Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Tavis Ormandy Profile picture
@taviso
Jun 6 β€’ 11 tweets β€’ 3 min read β€’ Read on X
The libarchive e8 vulnerability is actually really cool, but the ZDI advisory doesn't explain why it's so wild lol. For some reason, I know about RAR filters, so let me provide the background. 🧡 1/n
E8 preprocessing is an old trick to improve compression of executables. All relative calls to the same function will be encoded differently, but... if you temporarily replace them with absolute calls, they'll be identical. More duplication = better compression! 2/n Image
I promise you will never guess how RAR implemented their e8 filter.... They added a bytecode interpreting VM called RarVM, and let you embed little programs for it into archives that the decompressor would automatically execute (!!!). 3/n Image
I know about this because I wrote an assembler and linker for this format for fun once πŸ˜‚ 4/n

github.com/taviso/rarvmto…
Image
RarVM was never widely adopted, and eventually it was deprecated. There were a few filters that were actually used, and archives that used them wont decompress correctly without them. Naturally, a solution is needed... 😬 5/n
The solution libarchive implemented was to emulate some of the most popular filters natively. They checksum any embedded bytecode to see if it's one of the filters it recognizes. If it is, it will emulate it for you and your archive will work...πŸ€·β€β™‚οΈ6/n Image
The vulnerability is in one of these native filter emulations. The preconditions here are very weird... you can only reach the buggy code if you embed a bytecode program in a RAR archive for a dead VM architecture, and it must have a CRC32 of 0x35AD576887...πŸ˜‚ 7/n
It doesn't stop there, RarVM programs could accept parameters that were embedded in the archive headers! Naturally libarchive has to emulate that too, or the filters won't work properly.... 8/n
These parameters are called "Initial Registers", because originally they were literally the values placed in registers when the VM started (a bit like regparm in gcc). The vulnerability here is that a parameter was not validated, could underflow and become very large. 9/n Image
The result is that the filter would start patching anything that looked like a call instruction all over the heap! This is just a standard memory corruption, but what a wild backstory lol πŸ˜‚ 10/n
Here is the original ZDI advisory! zerodayinitiative.com/blog/2024/4/17…

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with Tavis Ormandy

Tavis Ormandy Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @taviso

Tavis Ormandy Profile picture
Jul 10, 2022
@gamozolabs Hear me out, this is what makes me think it's a bit! He spent hours questioning the "mobile" credentials of respected researchers, then posted this blog post where he stumbles around trying to identify an APK. That's funny. But... there are more layers...
@gamozolabs He spots a java type signature in the strings, and thinks it has something to do with smali, a dalvik assembler. How is it possible to know what a bytecode assembler is but not a type signature? That doesn't add up. 2/4
@gamozolabs You can see from his screenshot this is some serialized keystore object! He totally ignores a telltale filenames like classes.dex, but recognizes a serialized object? It's not possible! 3/4
Read 4 tweets
Tavis Ormandy Profile picture
Sep 28, 2020
I've been experiencing a really bad Windows 10 bug since the 2004 update. I got so annoyed I spent my weekend debugging it. A specific type of scheduled task can break CryptUnprotectData(). If you've seen apps losing state, eventid 8198, or NTE_BAD_KEY_STATE, could be this.
Here is how to check, run this powershell as Admin:

Get-ScheduledTask | foreach { If ($_.Principal.LogonType -eq 'S4U') { $_ } }

If it lists tasks, whenever they run DPAPI will stop working until you reauthenticate. This will break everything using CryptProtectData().
The bug is the RPC UBPM (Unified Background Process Manager) uses to create the S4U (Services For User) Token for task scheduler will sometimes clobber your saved credentials in LSASS. That is used to derive your DPAPI User Encryption Key, so it changes and no longer works!
Read 5 tweets
Tavis Ormandy Profile picture
Nov 2, 2019
Is there a secret to making vbtables look good in Hex-Rays? This is the best I can come up with, and an example decompiled call. I can just about read it (call second vftable entry on SubClass1, __thiscall with one param), but is there a cleaner way? ImageImage
Just to clarify, I'm talking about vbtables (virtual base tables) not vftables (virtual function tables). vbtables are how the compiler implements virtual inheritance, here is an excellent summary from @IgorSkochinsky (pp. 6-8) hexblog.com/wp-content/upl…
@IgorSkochinsky It was pointed out to me privately that you can mark the offset as a offset into the vftable ('t' in Hex-Rays), then you can get this->base.data[this->base.__vbtable->SubClass1_idx] + offsetof(SubClass1_vtbl, MethodName))(...). It's a *little* easier to read. 😐
Read 4 tweets
Tavis Ormandy Profile picture
Oct 14, 2019
I got nerd sniped this weekend. I was playing the game Borderlands 3, this game has a huge variety of weapons, so part of the fun is finding new weird ones. Anyway, in one of the main areas there's this cool looking chest you can't open. 1/n
It turns out you need "golden keys" to open it, and to get them - I'm not making this up - you need to follow the CEO of the game publisher on twitter, and occasionally he tweets out codes you type in (??). 2/n
If you asked me to build this system, the codes would be randomly generated and inserted into a database with their attributes (reward, expiry date, etc). However, I noticed the codes are clearly not random, some are visually quite similar. Here are two examples. 3/n
Read 7 tweets
Tavis Ormandy Profile picture
Feb 15, 2019
I made a modest bet that would recover after the @BW trash story, and it recovered most of those losses this morning after strong results and zero supporting evidence ever appearing from Bloomberg.
I made a tidy profit, and would like to donate some of it to an organization that promotes higher standards in journalism, suggestions? I'm keeping some for putting up with things like "Does it even matter if it happened?" πŸ˜‚
A few people suggested @propublica, so here we are, @BW's low standards have now helped support @propublica's high standards πŸ˜‚ Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(