CWE-290 at Layer 3: IP Source Spoofing and uRPF Failure in Enterprise Wireless Infrastructure

Every spoofing attack starts with one missing check: does this packet actually come from where it claims? uRPF is the answer. When it is absent — CWE-290 — the entire network becomes an authentication bypass surface.

June 7, 2026 · 10 min · JM00NJ

EtherLeak: IP Total Length Over-read via Ethernet Frame Padding

IP Total Length over-read via Ethernet frame padding is not a solved problem. CVE-2003-0001 (2003), CVE-2021-3031 (Palo Alto, 2021), and multiple 2026 findings prove the mechanism survives across architectures and vendors. This post breaks down the math, the invisibility cloak, and the PoC.

June 5, 2026 · 9 min · JM00NJ

Smurf Amplification in 2026: Pre-Auth ICMP Reflection via L2 Broadcast

CVE-1999-0513 is 27 years old. The mechanism is alive. A 2026 enterprise wireless controller with no uRPF, no directed broadcast filtering, and an ICMP Echo handler that reflects to any source address gives you Smurf amplification from L2 adjacency. This post documents the full chain.

June 5, 2026 · 8 min · JM00NJ

ArubaOS 8.13.2.0 Pre-Auth ICMP Buffer Over-read: Ghost Leak via TTL=0 + IP Total Length (HPE Bug Bounty)

ArubaOS 8.13.2.0 reads 18 bytes past packet boundaries via inflated IP Total Length. TTL=0 packets — which RFC 791 mandates must be destroyed — are processed and replied to, making the attack invisible. 27/27 crafted packets confirmed. Bugcrowd said zeroed bytes mean no vulnerability. CVE-2003-0001 and CVE-2021-3031 were accepted on the identical mechanism.

June 1, 2026 · 4 min · JM00NJ

ArubaOS 8.13.2.0 Smurf Amplification & ICMP Reflection: Pre-Auth Attack via Missing uRPF (HPE Bug Bounty)

A 28-year-old vulnerability class — Smurf amplification — alive in an enterprise controller shipping in 2026. Two independent packet captures prove reflection. Bugcrowd called it expected behavior. No fix issued.

June 1, 2026 · 3 min · JM00NJ

RFC 1071 Checksum Explained: x64 Assembly Implementation

A malformed packet is a dead packet. Learn how to implement the official RFC 1071 checksum algorithm in Assembly to ensure your custom ICMP data bypasses kernel drops.

March 27, 2026 · 4 min · JM00NJ
DigitalOcean Referral Badge