hackerfantastic.x
Co-Founder @myhackerhouse cyber security assurance & hacker training ~ ISBN9781119561453 ~ a book on professional hacking. Offensive Lua project.
May 1 9 tweets 2 min read
Lennart Poettering intends to replace "sudo" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.
This isn't the only bug, of course. It's not possible on Linux to read the environment of a root-owned process, but as systemd creates a service in the system slice, you can query D-Bus and learn sensitive information passed to the process env, such as API keys or other secrets.
Jan 2 12 tweets 3 min read
Stinger is a Vault7 privilege escalation module from "Fine Dining". The only information is that it is a "UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator" - the video shows my implementation. I started with only the information above and tried to work out what this UAC bypass could be. It turns out you can read the process token of an auto-elevated binary (even on Win 11!): ShellExecuteEx returns a process handle to the high integrity process and you can access its token.
Dec 30, 2023 20 tweets 4 min read
This is more likely the work of an intelligence agency, not an APT. An APT is a contractor service organized by or reporting to the intelligence agencies of a nation-state or an OCG, and it does not have the same level of bureaucracy with payload delivery. The selective targeting gives it away. I do not consider GCHQ or NSA TAO as APT in the traditional sense; they are a vastly superior threat when compared to a contractor hired by, say, the FSB to steal western secrets through drive-by downloads. There is cross-over, but one is a wide industry threat, the other very specific.
Dec 22, 2023 10 tweets 3 min read
Here is an example of the CIA's Marble Framework being used in a simple project to obfuscate and de-obfuscate strings. I used AI to re-create the missing library and components needed to use the framework in Visual Studio projects, usually handled inside the CIA with the "EDG Project Wizard".
This shows the complete workflow that an analyst would use when creating malware at the CIA using Marble for string obfuscation. An attacker could essentially now follow leaked wiki instructions to obfuscate their strings in runtimes they create. More: wikileaks.org/ciav7p1/cms/pa…
Mar 30, 2023 7 tweets 3 min read
The "EU Digital Green Certificates (DGC)", which were implemented to curb freedom of movement unless individuals gave over medical decisions to their government, against all of our human rights, have been leaking the Health Authority of Bulgaria's private keys since 2021. #NoGreenPass The above private key could be used to authenticate to the "on-boarding gateway" and falsify health records as authentic & valid from Bulgaria. Additionally, as it allowed authentication, it could've been used to exploit Log4Shell (post-authentication), which was patched last year.
Jan 2, 2023 5 tweets 2 min read
👀 French police stopped a woman driving a car in someone else's name on suspicion of drug use and discovered a wireless hacking device in the trunk. Professional looking build too. It's so beautiful, power modules on top, fans for cooling, what look like modular radio blocks, amp, filter, SDR radio and the icing on the cake is the "decoy" antenna system made to look like a hotspot. Whatever they are hacking with this, someone spent money to build it.
Sep 29, 2022 14 tweets 3 min read
The Iranian CIA source webpage that assets were instructed to use, which we keep hearing about as faulty? They were sent to iraniangoals[dot]com and instructed to enter a password to message CIA handlers.. in a search box called "password"😂

<input type="password" id="pw" size="20" value=""> "clandestine" operations....