Microsoft has announced that they are going to begin to take steps against efforts to interfere in their democracy (archived). The steps they plan to take involve boosting their friends and silencing everyone else (archived) on platforms they can influence. This is clearly an attempt by Microsoft to undermine "democracy" by conducting lobbying activities and making non-monetary campaign contributions while screaming "OMG HAXx0RZ" as a distraction while they undermine it all.

A group calling itself the government of New Zealand has banned sales of homes to foreign nationals in an attempt to curb rising prices (archived). Under the measure, which exempts buyers of Australian and Singaporean nationality, foreigners would be restricted to purchasing apartments in large scale block developments.

In recent years New Zealand has seen substantial real estate demand from wealthy buyers from China and the US looking for a retreat from instability in larger Anglophone areas. With home ownership among adult New Zealanders floating around ~25 percent, this measure has the potential to deliver some serious pain to their rental market.

Continue reading →

A bill being considered in the US congress would drastically increase the fines the criminal organization calling itself the US Government imagines it can levy for radio frequency actors that refuse to surrender to USG extortion (archived). The full text of the proposal as it was presented July 24th is presented below: Continue reading →

In an episode reminiscent of the frequently revived Windows USB hole which propagated Stuxnet, Oracle has re-patched a kernel level hole in the "Solaris Availability Suite Service" which survived its initial patching 11 years ago largely intact. The vulnerability affects all versions of Solaris 10 and 11 allowing¹ locally logged in users to esclate their priviledge to their heart's content. Continue reading →

1. Text preserved below for the lulz as traditional archiving tools failed:

   CVE-2018-2892 – Kernel Level Privilege Escalation in Oracle Solaris

   July 24, 2018
   Posted By Neil Kettle
   Comments (0)

   Trustwave recently discovered a locally exploitable issue in all current versions of Oracle Solaris 10/11 as detailed in the recently posted Trustwave advisory. The issue is present in the kernel and is locally exploitable as an unprivileged user provided the local system has the Sun StorageTek Availability Suite (AVS) configured.
   The Vulnerability

   The vulnerability has an interesting history dating back to 2007 when the underlying issue was originally discovered and exploited. The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html). The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin(). The vulnerability itself is present in the ioctl handler for the '/dev/sdbc' device, the vulnerable code path passes through the following code with a 'cmd' value of 'SDBC_TEST_INIT ':

   common/avs/ns/sdbc/sd_misc.c:

   922 static int
   923 sdbcioctl(dev_t dev, int cmd, void *arg, int mode, cred_t *crp, int *rvp)
   924 {

   …

   953 switch (cmd) {

   …

   966 case SDBC_TEST_INIT:
   967 rc = _sd_test_init(&args);
   968 break;

   The code passes through the call to _sd_testing_init(&args) to the function definition given below:

   common/avs/ns/sdbc/sd_tdaemon.c:

   613 int
   614 _sd_test_init(void *args)
   615 {
   616 register struct a {
   617 caddr_t addr;
   618 long ar;
   619 long len;
   620 long tsize;
   621 long flag;
   622 } *uap = (struct a *)args;
   623
   624 if (copyin(uap->addr, devarray[uap->ar]1, uap->len2) ) {
   625 return (EFAULT);
   626 }
   627 dev_tsize[uap->ar]3 = (uap->tsize < 48) ? 48 : uap->tsize;
   628 dev_flag[uap->ar]4 = uap->flag;
   629 return (0);
   630 }

   There are at least 4 different vulnerabilities in this small code fragment! We summarise these below:

   arbitrary memory dereference resulting in an arbitrary destination pointer being passed to copyin(),
   arbitrary user-controlled length in the call to copyin() resulting in an unbounded memory write,
   arbitrary memory dereference and thus a user controllable write,
   arbitrary memory dereference and thus a user controllable write.

   However, the history of this particular vulnerability does not end there, sometime between 2009 and 2017 Oracle/Sun attempted to fix the issue by adding a bounds check on the value of uap->ar. The following disassembly illustrates the bounds checking Oracle/Sun applied:

   Screen Shot 2018-07-17 at 08.24.03

   As can be seen, the value of uap->ar should not be greater or equal to 128. However, we can also observer than Oracle/Sun did not modify the underlying type os uap->ar which is a signed long and as such a signedness issue exists since the value of uap->ar is not checked for a value < 0. As such an attacker could specify a value with the top most bit set (and thus negative) and pass the bounds check thereby dereferencing arbitrary memory once again. The remainder of the patch was to the limit the uap->len parameter to a signed value less than 256 (but also potentially negative).
   Exploitation

   Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.

   Image001
   Final Thoughts

   In case you were wondering why there would be such an obviously exploitable issue in a common configuration of Oracle Solaris, well the following might provide some hints:

   common/avs/ns/sdbc/sdbc_ioctl.h:

   93 #define SDBC_TEST_INIT _SDBC_(5) /* TESTING – tdaemon parameters */
   94 /*
   95 * char * device_name;
   96 * int index;
   97 * int len;
   98 * int track_size;
   99 * int flags;
   100 */

   The code in question may well be for testing purposes.

   This vulnerability has been issued CVE-2018-2892.
   Oracle has patched this vulnerability as a part of their July CPU patch cycle: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
   More information is available in our advisory here: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-007

    ↩

Police in Paris have deployed tear gas and water cannons while civil unrest has been reported in a number of French cities following a very African world cup victory (archived).

This week yet another case of inexpensive human labor fraudulently being presented as "artificial intelligence" came to light in the case of an app that offered "smart replies" by scanning email inboxes (archived). Actual algorithmic attempts at producing artificial intelligence tend to produce output unpallatable to pantsuit aligned Silicon Valley tastes.

Continue reading →

Continue reading →

On May 16, 2018, A USG kangaroo court convicted one Mr. Ruslan Bondars, a "non-citizen"¹ of USG marionette state Latvia, of "one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage".

Mr. Bondars was brutally kidnapped under colour of law by USG.FBI thugs, with the cooperation of local quislings;² held incommunicado and flown in secret to USA; brought to "trial" — and summarily convicted of all charges — for operating a WWW site called Scan4you. This appears to have been a service essentially-identical to more well-known items like VirusTotal (the latter — acquired by Google in 2012, reputedly for $0.5B USD); visitors could submit executables and view results from testing their submissions against popular MS-Windows antivirus programs.

However, unlike VirusTotal and other USG properties, Scan4you did not forward all user submissions to USG agents (Microsoft, alphabet-soup agencies, et al). In the words of the prosecuting Freisler:

"Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community."

Mr. Bondars now faces a 35-year sentence, "…as a warning to those who aid and abet criminal hackers".

The "Newton's Laws" governing this type of witch trial are, of course, quite well-known:

"Practically speaking, understand that one does not get to exist in the US sphere without being a tool of the USG.

You can't have a bank that does banking : either it does policing work for the USG or it gets burned down. You can't be an investor : either you push the USG agenda ad idem or else they come take your shit." —
"On how the factored 4096 RSA keys story was handled, and what it means to you." (Mircea Popescu)

It appears that the NATO Reich is moving ahead with its long-term plan to add vulnerability research to the list (already occupied by, e.g., banking) of formally declared Reich monopolies.

1. Mr. Bondars is a citizen of the USSR, and appears to have been, along with millions of others, "unpersoned" by the USG Baltic Bantustan formed after the May 1990 destruction of the Latvian Soviet Socialist Republic. Citizenship under the new regime was not granted to all persons lawfully residing there under the old one, but was contingent on demonstrating knowledge of the local monkey language (about a fifth of the population qualified) and taking a loyalty oath to the new quisling government. ↩

2. Explicitly credited by USG: "The Government of Latvia, including the Latvia State Police International Cooperation Department, the Latvia State Police Cybercrime Unit, and the General Prosecutor’s Office of the Republic of Latvia – International Cooperation Division, provided assistance and support during the investigation." ↩