Commit f31dfc2

chore: update feed state [2026-04-20]
1 parent 386f86a commit f31dfc2

4 files changed

Lines changed: 38 additions & 2 deletions

logs/urls.txt

Lines changed: 5 additions & 0 deletions
@@ -150,3 +150,8 @@
150150
[2026-04-18] https://falconforce.nl/northsec-may-2026/
151151
[2026-04-19] https://avi.im/blag/2026/etilqs/
152152
[2026-04-19] https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html
153+
[2026-04-20] https://blog.doyensec.com/2026/04/20/cfitsio-fuzzing.html
154+
[2026-04-20] https://starlabs.sg/blog/2026/02-pickling-the-mailbox-a-deep-dive-into-cve-2025-20393/
155+
[2026-04-20] https://starlabs.sg/blog/2026/01-8th-anniversary-embrace-the-new-but-dont-forget-the-old/
156+
[2026-04-20] https://starlabs.sg/blog/2025/12-2025-we-broke-things-we-built-things-we-broke-even-more-things/
157+
[2026-04-20] https://starlabs.sg/publications/ai-accelerated-exploiting-compromising-mte-enabled-pixel-from-dsp-coprocessor/
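Review bot: this hunk appends five URLs for 2026-04-20, but state/processed_urls.json in the same commit records seven new entries for that date (the lockboxx and fortbridge URLs have no line here), and three of the five logged starlabs entries (the 2026/01, 2025/12 and publications paths) get no post file in this commit, so the log and the state file disagree about what was actually fetched and published. The log should be the audit trail for the pipeline: every URL that advances the state file should appear here, and an entry that is deliberately not turned into a post should carry a marker on its line, for example `[2026-04-20] https://... (skipped: older than cutoff)` (the reason text is a suggestion, the page does not say why these were skipped).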
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "CFITSIO Fuzzing: Memory Corruptions and a Codex-Assisted Pipeline"
4+
date: 2026-04-20 03:13:10 +0300
5+
categories: [RSS]
6+
tags: [fuzzing, memory-corruption, parser, file-format, afl]
7+
toc: true
8+
---
9+
10+
Doyensec describes fuzzing the widely used CFITSIO FITS-parsing library and finding multiple memory-corruption issues, first with a generic AFL++ campaign and then by targeting the library's Extended Filename Syntax (EFS) parser. The key attack surface is that functions like `fits_open_file` do more than open a path: bracketed filename expressions can trigger extension lookup, image slicing, arithmetic on columns, filters, and temporary file creation before the application reads any data, so untrusted filenames can reach a large parser/evaluator stack. The write-up says triage reduced many crashes to a small set of root causes including operator-precedence bugs, unchecked token lengths, and unbounded concatenations, with AFLtriage used to cluster crashes and ASAN-instrumented rebuilds used to verify fixes. The novel angle is the workflow automation: Codex was used to generate harnesses and dictionaries, analyze crash reports to the function/offset/control-flow level, propose patches, and drive a rebuild-and-regression loop that let fuzzing continue past shallow crash states.
11+
12+
[Read original article](https://blog.doyensec.com/2026/04/20/cfitsio-fuzzing.html){: .btn .btn-primary }
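Review bot: `toc: true` on line 7 of this front matter enables a table of contents for a post whose body is one paragraph with no headings, so the TOC will render empty; set `toc: false` for these feed summaries or drop the key and let the layout default apply. The `date` value `2026-04-20 03:13:10 +0300` on line 4 is the pipeline run time rather than the article's publication time, and it uses a +0300 offset while `last_updated` in state/processed_urls.json is written in UTC; recording the source publish date (or at least one consistent zone across the repo) keeps post ordering meaningful.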
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "Pickling the Mailbox: A Deep Dive into CVE-2025-20393"
4+
date: 2026-04-20 03:13:11 +0300
5+
categories: [RSS]
6+
tags: [rce, deserialization, pickle, integer-overflow, cisco]
7+
toc: true
8+
---
9+
10+
This write-up reverse engineers CVE-2025-20393 in Cisco Secure Email Gateway and Secure Email and Web Manager, showing how an unauthenticated attacker can reach remote code execution through the End User Quarantine service on port 83. The root cause is a single-byte length overflow in the EUQ RPC protocol: AsyncOS 15.5.3 uses Python 2.6, where `struct.pack('>B', 256)` silently truncates to `0x00` instead of raising an error, allowing crafted `source` or `destination` lengths to desynchronize message parsing. The malformed RPC message can then steer execution into unsafe Python `pickle` deserialization, turning the parser confusion into code execution with a single HTTP request. The analysis is valuable because Cisco's advisory only cited improper input validation, while this post reconstructs the exact exploit chain, affected component (`CommandMessage.py` / EUQ RPC), and why the legacy Python runtime made the bug exploitable.
11+
12+
[Read original article](https://starlabs.sg/blog/2026/02-pickling-the-mailbox-a-deep-dive-into-cve-2025-20393/){: .btn .btn-primary }
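Review bot: nothing in this front matter identifies the post as an auto-generated summary or names its source beyond `categories: [RSS]`; the only provenance is the link line at the bottom of the body. Since the body asserts specific technical claims (an AsyncOS version, a Python 2.6 `struct.pack` behaviour, an affected file name) that readers will want to check against the primary source, add a front-matter key carrying the source URL and its publication date, e.g. `source: https://starlabs.sg/blog/2026/02-pickling-the-mailbox-a-deep-dive-into-cve-2025-20393/` (key name is a suggestion), so templates and feeds can surface the origin consistently. The same empty-TOC issue as the first post applies: `toc: true` with a single-paragraph body.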

state/processed_urls.json

Lines changed: 9 additions & 2 deletions
@@ -1349,7 +1349,14 @@
13491349
"https://www.datadoghq.com/blog/governance-console/": "2026-04-18",
13501350
"https://falconforce.nl/northsec-may-2026/": "2026-04-18",
13511351
"https://avi.im/blag/2026/etilqs/": "2026-04-19",
1352-
"https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html": "2026-04-19"
1352+
"https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html": "2026-04-19",
1353+
"http://lockboxx.blogspot.com/2026/04/dont-run-this-game-inside-myth-journey.html": "2026-04-20",
1354+
"https://fortbridge.co.uk/pentesting/prompt-injection-attacks-how-we-test/": "2026-04-20",
1355+
"https://blog.doyensec.com/2026/04/20/cfitsio-fuzzing.html": "2026-04-20",
1356+
"https://starlabs.sg/blog/2026/02-pickling-the-mailbox-a-deep-dive-into-cve-2025-20393/": "2026-04-20",
1357+
"https://starlabs.sg/blog/2026/01-8th-anniversary-embrace-the-new-but-dont-forget-the-old/": "2026-04-20",
1358+
"https://starlabs.sg/blog/2025/12-2025-we-broke-things-we-built-things-we-broke-even-more-things/": "2026-04-20",
1359+
"https://starlabs.sg/publications/ai-accelerated-exploiting-compromising-mte-enabled-pixel-from-dsp-coprocessor/": "2026-04-20"
13531360
},
1354-
"last_updated": "2026-04-19T03:12:15.092038+00:00"
1361+
"last_updated": "2026-04-20T03:13:12.710353+00:00"
13551362
}
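Review bot: the `http://lockboxx.blogspot.com/...` key on line 1353 is stored with the scheme exactly as the feed served it, so if a later fetch yields the same article as `https://...` the dedup lookup will miss it and the item will be processed again; normalize keys (scheme, trailing slash, tracking query parameters) before both the lookup and the insert. This hunk also marks the lockboxx and fortbridge URLs as processed on 2026-04-20 although neither appears in logs/urls.txt nor gets a post file in this commit, so the state file is advancing past items the pipeline did not publish; either record why they were skipped or defer marking them processed until a post exists, otherwise a transient fetch failure is silently converted into a permanent skip.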
