Posts by Tags

1-day

December 2025 Patch Tuesday

4 minute read

Published:

CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

A bug in the Windows Cloud Files Mini Filter Driver (cldflt.sys), CVE-2025-62221, is being actively exploited and was patched in this month's Patch Tuesday. In October a TOCTOU bug (CVE-2025-55680) was patched in the same driver; this time the bug is a use-after-free (UaF). I looked at the patch made to the driver and share my findings in this post.

November 2025 Patch Tuesday - CLFS

4 minute read

Published:

Patch Diffing

Patch diffing is the process of comparing an old and a new version of the same file (or of a whole software package) to recover exactly what changed between them. Attackers and defenders both use it to learn what a vendor modified; in security work, more often than not, the goal is to find out which flaw or flaws the new version fixed, so that the vulnerable code can be located before anyone has to wait for a public write-up.
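As an added example of the workflow the paragraph describes (my code, not something from the post, and not how the post's author diffed the driver): first locate which functions changed between two builds by hashing each function's bytes using the symbol table, then byte-diff only those functions. The two "images", their symbol tables and the hand-assembled x86-64 bytes are all constructed for this example; a real run would use the actual pre- and post-update binaries with symbols from their PDBs.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed stand-ins for an old and a new build of the same binary.
# Bytes are hand-assembled x86-64 so the example runs offline.
UNCHANGED_FN = bytes.fromhex("31c0c390")                  # xor eax,eax ; ret ; nop
DEREF_FN_OLD = bytes.fromhex("4889c8" "488b00" "c3")
# old: mov rax,rcx ; mov rax,[rax] ; ret                   (pointer used unchecked)
DEREF_FN_NEW = bytes.fromhex("31c0" "4885c9" "7406" "4889c8" "488b00" "c3")
# new: xor eax,eax ; test rcx,rcx ; jz ret ; mov rax,rcx ; mov rax,[rax] ; ret

OLD_IMAGE = UNCHANGED_FN + DEREF_FN_OLD
NEW_IMAGE = UNCHANGED_FN + DEREF_FN_NEW

# Symbol tables (constructed): function name -> (offset, size).
# In practice these come from the PDB or the disassembler's function list.
OLD_SYMS = {"unchanged_fn": (0, 4), "deref_fn": (4, 7)}
NEW_SYMS = {"unchanged_fn": (0, 4), "deref_fn": (4, 14)}


def function_hashes(image, syms):
    """SHA-256 of each function's bytes, keyed by function name."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, (off, size) in syms.items()}


def changed_functions(old_image, old_syms, new_image, new_syms):
    """Names of functions whose bytes differ, or that exist in only one build."""
    old_h = function_hashes(old_image, old_syms)
    new_h = function_hashes(new_image, new_syms)
    return sorted(n for n in old_h.keys() | new_h.keys() if old_h.get(n) != new_h.get(n))


def byte_diff(old, new):
    """Non-equal difflib opcodes turning `old` into `new`, computed on raw bytes."""
    sm = SequenceMatcher(None, old, new, autojunk=False)
    return [op for op in sm.get_opcodes() if op[0] != "equal"]


def function_bytes(image, syms, name):
    if name not in syms:
        return b""
    off, size = syms[name]
    return image[off:off + size]


def diff_functions(old_image, old_syms, new_image, new_syms):
    """For every changed function, the byte ranges inserted/removed/replaced."""
    report = {}
    for name in changed_functions(old_image, old_syms, new_image, new_syms):
        old = function_bytes(old_image, old_syms, name)
        new = function_bytes(new_image, new_syms, name)
        report[name] = [(tag, old[i1:i2].hex(), new[j1:j2].hex())
                        for tag, i1, i2, j1, j2 in byte_diff(old, new)]
    return report


if __name__ == "__main__":
    for fn, ops in diff_functions(OLD_IMAGE, OLD_SYMS, NEW_IMAGE, NEW_SYMS).items():
        print(fn)
        for tag, removed, added in ops:
            print(f"  {tag:8} -{removed or '(none)'} +{added or '(none)'}")
```

The per-function hashing step is what makes the diff tractable on a large driver: only the handful of functions whose hash moved need a byte- or instruction-level comparison, which is the same narrowing that tools such as BinDiff or Diaphora do with function matching before showing you the changed basic blocks. Here the only change reported is the inserted `test rcx,rcx ; jz` prologue, i.e. the added check.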

802-11

Router-side ARP defenses don’t catch what they don’t see

18 minute read

Published:

For a long time the standard answer to ARP poisoning on the LAN has been “use Dynamic ARP Inspection.” Cisco DAI checks every ARP frame against the DHCP-snooping binding table; offending frames get dropped at the switchport. On more capable APs and home routers there are equivalents: DHCP-snooping ARP filtering, IP-MAC binding, ebtables/arptables on br-lan, MikroTik’s arp=reply-only, Ubiquiti’s “ARP cache poisoning protection”. Every one of them works the same way at heart: catch the malicious ARP as it crosses the bridge.
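To make the "catch it as it crosses the bridge" model concrete, here is an added example (my code, not from the post or from any vendor's implementation) of the check a DAI-style filter performs on each ARP frame it is handed: the ARP sender MAC must match the Ethernet source, and the sender IP/MAC pair must appear in the DHCP-snooping binding table. The binding table, MAC addresses, IPs and sample frames are all constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed DHCP-snooping binding table (IP -> MAC). On a real switch or
# router this is learned by watching DHCP ACKs on untrusted ports.
BINDINGS = {
    "192.168.1.1":  "aa:bb:cc:00:00:01",   # gateway
    "192.168.1.20": "aa:bb:cc:00:00:20",   # client A
    "192.168.1.30": "aa:bb:cc:00:00:30",   # client B
}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet (oper 1 = request, 2 = reply)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + IPv4Address(spa).packed
    arp += mac_bytes(tha) + IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields, None if the frame is not ARP, ValueError if malformed."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if len(frame) < 42:
        raise ValueError("ARP packet shorter than 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    body = frame[22:42]
    return {
        "eth_src": mac_str(frame[6:12]), "eth_dst": mac_str(frame[:6]), "oper": oper,
        "sha": mac_str(body[0:6]), "spa": str(IPv4Address(body[6:10])),
        "tha": mac_str(body[10:16]), "tpa": str(IPv4Address(body[16:20])),
    }


def dai_verdict(frame, bindings=BINDINGS):
    """('forward' | 'drop', reason) for one frame as seen at the inspecting bridge."""
    try:
        arp = parse_arp(frame)
    except ValueError as e:
        return ("drop", f"malformed: {e}")
    if arp is None:
        return ("forward", "not ARP; DAI does not inspect it")
    if arp["sha"] != arp["eth_src"]:
        return ("drop", f"ARP sender MAC {arp['sha']} != Ethernet source {arp['eth_src']}")
    if arp["spa"] == "0.0.0.0":
        return ("forward", "ARP probe (sender IP 0.0.0.0)")
    bound = bindings.get(arp["spa"])
    if bound is None:
        return ("drop", f"sender IP {arp['spa']} has no DHCP-snooping binding")
    if bound != arp["sha"]:
        return ("drop", f"sender IP {arp['spa']} is bound to {bound}, not {arp['sha']}")
    return ("forward", "sender IP/MAC matches the binding table")


# Constructed sample traffic: one honest request and three things an attacker might send.
GW, A, ATTACKER, STATIC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:99"
FRAMES = {
    "legit_request":        build_arp(A, BROADCAST, 1, A, "192.168.1.20", ZERO_MAC, "192.168.1.1"),
    "spoofed_gateway_reply": build_arp(ATTACKER, A, 2, ATTACKER, "192.168.1.1", A, "192.168.1.20"),
    "forged_source_reply":  build_arp(ATTACKER, A, 2, GW, "192.168.1.1", A, "192.168.1.20"),
    "unbound_static_host":  build_arp(STATIC, BROADCAST, 1, STATIC, "192.168.1.99", ZERO_MAC, "192.168.1.1"),
    "plain_ipv4":           mac_bytes(BROADCAST) + mac_bytes(A) + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27,
}


def inspect_bridge(frames=FRAMES, bindings=BINDINGS):
    """Apply the DAI check to every frame that actually traverses the bridge."""
    return {name: dai_verdict(f, bindings)[0] for name, f in frames.items()}


if __name__ == "__main__":
    for name, frame in FRAMES.items():
        verdict, why = dai_verdict(frame)
        print(f"{name:24} {verdict:8} {why}")
```

Two things worth noticing from the sample run. The filter only ever judges frames that are placed in front of it, which is the whole premise of the post's title: a poisoned ARP entry that arrives by any path the bridge does not sit on is never evaluated. And `unbound_static_host` is dropped even though it is honest, which is the standard DAI operational caveat that statically addressed hosts need an explicit ARP ACL or binding entry, or they lose connectivity the moment inspection is turned on.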

AES

AX18

airsnitch

Router-side ARP defenses don’t catch what they don’t see

18 minute read

archer

arp-spoofing

Router-side ARP defenses don’t catch what they don’t see

18 minute read

cldflt.sys

December 2025 Patch Tuesday

4 minute read

clfs

November 2025 Patch Tuesday - CLFS

4 minute read

cryptography

decryption

encryption

exploit

Joined the OSEE club

2 minute read

Published:

Joined the OSEE club

For the past few months, I have been juggling work and studying for the OSEE exam. Today, I finally got an email from OffSec saying that I passed 🎉

kernel

Joined the OSEE club

2 minute read

network-security

Router-side ARP defenses don’t catch what they don’t see

18 minute read

offsec

Joined the OSEE club

2 minute read

osee

Joined the OSEE club

2 minute read

patch diff

December 2025 Patch Tuesday

4 minute read

November 2025 Patch Tuesday - CLFS

4 minute read

pentesting

Router-side ARP defenses don’t catch what they don’t see

18 minute read

user

Joined the OSEE club

2 minute read

wifi-security

Router-side ARP defenses don’t catch what they don’t see

18 minute read

windows

December 2025 Patch Tuesday

4 minute read

November 2025 Patch Tuesday - CLFS

4 minute read
