelydev 40 minutes ago [-]
Fair point but it assumes we all have access to LLMs with the same capabilities.
yjftsjthsd-h 31 minutes ago [-]
I don't think that's exactly it. OSS only needs someone to have a strong LLM to check for bugs. If your software is proprietary, it's a competition between just you and whatever model you have vs any attacker and whatever model they can lay hand to.
merelydev 42 minutes ago [-]
True. Its a trade-of, LLMs in this regard are only effective when they have access to the source code?
I do not wish to undermine the philosophical underpinnings of free software and its net benefit to society. Without it we wouldn't even have the code generators we have today.
spongebobstoes 45 minutes ago [-]
disassembly only applies to client side software
something like nginx could arguably be more secure if it was closed source
(I am a proponent of and contributor to open source)
gpm 39 minutes ago [-]
Only until a single server running nginx is hacked and the binary leaked though...
Hizonner 34 minutes ago [-]
Um, the nginx binary would have to be in the hands of hundreds of thousands of server operators. And the set of server operators is rich in the kind of person who would attack it. Not to mention the huge number of leaks you'd get.
Maybe if it's some server-side software that you only use yourself...
maxloh 31 minutes ago [-]
Open source is a good thing, but I don't think what you are proposing is accurate.
A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.
throwaway613746 26 minutes ago [-]
[dead]
jdw64 49 minutes ago [-]
I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
jdw64 35 minutes ago [-]
But do people actually find these vulnerabilities on their own, or are they using LLMs? I was curious about how these vulnerabilities work, so I tried asking my dear friend Mr. CLAUDE, but he immediately threw an error and ended the session because it was a cybersecurity question. Enterprise APIs block even the analysis itself, so it's amazing that people can actually pull this off in practice.
lacoolj 20 minutes ago [-]
I imagine this is a large open model like GLM5.2 etc
jeffbee 20 minutes ago [-]
le sigh, c-ares. Very predictable outcome. If you ever find yourself entertaining the idea that you will simply write non-blocking network protocol stacks in C with manual lifetime management, slap yourself. It doesn't matter if you think you are a super genius of unimpeachable taste. The job is impossible.
jdw64 13 minutes ago [-]
Thank goodness I use a GC language
johnwheeler 11 minutes ago [-]
That's one way to do it.
functionmouse 57 minutes ago [-]
we have got to stop putting our bank accounts and SSNs on computers
ryandrake 18 minutes ago [-]
We need our infrastructure to stop treating bank account numbers and social security numbers as secrets. At least in the US, bank account numbers appear on physical checks and are required to be shared in order to do an ACH transfer, and a social security number is not supposed to be used as an identifier (unless to the Social Security Administration itself) or as a secret password.
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
derektank 5 minutes ago [-]
It’s quite ridiculous that we haven’t been able to build a modern identification system capable of replacing SSNs in the last 30 years.
gnerd00 31 minutes ago [-]
... support cash, tell your neighbors
Cider9986 15 minutes ago [-]
And Monero for online.
JohnMakin 20 minutes ago [-]
til you get debanked
krapp 18 minutes ago [-]
Cash doesn't require a bank.
speedgoose 5 minutes ago [-]
Banks are kinda useful to avoid getting robbed all your money, on a regular basis.
Many French people with crypto money experienced that the hard way recently.
mrbluecoat 39 minutes ago [-]
A surprising amount of documentation if the actor was just LLM-dropping these..
Retr0id 16 minutes ago [-]
Why is that surprising? LLMs can churn out arbitrary volumes of "documentation" in an instant.
dawnerd 14 minutes ago [-]
That seems trivial for an llm to provide.
tliltocatl 34 minutes ago [-]
A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.
Retr0id 13 minutes ago [-]
No, the days start counting from the availability of a patch.
ohadkr 29 minutes ago [-]
Open source is the best
Rendered at 16:37:54 GMT+0000 (Coordinated Universal Time) with Vercel.
The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
I do not wish to undermine the philosophical underpinnings of free software and its net benefit to society. Without it we wouldn't even have the code generators we have today.
something like nginx could arguably be more secure if it was closed source
(I am a proponent of and contributor to open source)
Maybe if it's some server-side software that you only use yourself...
A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
Many French people with crypto money experienced that the hard way recently.