NYTimes Wrote Something About Stalled Rodney Rosenstein Coup Attempt Against Trump

In a piece published as part of their end of the week newsdump the NYTimes wrote a piece concerning Deputy US Attorney General Rodney Rosenstein's stalled coup attempt against US President Donald Trump (archived). According to the story after Rosenstein authored a memo recommending James Comey's firing Rosenstein solicited persons1 with access to the White House to surveil the president while Rosenstein himself would gaslight the president. Then according to the plan Rosenstein and conspirators would use recordings of a man reacting in anger to having been gaslit as evidence of "incapacity" and mount a coup from there.

Given the Pantsuit venue in which the report appeared, the plot appears to have been unsuccessful to the point its supporters had to escalate the gaslighting by collaborating with Pantsuit media to publish the plot, likely with critical details altered in order to bait the president into acting clumsily before he cements hold of the Senate in this fall's midterm elections. Earlier this month the NYTimes published a piece (archived) claiming to be from a Trump administration insider sabotaging President Trump's agenda from the inside. While the earlier piece is as likely to be fanfiction as it is the daydreams of a deskriding pantsuit manlet in a government office, the point of publishing these pieces is clearly to bait Trump into premature retaliation before the next congress is sworn in.

Make 4D Chess Great Again!

  1. According to the NYTimes piece members of the President's cabinet were named  

USG Lawyer Changes Story In Appellate Trial, 7 Years After Case Started Working Through Courts

A lawyer representing the criminal organization calling itself the United States Government decided this week to newly assert that they "intercepted conversations abroad" that the fellow was having in a case that has already been working its way through courts for seven years (archived). During this time Agron Hasbajrami and his lawyers have been arguing that the USG conducted an illegal "backdoor search" to acquire a warrant, something the USG's counsel is now all but admitting to except with a sprinkle of magic foreign surveillance pixie dust.

Like the Ulbricht affair, like the FBI training 'terrorists' to give themselves wins in the press, and like the spurious attachement of imaginary 'money laundering' charges to any case offering them a chance to steal a bit of it… The USG can't be trusted to play by its own rulebook though it would be happy to throw it at you. And if really backed into a corner in its own courts, nothing is more reliable than the criminal cartel pleaing "Muh Foreign Policy!" and "Muh National Security!"

USG Lich McCain Surrenders In War On Cancer Will Spend Rest of Days As Compliant Cancer POW [Update 8-25-2018: And he's dead]

The family of the soon to be late former Vietcong prisoner John McCain announced that the Arizona Senator has decided to stop seeking treatment for his brain cancer. Since announcing his brain cancer McCain has been absent from his duties in the US Senate as a captive of cancer. This is the latest in a long line of surrenders which have defined the elder lich's career as a Naval Aviator, Senator, and twice failing US Presidential candiate.

Microsoft Announces Campaign Against Threats To "Their Democracy": Plans Sound Suspiciously Like Contributing Material Support To Political Candidates

Microsoft has announced that they are going to begin to take steps against efforts to interfere in their democracy (archived). The steps they plan to take involve boosting their friends and silencing everyone else (archived) on platforms they can influence. This is clearly an attempt by Microsoft to undermine "democracy" by conducting lobbying activities and making non-monetary campaign contributions while screaming "OMG HAXx0RZ" as a distraction while they undermine it all.

New Zealand Bans Sale Of Homes To Foreigners

A group calling itself the government of New Zealand has banned sales of homes to foreign nationals in an attempt to curb rising prices (archived). Under the measure, which exempts buyers of Australian and Singaporean nationality, foreigners would be restricted to purchasing apartments in large scale block developments.

In recent years New Zealand has seen substantial real estate demand from wealthy buyers from China and the US looking for a retreat from instability in larger Anglophone areas. With home ownership among adult New Zealanders floating around ~25 percent, this measure has the potential to deliver some serious pain to their rental market.

Oracle Re-Patches 11 Year Old Solaris Hole That Survived First Patch

In an episode reminiscent of the frequently revived Windows USB hole which propagated Stuxnet, Oracle has re-patched a kernel level hole in the "Solaris Availability Suite Service" which survived its initial patching 11 years ago largely intact. The vulnerability affects all versions of Solaris 10 and 11 allowing1 locally logged in users to esclate their priviledge to their heart's content. Continue reading

  1. Text preserved below for the lulz as traditional archiving tools failed:

    CVE-2018-2892 – Kernel Level Privilege Escalation in Oracle Solaris

    July 24, 2018
    Posted By Neil Kettle
    Comments (0)

    Trustwave recently discovered a locally exploitable issue in all current versions of Oracle Solaris 10/11 as detailed in the recently posted Trustwave advisory. The issue is present in the kernel and is locally exploitable as an unprivileged user provided the local system has the Sun StorageTek Availability Suite (AVS) configured.
    The Vulnerability

    The vulnerability has an interesting history dating back to 2007 when the underlying issue was originally discovered and exploited. The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html). The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin(). The vulnerability itself is present in the ioctl handler for the '/dev/sdbc' device, the vulnerable code path passes through the following code with a 'cmd' value of 'SDBC_TEST_INIT ':


    922 static int
    923 sdbcioctl(dev_t dev, int cmd, void *arg, int mode, cred_t *crp, int *rvp)
    924 {

    953 switch (cmd) {

    966 case SDBC_TEST_INIT:
    967 rc = _sd_test_init(&args);
    968 break;

    The code passes through the call to _sd_testing_init(&args) to the function definition given below:


    613 int
    614 _sd_test_init(void *args)
    615 {
    616 register struct a {
    617 caddr_t addr;
    618 long ar;
    619 long len;
    620 long tsize;
    621 long flag;
    622 } *uap = (struct a *)args;
    624 if (copyin(uap->addr, devarray[uap->ar]1, uap->len2) ) {
    625 return (EFAULT);
    626 }
    627 dev_tsize[uap->ar]3 = (uap->tsize < 48) ? 48 : uap->tsize;
    628 dev_flag[uap->ar]4 = uap->flag;
    629 return (0);
    630 }

    There are at least 4 different vulnerabilities in this small code fragment! We summarise these below:

    arbitrary memory dereference resulting in an arbitrary destination pointer being passed to copyin(),
    arbitrary user-controlled length in the call to copyin() resulting in an unbounded memory write,
    arbitrary memory dereference and thus a user controllable write,
    arbitrary memory dereference and thus a user controllable write.

    However, the history of this particular vulnerability does not end there, sometime between 2009 and 2017 Oracle/Sun attempted to fix the issue by adding a bounds check on the value of uap->ar. The following disassembly illustrates the bounds checking Oracle/Sun applied:

    Screen Shot 2018-07-17 at 08.24.03

    As can be seen, the value of uap->ar should not be greater or equal to 128. However, we can also observer than Oracle/Sun did not modify the underlying type os uap->ar which is a signed long and as such a signedness issue exists since the value of uap->ar is not checked for a value < 0. As such an attacker could specify a value with the top most bit set (and thus negative) and pass the bounds check thereby dereferencing arbitrary memory once again. The remainder of the patch was to the limit the uap->len parameter to a signed value less than 256 (but also potentially negative).

    Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.

    Final Thoughts

    In case you were wondering why there would be such an obviously exploitable issue in a common configuration of Oracle Solaris, well the following might provide some hints:


    93 #define SDBC_TEST_INIT _SDBC_(5) /* TESTING – tdaemon parameters */
    94 /*
    95 * char * device_name;
    96 * int index;
    97 * int len;
    98 * int track_size;
    99 * int flags;
    100 */

    The code in question may well be for testing purposes.

    This vulnerability has been issued CVE-2018-2892.
    Oracle has patched this vulnerability as a part of their July CPU patch cycle: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
    More information is available in our advisory here: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-007