Weekly Digest #59
Articles
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
- the attacker makes a PDF but gives it a .gif suffix so that iOS attempts to render it
- iOS rendering actually doesn’t care about the file name; it renders according to the file format, so it renders the PDF
- PDF supports a format called JBIG2, used by 90s Xerox scanners to compress scanned bitmaps. However, this PDF decoder has an integer overflow bug, allowing the attacker to use JBIG2 instructions to render a 4-byte bitmap and write to any memory location
- through some tricky combination, the attacker can apply AND/OR/XOR/XNOR operations to any memory location
- the attacker is able to assemble a mini-computer out of 70,000 JBIG2 instructions and use it to run the attack
Launching Eye of the Temple — this was my experience
Tutorials
Making HTTP requests with sockets in Python
HTTP is an application-layer protocol, which means that HTTP itself does not transport bytes to or from a remote endpoint. Instead, it relies on an underlying transport protocol, which in HTTP’s case is TCP.
Sockets on the other hand are an API that most operating systems provide to be able to talk with the network. The socket API supports different protocols from the transport layer and down.
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("www.example.com", 80))
# HTTP/1.1 requires a Host header; the empty line terminates the request
sock.send(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
response = sock.recv(4096)
sock.close()
print(response.decode())
To fix the blocking socket (an HTTP/1.1 server keeps the connection open by default, so a recv() loop that waits for the server to close never returns) we can:
1) disable the persistent HTTP connection
2) set a timeout on the socket
3) read the HTTP response headers to determine when to quit
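As an added example (my code, not from the tutorial above), the following Python client applies all three fixes at once: it sends Connection: close, sets a socket timeout, and reads the response headers to learn the Content-Length so it stops after exactly that many body bytes instead of waiting for the server to hang up. To keep it runnable offline it talks to a toy keep-alive server started in a background thread; that server, its canned response, and the names start_server, http_get and parse_head are assumptions made for this illustration.

```python
import socket
import threading

# Constructed canned response for the toy server below (not a real site).
CANNED_BODY = b"<html><body>hello</body></html>"
CANNED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html\r\n"
    + b"Content-Length: " + str(len(CANNED_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + CANNED_BODY
)


def serve_once(listener):
    """Answer one request with the canned response, then keep the connection
    open like a keep-alive server would, until the client hangs up."""
    with listener:
        conn, _ = listener.accept()
    with conn:
        conn.recv(4096)                 # read (and ignore) the request
        conn.sendall(CANNED_RESPONSE)
        try:
            conn.recv(1)                # returns b"" once the client closes
        except OSError:
            pass


def start_server():
    """Start the toy server on a free loopback port and return that port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=serve_once, args=(listener,), daemon=True).start()
    return port


def parse_head(raw):
    """Split raw bytes at the blank line into
    (status line, lower-cased header dict, leftover body bytes)."""
    head, _, leftover = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, leftover


def http_get(host, port, path="/", timeout=5.0):
    """GET path over a raw TCP socket without blocking on a persistent connection."""
    # Fix 2: a timeout so a silent server cannot block us forever
    sock = socket.create_connection((host, port), timeout=timeout)
    with sock:
        # Fix 1: ask the server not to keep the connection open after the response
        request = (
            f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n"
        ).encode("ascii")
        sock.sendall(request)

        # Fix 3: read until the headers end, then exactly Content-Length body bytes
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before headers were complete")
            buf += chunk
        status, headers, body = parse_head(buf)
        length = int(headers.get("content-length", "0"))
        while len(body) < length:
            chunk = sock.recv(4096)
            if not chunk:
                break                   # server closed early; return what we have
            body += chunk
    return status, headers, body[:length]


if __name__ == "__main__":
    port = start_server()
    status, headers, body = http_get("127.0.0.1", port)
    print(status)
    print(headers)
    print(body.decode())
```

The toy server deliberately ignores Connection: close and leaves the socket open, which is exactly the situation that made the original recv() block; because the client stops after Content-Length bytes, it returns immediately anyway, and the timeout covers a server that never answers at all. Responses using chunked transfer encoding are not handled here.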
Tools
PCB Business Card, the steps I followed to create this Business Card made out of PCB material
deeplinks.js allows people to easily link directly to any text selection on your website.
Off-topic
In San Francisco, the mother works full-time, drains her savings, but still can’t make ends meet and is forced to move away. Meanwhile, her daughter has lived on the streets for nine years, in an ironically carefree and stable state.
When HDMI 2.1 was introduced, HDMI 2.0 was deprecated. This results in devices that only have HDMI 2.0 features being labeled as HDMI 2.1, causing lots of confusion.