Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
farmpoet Profile picture
farmpoet
@f4rmpoet
Cyberspace cowboy Infosec research
Aug 22 25 tweets 6 min read
Let's explore China’s 0-day vulnerability research capabilities.
I’ve long been intrigued by the prolific nature of Chinese teams in discovering vulnerabilities. Over the past months, I’ve gathered some data and analyzed reported vulnerabilities to gain a deeper understanding.🧵 Image Since September 2021, the Chinese government has mandated that any Chinese researchers, businesses, or even foreign companies operating in China who discover 0-day vulnerabilities must report the details to the Chinese Ministry of Industry and Information Technology (MIIT)
Aug 19 24 tweets 7 min read
It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE).
I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light.
This time I'll focus on my workflow and thought process as we go. 🧵 MSFT advisory pretty much tells us where to look.
Our target is the tcpip.sys kernel driver which got an update during last patch tuesday.
For the analysis I picked binaries for Windows 11 23H2, builds 3958 (pre-fix) and 4036 (post).
Diffing shows a single function has changed. Image
Jun 29 10 tweets 3 min read
Some final notes on CVE-2024-30078 (wifi RCE) exploitability.
If you haven't already done so, I recommend you first take a look at my previous thread on the subject.
🧵

As previously noted, the native driver does not account for 4 extra bytes when the ether type is 0x8100 (Vlan tagged net).
Since the packet is rewritten on the original buffer, it will do so 4 bytes ahead of what is was supposed to because of the dot1q header that should exist.
Jun 23 9 tweets 2 min read
MSFT released a patch for CVE-2024-30078 (Wi-Fi Driver RCE) on June cumulative update, however details on the advisory have been very limited.
I'm leaving some quick notes from a quick reverse engineering of the patch that hopefully will shed a little more light on the issue. 🧵 I am not an expert on wireless network protocols so feel free to correct me or add up on the provided info in the comments or through a DM.
The patch targets Dot11Translate80211ToEthernetNdisPacket() of the native wifi driver (nwifi.sys).
Jan 7, 2022 11 tweets 5 min read
Inspired by @osxreverser analysis of NSA BPF port-knocking implant, I decided to take a 2nd look at #ShadowBrokers leak of windows implants. Lo and behold, a couple of hardly mentioned kernel drivers (#DoormanGauze and #FlewAvenue) caught my attention. (1/11) Information publicly available on these drivers is scarce and for the most part flat out wrong. Instead of going for the usual deep-dive blog post, lets try a light-speed tweeter thread analysis. In this thread we'll take a brief look at #DoormanGauze. (2/11)