The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
show comments
dvt
Went over a few of these with a pretty keen eye, and they aren't that particularly interesting. The Docker one is just a weird bug, it's not a vulnerability, and certainly not a "0-day" (which is a pretty loaded term and people expect bad stuff to happen).
The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).
The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.
Am I missing something here?
doe88
0-days-vibes-vulns? There should be a new category, for spotting and handling the em-dashes of this brave new world of vulns and making the old fossils like me only picking my head up for the old painfully still hand-crafted artisanal ones instead. A kind of label, like free-range for eggs, in sum.
show comments
Tiberium
Are they all actually 0-day? I think a lot of them are from disclosed CVEs/code that were already fixed upstream. It often seems like the term "0-day" has lost most of its meaning today and people often use it to refer to any exploits.
show comments
drob518
There is going to be a flurry of this sort of stuff as the AIs get smart enough to find them. It will naturally die down as the legitimate ones are fixed. Yes, there will always be some level of this, but I’d expect it to be low and the exploits found to be increasingly complex. This is a time of transition.
show comments
xlayn
I want to rush to git clone, but as things are, the odds are extremely high that this kind of things that are too good to be real are honeypots and something there will compromise your machine or make your llm start working for someone else...
show comments
ok123456
Pretty unimpressive as security vulnerabilities. It would be better to just say these are simple bugs for the most part.
show comments
bassiee
I also have a library of bugs I found using Claude Opus 4.8 through the Customer Verification Program. Undisclosed, Atp I dont even know if they have been found by someone else. But just like this repo
Theres a bunch of very specific scenario DoS bugs, buffer over/ underflows, that will get caught by ASLR and whatnot
When I report serious ones, mostly the devs will respond with something like, yeah, thats how we designed it in a dangerous way, so that the layer above or below can solve the issues, and other footgun stuff.
merelydev
Most of the exploits are for opensource/free software.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
show comments
kodareef5
trying something new? this is interesting. the problem is that submitting reports is too slow. if you find one then your not supposed to share. but then over the next 90 days you learn no one cares and 13 other people submitted it before you, 43 after. maybe better that we just know. so we can run code we can trust sooner. zero is the proper number of dependencies. otherwise assume its broken.
jdw64
I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
show comments
mrbluecoat
A surprising amount of documentation if the actor was just LLM-dropping these..
show comments
hypercain
Mythos has been achieved internally
functionmouse
we have got to stop putting our bank accounts and SSNs on computers
show comments
tliltocatl
A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.
show comments
jmward01
I think people may miss the point of a repo like this. Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger. Get enough pieces to fit together and you actually have something. This is the 'FOUO' idea in security. Enough open information gathered together in one place crosses the boundary from 'just public info' to 'secret stuff here!'. Now we have automatic puzzle solvers (coding assistants) a repo like this becomes a lot more meaningful.
show comments
johnwheeler
That's one way to do it.
grayhatter
> At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. I do this so to allure people into the field, and I've always found this is the most efficient way.
I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I don't feel alone", it actually is.
I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.
You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse wont make you less angry.)
show comments
ohadkr
Open source is the best
jiug
"Cibercrime is cringe"
haberdasher
"cybercrime is cringe"
segmondy
What if this person is from an AI lab that really wants the govt to keep suppressing Mythos/Fable & GPT5.6? It's what I would do, the timing couldn't be any better.
I took a look at the Ghidra ones (because I use Ghidra), and I'm unimpressed: https://github.com/bikini/exploitarium/blob/main/ghidra-12.1...
The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
Went over a few of these with a pretty keen eye, and they aren't that particularly interesting. The Docker one is just a weird bug, it's not a vulnerability, and certainly not a "0-day" (which is a pretty loaded term and people expect bad stuff to happen).
The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).
The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.
Am I missing something here?
0-days-vibes-vulns? There should be a new category, for spotting and handling the em-dashes of this brave new world of vulns and making the old fossils like me only picking my head up for the old painfully still hand-crafted artisanal ones instead. A kind of label, like free-range for eggs, in sum.
Are they all actually 0-day? I think a lot of them are from disclosed CVEs/code that were already fixed upstream. It often seems like the term "0-day" has lost most of its meaning today and people often use it to refer to any exploits.
There is going to be a flurry of this sort of stuff as the AIs get smart enough to find them. It will naturally die down as the legitimate ones are fixed. Yes, there will always be some level of this, but I’d expect it to be low and the exploits found to be increasingly complex. This is a time of transition.
I want to rush to git clone, but as things are, the odds are extremely high that this kind of things that are too good to be real are honeypots and something there will compromise your machine or make your llm start working for someone else...
Pretty unimpressive as security vulnerabilities. It would be better to just say these are simple bugs for the most part.
I also have a library of bugs I found using Claude Opus 4.8 through the Customer Verification Program. Undisclosed, Atp I dont even know if they have been found by someone else. But just like this repo
Theres a bunch of very specific scenario DoS bugs, buffer over/ underflows, that will get caught by ASLR and whatnot
When I report serious ones, mostly the devs will respond with something like, yeah, thats how we designed it in a dangerous way, so that the layer above or below can solve the issues, and other footgun stuff.
Most of the exploits are for opensource/free software.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
trying something new? this is interesting. the problem is that submitting reports is too slow. if you find one then your not supposed to share. but then over the next 90 days you learn no one cares and 13 other people submitted it before you, 43 after. maybe better that we just know. so we can run code we can trust sooner. zero is the proper number of dependencies. otherwise assume its broken.
I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
A surprising amount of documentation if the actor was just LLM-dropping these..
Mythos has been achieved internally
we have got to stop putting our bank accounts and SSNs on computers
A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.
I think people may miss the point of a repo like this. Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger. Get enough pieces to fit together and you actually have something. This is the 'FOUO' idea in security. Enough open information gathered together in one place crosses the boundary from 'just public info' to 'secret stuff here!'. Now we have automatic puzzle solvers (coding assistants) a repo like this becomes a lot more meaningful.
That's one way to do it.
> At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. I do this so to allure people into the field, and I've always found this is the most efficient way.
I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I don't feel alone", it actually is.
I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.
You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse wont make you less angry.)
Open source is the best
"Cibercrime is cringe"
"cybercrime is cringe"
What if this person is from an AI lab that really wants the govt to keep suppressing Mythos/Fable & GPT5.6? It's what I would do, the timing couldn't be any better.