Nostr notes by Will Dormann

The folks at iTerm2 figured out a way to get [arbitrary code ...

2026-04-19T23:55:05Z

The folks at iTerm2 figured out a way to get [arbitrary code execution as the result of cat <file>](https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not ), which is... impressive?

From the same author as ...

2026-04-16T02:27:28Z

From the same author as [BlueHammer](https://github.com/Nightmare-Eclipse/BlueHammer ) we now have [RedSun](https://github.com/Nightmare-Eclipse/RedSun ).

This works 100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server with April 2026 updates, as well as Windows 10.

A path that would make me feel more comfortable would be: > ...

2026-04-15T13:32:05Z

In reply to nevent1q…x0a6
_________________________

A path that would make me feel more comfortable would be:

> We've changed the default setting in Signal to not put message bodies in the (external-to-Signal) notifications database. At least until the dust has settled.

But no, the battle that is being chosen is:
We are pleading with Apple to have self-deleting messages not be permanently retained in the notifications database.

I get that security vs. usability are usually at odds with each other. But I suppose I'd like a bit more transparency here.

From a worse place on the interwebs. Implying: Signal message ...

2026-04-15T11:44:37Z

In reply to nevent1q…c2au
_________________________

From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.

Signal message content being present for **self-deleting** messages is not (in their minds).

🤔

From elsewhere on the interwebs: ...

2026-04-15T00:28:00Z

In reply to nevent1q…t5a5
_________________________

From elsewhere on the interwebs:

Yup. It seems to make the race condition unwinnable.

2026-04-14T21:19:48Z

In reply to nevent1q…6xpk
_________________________

Yup. It seems to make the race condition unwinnable.

There is at least one Adobe Reader 0day being exploited in the ...

2026-04-09T22:03:47Z

There is at least one Adobe Reader 0day being exploited in the wild:
https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html

TL;DR: One 0day is being used to simply communicate details to a C2 server to get further commands. Specifically, there is a vulnerability that allows reading arbitrary local files using Reader JavaScript. In this case, ntdll.dll and friends, so that the C2 knows specifically what version of Windows the victim is running.

Nobody knows what secondary payload the C2 is delivering to selected targets. But it's a direct pipeline to allow the C2 to run arbitrary JavaScript on the victim system.

So I'll bet dollars to donuts that there is a **second** more powerful vulnerability that the attackers have up their sleeves. Or at the very least, the same vulnerability that allows the privileged file read might be able to be leveraged to do something nasty. And the whole AES-encrypted C2 stuff is merely to not put the payload statically in the exploit PDF, allowing a dynamic payload for any given target.

On the macOS side of things, we have [confirmation that Signal ...

2026-04-09T19:44:08Z

In reply to nevent1q…34jw
_________________________

On the macOS side of things, we have [confirmation that Signal notification contents get stored, even for disappearing messages](https://objective-see.org/blog/blog_0x2E.html )

iOS sadly offers less visibility into what's going on. But the FBI probably appreciates that it's happening there too.

The default notification setting for Signal (on both iOS and macOS) ensures that potentially sensitive information leaks out of the Signal app. This is unfortunate.

Can we get a comment on this? 1) The default Signal setting to ...

2026-04-09T15:50:26Z

In reply to nevent1q…8x00
_________________________

Can we get a comment on this?

1) The default Signal setting to show message contents in push notifications seems... bad, assuming this article is accurate.
2) Does changing the in-Signal-app setting for Notification Content indeed prevent notifications from being stored **anywhere**, which by default contains incoming message **bodies**.

Let me get this straight... The default setting for Signal on ...

2026-04-09T14:56:37Z

Let me get this straight...

The **default setting** for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted? 🤔

https://www.404media.co/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2/

Yeah, that's good. My spice collection is in every possible ...

2026-04-08T18:38:17Z

In reply to nevent1q…6f2g
_________________________

Yeah, that's good.

My spice collection is in every possible container that exists, so no fixing that. 😂

That's nice, but any time I see spice organization like this, ...

2026-04-08T18:21:27Z

In reply to nevent1q…v5z6
_________________________

That's nice, but any time I see spice organization like this, I can't help but think: "all original containers prematurely go into a landfill, for reasons."
😂

It's kind of neat. And slightly complex. But essentially the ...

2026-04-08T03:27:51Z

In reply to nevent1q…53yz
_________________________

It's kind of neat. And slightly complex.
But essentially the consequences of pissing off security researchers wanting to do the right thing.

I didn't make the exploit. I merely looked at it after it was ...

2026-04-08T03:23:38Z

In reply to nevent1q…p7u7
_________________________

I didn't make the exploit. I merely looked at it after it was published. Now that I'm allowed to talk infosec publicly again.

I also shared my thoughts about what it's like to work with MSRC these days. 😂

There's a new Windows 0day LPE that has been disclosed called ...

2026-04-06T13:46:04Z

There's a new Windows 0day LPE that has been disclosed called [BlueHammer](https://github.com/Nightmare-Eclipse/BlueHammer ). The reporter [suggests](https://deadeclipse666.blogspot.com/2026/04/public-disclosure.html ) that it's being disclosed due to how MSRC operates these days.

MSRC used to be quite excellent to work with.
But to save money Microsoft fired the skilled people, leaving flowchart followers.
I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now. 😂

Anyway, yeah, it works. Maybe not 100% reliably, but well enough...

Dear Linux UI people: If you want to round corners, cool. ...

2026-04-03T18:00:06Z

Dear Linux UI people:
If you want to round corners, cool.

**However**, if you do round corners, maybe **just maybe** move the point where the cursor is activated to where the corner actually **is** after rounding. Not where it **would have been** if you didn't do the rounding. 🤷‍♂️

I've always known that I'm terrible at using websites ...

2026-04-02T19:42:03Z

I've always known that I'm **terrible** at using websites (I never know where to click). But I guess I've recently realized that this applies to apps as well.

Today's case: Paragon Hard Disk Manager.

My goal: Mount a backup as a drive letter.
After multiple rounds with support, I convinced them to indicate on a screenshot exactly where it is that I should click.

I get that I'm possibly being obtuse, but I have **NEVER** in my computing years been drawn to click on a thin **DOTTED LINE** part of an arrow with the expectation of it doing something.

And no, there was no mouse hover indication that the line had special meaning.

Call me crazy, but there are times when I think that ChatGPT ...

2026-03-20T15:08:06Z

Call me crazy, but there are times when I think that ChatGPT sprinkling in knowledge about what I normally ask is... **not** useful.

This is from a question I asked about grease.

My local hardware store just installed a vending machine out ...

2026-03-09T23:00:37Z

My local hardware store just installed a vending machine out front of it, in case you need things when they're closed.
I love it.

I already knew that we use nonsense measurement systems here in ...

2026-03-09T03:19:57Z

I already knew that we use nonsense measurement systems here in the US. But only recently did I realize that a US gallon is different than a UK gallon.

Ars Technica [retracted an ...

2026-02-15T18:28:07Z

Ars Technica [retracted an article](https://arstechnica.com/ai/2026/02/after-a-routine-code-rejection-an-ai-agent-published-a-hit-piece-on-someone-by-name/ ) about how AI is making the world worse because...
**the Ars article itself** contained AI-generated quotes in it.

https://arstechnica.com/staff/2026/02/editors-note-retraction-of-article-containing-fabricated-quotations/

Welp, we had a decent run, folks. But it's time to call it.

When you get a screenshot of an individual window in Windows, ...

2026-01-23T19:29:49Z

When you get a screenshot of an individual window in Windows, using either Alt + PrtScn or the fancy new Snipping Tool, you also capture the contents of whatever is **behind** the window around the edges.

Linux doesn't do this.
macOS doesn't do this.
Just Windows.

Why are expectations for how Windows works so low?
Or has Microsoft crafted a world where they are not required to care?

I recently bought something from poshmark.com, for the first ...

2025-12-31T14:43:11Z

I recently bought something from poshmark.com, for the first time. While I haven't heard of them before, I figure with credit card protections as they are in the US, there's really no harm with giving it a shot.

Within about **30 minutes** of placing my order, I got a not-very-good phishing email from purchase-orders@loyverse[.]com, claiming to be "Poshmark".
The first time in my life that I've received a phish from somebody claiming to be Poshmark.

My wonders at this point:<li>Is Poshmark unknowingly leaking the email addresses of people who purchase through their site?</li><li>Is Poshmark knowingly leaking the email addresses of people who purchase through their site? Sub-wonder: If true, is this publicly known?</li><li>Is the person whose Poshmark listing I purchased from either compromised or malicious?🤔</li>

Surely you can come up with a higher contrast font color scheme ...

2025-12-27T13:56:26Z

In reply to nevent1q…hekx
_________________________

Surely you can come up with a higher contrast font color scheme for your articles?
Safari on iPhone here.

Microsoft: > As much as 30% of the company's code is ...

2025-10-30T15:12:46Z

Microsoft:

> As much as 30% of the company's code is written by AI.

Also Microsoft:
Somehow we managed to make it so that [clicking the x in Task Manager doesn't close the app](https://www.windowslatest.com/2025/10/30/windows-11-kb5067036-issue-task-manager-wont-close-and-duplicates-may-hurt-performance/ ). Whoopsie daisy!

I've noticed that Gmail is letting a pattern of spam messages ...

2025-10-28T18:48:14Z

I've noticed that Gmail is letting a pattern of spam messages through lately (maybe the past month or two?).

With the subject line of Delivery Status Notification (Failure) and then just a junk email body.

Just me? Is using a subject line of Delivery Status Notification (Failure) really all it takes to get past Gmail's spam filtering?

TIL that I can take the part of my post-sauce tomatoes that ...

2025-10-25T22:08:09Z

TIL that I can take the part of my post-sauce tomatoes that I'd otherwise throw away (the skins), throw them in a spice grinder, and you get delicious tomato powder!mindblown.gif

I initially had it at 60 and got the error. So I took their ...

2025-10-22T13:32:47Z

In reply to nevent1q…4tux
_________________________

I initially had it at 60 and got the error.
So I took their suggestion of setting it to 59. 😂

Never change, Linux. ...

2025-10-22T13:22:31Z

Never change, Linux.

Do you or somebody you know have a Windows 10 that isn't fit ...

2025-10-17T13:34:08Z

Do you or somebody you know have a Windows 10 that isn't fit for a Windows 11 upgrade? (e.g. no TPM)<li>Get a Windows 11 25H2 ISO</li><li>Run <code>setup /product server</code></li>

Enjoy your Windows 11 with no coerced Microsoft Account, TPM features, etc.

Three clicks is a lot to expect, I suppose.

2025-10-08T17:19:29Z

In reply to nevent1q…q454
_________________________

Three clicks is a lot to expect, I suppose.

For some reason, people seem to be spun up about recent changes ...

2025-10-08T14:52:07Z

For some reason, people seem to be spun up about recent changes that allegedly force people to create Microsoft accounts during Windows 11 setup.

Except, nothing is being forced.
Windows 11 Pro or better:
Just do the usual:<li>Set up for work or school</li><li>Sign-in options</li><li>Domain join instead</li><li>Create local account.</li>

Windows 11 Home:
Ok, fine. Microsoft has indeed removed the OOBE.CMD batch file. But you know what? You can run the command that a batch file runs without the batch file itself?reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f

Once you reboot, you'll have the I don't have internet link, where you can create a local account.

I approve. ...

2025-08-25T22:23:20Z

I approve.

I leave for vacation a week ago with Twitter down, and as I ...

2025-05-24T14:13:14Z

In reply to nevent1q…vdgt
_________________________

I leave for vacation a week ago with Twitter down, and as I return it's (still/again/🤷‍♂️) down.
Great job, folks!

Please don't bother coming back. KTHXBYE ...

2025-05-17T13:21:34Z

Please don't bother coming back.
KTHXBYE

Ooh, another of my NTFS vulnerabilities that I reported years ...

2025-05-13T17:35:27Z

Ooh, another of my NTFS vulnerabilities that I reported **years** ago was patched today. 🎉
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32707

I'm at a meeting hosted by somebody else where they're ...

2025-05-13T15:21:40Z

I'm at a meeting hosted by somebody else where they're using Microsoft Teams, and in the chat I attempted to share an image that is on my laptop. By clicking the + button and Attach file.

The result of doing this is that Teams puts the image in **MY COMPANY'S SHAREPOINT SERVER**, and nobody else in Teams can see the image because they **DON'T HAVE AN ACCOUNT** on my company's SharePoint server. 🤦‍♂️

Wonders:
1) Has anybody at Microsoft actually tried **using** Teams?
2) Why do people **choose** to use Teams?

Aside: If you copy an image and press Cmd - V to put the image in the chat, Teams actually... puts the image in the chat.

It's fruit update time. ...

2025-05-12T17:42:07Z

It's fruit update time.
https://support.apple.com/en-us/100100

You've got this. And a tomato is a perfect example of a thing ...

2025-05-09T13:36:55Z

In reply to nevent1q…3aq8
_________________________

You've got this.
And a tomato is a perfect example of a thing that is night and day when it comes to grocery store vs garden. 🎉

Here are my notes from last season: ...

2025-05-09T13:32:34Z

In reply to nevent1q…6k3t
_________________________

Here are my notes from last season:
https://docs.google.com/document/d/1tOnZuUFsUPCxhaD-cgmQ6h8asci15UATkz7ul6MYad8/edit?usp=drivesdk

Tomato-specific I'd say to get some of the blossom rot stop spray. It's magic. While egg shells sounds like a good idea, I'm not convinced that it does a thing, since calcium isn't water soluble. (Tomatoes will get soft black spots on the blossom side if they don't have enough calcium while growing)

And if you really want to be in touch with the garden, get a soil test kit with those powder capsules. When it comes to the nutrients and pH, you'd never be able to tell with your eyes.

But in the end, it's just dirt + water + sun + seeds. How much you put into it is up to you. Nature will take care of the rest. But you **will** get a better bounty with more effort spent. Guaranteed. 😀

Specifically, out of three seedlings that successfully ...

2025-05-09T13:16:35Z

In reply to nevent1q…5xk3
_________________________

Specifically, out of three seedlings that successfully germinated, each of them look exactly like this one. All of their plant friends who received the same treatment are fine.

Bad batch of seeds maybe?

/me lifts his skinny fists like antennas to heaven

Last year: Not a single one of my Blue Beech tomato seedlings ...

2025-05-09T13:12:04Z

Last year: Not a single one of my Blue Beech tomato seedlings survived.
This year:

TBH, I've never really fully grok'd what Tamper ...

2025-05-09T13:03:39Z

In reply to nevent1q…szm5
_________________________

TBH, I've never really fully grok'd what Tamper Protection actually does.

Here's a PoC of a bypass that I found a long time ago. 🤷‍♂️

No, Tamper Protection does nothing to stop this. ...

2025-05-09T01:01:19Z

In reply to nevent1q…nsa8
_________________________

No, Tamper Protection does nothing to stop this.

Neat way to disable Windows Defender (or possibly other AV ...

2025-05-08T20:08:29Z

Neat way to disable Windows Defender (or possibly other AV products)...

Register a no-op AV product in the Windows Security Center (WSC). This action is protected by an NDA that AV vendors sign, and, well...

Anyway, yeah, admin users can do admin things. Don't forget that.

https://github.com/es3n1n/defendnot

I'll admit that even with the [updated explicit instructions ...

2025-05-07T04:37:11Z

In reply to nevent1q…qgcf
_________________________

I'll admit that even with the [updated explicit instructions on how to get Commvault updates](https://documentation.commvault.com/11.38/essential/downloading_software_on_demand.html ), I fail to see how one can get these mythical SP38-CU25-434 and SP38-CU25-438 optional updates.

When I first go to "Download or copy software", Commvault tells me that I'm Up-to-date

If I **manually** force a download of Latest Fixes for Current Release: 11.38.25, I get an installer that specifies:<code>[Image Information] Version=11.80.380.0 ServicePack=38 SPTranID=6988515 UnixTime=1732240991 RevisionNumber=1352 Tip=1 ReducedMedia=1 </code>

And if I run this installer and even reboot for good measure, the system is still vulnerable. And the jar that contains the vulnerable code, cv-ac-common.jar has not changed from my original 11.38.25 vulnerable system.

I'm not particularly good with computers, so hopefully Commvault sysadmins in the real world are better at this than I am. But I'll admit that even with explicit instructions, I have no idea how to get the updates that protect me against CVE-2025-34028.🤷‍♂️

Oh, wow. Only after pestering the Commvault PSIRT did they update ...

2025-05-07T03:35:35Z

In reply to nevent1q…neyu
_________________________

Oh, wow.

Only after pestering the Commvault PSIRT did they update the language of their advisory.

While it **still** incorrectly says that 11.38.0 - 11.38.19 are affected and that 11.38.20 is resolved (it is not), the've added a section below this misinformation to convey the actual state of the world:

11.38.20 is only patched if it has the SP38-CU20-433 **and** SP38-CU20-436 **additional** updates installed.

And 11.38.25 is only patched if it has the SP38-CU25-434 **and** SP38-CU25-438 **additional** updates installed.

I cannot think of a behavior that is more vindictive to their customers to botch language in an advisory so bad, and **also** to not bother bumping release versions for the fixes for a CVSS 10 EITW vulnerability. 🤦‍♂️

Now that I have a local copy of the Commvault VM so that I ...

2025-05-06T04:06:49Z

In reply to nevent1q…u4q4
_________________________

Now that I have a local copy of the Commvault VM so that I don't burn truckloads of Azure dollars, I can look at things at my leisure.

**AND**, it seems that the VM that I have is 11.38.25, which contains the fix for CVE-2025-34028.

**EXCEPT** the exploit for CVE-2025-34028 still works against it. 🤦‍♂️

Commvault claims that 11.38.20 **and** 11.38.25 fixes the watchTowr-reported CVE-2025-34028 vulnerability. (Aside: How is it even possible that **two** different versions in the same product line are the ones that fix a single vulnerability?) watchTowr [discovered the bug in 11.38.20](https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/ ).

I trust watchTowr, so I don't believe Commvault's statement that 11.38.20 fixes the vulnerability that watchTowr found in 11.38.20.

I also trust the PoC that I just ran against 11.38.25, so I don't believe Commvault's statement that 11.38.25 fixes the vulnerability that watchTowr found in 11.38.20.

Yes, I have trust issues. 😕

After successfully touching grass and beginning to write up ...

2025-05-01T18:55:42Z

In reply to nevent1q…mkfc
_________________________

After successfully touching grass and beginning to write up CVE-2025-34028...

CVE-2025-34028 is a path traversal vulnerability. And yes, the path traversal allows for an unauthenticated attacker to plant files in arbitrary locations. And presumably Commvault has fixed the path traversal part.

**BUT**, what about the fact that deployCCPackage() is reachable **by design** (by way of deployServiceCommcell.do being explicitly listed in authSkipRules.xml)?

Directory traversal aside, in what world does the ability for an unauthenticated client to deploy a Command Center package make sense, whatever that means? 🤔

Thanks. Yes, you can still RDP in with the old password after the ...

2025-05-01T14:52:34Z

In reply to nevent1q…65tp
_________________________

Thanks.
Yes, you can still RDP in with the old password after the account has been switched to passwordless. No Microsoft Authenticator required.

Not sure what you mean... My hotmail account is passwordless? ...

2025-05-01T12:39:57Z

In reply to nevent1q…s38l
_________________________

Not sure what you mean...
My hotmail account **is** passwordless? (Locally it uses a PIN)

Unless you're talking about something else?

In my case: Windows 11 Enterprise with a local account initially ...

2025-04-30T23:07:53Z

In reply to nevent1q…x65y
_________________________

In my case:
Windows 11 Enterprise with a local account initially (via BYPASSNRO)
I added a Microsoft (hotmail.com) account.
I then turned on RDP.
That's all. Absolutely nothing else.

If I log in via that hotmail account to RDP, it will accept the original cached password even if I change my hotmail account password.

Hm, that all sounds different than what I tested.

2025-04-30T23:01:40Z

In reply to nevent1q…gwa8
_________________________

Hm, that all sounds different than what I tested.

Really? I found it quite easy: 1) log in to windows with a ...

2025-04-30T22:11:06Z

In reply to nevent1q…nh32
_________________________

Really? I found it quite easy:
1) log in to windows with a Microsoft account
2) Turn on RDP
🤷‍♂️

Yeah, I didn't have a local AD ready to test. But I could ...

2025-04-30T19:58:12Z

In reply to nevent1q…ajuh
_________________________

Yeah, I didn't have a local AD ready to test.
But I could definitely see a difference with authenticating RDP using a local account vs. an online account.
With local accounts, the instant the password changes, the RDP client needs the new password.
For online accounts, the old password still works, indefinitely.

I've seen no evidence that the RDP cred cache gets updated ...

2025-04-30T19:36:04Z

In reply to nevent1q…8n3q
_________________________

I've seen no evidence that the RDP cred cache gets updated ever.
Granted, I only started looking at this very recently, but the reporter seems to indicate that this is the case.

Google published a [blog post about 0days and the ...

2025-04-29T12:49:13Z

Google published a [blog post about 0days and the like](https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends ). This jumped out at me:

> Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success.

Stack canaries gained popularity in the Linux world in 2002. When did the Linux-based Ivanti ICS product get stack canaries, after years of ITW exploitation? 2025. That's right. They decided to wait **TWENTY THREE YEARS** before deciding to turn on a compile-time flag that would have prevented successful exploitation of April's CVE-2025-22457.

We all know that comparing the security disposition of companies/products based on CVE counts is both foolish and futile, but sometimes they make it easy for us. 😂

Oh, what's ...

2025-04-24T17:11:09Z

In reply to nevent1q…v545
_________________________

Oh, what's that?'NICIPConfigUpdateDeployment-1745511600265' is not valid
?

Oh, let me put my Azure translation hat on. Ok, got it:

> You have exceeded your limit of 10 publicly available IP addresses. Please > **first**> Disassociate> the IP address and > **then**> delete it. Otherwise you will get another error message.

Boy, this hat is useful.
Just kidding. There's no such hat.
You need to trudge through things until you brute-force figure things out.

Time to go touch grass...

What's that? The "Most used by Azure users" VM type ...

2025-04-24T16:25:39Z

In reply to nevent1q…ke4t
_________________________

What's that?

The "Most used by Azure users" VM type that I picked isn't available?

You know what, instead of Go Fish, maybe tell me what I can use?

**Edit**: Azure Spot pricing apparently isn't a thing. No matter which Size + Region combination you choose, you'll get an error that says that the combo isn't available where you want it. 🤦‍♂️

What's that? I need to remove the number of data disks in my ...

2025-04-24T16:12:39Z

In reply to nevent1q…caep
_________________________

What's that? I need to remove the number of data disks in my VM? Maybe tell me how to do this?

**Ohhhh**... You've selected an Azure VM image that requires more than 4 disks, and the VM type currently selected has only 4 disks? I'm no UI/UX expert, but maybe just **TELL ME THIS**?

If you create an ARM VM in Azure, beware that your "Recently ...

2025-04-24T16:02:55Z

If you create an ARM VM in Azure, beware that your "Recently used size" will be ARM, and as such you will not be able to create any preconfigured x64 VMs.

Because of course if your "Recently used size" is ARM, Microsoft will disable the ability to pick an x64 size. 🤦‍♂️

Yes, I had to create a sacrificial x84 VM in Azure to work around this. Once my recently used size was x64, I was able to pick any size that I wanted.

From over at the Bad Site ™ Both the vulnerability and the ...

2025-04-17T13:50:30Z

In reply to nevent1q…8w98
_________________________

From over at the Bad Site ™
Both the vulnerability and the "fix" for CVE-2025-21204 are quite silly.

The scenario is:<li>Non-admin user creates <code>C:\inetpub\wwwroot</code> directory and puts web content there</li><li>Admin user at some point in the future enables IIS on the system.</li>

The outcome is:
The web content provided by the non-admin user (be it a web shell or whatnot) is served up by IIS.

Maybe non-admin users shouldn't be able to make directories or junctions (to directories or files) in C:\?
NAH.

Maybe installing IIS should provide a clean webroot when it's installed?
NAH.

Just preemptively make a C:\inetpub directory that non-admin users can't write to. That fixes the problem. 🤦‍♂️

Get your Apple updates folks. ...

2025-04-16T20:11:46Z

Get your Apple updates folks.
https://support.apple.com/en-us/100100

CVE-2025-31200 and CVE-2025-31201 are being exploited ITW.

Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 ...

2025-04-16T02:39:59Z

Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
https://www.bleepingcomputer.com/news/microsoft/microsoft-blocks-activex-by-default-in-microsoft-365-office-2024/

About damn time!

If I remember my testing properly, a junction to a folder does ...

2025-04-14T11:31:51Z

In reply to nevent1q…0crx
_________________________

If I remember my testing properly, a junction to a folder does not break the update. But a weird junction to a file (which Microsoft claims is not possible) does break the April update.

Which mirrors the test that a C:\inetpub directory does not break the update but a C:\inetpub file **does** break things. Except that the junction variant is something a non-admin user can do.

Would changing the ACLs to not allow non-admin users the ability ...

2025-04-11T12:29:27Z

In reply to nevent1q…nqve
_________________________

Would changing the ACLs to not allow non-admin users the ability to create directories off of C:\ **really** have a real-world impact of limiting LPEs?

Absolutely. When you write a tool to look for things (e.g. [Crassus](https://github.com/vu-ls/crassus )), you see things. Heck, I've seen a privileged service attempt to open files in C:\Program%20Files\, which any non-admin Windows user can create by default.

But no, even despite being presented with evidence for how this could fix an entire **CLASS** of LPEs on Windows, MSRC was not interested.

Hilarious. The two things that MSRC seems to aim to to achieve ...

2025-04-11T12:20:56Z

In reply to nevent1q…y29z
_________________________

Hilarious.
The two things that MSRC seems to aim to to achieve are:<li>Avoid saying anything about what their security updates do unless their hand is forced.</li><li>Take the path of "least resistance" as opposed to fixing the root cause of problems. (In this case, non-admins can create subdirectories directly off of <code>C:\</code>)</li>

https://infosec.exchange/@wdormann/114319281111054638

So, apparently this is the "fix" for ...

2025-04-11T12:16:36Z

In reply to nevent1q…unc4
_________________________

So, apparently this is the "fix" for [CVE-2025-21204](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204 ). Microsoft recently updated their advisory to say what the update does.

Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does.

Two gripes:<li>MSRC publishing content-free advisories has consequences, but they never seem to appreciate this.</li><li>I told MSRC YEARS AGO that they can avoid an entire class of LPE vulnerabilities in 3rd-party software and their own software by not allowing non-admin users to be able to create directories off of <code>C:\</code>. They refused to make any change because it might "break things".</li>

Great job, folks.

Ah, you'd think that you couldn't. But indeed you can! ...

2025-04-10T20:26:26Z

In reply to nevent1q…v49d
_________________________

Ah, you'd think that you couldn't.
But indeed you can!
That is, a non-admin user can create a "directory" junction to a **file** target, which will have the result of April's security updates failing to install. 😂

It seems that this weird concept of a junction to a file achieves an unexpected double-standard:<li>It counts as a directory when it comes to NTFS ACLs (a non-admin user can create a junction in <code>C:\</code>)</li><li>Depending on how the junction is accessed, it might count as a file as opposed to being treated as a directory.</li>

This seems like a problem. Obviously in the case of April's updates here. But perhaps even more generically in that a junction to a file target seems to almost guarantee unexpected behavior.

Just to be clear, while mklink /h can itself be used by a ...

2025-04-10T19:58:07Z

In reply to nevent1q…6lu7
_________________________

Just to be clear, while mklink /h can itself be used by a non-admin user, that same non-admin user would not be able to create a hard link in C:\ as that would be the same as creating a file there. Which non-admin users can't do.

You can? Non-admin users don't have ...

2025-04-10T19:35:25Z

In reply to nevent1q…l7sk
_________________________

You can?
Non-admin users don't have SeCreateSymbolicLinkPrivilege, so I don't believe you. 😀

Ah, that'd do it! But at the same time, creating files in the ...

2025-04-10T19:28:04Z

In reply to nevent1q…pyum
_________________________

Ah, that'd do it!
But at the same time, creating files in the root directory requires admin privileges.
And if you're a trigger-happy admin, there are plenty of footguns that you can use. 🤷‍♂️

Specifically, I've seen all April updates install even when ...

2025-04-10T18:32:52Z

In reply to nevent1q…n362
_________________________

Specifically, I've seen all April updates install even when C:\inetpub exists ahead of time.

I should have known better than to attribute the correlation of C:\inetpub in a VM before updates to the causation of a failed update.

What happens with C:\inetpub is tough to see, as it either happens before the Procmon boot driver loads, or Procmon is otherwise foiled by the updates occurring. But either way, there's a bit of a blind spot between pre-reboot C:\inetpub not being there and it being there post-reboot. A Procmon boot log sees nothing. 😕

If IIS is truly installed, KB5057589 installs fine. Presumably ...

2025-04-10T15:37:32Z

In reply to nevent1q…3ajp
_________________________

If IIS is truly installed, KB5057589 installs fine.
Presumably the failed installation is due to unexpected permissions on C:\inetpub?

Yeah, so this is interesting. I was skeptical, but I can confirm ...

2025-04-10T14:17:31Z

In reply to nevent1q…kqh2
_________________________

Yeah, so this is interesting. I was skeptical, but I can confirm that [KB5057589](https://support.microsoft.com/en-us/topic/kb5057589-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-april-8-2025-74bc2baa-4ac6-40d0-8dde-4a8462b8f7e7 ) (which installs [KB5055674](https://support.microsoft.com/en-us/topic/kb5055674-safe-os-dynamic-update-for-windows-10-version-21h2-and-22h2-april-8-2025-bccc4714-2dca-4d07-be7b-1f38d9eb3e5b )) for Windows 10 will fail to install if there is a C:\inetpub directory present ahead of time, which a non-admin user can fulfill.

I wouldn't expect the update to be so fragile that the mere presence of a C:\inetpub directory prevents its installation. While KB5057589 is indeed listed as a "Security Update", I can find no information of what CVE(s) it fixes. 🤔

After installing April's updates, Windows 10 and 11 systems ...

2025-04-09T16:05:41Z

After installing April's updates, Windows 10 and 11 systems now have an empty C:\inetpub directory.

This seems... unexpected?

Vulnerability thoughts:<li>Most attacks these days rely on ...

2025-04-09T15:09:07Z

Vulnerability thoughts:<li>Most attacks these days rely on chains of vulnerabilities.</li><li>Things that get CVSS scores are almost exclusively CVEs, which are individual vulnerabilities.</li>

It's the vulnerability chains that matter, but the numbers that people are looking at are the individual vulnerability "links". And as a result, we ironically benefit by people **not** following the rules and assigning a CVSS for the whole chain to an individual link. Case in point:

https://infosec.exchange/@wdormann/114275453831928356

Yeah, the funny/scary thing about all of this is that these ...

2025-04-05T12:59:21Z

In reply to nevent1q…r6cm
_________________________

Yeah, the funny/scary thing about all of this is that these recent cases were all based on "we saw that the device was compromised by the failed ICT test"

That right there is evidence that the attacker was **SO BAD** that they didn't even bother to **hide their tracks**. Imagine what the good ones are up to. 😂

Yes, the same thing could be said for any attack, but the Ivanti case is somewhat special based on how trivial it is to subvert both the external ICT and also the factory reset process.

I mean, this would be discoverable with the dumbest of dumb HTTP ...

2025-04-04T18:57:16Z

In reply to nevent1q…g8px
_________________________

I mean, this would be discoverable with the dumbest of dumb HTTP fuzzing.
You'd need to know **absolutely nothing** about the target app or what it expects.

And [per the excellent folks at ...

2025-04-04T14:25:25Z

In reply to nevent1q…vtgx
_________________________

And [per the excellent folks at watchTowr](https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/ ), we can see what the vulnerability is:
A stack buffer overflow in X-Forwarded-For

No need to find a specific endpoint or do something clever. Simply make a web request to **anywhere** on an ICS system with a large X-Forwarded-For HTTP header and you'll get a stack buffer overflow on the system. 🤦‍♂️

And due to the fact that the Ivanti web server does a fork() without a corresponding exec(), we get the same memory layout every single time.

Now, about Ivanti's use of remediated... The function where the overflow happens just happens to have been rewritten in a way that avoids the overflow.

Did Ivanti recognize the possibility of a stack buffer overflow and not recognize it as a security issue? Or did they just happen to change code to accidentally avoid the overflow (and decide to use exploit mitigations as well).

You decide...

There's this magical thinking that the CVE ID is what gives ...

2025-04-04T12:10:51Z

In reply to nevent1q…va3v
_________________________

There's this magical thinking that the CVE ID is what gives attackers the ability to compromise systems.

If you say that your software is vulnerable but fail to assign CVEs, you're only helping the **attackers**.

I remember the time that Microsoft got mad at me for "leaking" one of their CVEs to the public before the update was available. As in their world, CVE IDs were for Microsoft updates. Not for identifying vulnerabilities. 🤦‍♂️

Apparently the CVE system is for bickering. 🤷‍♂️ ...

2025-04-04T11:58:06Z

In reply to nevent1q…ju8p
_________________________

Apparently the CVE system is for bickering. 🤷‍♂️
https://www.securityweek.com/details-emerge-on-cve-controversy-around-exploited-crushftp-vulnerability/

Now, regarding the "silent fix" of CVE-2025-22457, which ...

2025-04-03T18:57:08Z

In reply to nevent1q…8hnp
_________________________

Now, regarding the "silent fix" of CVE-2025-22457, which per Ivanti:

> This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025)

That word remediated...

Careful readers will see that Ivanti didn't **fix** the vulnerability in 22.7R2.6.

What changed in 22.7R2.6? With this version, Ivanti compiled **some** of the ICS binaries with exploit mitigations that have been around for 20 years. And wouldn't you know it, it paid off already? Everybody's gotta learn sometime...

Given that the web server on an ICS runs as the limited nr user, ...

2025-04-03T18:30:45Z

In reply to nevent1q…3s75
_________________________

Given that the web server on an ICS runs as the limited nr user, both the Ivanti and the Mandiant advisory are missing any indication whatsoever how the threat actors are gaining root privileges.

I've reported 4 different ICS LPEs to Ivanti recently, but none of them have been fixed yet.

Back in the CVE-2025-0282 days, Ivanti made up a CVE-2025-0283 CVE to capture the LPE aspect of attacks happening in the wild. I say "made up" because I've seen no evidence whatsoever that any LPE was fixed between 22.7R2.5 and 22.7R2.6.

Knowing what's going on in an ICS device is a huge blind spot, but apparently seeing how attackers are LPE'ing is even blind-er.

Ivanti CVE-2025-22457 is being exploited ITW. ...

2025-04-03T18:06:02Z

Ivanti CVE-2025-22457 is being exploited ITW.
https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457

Per [Mandiant](https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability ):

> We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.

Gee, who could have imagined that attackers are looking at patches? 🤔

1) This apparently was silently fixed for ICS in 22.7R2.6, as the fix for this was released in February. Ivanti Policy Secure and ZTA gateways are expected to receive a patch in late April.

2) The advisory still conveys the magical thinking if **if** your device shows signs of compromise, then you should perform a "factory reset." This is magical in that the [ICT won't catch a compromise nor will the "factory reset" reset to factory condition if the attacker is bothering to try](https://infosec.exchange/@wdormann/113805254385223581 ).

While Mandiant also parrots the magical thinking of running the ICT tool, which I guess is the best advice if you're not going to throw the device in the trash since there isn't an official integrity checking tool that is sound, they do throw out a tidbit of:

> ... and conduct anomaly detection of client TLS certificates presented to the appliance.

Bets on whether CVE-2025-22457 is an overflow in the handling of a field in a client-provided certificate? 😂

FWIW, I did some testing with the eicar string in an ...

2025-04-02T12:53:40Z

In reply to nevent1q…3h2a
_________________________

FWIW, I did some testing with the eicar string in an AES-encrypted zip (via 7-zip)<li>EICAR as <code>eicar.com</code> : Blocked</li><li>EICAR as <code>hello.txt</code> : Allowed</li><li>EICAR with an appended <code>A</code> as <code>eicar.com</code> : Blocked</li><li>CRC32 collision as <code>eicar.com</code>: Blocked</li><li>CRC32 collision as <code>hello.txt</code>: Allowed</li>

So at least as of this specific test, it may be that the Gmail SMTP server is perhaps just using filenames for "blocking" the sending of mail.

And again, I use scare quotes around "blocked" as while the SMTP server does say that the message was blocked "because its content presents a potential security issue." But the email is indeed sent to the recipient., despite the warning.

But why would the EICAR string with the file name wd.txt get ...

2025-04-02T04:40:02Z

In reply to nevent1q…3z9s
_________________________

But why would the EICAR string with the file name wd.txt get blocked in an encrypted (password-protected) ZIP?

FWIW, I generated a file with the same size and CRC32 as ...

2025-04-02T02:37:25Z

In reply to nevent1q…e5gw
_________________________

FWIW, I generated a file with the same size and CRC32 as eicar.com and put it in a password-protected ZIP file and the Gmail SMTP server didn't complain a bit. 🤔

Actually, after some further tests:<li>The Info-ZIP that ...

2025-04-01T23:15:54Z

In reply to nevent1q…n2yv
_________________________

Actually, after some further tests:<li>The Info-ZIP that comes with macOS creates an encrypted ZIP 1.0 archive, and is reported to be blocked by Gmail SMTP.</li><li>The same encrypted ZIP from 7-zip using "ZipCrypto", or AES encryption is also reported to be blocked by Gmail SMTP.</li><li>I say "reported to be blocked" as while the Gmail SMTP server gives me this warning saying that the sending of the message failed, it actually does send the message. But seemingly delayed slightly. 🤦‍♂️</li>

CRC32 isn't enough to uniquely identify files. There'd be ...

2025-04-01T23:11:18Z

In reply to nevent1q…ez8s
_________________________

CRC32 isn't enough to uniquely identify files. There'd be too many false positives due to collisions, IMO.

Ah, good guess! Using standard zip encryption with an unguessable ...

2025-04-01T22:38:36Z

In reply to nevent1q…t4pk
_________________________

Ah, good guess!

Using standard zip encryption with an unguessable password not in the message body:<li><code><eicar string></code> as <code>eicar.com</code>: Blocked</li><li><code>hi</code> as <code>hi.txt</code>: Allowed</li><li><code><eicar string></code> as <code>wd.txt</code>: Blocked</li>

Were it not for the last case, I'd assume that somehow the combination of encrypted + suspicious filename = Block. But that last case...
I'm at a complete loss as for how the EICAR string as wd.txt in an encrypted ZIP file is blocked. 🤷‍♂️

I didn't investigate much further, but I suspect that ...

2025-04-01T17:59:38Z

In reply to nevent1q…750f
_________________________

I didn't investigate much further, but I suspect that Gmail's SMTP server will attempt a list of known passwords, plus each word that exists in the email itself to decrypt encrypted ZIP files that are attached.

Yeah, even with a number of different ZIP passwords, I found that ...

2025-04-01T17:52:50Z

In reply to nevent1q…97qk
_________________________

Yeah, even with a number of different ZIP passwords, I found that Gmail's SMTP server still found the evil inside if I didn't use PGP encryption at the higher layer.

I did have an AV vendor recently request my EICAR-containing PoC ...

2025-04-01T17:23:34Z

In reply to nevent1q…ut2p
_________________________

I did have an AV vendor recently request my EICAR-containing PoC in a password-protected ZIP file in my already-PGP-encrypted email.
Presumably their workflow for handling encrypted emails automatically deleted my PoC. 😂

I mean, when they refused to accept my video on YouTube, they ...

2025-04-01T17:17:27Z

In reply to nevent1q…fekl
_________________________

I mean, when they refused to accept my video on YouTube, they **did** tell me to upload the video to OneDrive, which could end up costing me money depending on my quota. 😂

One of the 3 vulnerabilities that I've outlined is that the ...

2025-04-01T17:04:20Z

In reply to nevent1q…ryd4
_________________________

One of the 3 vulnerabilities that I've outlined is that the on-endpoint driver blocklist is a differently-maintained list than the [online list](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules ).
Am I being pedantic and nit-picking here?

Per MSRC, the discrepancy is intentional:

> Lastly, regarding the Online Driver Blocklist, the online list is supposed to be a superset

Let's say that theoretically this is not a lie...
1) How well known is it that the online Microsoft recommended driver block rules list is **intentionally** a superset of what endpoints see? The language in the online blocklist clearly says that **the** blocklist gets put on endpoints via Windows Update. 🤔

2) Let's pick a sample driver used by the years-old exploit [KDU](https://github.com/hfiref0x/KDU ). Driver number 1 provided by this tool is [RTCore64.sys](https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/ )
This driver is definitely in the online Microsoft recommended driver block rules list. Let's test it out in a Windows 11 with the "Microsoft Vulnerable Driver Blocklist" option enabled.
Oh... it loads? And it allows us to disable driver signature verification?
This seems less than ideal.

Tell me, oh internet public, why might Microsoft intentionally choose to allow a years-old public exploit to continue to work?

Oh, right. It's easier to blow off a researcher with a "this is intentional" as opposed to actually read the report that they submitted and address the problem. 🤦‍♂️

In today's episode of drama in the CVE ecosystem: The ...

2025-03-31T14:09:04Z

In today's episode of drama in the CVE ecosystem:

The Canonical CNA created [CVE-2025-0927](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0927 ) and an [associated advisory](https://ubuntu.com/security/CVE-2025-0927 ) for a heap overflow in HFS+ in the Linux kernel.

The Linux kernel CNA stripped out the information (like the reporter of Attila Szász, useful references, etc) from the CVE entry and added the passive-aggressive:

> The Linux kernel CVE team has been assigned CVE-2025-0927 as it was incorrectly created by a different CNA that really should have known better to not have done this.to this issue. [sic]

Also TIL: If you look only at the assignerShortName in a cvelistV5 CVE entry, you might not get the whole picture of whose CVE it technically is. While the Linux kernel rewrote history to claim that **they** assigned the CVE, that was only done via the cna container's ProviderMetadata shortName value. The top-level [assignerShortName](https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/0xxx/CVE-2025-0927.json#L7) for the entry still shows canonical.

Good times...

I can't quite put my finger on it, but something about this ...

2025-03-31T04:35:43Z

I can't quite put my finger on it, but something about this current administration makes me think that they're not putting their best efforts into things.

The prior [CISA Cybersecurity ...

2025-03-29T21:47:29Z

In reply to nevent1q…lxpu
_________________________

The prior [CISA Cybersecurity Advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b ) minces words a bit less than the recent MAR.

The ICT (internal or external) may not detect compromise. The threat actor may retain persistence after "factory reset".

Broadcom has determined a way to get more money out of VMware ...

2025-03-29T12:57:47Z

Broadcom has determined a way to get more money out of VMware licensing:

> If a customer has a single-processor server with 8 cores, VMware by Broadcom will license 72 cores.

😂