Hacker News new | ask | show | jobs
by Retr0id 2 hours ago
I took a look at the Ghidra ones (because I use Ghidra), and I'm unimpressed: https://github.com/bikini/exploitarium/blob/main/ghidra-12.1...

The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.

The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).

The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
6 comments
ofjcihen 22 minutes ago
Was just thinking it would be hilarious if these were all known CVEs hiding the next Shai-Hulud inside of them and waiting to compromise security hobbyists rushing to download them.
link
Retr0id 18 minutes ago
It wouldn't be the first time!
link
woodruffw 44 minutes ago
The Gitea one looks marginally interesting, but is probably not exploitable in practice (unless Gitea or whoever else isn’t properly isolating jobs on dedicated VMs). I suspect GitHub Actions has similar behavior and is not considered exploitable because the user is assumed to already have local, non-namespaced root access.
link
andrepd 1 hour ago
> Yes, if you overwrite binaries executed by ghidra, you can trigger code execution.

> but it's probably worth noting that "RMI" stands for Remote Method Invocation

This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322

link
ryukoposting 58 minutes ago
I'm no expert on any of these programs, but that's kinda the problem, isn't it? No single person is an expert on every codebase supposedly exploited in this repo.

After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.

This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.

link
trinari 44 minutes ago
I actually prefer them being public than in some governments or corporations toolbox
link
DANmode 5 minutes ago
> Nobody benefits from this

Disclosures always enable more secure software to theoretically exist,

even if nobody follows through creating it.

They often do.

link
skerit 1 hour ago
I immediately saw the Ghidra one and was thinking: huh?
link
firefax 1 hour ago
The bigger takeaway is someone that smart is pissed off and dropping their shit with zero warning... but hey, that's just like, my opinion man.
link
Retr0id 1 hour ago
You don't need to be pissed off to decide that immediate public disclosure is the best option.
link
firefax 39 minutes ago
Ok, I don't know their emotional state. Fair point.

Maybe I'm projecting my own biases ;-)

link