David Buchanan
Reverse Engineering, cryptography, exploits, hardware, file formats, and generally giving computers a hard time. Occasional CTF player. Fedi: @retr0id@retr0.id
Mar 21, 2023 7 tweets 2 min read
🧵 How to mitigate Acropalypse, server-side:

If you run a CDN or similar, there's a fairly cheap technique you could use to transparently mitigate Acropalypse without having to re-process any of your stored data. (and save some bandwidth too!) Write a filter (nginx plugin?) that strips any data found after the IEND of PNGs, in-flight. The logic required to do this is quite simple - my blog post about the structure of PNG files should cover everything you need to know: da.vidbuchanan.co.uk/blog/hello-png…
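The in-flight filter described above, written out as an added example in Python (it is not code from the thread or from the author's blog). It walks the PNG chunk list from the signature, locates the IEND chunk, checks that IEND is empty and carries the fixed CRC every PNG IEND has, and returns the body truncated right after it; non-PNG bodies pass through untouched, and a PNG with no well-formed IEND raises rather than guessing where to cut. The 1x1 image and the trailing bytes are constructed here for the demo and stand in for the leftover compressed data a cropped screenshot would carry.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IEND_CRC = 0xAE426082  # CRC-32 of the four bytes b"IEND" (IEND has no payload)


def png_iend_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset one past the IEND chunk's CRC.

    Everything at or beyond this offset is not part of the image; trailing data
    left after IEND is exactly what an Acropalypse-style leftover looks like.
    Raises ValueError when the data is not a PNG or ends before a well-formed IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    first = True
    while True:
        if pos + 8 > len(data):
            raise ValueError("no IEND chunk found before end of data")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if first and ctype != b"IHDR":
            raise ValueError("first chunk is not IHDR")
        first = False
        chunk_end = pos + 8 + length + 4  # length field + type + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of data")
        if ctype == b"IEND":
            (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
            if length != 0 or crc != IEND_CRC:
                raise ValueError("malformed IEND chunk")
            return chunk_end
        pos = chunk_end


def strip_trailing_png_data(body: bytes) -> bytes:
    """Response-body filter: drop anything after IEND; pass non-PNG bodies through."""
    if not body.startswith(PNG_SIGNATURE):
        return body
    return body[:png_iend_end_offset(body)]


# --- constructed sample input (not a real screenshot) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A minimal valid 1x1 RGB PNG (one red pixel), built here for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter byte 0 + one RGB pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_sample_png()
    # Constructed stand-in for leftover compressed data from the pre-crop image.
    leaked = clean + b"\x00" * 16 + zlib.compress(b"LEFTOVER PIXEL DATA" * 8)
    out = strip_trailing_png_data(leaked)
    print(len(leaked), "->", len(out), "bytes; trailing data removed:", out == clean)
```

This version buffers the whole body, which is fine for a proof of concept; a real nginx body filter would track the same chunk-walk state across buffers and stop forwarding bytes once it has emitted the IEND CRC. Checking the IEND length and CRC costs nothing and keeps the filter from cutting at a stray "IEND" string that happens to sit inside an oversized chunk length.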
Mar 21, 2023 11 tweets 3 min read
holy FUCK.

Windows Snipping Tool is vulnerable to Acropalypse too.

An entirely unrelated codebase.

The same exploit script works with minor changes (the pixel format is RGBA not RGB)

Tested myself on Windows 11:

- Take a screenshot.
- Press the save icon.
- Crop the screenshot.
- Press the save icon and save to the same file (the default!)
Nov 3, 2022 10 tweets 2 min read
Twitter supports 4k 60fps video uploads!

Here's how to do it 🧵

[Image: A screenshot of the DASH Reference Client (a web-based video…]

Step 1:

Package your media file in the standard MPEG-DASH streaming format. You may need to tweak your encoder settings to make sure that the fragment size doesn't go above 5MB.

ffmpeg and Bento4 are the only tools you need. Use mp4dash's "-use-segment-list" option.
Sep 26, 2022 4 tweets 1 min read
Pack arbitrary shellcode into an executable that always has the same MD5 hash:

github.com/DavidBuchanan3…

This tool makes hashquines trivial:

[Image: C source code screenshot: static char message[] = "My…]
Sep 23, 2022 11 tweets 4 min read
The image in this tweet displays its own MD5 hash.

You can download and hash it yourself, and it should still match - 1337e2ef42b9bee8de06a4d223a51337

I think this is the first PNG/MD5 hashquine. This was particularly tricky to make work because the image data in a PNG needs to have a valid adler32 checksum, *and* a valid crc32 checksum.

Each hex digit "pixel" needed its own colliding block, generated with UniColl. There are 448 of them, taking over 24h to compute.
Aug 3, 2022 5 tweets 1 min read
My desktop has decided that today is the day to stop POSTing. I blame the motherboard, but it's particularly bad timing because I have a new GPU arriving today so I can't test it.
Aug 2, 2022 5 tweets 1 min read
is io_uring turing-complete yet?

[Image: A screenshot of include/uap...]

Just need IORING_OP_IO_URING_ENTER to be added...
Jul 16, 2022 16 tweets 5 min read
I've always wanted to put a USB-C port in an iPhone, but didn't want to risk breaking a good phone. So here's the cheapest iPhone SE I could find on ebay - and cheapest type-C to lightning adapter

[Image: A rose gold iphone SE 1st generation, with cracked screen an…]

There's not a lot going on inside the adapter (I did test it first, and it does support both charging and data)

[Image: The internals of the lightning to usb C adapter. There's not…]
Jun 10, 2022 9 tweets 2 min read
What if 6502 assembly was more pythonic?

[Image: Code screenshot: UART_CTRL = Addr(0xa000) UART_DATA = Addr(…]

This is working code - I might try writing something non-trivial later, to see if it's actually practical.

Not shown in the screenshot, but it supports symbolic expressions based on labels etc. (expression evaluation is deferred until the instruction layout is known)
May 11, 2022 6 tweets 2 min read
I came up with a new(?) compression-based steganography technique, which should work with most compressed file formats or protocols (e.g. PNG, or even HTTP).

It hides data as "mistakes" made by the compression algorithm. Each sub-optimal compression decision encodes ~1 bit.

[Image: A photograph of a vibrant s...]

You can use this script to decode the hidden message in the above tweet: gist.github.com/DavidBuchanan3…

I might release a tool once I've polished it up a bit (I haven't implemented dynamic huffman codes yet, which limits my compression ratios)
Feb 3, 2022 6 tweets 3 min read
Successful electromagnetic fault injection on an Arduino running AES-128, using a bbq igniter.

I didn't have any ferrite, so I used a screwdriver bit - seems to work ok. I believe this fault pattern is indicative of a successful round 9 fault.
Dec 23, 2021 6 tweets 2 min read
I just wrote my first V8 exploit, targeting WebOS 😎

The unusual thing is, it's LPE not RCE, and it doesn't exploit any bugs in V8 itself. The issue is due to LG using it unsafely - I'll explain what I mean by this at some point in the future, once I figure out disclosure.

[Image: sideloaded webapp -> local root]