bburky.com

Unofficial Smart Chef kitchen scale webapp

2025-08-15T00:00:00Z

Simple webapp for Smart Chef kitchen scale to display the value via Web Bluetooth. Installable as a PWA, but offline support isn't quite finished. Protocol decoding implementaion based on personal reverse engineering and publicly available documents for other scales.

Developed a while back on Glitch (before it died), now moved over to GitHub and published on GitHub Pages.

Keycloak verify existing account by email could be performed with a spoofed email

2025-07-08T00:00:00Z

Keycloak uses the "First Broker Login" authentication flow for a users's first login via a federated IdP. If a matching Keycloak already exists, the user is prompted to review their profile and may edit fields such as email. If the user edits their email to match a different existing victim user, they can attempt to link their external IdP to someone else's account.

The security impact is fairly low however, because an email is sent to the victim and a link must be clicked within 5 minutes. This still presented a minor phishing risk and Keycloak mitigated the issue by no longer trusting the email if it was edited by the user, skipping "Verify Existing Account By Email" and now requires "Verify Existing Account By Re-authentication".

MinIO Operator used Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS

2025-04-21T00:00:00Z

While reviewing MinIO Operator's Kubernetes STS Authorization feature (very similar to AWS's IRSA), I discovered that it used /var/run/secrets/kubernetes.io/serviceaccount/token for authorization. If the Pod's ServiceAccount had any Kubernetes RBAC permissions, this token could be used with the Kubernetes API to perform privileged operations. Exposing this token to the MinIO Operator was a security issue.

MinIO implemented my recommendation to instead use serviceAccountToken projected volumes with a non-default audience. This ensures tokens are not valid against the Kubernetes apiserver and effectively drops privileges.

Missing authorization check on cross repository blob mount in multiple open source container registries

2024-07-09T00:00:00Z

POST /v2/<name>/blobs/uploads/?mount=<digest>&from=<other_name> cross repository blob mount is unique among the other Docker registry HTTP v2 API endpoints in that it requires an access control check on two container names. Many new registry implementations have accidentally omitted pull access control check on the source repository.

Zot CVE-2024-39897

Cache driver GetBlob() allows read access to any blob without access control check.

Gitea

Fixed in v1.20.0. PR #22759 created 1 day after reporting, but unmerged for 5 months. No CVE issued.

Overly permissive IAM policy in github-aws-runners/terraform-aws-github-runner

2024-07-01T00:00:00Z

Overly permissive AWS IAM policy allowed runner EC2 instances to read sensitive tokens for other instances from SSM SecureStrings.

Runner EC2 instances could read other instances' tokens (jitconfig and registration tokens) from SSM parameters. A runner's jitconfig is normally scoped down to a single repo, workflow and job. Stealing another runner's jitconfig allows lateral movement throughout the GitHub organization or repository and exposes the other runner's GITHUB_TOKEN, GitHub OIDC JWT ID token and any secrets.

Submitted patch with ResourceTag based IAM policy checking ec2:SourceInstanceARN and added tags to SSM parameters.

Security advisory (No CVE issued)
Patch with ResourceTag based IAM policy

San Antonio BSides CTF 2024

2024-06-08T00:00:00Z

1st place in local BSides CTF.

Small solo event with AI, crypto, binaries and web categories.

Kyverno policy bypass using Kubernetes finalizers

2023-06-01T00:00:00Z

I discovered that in versions of Kyverno prior to 1.10.0, Kyverno did not enforce policies on resources with a deletionTimestamp, which occurs during finalization after resource deletion begins. This allowed a bypass of "validate, generate, or mutate-existing policies, even in cases where the validationFailureAction field is set to Enforce."

Impact is low for most Kubernetes resources because most controllers ignore changes during finalization. However, a few built in resource kinds such as ConfigMaps, Secrets and Services may honor changes during deletion. Custom resources may also be affected.

An attacker could first maliciously add a non-existent finalizer and begin deletion of a resource, then perform a malicious update of the resource bypassing Kyverno policies.

Playlist Extension for Playnite

2021-09-12T00:00:00Z

A Playnite extension providing a reorderable queue of games.

A simple drag'n'drop interface in .Net WPF using GongSolutions.WPF.DragDrop.

Inject Steam GameOverlayRenderer DLL with Frida

2021-08-16T00:00:00Z

Inspired by:
https://gist.github.com/Andon13/d439d5334d8173e5b959f383f1c49b03

Must be run during process initialization, cannot be run after the game is started.

GameOverlayRenderer will use an appid from the SteamGameId environment variable. This is injected too. GameOverlayRenderer does not support steam_appid.txt, but this script will parse the file to discover the appid.

Usage:

cd the\game\directory
frida -f "game.exe" -l C:\somewhere\GameOverlayRenderer.js --no-pause

Proof of concept SECCOMP_RET_USER_NOTIF based Frida Syscall Tracer

2021-06-26T00:00:00Z

A hacked up version of seccomp/seccomp_user_notification.c running inside Frida.

installFilter() should be called on the main thread of the application. It's not possible to install the seccomp filter from rpc.exports.init() because it runs on a Frida thread.

installFilter() sets NO_NEW_PRIVS (required if non-root), installs the seccomp filter to trigger notifications, then creates a pthread to watch for notifications. Upon notifications a callback into Frida is invoked.

When the callback fires, it won't be on the thread that invoked the syscall. I'm not actually sure how to use Frida interact with the suspended thread. Untested, but frida/frida-gum#559 may allow running code on the thread.

Buildah/Podman chroot isolation: environment value leakage to intermediate processes

2021-06-15T00:00:00Z

When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running buildah in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original buildah process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during buildah run. The commands that buildah is instructed to run can read that information if they choose to.

Offline Kubernetes manifest diff (does not use cluster state)

2021-05-21T00:00:00Z

Offline kubectl diff style tool (does not use cluster state). Diff two local files containing templated manifests (e.g. kustomize or helm output).

Resources in each file are matched by api, kind, namespace and name. This is also shown in the filename fields of the diff output.

Usage:

k8s-diff.py old-manifests.yaml new-manifests.yaml
kustomize build . | k8s-diff.py /tmp/old-manifests.yaml -

EPUB full text search using SQLite FTS5

2021-05-17T00:00:00Z

Do you ever look at the huge feature set of SQLite and try to see how many things you can use at the same time?

FTS5 + fsdir + zipfile + JOIN multiple table-valued functions = EPUB full text search

Function hooking example using avr-gdb's built-in simulator and Python

2021-02-15T00:00:00Z

A simple example using avr-gdb's built in target sim AVR simulator on a .hex file.

GDB's Python support can be used to mock functions by modifying process state and calling ret to skip their execution.

ESPHome IR→BLE Keyboard

2021-01-31T00:00:00Z

An ESPHome custom component to receive IR codes with remote_receiver and convert them into BLE HID keystrokes. Uses a Esp32BLEKeyboard custom component and the ESP32 BLE Keyboard library.

Python WinRT Image Capture (and Focus Stacking)

2020-05-03T00:00:00Z

Python/WinRT is a crazy thing:

The Windows Runtime Python Projection (Python/WinRT) enables Python developers to access Windows Runtime APIs directly from Python in a natural and familiar way.

Use some native WinRT APIs via Python to capture photos with variable focus. Then use align_image_stack and enblend from the Hugin panorama tools to focus stack the images.

Capture The Flag Shitty Add-On Writeup

2019-11-30T00:00:00Z

An I²C AVR ATtiny85 CTF writeup.

I²C, AVR assembly (with IPython magic for shellcode development), flash self-programming, and blinking LEDs.

PlaidCTF 2019: A Whaley Good Joke writeup

2019-04-14T00:00:00Z

The challenge was to fix a broken Docker tar archive, with an unknown order of layers.

A file isn't deleted from a layer unless it was already created by a previous layer, this makes it possible to solve a dependency tree of the layers (this is what most solutions to this challenge did).

However, a much simpler solution is possible: sort the docker tar layers by mtime timestamp. The files created in the docker tar layers have different timestamps, accurate to one second.

Find the newest timestamp in each layer
Sort layers by their newest timestamp
Reconstruct the container image tarball with this layer order

DIY NAS / Router

2018-09-16T00:00:00Z

A 2-bay, low power, ARM-based NAS and router.

A custom NAS built inside a hot-swap HDD enclosure, with an acrylic side panel, using a Banana Pi BPI-R2.

Multitouch Calligraphy (Code Golf)

2018-01-23T00:00:00Z

Use a multitouch touchscreen device and try the demo. A larger tablet sized device is suggested, but a phone works.

Touch two fingers to the screen and drag to draw calligraphic pen strokes.

Code golfed down to 208 bytes.

Subreddit Gender Ratios

2017-12-31T00:00:00Z

Estimate subreddit gender ratios by using a "random" (not great) sample of users with gender identified from Reddit flair.

Google BigQuery, D3.js, Reddit API

Mathematica CTF Writeups

2016-08-30T00:00:00Z

Writeups for multiple cryptography and stenography CTF challenges solved with Mathematica.

Google CTF 2016: Little Bobby Application writeup

2016-05-01T00:00:00Z

Android blind SQLi by sending Intents and a BroadcastReceiver.

Mercurial arbitrary code execution

2016-03-29T00:00:00Z

CVE-2016-3105 Arbitrary code execution when converting Git repos

Mercurial 3.8.1

Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. Reported and fixed by Blake Burkhart.

convert: pass absolute paths to git (SEC)

CVE-2016-3068 Arbitrary code execution with Git subrepos

Mercurial 3.7.3

Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)

CVE-2016-3069 Arbitrary code execution when converting Git repos

Mercurial 3.7.3

Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

Mercurial remote code execution in GitHub Importer

2016-03-21T00:00:00Z

@bburky reported a remote code execution vulnerability in Mercurial that could be triggered during repository imports using GitHub Importer.

Git remote code execution via submodules and git-remote-ext

2015-09-28T00:00:00Z

Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. To protect users from accidentally trying to clone a malicious URL, Git submodule URLs were restricted to a safe set of protocols in Git v2.6.1.

Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.

CVE-2015-7545

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

Fix

git-submodule was restricted to a safe to set of submodules by default: GIT_ALLOW_PROTOCOL=file:git:http:https:ssh.

Additionally, inside git's http.c, libcurl was restricted to the same protocol whitelist. Libcurl's recusion depth was also limited to prevent a redirect loop from causing git to hang.

Core fonts for the Web web fonts

2014-05-06T00:00:00Z

The Microsoft Core fonts for the Web included Andale Mono, Arial, Arial Black, Comic Sans MS, Courier New, Georgia, Impact, Times New Roman, Trebuchet MS, Verdana and Webdings as TrueType fonts. Though Microsoft no longer distributes these fonts, the old versions may still be redistributed freely. However, the EULA specifies that the fonts may not be modified in any way.

But wouldn't it be fun to use them as @font-face web fonts? But sadly the original, redistributable, format is only either .exe or .sit.hqx files...

With sufficient usage of JavaScript, random HTML5 features (blob URLs in dynamically generated stylesheet rules) and emscripten-compiled cabextract, anything is possible.

Block to Block Game

2014-05-01T00:00:00Z

An HTML5 sliding block puzzle game

Originally written framework-less using the JavaScript Canvas 2D API directly. Rewritten in late 2017 to learn the Phaser game framework.

The original version supported both keyboard and multitouch input. The Phaser rewrite only supports keyboard input.

miniCodeEditor (Code Golf)

2013-12-07T00:00:00Z

I participated in golfing a few bytes out of @xem's MiniCodeEditor by using <iframe srcdoc="...">

An online HTML/CSS/JS playground in 62 & 142 bytes

Inspired by Codepen, JSFiddle, JSbin and dabblet

golfed by xem, p01, subzey, aemkei, rlauck, bburky, mmastrac and justecorruptio