Discovered that in versions of Kyverno prior to 1.10.0, Kyverno does not enforce policies on resources with a deletionTimestamp, which occurs during finalization after resource deletion begins. This allows a bypass of "validate, generate, or mutate-existing policies, even in cases where the validationFailureAction field is set to Enforce."
Impact is low for most Kubernetes resources because most controllers ignore changes during finalization. However, a few built-in resource kinds such as ConfigMaps, Secrets and Services may honor changes during deletion. Custom resources may also be affected.
An attacker could first maliciously add a non-existent finalizer and begin deletion of a resource, then perform a malicious update of the resource bypassing Kyverno policies.
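An audit helper for the condition described above, added here as an example (it is not Kyverno's code): it lists objects that are mid-deletion, which is exactly the state in which a Kyverno release before 1.10.0 stops enforcing policy, and notes whether the kind is one that still honors updates. The kinds set, the version threshold and the finalizer list come from the advisory text and from assumptions noted in the comments; the objects at the bottom are constructed sample data shaped like `kubectl get ... -o json` items, so the script runs offline.

```python
"""Audit helper for the Kyverno finalization bypass described above: list
objects that are mid-deletion (deletionTimestamp set) and therefore, on a
Kyverno release before 1.10.0, can be updated without policy enforcement.

This is an added example, not Kyverno's code. It takes plain dicts shaped
like `kubectl get <kind> -A -o json` items, so it runs offline; the objects
at the bottom are constructed sample data.
"""

# Built-in kinds the advisory names as honouring updates during deletion.
KINDS_THAT_HONOR_UPDATES = {"ConfigMap", "Secret", "Service"}

# Finalizers expected in this cluster (assumption: replace with your own list).
EXPECTED_FINALIZERS = {
    "kubernetes.io/pvc-protection",
    "kubernetes.io/pv-protection",
    "service.kubernetes.io/load-balancer-cleanup",
}


def kyverno_affected(version):
    """True when the Kyverno release predates the 1.10.0 fix."""
    nums = tuple(int(p) for p in version.lstrip("v").split("-")[0].split(".")[:3])
    return nums < (1, 10, 0)


def is_custom_resource(api_version):
    """Heuristic: a dotted API group outside *.k8s.io is a CRD-backed kind."""
    group = api_version.split("/")[0] if "/" in api_version else ""
    return "." in group and not group.endswith("k8s.io")


def finalization_candidates(objects, expected_finalizers=EXPECTED_FINALIZERS):
    """Return one finding per object with a deletionTimestamp.

    A finding says whether the kind is one that accepts updates while
    terminating (or is a custom resource, which may as well) and lists any
    finalizer not on the expected set: an unrecognised finalizer is what keeps
    an object in the unpoliced state until someone removes it.
    """
    findings = []
    for obj in objects:
        meta = obj.get("metadata", {})
        if not meta.get("deletionTimestamp"):
            continue
        kind = obj.get("kind", "")
        api_version = obj.get("apiVersion", "")
        findings.append({
            "kind": kind,
            "name": f"{meta.get('namespace', '')}/{meta.get('name', '')}",
            "honors_updates": kind in KINDS_THAT_HONOR_UPDATES,
            "is_custom": is_custom_resource(api_version),
            "unknown_finalizers": sorted(
                set(meta.get("finalizers", [])) - set(expected_finalizers)),
        })
    return findings


# Constructed sample objects (not from any real cluster).
SAMPLE_OBJECTS = [
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"namespace": "default", "name": "app-config",
                  "deletionTimestamp": "2023-06-01T10:00:00Z",
                  "finalizers": ["example.com/does-not-exist"]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"namespace": "default", "name": "worker",
                  "deletionTimestamp": "2023-06-01T10:00:05Z"}},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"namespace": "default", "name": "db-creds"}},
    {"apiVersion": "stable.example.com/v1", "kind": "Widget",
     "metadata": {"namespace": "default", "name": "widget-1",
                  "deletionTimestamp": "2023-06-01T10:01:00Z",
                  "finalizers": ["stable.example.com/cleanup"]}},
]

if __name__ == "__main__":
    for f in finalization_candidates(SAMPLE_OBJECTS):
        flag = "RISK" if (f["honors_updates"] or f["is_custom"]) else "info"
        print(f"[{flag}] {f['kind']} {f['name']} "
              f"unknown finalizers: {f['unknown_finalizers']}")
```

Objects that stay in this list for a long time, especially with a finalizer nobody recognises, are the ones worth investigating on a cluster that has not yet moved to 1.10.0.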
A hacked up version of seccomp/seccomp_user_notification.c running inside Frida.
installFilter() should be called on the main thread of the application. It's not possible to install the seccomp filter from rpc.exports.init() because it runs on a Frida thread.
installFilter() sets NO_NEW_PRIVS (required if non-root), installs the seccomp filter to trigger notifications, then creates a pthread to watch for notifications. Upon notifications a callback into Frida is invoked.
When the callback fires, it won't be on the thread that invoked the syscall. I'm not actually sure how to use Frida to interact with the suspended thread. Untested, but frida/frida-gum#559 may allow running code on the thread.
Do you ever look at the huge feature set of SQLite and try to see how many things you can use at the same time?
FTS5 + fsdir + zipfile + JOIN multiple table-valued functions = EPUB full text search
The challenge was to fix a broken Docker tar archive, with an unknown order of layers.
A file isn't deleted from a layer unless it was already created by a previous layer; this makes it possible to solve a dependency tree of the layers (this is what most solutions to this challenge did).
However, a much simpler solution is possible: sort the docker tar layers by mtime timestamp. The files created in the docker tar layers have different timestamps, accurate to one second.
- Find the newest timestamp in each layer
- Sort layers by their newest timestamp
- Reconstruct the container image tarball with this layer order
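The three steps above carried out in Python, as an added example written for this page rather than the challenge's reference solution. It uses only the standard library; the three layers are constructed in memory, supplied in scrambled order, and the rebuilt archive follows the `manifest.json` plus `<id>/layer.tar` layout that `docker load` reads. The minimal config.json is an assumption standing in for the original one.

```python
"""Recover the layer order of a broken `docker save` tarball from file
mtimes, then rebuild the image archive. Added example written for this page,
not the challenge's reference solution; the layers below are constructed in
memory so it runs offline."""
import hashlib
import io
import json
import tarfile


def make_layer(files, base_mtime):
    """Constructed layer.tar: each file gets its own second-granularity mtime,
    one second apart, as a real build step would leave behind."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for i, (name, text) in enumerate(files):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = base_mtime + i
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def newest_mtime(layer_bytes):
    """Step 1: the newest timestamp in a layer (0 for an empty layer)."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        return max((m.mtime for m in tar.getmembers()), default=0)


def order_layers(layers):
    """Step 2: layer ids sorted oldest first by their newest mtime. sorted()
    is stable, so two layers written within the same second keep their input
    order; that tie is the one case one-second timestamps cannot resolve."""
    return sorted(layers, key=lambda layer_id: newest_mtime(layers[layer_id]))


def rebuild_image(layers, order, repo_tag="recovered:latest"):
    """Step 3: write a `docker load`-style tarball: <id>/layer.tar entries in
    the recovered order, a minimal config.json whose diff_ids match the layers
    (assumption: a real recovery would reuse the original config.json), and a
    manifest.json pointing at them."""
    diff_ids = ["sha256:" + hashlib.sha256(layers[i]).hexdigest() for i in order]
    config = json.dumps({"architecture": "amd64", "os": "linux",
                         "rootfs": {"type": "layers", "diff_ids": diff_ids}}).encode()
    config_name = hashlib.sha256(config).hexdigest() + ".json"
    manifest = json.dumps([{"Config": config_name, "RepoTags": [repo_tag],
                            "Layers": [f"{i}/layer.tar" for i in order]}]).encode()
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for i in order:
            add(f"{i}/layer.tar", layers[i])
        add(config_name, config)
        add("manifest.json", manifest)
    return out.getvalue()


def manifest_layers(image_bytes):
    """Read back the layer order recorded in an image tarball's manifest."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
    return manifest[0]["Layers"]


# Constructed layers, supplied in scrambled order as a broken archive would be.
SAMPLE_LAYERS = {
    "top": make_layer([("app/main.py", "print('hi')"), ("app/.keep", "")], 3000),
    "base": make_layer([("etc/os-release", "ID=demo"), ("bin/sh", "")], 1000),
    "mid": make_layer([("usr/lib/libdemo.so", "ELF"), ("etc/ld.so.cache", "")], 2000),
}

if __name__ == "__main__":
    order = order_layers(SAMPLE_LAYERS)
    print("recovered order:", order)
    print("manifest layers:", manifest_layers(rebuild_image(SAMPLE_LAYERS, order)))
```

On a real archive, replace SAMPLE_LAYERS with the bytes of each `<id>/layer.tar` read from the broken tarball; everything after that is unchanged.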
Git remote code execution via submodules and git-remote-ext
Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. To protect users from accidentally trying to clone a malicious URL, Git submodule URLs were restricted to a safe set of protocols in Git v2.6.1.
Some protocols (like git-remote-ext) can execute arbitrary code
found in the URL. The URLs that submodules use may come from
arbitrary sources (e.g., .gitmodules files in a remote
repository), and can hurt those who blindly enable recursive
fetch. Restrict the allowed protocols to well known and safe
ones.
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Fix
git-submodule was restricted to a safe set of protocols by default: GIT_ALLOW_PROTOCOL=file:git:http:https:ssh.
Additionally, inside git's http.c, libcurl was restricted to the same protocol whitelist. Libcurl's recursion depth was also limited to prevent a redirect loop from causing git to hang.
The Microsoft Core fonts for the Web included Andale Mono, Arial, Arial Black, Comic Sans MS, Courier New, Georgia, Impact, Times New Roman, Trebuchet MS, Verdana and Webdings as TrueType fonts. Though Microsoft no longer distributes these fonts, the old versions may still be redistributed freely. However, the EULA specifies that the fonts may not be modified in any way.
But wouldn't it be fun to use them as @font-face web fonts? Sadly, the original redistributable format is only either .exe or .sit.hqx files...
With sufficient usage of JavaScript, random HTML5 features (blob URLs in dynamically generated stylesheet rules) and emscripten-compiled cabextract, anything is possible.