Anonymous GitHub account mass-dropping undisclosed 0-days

Posted by binyu 6 hours ago

Anonymous GitHub account mass-dropping undisclosed 0-days(github.com)

453 points | 180 commentspage 3

jmward01 4 hours ago|

I think people may miss the point of a repo like this. Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger. Get enough pieces to fit together and you actually have something. This is the 'FOUO' idea in security. Enough open information gathered together in one place crosses the boundary from 'just public info' to 'secret stuff here!'. Now we have automatic puzzle solvers (coding assistants) a repo like this becomes a lot more meaningful.

esikich 4 hours ago|

Yep and typically none of this is meaningful unless you have no security practices at all. You can't have it both ways. Every security team says these things are all critical even though, for example, it's only being used internally. Cool, so you somehow have our network cert, are on site physically, have compromised a laptop fully without all of our tools detecting weird shit, have a password, admin access to the repo, somehow are spoofing MFA, etc etc. Yeah it all adds up, but as an admin I'm just fucking done dropping everything for these kinds of things.

tliltocatl 5 hours ago||

A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.

Retr0id 5 hours ago||

No, the days start counting from the availability of a patch.

rmast 4 hours ago|||

I was thinking that the other definition was right and this correction was wrong.

Then I did some searching and found multiple examples of both definitions in use, making things murky.

So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”

And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.

0123456789ABCDE 4 hours ago|||

what if a path is never released?

richbell 4 hours ago|||

I've only heard it used as Retr0id's definition.

cubefox 3 hours ago||

> A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it.

No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.

The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.

johnwheeler 5 hours ago||

That's one way to do it.

grayhatter 4 hours ago||

> At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. I do this so to allure people into the field, and I've always found this is the most efficient way.

I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I will feel a little less alone", it actually is.

I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.

You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse wont make you less angry.)

d-cc 23 seconds ago||

>I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I will feel a little less alone", it actually is

Please name the "victims" here.

voodooEntity 4 hours ago|||

While i can follow your path, maybe because i see the same, i sadly have seen in groups of friends how this can go sideways very fast. If you report things, some companies gone treat you as a criminal/offensive actor and even go legal actions against you even you just tellem here you got this vuln.

Sure you than can do it anonymous and so on but point is : its not like every actor that gets notified will react thankful to it. Some even just ignore it.

sellmesoap 3 hours ago|||

User/admin discretion for software they use should be a big factor, sometimes getting burned is how you learn to play with fire. Or decide that having your data/participation disrespected means you need to set harder boundaries. My solution is to try things in isolation, run very few services, try to avoid becoming dependent on the online, appreciate the offline and local first.

esikich 4 hours ago||

How bad are your security practices that these tiny obscure things matter? None of these findings that show up here on HN should even make you flinch. The alarmist takes on this stuff is fucking exhausting and I'm tired of security teams bugging me about it. Do your job and this shit doesn't matter AT ALL.

grayhatter 3 hours ago||

I said "doesn't matter" to someone once... the resulting lesson came in the form of a reply from the whitehat researcher (waves, hi brian!) a 16step exploit chain resulting in a one click full account takeover.

I'm equally annoyed and over the alarmist takes. But I don't think it's fair to group mine into it. I'm annoyed at seeing discard respect for others into the same void everyone is happy to toss quality.

Do these tiny things matter? No, not to the default-panic-level everyone adopts when they see 0day, or CVE... but duh, I'm now just repeating exactly what you already said. That no, for the record is mostly because I don't use any of these, not just because they're boring exploits. While I always look, I default assume anything CVE is boring/pointless. But I still read them.

But then, I'm not trying to convince the owner of the repo. I'm trying to discourage the theme among researchers that "no one cares", because I have seen researchers disclose bugs publicly, that we'd be eager to pay out on, because they disagreed with the decision on their last report.

I've fixed bugs being actively exploited against our users, that was found/fixed only after a whitehat report for something adjacent (we pay on those btw, and you should too). I don't wanna live in the world where it's easier for the bad guys, the only way we get there is once "everyone knows", you gotta report the all bugs that you can turn into an exploit. I don't want "the whitehat researcher culture" to move towards, who cares' dump the PoC on github, screw anyone that could be hurt by the bad guys, they deserve to be punished for the incompetence of others. SWE's are shit at security, security researchers are shit at SWE, the only way we get the good outcome, is if they're willing (and encouraged) to work together.

esikich 3 hours ago|||

No one is doing 16 step exploits unless you're a huge target in some way. 0.0000001% of companies fit that bill. And even then, ok, what did they get? An account login? What are they doing to do? Read email? Then what? "Use it for social engineering"? Who cares, you have MFA right? You have a firewall? You don't allow people to randomly jump from box to box via RDP? You have basic security and auditing on your fileshares? EVEN THEN, what, they get a spreadsheet from your last town hall meeting? I'm also tired of pretending that 99.999% of the data in a company even matters. Unless they have some way to cryptolock your whole company, AND you don't have backups/snapshots without any basic access security, there isn't a lot of value to be taken. Security "teams" are a bunch of fucking busybodies with nothing to do. Pay for a competent admin team and the security dept is completely redundant and useless.

DANmode 3 hours ago|||

That’s a whole lot of “we” to not mention which company you’re at that supposedly plays well with security researchers/has a proper bug bounty.

cubefox 2 hours ago||

Even if the company doesn't have a big bounty publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.

ohadkr 5 hours ago||

Open source is the best

jiug 4 hours ago||

"Cibercrime is cringe"

yuvrajsa 4 hours ago||

[flagged]

huflungdung 1 hour ago||

[dead]

haberdasher 4 hours ago||

"cybercrime is cringe"

segmondy 4 hours ago|

What if this person is from an AI lab that really wants the govt to keep suppressing Mythos/Fable & GPT5.6? It's what I would do, the timing couldn't be any better.

0123456789ABCDE 4 hours ago|

wouldn't it be trivial to match the repo to the user logs?