Day[0]

Bit of a lighter episode this week with a Linux Kernel ASLR bypass and a clever exploit to RCE FortiGate SSL VPN.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/252.html

[00:00:00] Introduction

[00:00:29] KASLR bypass in privilege-less containers

[00:13:13] Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762

[00:19:32] Making Mojo Exploits More Difficult

[00:22:57] Robots Dream of Root Shells

[00:27:02] Gaining kernel code execution on an MTE-enabled Pixel 8

[00:28:23] SMM isolation - Security policy reporting (ISSR)

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's bounty episode, an attack takes an XSS to RCE on Mailspring, a simple MFA bypass is covered, and a .NET CRLF injection is detailed in its FTP functionality.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/251.html

[00:00:00] Introduction

[00:00:20] Making Desync attacks easy with TRACE

[00:16:01] Reply to calc: The Attack Chain to Compromise Mailspring

[00:35:29] $600 Simple MFA Bypass with GraphQL

[00:38:38] Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability [CVE-2023-36049]

Podcast episodes are available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In the 250th episode, we have a follow-up discussion to our "Future of Exploit Development" video from 2020. Memory safety and the impacts of modern mitigations on memory corruption are the main focus.

In this episode we have an libXPC root privilege escalation, a run-as debuggability check bypass in Android, and digital lockpicking on smart locks.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/249.html

[00:00:00] Introduction

[00:00:21] Progress OpenEdge Authentication Bypass Deep-Dive [CVE-2024-1403]

[00:05:19] xpcroleaccountd Root Privilege Escalation [CVE-2023-42942]

[00:10:50] Bypassing the “run-as” debuggability check on Android via newline injection

[00:18:09] Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)

[00:43:06] Using form hijacking to bypass CSP

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this week's binary episode, Binary Ninja Free releases along with Binja 4.0, automated infoleak exploit generation for the Linux kernel is explored, and Nintendo sues Yuzu.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/248.html

[00:00:00] Introduction

[00:00:31] Binary Ninja Free

[00:10:25] K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel

[00:19:53] Glitching in 3D: Low Cost EMFI Attacks

[00:22:08] Nintendo vs. Yuzu

[00:38:32] Finding Gadgets for CPU Side-Channels with Static Analysis Tools

[00:40:12] ThinkstScapes Research Roundup - Q4 - 2023

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A shorter episode this week, featuring some vulnerabilities impacting Google's AI and a SAML auth bypass.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/247.html

[00:00:00] Introduction

[00:00:31] We Hacked Google A.I. for $50,000

[00:17:26] SAML authentication bypass vulnerability in RobotsAndPencils/go-saml [CVE-2023-48703]

[00:22:17] Exploiting CSP Wildcards for Google Domains

[00:26:11] ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

VirtualBox has a very buggy driver, PostgreSQL has an Out of Bounds Access, and lifetime issues are demonstrated in Rust in "safe" code.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/246.html

[00:00:00] Introduction

[00:00:22] cve-rs

[00:18:28] Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Write in virtioNetR3CtrlVlan

[00:32:30] PostgreSQL: Array Set Element Memory Corruption

[00:35:06] Analyzing the Google Chrome V8 CVE-2024-0517 Out-of-Bounds Code Execution Vulnerability

[00:37:15] Continuously fuzzing Python C extensions

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week's episode features a cache deception issue, Joomla inherits a PHP bug, and a DOM clobbering exploit. Also covered is a race condition in Chrome's extension API published by project zero.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/245.html

[00:00:00] Introduction

[00:00:21] Cache Deception Without Path Confusion

[00:07:15] Hello Lucee! Let us hack Apple again?

[00:14:41] Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities

[00:26:37] Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild

[00:38:23] chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to racy access check

[00:42:28] 🎮 Diving Back into Games-related Bugs!

[00:44:43] Exploiting Empire C2 Framework

[00:46:19] iMessage with PQ3: The new state of the art in quantum-secure messaging at scale

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Linux becomes a CNA and takes a stance on managing CVEs for themselves, and underutilized fuzzing strategies are discussed.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/244.html

[00:00:00] Introduction

[00:00:14] What to do about CVE numbers

- The first article we bring up is the 2019 LWN article able Greg's talk back then. The topic itself is a more recent change actually moving forward.

[00:26:50] Bug - Double free on `dcm_dataset_insert` · Issue #82 · ImagingDataCommons/libdicom

[00:31:48] Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables

[00:38:35] Underutilized Fuzzing Strategies for Modern Software Testing

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this bounty episode, some straightforward bugs were disclosed in GhostCMS and ClamAV, and Portswigger publishes their top 10 list of web hacking techniques from 2023.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/243.html

[00:00:00] Introduction

[00:02:15] Ghost CMS Stored XSS Leading to Owner Takeover [CVE-2024-23724]

[00:16:07] ClamAV Not So Calm [CVE-2024-20328]

[00:21:00] Top 10 web hacking techniques of 2023

[00:44:46] Hacking a Smart Home Device

[00:48:15] Cloud cryptography demystified: Amazon Web Services

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Google makes some changes to their kCTF competition, and a few kernel bugs shake out of the LogMeIn and wlan VFS drivers.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/242.html

[00:00:00] Introduction

[00:00:29] Netfilter Tables Removed from kCTF

[00:20:23] LogMeIn / GoTo LMIInfo.sys Handle Duplication

[00:27:20] Several wlan VFS read handlers don't check buffer size leading to userland memory corruption

[00:32:35] International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO) - 0x22

[00:34:15] Exploring AMD Platform Secure Boot

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

DEF CON moves venues, the Canadian government moves to ban Flipper Zero, and some XSS issues affect Microsoft Whiteboard and Meta's Excalidraw.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/241.html

[00:00:00] Introduction

[00:00:33] DEF CON was canceled.

[00:16:42] Federal action on combatting auto theft

[00:39:03] Jenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE

[00:43:27] Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)

[00:52:26] SSRF on a Headless Browser Becomes Critical!

[00:59:04] ChatGPT Account Takeover - Wildcard Web Cache Deception

[01:05:14] Differential testing and fuzzing of HTTP servers and proxies

[01:10:14] Hunting for Vulnerabilities that are ignored by most of the Bug Bounty Hunters

[01:19:38] Analyzing AI Application Threat Models

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Libfuzzer goes into maintenance-only mode and syslog vulnerabilities plague some vendors in this week's episode.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/240.html

[00:00:00] Introduction

[00:00:20] LibFuzzer in Maintainence-only Mode

[00:11:41] Heap-based buffer overflow in the glibc's syslog() [CVE-2023-6246]

[00:26:33] Hunting for ~~Un~~authenticated n-days in Asus Routers

[00:34:44] Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution

[00:35:51] Chaos Communication Congress (37C3) recap

[00:36:51] GitHub - google/oss-fuzz-gen: LLM powered fuzzing via OSS-Fuzz.

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week we have a crazy crypto fail where some Android devices had updates signed by publicly available private keys, as well as some Docker container escapes.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/239.html

[00:00:00] Introduction

[00:00:22] Missing signs: how several brands forgot to secure a key piece of Android

[00:13:37] ModSecurity: Path Confusion and really easy bypass on v2 and v3

[00:21:24] runc process.cwd & leaked fds container breakout [CVE-2024-21626]

[00:24:23] Buildkit GRPC SecurityMode Privilege Check [CVE-2024-23653]

[00:27:49] Jumpserver Preauth RCE Exploit Chain

[00:43:49] 500$: MFA bypass By Race Condition

[00:49:52] HTTP Downgrade attacks with SmuggleFuzz

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week's binary episode features a range of topics from discussion on Pwn2Own's first automotive competition to an insane bug that broke ASLR on various Linux systems. At the lower level, we also have some bugs in UEFI, including one that can be used to bypass Windows Hypervisor Code Integrity mitigation.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/238.html

[00:00:00] Introduction

[00:02:40]

37C3: Unlocked

- media.ccc.de

[00:08:15] Zero Day Initiative — Pwn2Own Automotive 2024 - Day One Results

[00:16:35] ASLRn’t: How memory alignment broke library ASLR

[00:22:47] Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)

[00:26:33] PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.

[00:31:10] Hunting down the HVCI bug in UEFI

[00:35:51] A Deep Dive into V8 Sandbox Escape Technique Used in In-The-Wild Exploit

[00:37:32] Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution - Exodus Intelligence

[00:38:38] OffSec EXP-401 Advanced Windows Exploitation (AWE) - Course Review

[00:44:56] Dumping GBA ROMs from Sound

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A packed episode this week as we cover recent vulnerabilities from the last two weeks, including some IDORs, auth bypasses, and a HackerOne bug. Some fun attacks such as a resurface of IDN Homograph Attacks and timing attacks also appear.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/237.html

[00:00:00] Introduction

[00:02:59]

37C3: Unlocked

- media.ccc.de

[00:09:00] Ivanti's Pulse Connect Secure Auth Bypass and RCE

[00:19:47] [HackerOne] View Titles of Private Reports with pending email invitation

[00:23:58] 1 Program, 4 Business Logic Bugs and Cashing in 2300$.

[00:33:32] Global site selector authentication bypass

[00:42:55] IDN Homograph Attack - Reborn of the Rare Case

[00:50:53] PII Disclosure At `theperfumeshop.com/register/forOrder`

[00:54:40] [darkhttpd] timing attack and local leak of HTTP basic auth credentials

[01:02:42] Ransacking your password reset tokens

[01:08:11] Worse than SolarWinds: Three Steps to  Hack Blockchains, GitHub, and ML through GitHub Actions

[01:10:41] Crypto Gotchas!

[01:13:37] Web LLM attacks

[01:15:13] Improving LLM Security Against Prompt Injection

[01:16:17] Sys:All: How A Simple Loophole in Google Kubernetes Engine Puts Clusters at Risk of Compromise

[01:17:37] Kubernetes Scheduling And Secure Design

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A bit of a game special this week, with a Counter-Strike: Global Offensive vulnerability and an exploit for Factorio. We also have a Linux kernel bug and a Chromecast secure-boot bypass with some hardware hacking mixed in.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/236.html

[00:00:00] Introduction

[00:00:25] Exploring Counter-Strike: Global Offensive Attack Surface

[00:26:22] Exploiting a Factorio Buffer Overflow

[00:31:46] io_uring: __io_uaddr_map() handles multi-page region dangerously

[00:39:25] Chromecast with Google TV (1080P) Secure-Boot Bypass

[00:51:58] exploits.club

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A short bounty episode featuring some logical bugs in Apache OFBiz, a GitLab Account Takeover, and an unauthenticated RCE in Adobe Coldfusion.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/235.html

[00:00:00] Introduction

[00:00:20] SonicWall Discovers Critical Apache OFBiz Zero-day

[00:11:40] [GitLab] Account Takeover via password reset without user interactions

[00:24:05] Unauthenticated RCE in Adobe Coldfusion [CVE-2023-26360]

[00:35:08] No new iPhone? No secure iOS: Looking at an unfixed iOS vulnerability

[00:36:45] How we made $120k bug bounty in a year with good automation

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week's highly technical episode has discussion around the exploitation of a libwebp vulnerability we covered previously, memory tagging (MTE) implementation with common allocators, and an insane iPhone exploit chain that targeted researchers.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/234.html

[00:00:00] Introduction

[00:02:35] PagedOut Issue 3

[00:05:14] GPSd NTRIP Stream Parsing access violation vulnerability

[00:08:25] Exploiting the libwebp Vulnerability, Part 1: Playing with Huffman Code

[00:30:01] Strengthening the Shield: MTE in Heap Allocators

[00:37:40] Operation Triangulation - What you get when you attack iPhones of Researchers

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Kicking off 2024 with a longer episode as we talk about some auditing desktop applications (in the context of some bad reports to Edge). Then we've got a couple fun issues with a client-side path traversal, and a information disclosure due to a HTTP 307 redirect. A bunch of issues in PandoraFSM, and finally some research about parser differentials in SMTP leading to SMTP smuggling (for effective email spoofing).

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/233.html

[00:00:00] Introduction

[00:10:25] Browser Security Bugs that Aren’t - #1: Local Attacks

[00:22:10] The power of Client-Side Path Traversal: How I found and escalated 2 bugs through “../”

[00:32:30] instipod DuoUniversalKeycloakAuthenticator challenge information disclosure vulnerability

[00:38:25] Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise

[00:45:07] SMTP Smuggling - Spoofing E-Mails Worldwide

[01:16:20] Catching OpenSSL misuse using CodeQL

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A bit of a rambling episode to finish off 2023, we talk about some Linux kernel exploitation research (RetSpill) then get into several vulnerabilities. A type confusion in QNAP QTS5, a JavaScriptCore bug in Safari, and several issues in Steam's Remote Play protocol.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/232.html

[00:00:00] Introduction

[00:02:00] RetSpill - Igniting User-Controlled Data to Burn Away Linux Kernel Protections

[00:12:23] QNAP QTS5 – /usr/lib/libqcloud.so JSON parsing leads to RCE

[00:19:53] Safari, Hold Still for NaN Minutes!

[00:31:00] Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature, turned vulnerability in VS Code which takes a look at just abusing intentional functionality. Several XOS bugs with a web-console. A Sonos Era 100 jailbreak which involves causing a particular call to fail, a common bug path we've seen before, and some discussion about doing fast DNS rebinding attacks against Chrome and Safari.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/231.html

[00:00:00] Introduction

[00:01:00] It’s not a Feature, It’s a Vulnerability

[00:13:40] Multiple Vulnerabilities In Extreme Networks ExtremeXOS

[00:24:06] Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

[00:30:08] Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari

[00:46:02] Apache Struts2 文件上传漏洞分析（CVE-2023-50164） - 先知社区

[00:48:49] Blind CSS Exfiltration: exfiltrate unknown web pages

[00:51:11] Finding that one weird endpoint, with Bambdas

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A Samsung special this week, starting off with two Samsung specific vulnerabilities, one in the baseband chip for code execution. And a stack based overflow in the RILD service handler parsing IPC calls from the baseband chip for a denial of service. Lastly a Mali GPU driver use-after-free. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/230.html [00:00:00] Introduction [00:00:27] Humble Tech Book Bundle: Hacking 2023 by No Starch [00:08:15] CVE-2023-21517: Samsung Baseband LTE ESM TFT Heap Buffer Overflow [00:18:10] CVE-2023-30644: Samsung RIL Stack Buffer Overflow [00:24:58] Arm Mali r44p0: UAF by freeing waitqueue with elements on it [00:31:55] A Detailed Look at Pwn2Own Automotive EV Charger Hardware The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

This week brings up a pretty solid variety of issues. Starting off with some cookie smuggling (and other cookie attacks) which presents some interesting research I hadn't really looked for before that has some potential. Then an AI alignment evasion to leak training data. Not the most interesting attack but it appears to open up some other ideas for further research. A MacOS desktop issue (for a $30k bounty), and some home assistant issues.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/229.html

[00:00:00] Introduction

[00:00:25] Humble Tech Book Bundle: Hacking 2023 by No Starch

[00:06:58] Cookie Bugs - Smuggling & Injection

[00:17:21] Extracting Training Data from ChatGPT

[00:32:22] lateralus (CVE-2023-32407) - a macOS TCC bypass

[00:37:35] Securing our home labs: Home Assistant code review

[00:45:16] TRAP; RESET; POISON; - Taking over a country Kaminsky style

[00:47:04] Exploiting XPath Injection Weaknesses

[00:47:42] Deep dive into the new Amazon EKS Pod Identity feature

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week kicks off with a a V8 misoptimization leading to out-of-bounds access, an unprotected MSR in Microsoft's Hypervisor allowing corruption of Hypervisor code. We also take a quick look at a 2021 CVE with an integer underflow leading to an overflow in the Windows Kernel low-fragmentation heap, and finally an interesting information leak due to the kernel not clearing a sensitive register.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/228.html

[00:00:00] Introduction

[00:00:56] Spot the Vuln - Beyond the Grave

[00:04:00] Chrome V8 Hole Exploit

[00:15:57] How I found Microsoft Hypervisor bugs as a by-product of learning

[00:33:13] Exploitation of a kernel pool overflow from a restrictive chunk size [CVE-2021-31969]

[00:44:13] That's FAR-out, Man

[00:47:38] Money Tree

[00:50:21] How to voltage fault injection

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week we've got a few relatively simple bugs to talk about along with a discussion about auditing and manually analysis for vulnerabilities.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/227.html

[00:00:00] Introduction

[00:00:23] Introducing the Microsoft Defender Bounty Program

[00:04:26] Tapping into a telecommunications company’s office cameras

[00:07:47] CrushFTP Critical Vulnerability CVE-2023-43177 Unauthenticated Remote Code Execution

[00:17:22] [Kubernetes] Ingress nginx annotation injection causes arbitrary command execution

[00:24:38] Testing for audits: there is no spoon

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Last week we brought you several Windows bugs, this week we are talking Linux kernel vulnerabilities and exploitation. We start off looking at a weird but cool CPU bug, Reptar, then we get into nftables, io_uring, and talk about a newer mitigations hitting Linux 6.6 that randomizes the caches allocations end up in.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/226.html

[00:00:00] Introduction

[00:00:21] Reptar

[00:11:56] One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability

[00:31:09] Conquering the memory through io_uring - Analysis of CVE-2023-2598

[00:38:00] Exploring Linux's New Random Kmalloc Caches

[00:48:09] ThinkstScapes Quarterly - 2023.Q3

[00:49:34] CacheWarp

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week has an interesting mix of issues, starting with a pretty standard template inject. Then we get into a Windows desktop issue, a TOCTOU in how the Mark-of-the-Web would be applied to file extracted from an archive, a privilege escalation from a Chrome extension, and a bit of a different spin on what you could do with a prompt injection.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/225.html

[00:00:00] Introduction

[00:00:26] Magento Template Engine, a story of CVE-2022-24086

[00:06:57] In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584

[00:24:50] Google Cloud Vertex AI - Data Exfiltration Vulnerability Fixed in Generative AI Studio

[00:30:40] Uncovering a crazy privilege escalation from Chrome extensions

[00:47:49] Content Providers and the potential weak spots they can have

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We've got a few Windows bugs this week, but first a fun off-by-one null-byte write. Then we jump into a containerized registry escape, a browser escape with a very simple bug buried deep in the browser, and a kernel bug.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/224.html

[00:00:00] Introduction

[00:00:20] Spot the Vuln - Minimax

[00:05:00] Weston Embedded uC-HTTP HTTP Server Host header parsing memory corruption vulnerability

[00:14:49] Windows Kernel containerized registry escape through integer overflows in VrpBuildKeyPath and other weaknesses

[00:20:04] Escaping the sandbox: A bug that speaks for itself

[00:37:07] Exploiting Windows Kernel Wild Copy With User Fault Handling [CVE-2023–28218]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Just a few issues this week, a Mastodon normalization issue leading to the potential to impersonate another account. Then we have a more complex chain starting again with a normalization leading to a fairly interesting request smuggling (CL.0 via malformed content-type header) and cache poisoning to leak credentials. Finally a crypto issue with a signature not actually being a signature.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/223.html

[00:00:00] Introduction

[00:00:23] Usurping Mastodon instances - mastodon.so/cial [CVE-2023-42451]

[00:09:59] From Akamai to F5 to NTLM... with love.

[00:33:36] Our Pwn2Own journey against time and randomness (part 2)

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

As memory tagging (MTE) finally comes to a consumer device, we talk about how it may impact vulnerability research and exploit development going forward. Then we get into a few vulnerabilities including a DNS response parsing bug on the Wii U, an Adobe Acrobat bug that was exploited by a North Korean APT, and a CPU bug (iTLB Multihit).

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/222.html

[00:00:00] Introduction

[00:00:23] Hexacon 2023 Talks

[00:02:48] First handset with MTE on the market

[00:24:15] Exploiting DNS response parsing on the Wii U

[00:33:11] Adobe Acrobat PDF Reader RCE when processing TTF fonts [CVE-2023-26369

[00:46:18] iTLB multihit

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/221.html

[00:00:00] Introduction

[00:01:24] Wyze Cam v3 - Pwn2Own Drama

[00:17:57] Oh-Auth - Abusing OAuth to take over millions of accounts

[00:30:55] Exploiting Healthcare Servers with Polyglot Files [CVE-2023-33466]

[00:41:06] Citrix Bleed: Leaking Session Tokens with CVE-2023-4966

[00:49:25] Hacking a Silent Disco

[00:50:43] DOM-based race condition: racing in the browser for fun

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Diving right into some binary exploitation issues this week. Starting wtih a look at a rare sort of curl vulnerability where a malicious server could compromise a curl user. Then we take a look at a pretty straight-forward type confusion in Windows kernel code, and an integer underflow in Safari with some questionable exploitation. Ending the episode with some thoughts on how impactful grsecurity's "constify" mitigation could be.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/220.html

[00:00:00] Introduction

[00:00:14] How I made a heap overflow in curl

[00:17:32] Critically close to zero (day): Exploiting Microsoft Kernel streaming service

[00:30:34] Story of an innocent Apple Safari copyWithin gone (way) outside [CVE-2023-38600]

[00:38:10] CONSTIFY: Fast Defenses for New Exploits

[00:46:53] An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit

[00:47:40] Getting RCE in Chrome with incomplete object initialization in the Maglev compiler

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We've got a mix of topics this week, started with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to having a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluence, and a log injection bug leading to RCE.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/219.html

[00:00:00] Introduction

[00:00:15] HTTP/2 Rapid Reset Attack [CVE-2023-44487]

[00:04:35] [Node] Path traversal through path stored in Uint8Array

[00:09:44] Attacking AWS Cognito with Pacu

[00:14:33] Privilege Escalation Vulnerability in Confluence Data Center and Server [CVE-2023-22515]

[00:21:15] Not Your Stdout Bug - RCE in Cosmos SDK

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

Some complex and confusing vulnerabilities as we talk about the recent WebP 0day and the complexities of huffman coding. A data-only exploit to escape a kCTF container, the glibc LPE LOONY_TUNABLES, and a Chrome TurboFan RCE.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/218.html

[00:00:00] Introduction

[00:00:40] Expanding our exploit reward program to Chrome and Cloud

[00:06:10] The WebP 0day

- We do somewhat downplay this issue due to the difficulty of exploiting it. But to be clear, it was exploited in the wild on Apple devices, so it exploitable. We're more downplaying the panic that came up around it. It is still a serious issue that should be patched.

[00:34:00] Escaping the Google kCTF Container with a Data-Only Exploit

[00:44:49] Local Privilege Escalation in the glibc's ld.so [CVE-2023-4911]

[01:01:27] Getting RCE in Chrome with incorrect side effect in the JIT compiler

[01:08:03] Behind the Shield: Unmasking Scudo's Defenses

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment when extracting that isn't performed consistently. A MyBB admin-panel RCE, fairly privileged bug but I think the bug pattern could appear elsewhere and is something to watch out for, And several silly issues in a "next-gen" firewall, including source disclosures and RCEs from the login page.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/217.html

[00:00:00] Introduction

[00:01:17] Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR

[00:13:32] Yet More Unauth Remote Command Execution Vulns in Firewalls

[00:29:02] MyBB Admin Panel RCE [CVE-2023-41362]

[00:44:55] How to build custom scanners for web security research automation

[00:46:33] Exploiting HTTP Parsers Inconsistencies

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A binary summer-recap episode, looking at some vulnerabilities and research put out over the summer. Talking about what TPM really offers when it comes to full-disk encryption, some thoughts on AI in the fuzzing loop. Then into some cool bugs, kicking off with some ARM Memory Tagging Extension vulnerabilities, a `-fstack-protector` implementation failure and bypass, and then a look at a Android exploit that was found in-the-wild.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/216.html

[00:00:00] Introduction

[00:01:50] Spot the Vuln - Only One Domain

[00:04:46] AI-Powered Fuzzing: Breaking the Bug Hunting Barrier

[00:15:00] Summary: MTE As Implemented

[00:38:21] TPM provides zero practical security

[00:47:30] CVE-2023-4039: GCC’s -fstack-protector fails to guard dynamic stack allocations on ARM64

[00:55:30] Analyzing a Modern In-the-wild Android Exploit

[01:07:31] Various Vulnerabilities in Huawei Trustlets

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/215.html

[00:00:00] Introduction

[00:02:15] Summer Recap - HardwearIO

[00:11:51] Summer Recap - DEF CON

[00:49:20] CVE-2020-19909 is everything that is wrong with CVEs

[00:58:40] PHP servers drop any header if the header has "\r" [@OctagonNetworks]

[01:03:10] Encrypted Doesn't Mean Authenticated: ShareFile RCE [CVE-2023-24489]

[01:11:40] How Private Cache Can Lead to Mass Account Takeover

[01:15:20] From Terminal Output to Arbitrary Remote Code Execution

[01:16:37] Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

#BugBounty #BugHunting #InfoSec #CyberSec #Podcast

Continue? (y/N) n

2023/09/26 00:57:09 [1] Set Start Time and Offset

2023/09/26 00:57:09 [2] Download and Convert Episode

2023/09/26 00:57:09 [3] Youtube Stuff

2023/09/26 00:57:09 [4] Print Episode

2023/09/26 00:57:09 [5] Create Blog Post

Selection: 4

2023/09/26 00:57:11 215 - DEF CON, HardwearIO, Broken Caching, and Dropping Headers [Bug Bounty Podcast]

[bounty] DEF CON, HardwearIO, Broken Caching, and Dropping Headers

============================================

We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/215.html

[00:00:00] Introduction

[00:02:15] Summer Recap - HardwearIO

[00:11:51] Summer Recap - DEF CON

[00:49:20] CVE-2020-19909 is everything that is wrong with CVEs

[00:58:40] PHP servers drop any header if the header has "\r" [@OctagonNetworks]

[01:03:10] Encrypted Doesn't Mean Authenticated: ShareFile RCE [CVE-2023-24489]

[01:11:40] How Private Cache Can Lead to Mass Account Takeover

[01:15:20] From Terminal Output to Arbitrary Remote Code Execution

[01:16:37] Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week we've got a handful of low-level vulns, VM-escape, Windows EoP, and a single IPv6 packet leading to a kernel panic/denial of service, and one higher-level issue with a bug chain in CS:GO.

This is our final episode until September 25th as we will be heading off on our regular summer break.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/214.html

[00:00:00] Introduction

[00:01:12] Spot the Vuln - Reference Check

[00:06:56] Exploiting VMware Workstation at Pwn2Own Vancouver [CVE-2023-20869/20870]

[00:17:44] CS:GO: From Zero to 0-day

[00:30:27] CVE-2022-41073: Windows Activation Contexts EoP

[00:38:37] Linux IPv6 Route of Death 0day

[00:46:36] Google Chrome V8 ArrayShift Race Condition Remote Code Execution

[00:47:46] Specter Will Give Hardwear.IO PS5 Talk

[00:49:11] Resources while we are on bread

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Another bug bounty podcast, another set of vulnerabilities. Starting off with a desktop info-disclosure in KeePass2 that discloses master passwords to attackers (with a high-level of access). A couple Jellyfin bugs resulting in an RCE chain, and a pretty classic crypto issue that allowed for renting luxury cars for extremely cheap.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/213.html

[00:00:00] Introduction

[00:02:48] KeePass2 Password Disclosure

[00:10:10] Peanut Butter Jellyfin Time

[00:19:14] Abusing Time-Of-Check Time-Of-Use (TOCTOU) Race Condition Vulnerabilities in Games, Harry Potter Style

[00:22:19] Discovering a Hidden Security Loophole: Rent luxury Cars for a Single Dollar

[00:27:00] Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond

[00:35:28] Resources while we are on break

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week we we've got a neat little printer corruption, a probably unexploitable stockfish bug, though we speculate about exploitation a bit. Then into a VirtualBox escape bug, and an Andreno "vulnerability".

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/212.html

[00:00:00] Introduction

[00:01:31] Spot the Vuln - To Upload or Not To Upload

[00:05:25] The printer goes brrrrr, again!

[00:09:34] [Stockfish] Increase MAX_MOVES to prevent buffer overflow and stack corruption

[00:27:53] Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991

[00:37:09] Qualcomm Adreno/KGSL: secure buffers are addressable by all GPU users

[00:43:37] RET2ASLR - Leaking ASLR from return instructions

[00:46:13] Apple Fails to Fully Reboot iOS Simulator Copyright Case

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

More bug bounty style bugs, but you'd be forgiven reading that title thinking we had a low-level focus this episode. We got some awesome bugs this week though from tricking Dependabot and abusing placeholder values, an IIS auth bypass. Ending off with a kernel bug (OverlayFS) and a VM escape (Parallels Desktop)

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/211.html

[00:00:00] Introduction

[00:00:28] Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot

[00:12:39] Placeholder for Dayzzz: Abusing placeholders to extract customer informations

[00:19:40] Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3

[00:33:44] PwnAssistant - Controlling /home's via a Home Assistant RCE

[00:39:26] The OverlayFS vulnerability [CVE-2023-0386]

[00:44:01] Escaping Parallels Desktop with Plist Injection

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

#BugBounty #BugHunting #InfoSec #CyberSec #Podcast

This week we go a bit deeper than normal and look at some low level TPM attacks to steal keys. We've got a cool attack that lets us leak a per-chip secret out of the TPM one byte at a time, and a post about reading Bitlocker's secret off the SPI bus. Then we talk about several Shannon baseband bugs disclosed by Google's Project Zero.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/210.html

[00:00:00] Introduction

[00:01:14] Spot the Vuln - Sanitize Now or Later

[00:03:50] faulTPM: Exposing AMD fTPMs’ Deepest Secret

[00:18:33] Stealing the Bitlocker key from a TPM

[00:24:01] Shannon Baseband: Integer overflow when reassembling IPv4 fragments

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We open up this weeks bug bounty podcast with a discussion about Google's recent support for passkeys, tackling some misunderstanding about what they are and how open the platform is. Also some talk towards the end about potential vulnerabilities to look out for. Then we dive into the vulnerabilities for the week, involving bypassing phone validation in OpenAI, a bad origin check enabling abuse of a permissive CORS policy, and an order of operations issue breaking the purpose of sanitization in Oracle's Opera.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/209.html

[00:00:00] Introduction

[00:02:43] So long passwords, thanks for all the phish

[00:23:49] OpenAI Allowed “Unlimited” Credit on New Accounts

[00:28:53] A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF...

[00:44:28] Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera

[00:52:16] Testing Zero Touch Production Platforms and Safe Proxies

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Not a lot of interesting binary exploitation topics for this week, we've got a DHCPv6 service vuln, and a fun idea to use a timing side-channel to improve exploit stability. Then we end with a discussion about Rust coming the Windows operating system, what Rust means for the future of exploit development and vulnerability research and the value of memory corruption in Windows.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/208.html

[00:00:00] Introduction

[00:00:17] Spot the Vuln - Organizational Issues

[00:09:21] RCE in the Microsoft Windows DHCPv6 Service [CVE-2023-28231]

[00:12:29] PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique

[00:22:16] Rust and the future of VR

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

On this weeks bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they'd all creep up in other applications too. First up is an RCE due to nested use of an escaped string. Second a fgets loop that doesn't account for long lines. A XML signature verification tool with a deceptive interface, and last a look at how Bash's privileged mode can backfire.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/207.html

[00:00:00] Introduction

[00:00:31] Analysis of Pre-Auth RCE in Sophos Web Appliance [CVE-2023-1671]

[00:07:16] Git Arbitrary Configuration Injection [CVE-2023-29007]

[00:11:41] Redash SAML Authentication Bypass

[00:18:51] Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in MacOS

[00:29:38] Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO

[00:34:37] [cPanel] Finding XSS in a million websites [CVE-2023-29489]

[00:35:20] Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score [CVE-2023-1767]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week's binary exploitation episode has some pretty solid bugs.A string escaping routine that goes out of bounds, a web-based information disclosure. And a couple kernel issues, one in the Windows registry, a logical bug leading to memory corruption, and an AppleSPU out of bounds access.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/206.html

[00:00:00] Introduction

[00:00:30] Reversing the AMD Secure Processor (PSP) - Part 1: Design and Overview

[00:01:15] Spot the Vuln - Left-over Spaces

[00:05:03] Shell in the Ghost: Ghostscript CVE-2023-28879 writeup

[00:17:16] SecurePwn Part 2: Leaking Remote Memory Contents [CVE-2023-22897]

[00:21:50] Windows Kernel insufficient validation of new registry key names in transacted NtRenameKey

[00:30:38] CVE-2022-32917: AppleSPU out of bounds write

[00:34:11] Compromising Garmin's Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine

[00:35:27] The Fuzzing Guide to the Galaxy: An Attempt with Android System Services

[00:36:51] Stepping Insyde System Management Mode

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

For this week's bug bounty podcast We start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple desktop-based software bugs, with a Docker Desktop privilege escalation on windows, and a chfn bug. We've also got a couple escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file-writes.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/205.html

[00:00:00] Introduction

[00:00:32] SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication [CVE-2023-22620]

[00:08:41] Abusing Linux chfn to Misrepresent etc passwd [CVE-2023-29383]

[00:14:39] Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2

[00:22:42] From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys

[00:25:52] Pretalx Vulnerabilities: How to get accepted at every conference

[00:34:07] LLM Hacker's Handbook

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We start with a hardware/glitching attack against the Wii U, then lets talk about integer overflows. We've got three integer overflows this week that lead to buffer overflows in different ways.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/204.html

[00:00:00] Introduction

[00:00:19] Spot the Vuln - Easy as ABC

[00:06:18] de_Fuse, the One True Pwn

[00:15:31] SonicWall Out Of Bounds Write DoS

[00:26:43] Windows bluetooth vulnerability exploit [CVE-2022-44675]

[00:28:52] Windows bluetooth vulnerability exploit [CVE-2022-44675]

[00:30:06] Escaping Adobe Sandbox: Exploiting an Integer Overflow in Microsoft Windows Crypto Provider

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code. An auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWK Elastic Kubernetes Service.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/203.html

[00:00:00] Introduction

[00:00:30] [Elastic] Synthetics Recorder: Code injection when recording website with malicious content

[00:02:45] [Elastic] Synthetics Recorder: Code injection when recording website with malicious content

[00:06:32] Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server

[00:13:47] CAN Injection: keyless car theft

[00:23:48] Privilege escalation in AWS Elastic Kubernetes Service (EKS)

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Just a few bugs this week, a classic buffer overflow because of an unbounded copy in SNIProxy. mast1c0re Part 2 with a few more easy vulnerability but some more complex and difficult exploitation. And a Samsung NPU in-the-wild double free.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/202.html

[00:00:00] Introduction

[00:00:24] Spot The Vuln - Operational Set

[00:03:37] SNIProxy wildcard backend hosts buffer overflow vulnerability

[00:08:17] mast1c0re Part 2 - Compiler Attack

[00:21:46] Samsung NPU device driver double free in Android [CVE-2022-22265]

[00:41:52] CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues. A curl quirk that it might be useful to be aware of, Azure Pipelines vulnerability abusing attacker controlled logging. A look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/201.html

[00:00:00] Introduction

[00:00:39] The curl quirk that exposed Burp Suite and Google Chrome

[00:03:33] Exploiting prototype pollution in Node without the filesystem

[00:05:37] Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack

[00:11:27] Attacking Android Antivirus Applications

[00:20:59] BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Its our 200th episode, and we've got some stats from our first 200 episodes. Then we talk some Pwn2Own policy changes, a couple memeable overflows, and some new anti-ROP mitigations on OpenBSD.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/200.html

[00:00:00] Introduction

[00:00:52] Spot the Vuln - Just a Coupon

[00:04:56] 200th Episode

[00:14:52] Pwn2Own Vancouver 2023 - The Full Schedule

[00:23:26] WellinTech KingHistorian SORBAx64.dll RecvPacket integer conversion vulnerability

[00:28:23] ARM TrustZone: pivoting to the secure world

[00:34:33] Synthetic Memory Protections - An update on ROP mitigations

[00:57:51] Vulnerabilities 1002: C-Family Software Implementation Vulnerabilities

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We are back with more discussion about applying AI/ChatGPT to security research, but before that we have a few interesting vulnerabilities. An OTP implementation that is too complex for its own good, a directory traversal leading to a guest to host VM escape, and server-side mime-sniffing.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/199.html

[00:00:00] Introduction

[00:00:31] Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research

[00:07:45] Story of a Beautiful Account Takeover

[00:14:06] Parallels Desktop Toolgate Vulnerability

[00:18:50] Golang Server-Side MIME Sniff

[00:25:55] InjectGPT: the most polite exploit ever

[00:32:36] ChatGPT: The Right Tool for the Job?

[00:40:38] GPT Trick Golf

[00:49:19] [HackerOne] Arbitrary Remote Leak via ImageMagick [CVE-2022-44268]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We've got a pretty nice root/super-use check bypass in XNU this week, and a sort of double fetch issue in Intel's SMM leading to a potential privilege escalation into the Management system. We've also got a few meme-able Shannon Baseband issues and some tough to exploit out of bound reads in MIT Kerberos V5.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/198.html

[00:00:00] Introduction

[00:00:27] Spot the Vuln - The Right Context

[00:02:52] Discussion: Using GPT-4 to Spot Vulnerabilities in Code (and SecGPT)

[00:11:05] A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM

[00:19:32] Out-of-Bounds Read in the MIT Kerberos V5 (krb5) library

[00:25:35] XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads

[00:32:36] XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads

[00:36:35] Shannon Baseband: Intra-object overflow in NrmmMsgCodec when decoding Service Area List

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Recovering data from a cropped image (thanks to an undocumented API change, bypassing an origin check with an emoji, and a trivial SSRF filter bypass all in this week's bug bounty podcast.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/197.html

[00:00:00] Introduction

[00:00:32] SSRF Cross Protocol Redirect Bypass

[00:08:08] EmojiDeploy: Smile! Your Azure Web Service Got RCE’d ._.

[00:20:43] Multiple vulnerabilities in Apollo Configuration Management System [CVE-2023-25569, CVE-2023-25570]

[00:29:00] Exploiting aCropalypse: Recovering Truncated PNGs

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Some simple, but interesting vulnerabilities. A use-after-free because of wrong operation ordering, an interesting type confusion, an integer underflow and some OOB access in TPM 2.0 reference code.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/196.html

[00:00:00] Introduction

[00:00:27] Spot the Vuln - Just be Positive

[00:03:42] oss-sec: Linux kernel: CVE-2023-1118: UAF vulnerabilities in "drivers/media/rc" directory

[00:07:56] oss-sec: CVE-2023-1076: Linux Kernel: Type Confusion hardcodes tuntap socket UID to root

[00:11:21] GitHub - fuzzingrf/openbsd_tcpip_overflow: OpenBSD remote overflow

[00:14:36] Chat Question: What Language is Most Effective for Writing These Types of Exploits

[00:18:22] Vulnerabilities in the TPM 2.0 reference implementation code

[00:28:19] Chat Question: Skillset for Exploit Dev as part of a Red Team

[00:33:40] Espressif ESP32: Glitching The OTP Data Transfer

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A few varied issues this week, exploiting an apparently unexploitable CRLF injection, organization secrets exposure in GitHub, and a Jenkins XSS.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/195.html

[00:00:00] Introduction

[00:00:25] Abusing Hop-by-Hop Header to Chain A CRLF Injection Vulnerability

[00:04:26] HubSpot Full Account Takeover in Bug Bounty

[00:12:22] Unauthorized access to organization secrets in GitHub

[00:17:39] CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE

[00:26:37] Firefly: a smart black-box fuzzer for web applications testing

[00:29:27] EJS - Server Side Prototype Pollution gadgets to RCE

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Just one vulnerability this week about hacking the Nintendo DSi browser, but we have a good discussion about fuzzing and a new paper "autofz".

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/194.html

[00:00:00] Introduction

[00:00:27] Spot the Vuln - Checking your Numbers

[00:03:23] autofz: Automated Fuzzer Composition at Runtime

[00:14:52] Alex Plaskett - Fuzzing Insights

[00:23:08] Hacking the Nintendo DSi Browser

[00:29:56] Espressif ESP32: Breaking HW AES with Electromagnetic Analysis

[00:32:08] Finding 10x+ Performance Improvements in C++ with CodeQL – Part 2/2 on Combining Dynamic and Static Analysis for Performance Optimisation

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This episode covers a lot of ground, from an insecure OAuth flow (Booking.com) to a crazy JSON injection and fail-open login system (DataHub) to hacking Bluetooth smart locks (Megafeis-palm). And even a new ImageMagick trick for a local file read.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/193.html

[00:00:00] Introduction

[00:00:26] Traveling with OAuth - Account Takeover on Booking.com

[00:13:25] Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks

[00:22:46] GitHub Security Lab audited DataHub: Here's what they found

[00:33:43] ImageMagick: The hidden vulnerability behind your online images

[00:38:49] CI/CD secrets extraction, tips and tricks

[00:39:30] A New Vector For “Dirty” Arbitrary File Write to RCE

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Just a couple issues this week, a cache coherency issue because the functions used to flush changes were not implemented on AARCH64. The second was using the "world's worst fuzzer" to find some bugs. Dumb fuzzer, but it worked.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/192.html

[00:00:00] Introduction

[00:00:24] Spot the Vuln - Targeting

[00:06:16] Vulnerability Reward Program: 2022 Year in Review

 - Correction: I mistakenly thought Google's Bug Hunter University was older than it is. It was started in 2021.

[00:12:56] The code that wasn't there: Reading memory on an Android device by accident

[00:22:37] Using the “World’s Worst Fuzzer” To Find A Kernel Bug In The FiiO M6

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Parameter pollution for an auth bypass, SQL injection in an ORM, CRLF injection for a WAF bypass...this episode has a great mix of issues.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/191.html

[00:00:00] Introduction

[00:00:26] OpenEMR - Remote Code Execution in your Healthcare System

[00:10:13] Vulnerability write-up - "Dangerous assumptions"

[00:18:05] Chat Question: How do we find topics for the podcast?

[00:19:22] Exploiting Parameter Pollution in Golang Web Apps

[00:24:10] Using CRLF Injection to Bypass a Web App Firewall

[00:34:17] Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week we talk about more Rust pitfalls, and fuzzing cURL. Then we have a couple bugs, one involving messing with the TCP stack to reach the vulnerable condition.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/190.html

[00:00:00] Introduction

[00:00:27] Spot the Vuln - Insecure by Default

[00:02:20] cURL audit: How a joke led to significant findings

[00:09:45] Rustproofing Linux (Part 4/4 Shared Memory)

[00:11:25] Rustproofing Linux (Part 4/4 Shared Memory)

[00:17:22] Exploiting a remote heap overflow with a custom TCP stack

[00:34:20] mast1c0re: Part 3 - Escaping the emulator

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A variety episode this week with some bad cryptography in PHP and Azure, information disclosure in suid binaries, request smuggling in HAProxy, and some research on testing for server-side prototype pollution.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/189.html

[00:00:00] Introduction

[00:00:22] PHP :: Sec Bug #81744 :: Password_verify() always return true with some hash

[00:11:25] Readline crime: exploiting a SUID logic bug

[00:18:05] Azure B2C Crypto Misuse and Account Compromise

[00:24:32] BUG/CRITICAL: http: properly reject empty http header field names · haproxy/haproxy@a8598a2

[00:27:23] Server-side prototype pollution: Black-box detection without the DoS

[00:30:47] ThinkstScapes 2022.Q4

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Few discussions this week, from using ASAN for effectively, to vulnerabilities in Rust code, and some discussion about exploiting the OpenSSH double free.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/188.html

[00:00:00] Introduction

[00:00:31] Spot the Vuln - Too Soft

[00:04:19] One Weird Trick to Improve Bug Finding With ASAN

[00:08:27] Rustproofing Linux (Part 2/4 Race Conditions)

[00:22:39] OpenSSH Pre-Auth Double Free Writeup & PoC [CVE-2023-25136]

[00:34:14] mast1c0re: Part 2 - Arbitrary PS2 code execution

[00:42:39] All about UndefinedBehaviorSanitizer

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Bit slow this week, so we talk about the Top Web-hacking techniques of 2022, and some TruffleSec/XSS Hunter drama before so we cover a blockchain verification bug, and a simple path traversal to SSTI and RCE chain.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/187.html

[00:00:00] Introduction

[00:00:32] Top 10 web hacking techniques of 2022

[00:06:30] TruffleSec/XSSHunter Drama

[00:15:33] Binance Smart Chain Token Bridge Hack

[00:24:01] Insecure path join to RCE via SSTI [CVE-2023-22855]

[00:29:06] Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation)

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

First, we take a look at some positive changes to OSS Fuzz, then we dive into some vulnerabilities. This includes an XNU heap out-of-bounds write vulnerability, a Chrome heap-based overflow vulnerability, and an out-of-bounds read in cmark-gfm that, while probably not exploitable, is still intriguing.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/186.html

[00:00:00] Introduction

[00:00:22] Spot the Vuln - The Great String Escape

[00:03:03] Taking the next step: OSS-Fuzz in 2023

[00:09:48] XNU Heap Underwrite in dlil.c [CVE-2023-23504]

[00:19:10] Chrome heap buffer overflow in validating command decoder [CVE-2022-4135]

[00:26:19] Out-of-bounds read in cmark-gfm [CVE-2023-22485]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Is it possible to escalate a self-XSS into an account takeover? Perhaps, we take a look at some potential options by abusing single-sign on. Then we take a look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/185.html

[00:00:00] Introduction

[00:00:21] Single-Sign On Gadgets: Escalate (Self-)XSS to Account Takeover

[00:11:11] Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing

[00:14:00] DOM-XSS in Instant Games due to improper verification of supplied URLs

[00:18:55] Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation

[00:29:33] Unserializable, but unreachable: Remote code execution on vBulletin

[00:34:54] Lexmark MC3224adwe RCE exploit

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Discussion heavy episode this week, talking about KASAN landing on Windows, shuffling gadgets to make ROP harder, and a paper about automatic exploit primitive discovery.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/184.html

[00:00:00] Introduction

[00:00:26] Spot the Vuln - Just the Data

[00:04:20] Introducing kernel sanitizers on Microsoft platforms

[00:14:54] Fun with Gentoo: Why don't we just shuffle those ROP gadgets away?

[00:25:14] Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs

[00:35:44] Armed to Boot: an enhancement to Arm's Secure Boot chain

[00:37:24] Pwning the all Google phone with a non-Google bug

[00:39:01] AMD SP Loader

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Starting off the week strong we have a CSS injection turned full-read SSRF, and a MyBB exploit chain from XSS to server-side code injection. And we've got a couple auth token disclosures to end off the episode.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/183.html

[00:00:00] Introduction

[00:00:22] Unleashing the power of CSS injection: The access key to an internal API

[00:06:50] MyBB <= 1.8.31: Remote Code Execution Chain

[00:18:53] Client-Side SSRF to Google Cloud Project Takeover [Google VRP]

[00:24:38] Account Takeover in KAYAK

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Null-dereferences might not be too exploitable on a lot of systems, what about the handling of a null-dereference. We cover a great Project Zero post on the topic, then look at a type confusion in Windows COM, a Nintendo buffer overflow, and several memory corruptions in git, highlighting their unique primitives and potential exploitability.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/182.html

[00:00:00] Introduction

[00:01:14] Spot the Vuln - Resolution

[00:03:38] Exploiting null-dereferences in the Linux kernel

[00:15:31] Type confusion in Windows COM+ Event System Service [CVE-2022-41033]

[00:22:57] Information and PoC about the ENLBufferPwn vulnerability

[00:28:11] Git security vulnerabilities announced

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We've got a cloud focused episode this week, starting with a logging bypass in AWS CloudTrail, a SSH Key injection, and cross-tenant data access in Azure Cognitive Search.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/181.html

[00:00:00] Introduction

[00:00:25] Undocumented API allows CloudTrail bypass

[00:06:00] Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)

[00:14:53] SSH key injection in Google Cloud Compute Engine [Google VRP]

[00:19:08] Chat Question: Why is Cross-Site Scripting called That

[00:22:36] Cross-tenant network bypass in Azure Cognitive Search

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

An Apple-focused episode this week, with a trivial iPod Nano BootRom exploit, and a WebKit Use-after-free. We also have a really cool XNU Virutal Memory bug, strictly a race condition and a logic differential between two alternate paths resulting in bypassing copy-on-write protection. We also handle a few questions from chat, how much reverse engineering is necessary for vuln research, how much programming knowledge is required, and a bit about AI's applicability to reverse engineering.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/180.html

[00:00:00] Introduction

[00:00:18] Spot the Vuln - An Exceptional Login

[00:02:39] wInd3x, the iPod Bootrom exploit 10 years too late

[00:09:14] XNU VM copy-on-write bypass due to incorrect shadow creation logic during unaligned vm_map_copy operations [CVE-2022-46689]

[00:17:52] [WebKit] Use-after-free of RenderMathMLToken in CSSCrossfadeValue::crossfadeChanged

[00:21:46] Chat Question: How Important is Reverse Engineering to Vuln Research

[00:40:33] Learning eBPF exploitation

[00:41:23] [Chrome] Analyzing and Exploiting CVE-2018-17463

[00:42:40] Off-By-One Security - The Process of Reversing and Exploit Complex Vulnerabilities w/Chompie1337

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week kicks off with another look at client-side path traversal attacks, this time with some more case-studies. Then we get into some mobile issues, one a cool desync between DER processors resulting in an iOS privilege escalation. The other a Bundle processing issue in Android that provides an almost use-after-free like primitive but in Java.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/179.html

[00:00:00] Introduction

[00:00:27] Full Team Takeover

[00:04:20] Fetch Diversion

[00:13:39] Practical Example Of Client Side Path Manipulation

[00:17:50] DER Entitlements: The (Brief) Return of the Psychic Paper

[00:30:47] Privilege escalation to system app via LazyValue using Parcel after recycle() [CVE-2022-20452]

[00:47:38] Critical Thinking - A Bug Bounty Podcast by Justin Gardner (Rhynorater)

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Just a few issues this week, but some solid exploitation. A Kernel UAF, IoT, and a bhyve escape.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/178.html

[00:00:00] Introduction

[00:00:35] Spot the Vuln - Internal Externals

[00:06:35] Escaping from bhyve

[00:13:14] Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg

[00:29:28] MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

[00:42:19] Survey of security mitigations and architectures, December 2022

[00:45:25] Abusing RCU callbacks with a Use-After-Free read to defeat KASLR

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

First episode of the new year, and we've got some cool stuff. Several authentication issues and "class pollution" in Python.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/177.html

[00:00:00] Introduction

[00:00:31] ReDoS "vulnerabilities" and misaligned incentives

[00:17:14] Web Hackers vs. The Auto Industry

[00:37:19] Prototype Pollution in Python

 - Correction: We discuss a bit of a disagreement regarding calling the issue "Prototype Pollution" in Python, turns out we missed the fact the author calls it "Class Pollution" in the actual article which is a more fitting name.

[00:50:26] [MK8DX] Improper verification of Competition creation allows to create "Official" competitions

[00:56:36] 0 click Facebook Account Takeover and Two-Factor Authentication Bypass

[01:01:18] How SAML works and some attacks on it

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

In this episode, we discuss the discovery of a type confusion in Internet Explorer's JScript. We also explore a fun exploit strategy for a low-level memory management bug in the Linux kernel and delve into several issues in Huawei's Secure Monitor that enable code execution in the secure world.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/176.html

[00:00:00] Introduction

[00:00:30] Spot the Vuln - Update All The Things

[00:06:02] Type confusion in Internet Explorer's JScript9 engine [CVE-2022-41128]

[00:14:48] Exploiting CVE-2022-42703 - Bringing back the stack attack

[00:29:01] Huawei Secure Monitor Vulnerabilities

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Is Pwn2Own worth it for bug bounty hunters? A handful of trivial command injections, and some awesome WAF bypasses.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/175.html

[00:00:00] Introduction

[00:00:34] Pwn2Own Toronto 2022 - Results

[00:10:31] Cool vulns don't live long - Netgear and Pwn2Own

[00:15:03] The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022

[00:26:54] Abusing JSON-Based SQL to Bypass WAF

[00:26:54] RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass

[00:37:25] Abusing JSON-Based SQL to Bypass WAF

[00:46:47] OTP Leaking Through Cookie Leads to Account Takeover

[00:50:47] ChatGPT bid for bogus bug bounty is thwarted

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Will AI be your next vuln research assistant? ... Maybe? We also talk about a stack-based overflow in `ping` and a Huawei hypervisor vuln.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/174.html

[00:00:00] Introduction

[00:00:41] Spot the Vuln - A Nice Choice

[00:03:49] ChatGPT - AI for Vuln Research?

[00:21:46] Memory Safe Languages in Android 13

[00:31:28] [FreeBSD] Stack overflow in ping

[00:40:59] Huawei Security Hypervisor Vulnerability

[00:45:09] Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals

[00:45:16] Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A variety of issues this week, DOM Clobbering, argument injection, a filesystem race condition, cross-site scripting, and a normalization-based auth bypass.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/173.html

[00:00:00] Introduction

[00:00:41] Humble Tech Book Bundle: The Art of Hacking by No Starch Press

[00:03:23] Hijacking service workers via DOM Clobbering

[00:11:14] Grafana RCE via SMTP server parameter injection

[00:16:33] Race condition in snap-confine's must_mkdir_and_open_with_perms() [CVE-2022-3328]

[00:23:56] XSS on account.leagueoflegends.com via easyXDM

[00:32:41] [Hyundai] Remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

The end of kASLR bypasses? Probably just click-bait, but the patch gap is real and we discuss that a bit before getting into a couple AI-based corruptions.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/172.html

[00:00:00] Introduction

[00:01:15] Spot the Vuln - Escape

[00:06:00] Humble Tech Book Bundle: The Art of Hacking by No Starch Press

[00:11:00] An End to KASLR Bypasses?

[00:15:59] Mind the Gap

[00:24:36] ANE_ProgramCreate() multiple kernel memory corruption [CVE-2022-32898]

[00:34:29] Chat Question: Guides/Techniques to Help With C++ Reverse Engineering

[00:36:35] ZinComputeProgramUpdateMutables() OOB write due to double fetch issue [CVE-2022-32932]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Some RCE chains starting with DNS rebinding, always fun to see, a fairly basic SQL injection, and a JS sandbox escape for RCE in Spotify.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/171.html

[00:00:00] Introduction

[00:00:38] RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924]

[00:17:55] SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300]

[00:22:34] Unauthenticated Remote Code Execution in Spotify’s Backstage

[00:36:28]     Till REcollapse

[00:41:19] Chat Question: Alternatives to IDA Freeware

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A hardware heavy episode as we talk about two read protection bypasses, Pixel 6 bootloader exploitation and benchmarking fuzzers.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/170.html

[00:00:00] Introduction

[00:00:26] Spot the Vuln - Do More

[00:05:04] Pixel6 Bootloader Exploitation

[00:16:41] NXP i.MX SDP_READ_DISABLE Fuse Bypass [CVE-2022-45163]

[00:22:05] Bypassing the Renesas RH850/P1M-E read protection using fault injection

[00:29:32] FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

This week has the return of cross-site tracing, HTML injection, a golang specific vulnerable code pattern, and a fun case-sensitivity auth bypass.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/169.html

[00:00:00] Introduction

[00:01:02] A Confused Deputy Vulnerability in AWS AppSync

[00:07:05] Grafana Race Condition Leading to Potential Authentication Bypass [CVE-2022-39328]

[00:16:12] Stealing passwords from infosec Mastodon - without bypassing CSP

[00:24:01] Cross-Site Tracing was possible via non-standard override headers [CVE-2022-45411]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Is the compiler make exploitation easier, these divergent representations seem to do so. We also look at a chrome UAF and a double stack overflow.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/168.html

[00:00:00] Introduction

[00:00:52] Spot the Vuln - The Right Start

[00:03:25] Look out! Divergent representations are everywhere!

[00:12:18]  Chrome: heap-use-after-free in password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode

[00:17:34] Netgear Nighthawk r7000p aws_json Unauthenticated Double Stack Overflow Vulnerability

[00:23:52] A validation flaw in Netfilter leading to Local Privilege Escalation [CVE-2022-1015]

[00:25:03] Windows Kernel multiple memory corruption issues when operating on very long registry paths

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A Pixel Lockscreen bypass and some discussion about dupes in bug bounty, then a long RCE chain, and a look at client-side path traversals.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/167.html

[00:00:00] Introduction

[00:00:48] Accidental $70k Google Pixel Lock Screen Bypass

[00:23:28] Discovering vendor-specific vulnerabilities in Android

[00:34:30] Checkmk: Remote Code Execution by Chaining Multiple Bugs (2/3)

[00:52:13] Practical Client Side Path Traversal Attacks

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A lot of discussion about the OpenSSL vulnerability, fuzzing and exploitation. Then into a RCE in XML Signature verification, and a Samsung exploit chain.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/166.html

[00:00:00] Introduction

[00:00:35] Spot the Vuln - Spaced Out

[00:03:29] OpenSSL punycode vulnerability [CVE-2022-3602]

[00:35:43] Gregor Samsa: Exploiting Java's XML Signature Verification

[00:46:37] A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

[00:58:53] Symbolic Triage: Making the Best of a Good Situation

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Several slightly weird issues this week, a reentrancy attack abusing a read-only function, SSRF and XSS through a statically generated website and others.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/165.html

[00:00:00] Introduction

[00:01:10] Vulnerabilities in Apache Batik Default Security Controls - SSRF and RCE Through Remote Class Loading

[00:05:48] Exploiting Static Site Generators: When Static Is Not Actually Static

[00:12:51] Decoding $220K Read-only Reentrancy Exploit

[00:23:56] Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches

[00:28:42] Arbitrary File Read in Tasks.org Android app [CVE-2022-39349]

[00:33:13] [GitLab] RepositoryPipeline allows importing of local git repos

[00:36:15] [GitLab] RepositoryPipeline allows importing of local git repos

[00:46:05] Visual Studio Code Jupyter Notebook RCE

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Kicking off the week with a look at Apple's new security blog and the kalloc_type introduced into XNU, then a mix of issues including an overflow in SQLite.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/164.html

[00:00:00] Introduction

[00:00:24] Spot the Vuln - Right Code, Wrong Place

[00:03:05] Hexacon Talks are Available

[00:04:56] Towards the next generation of XNU memory safety: kalloc_type

[00:21:23] NetBSD Coredump Kernel Refcount LPE

[00:24:56] [Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched

[00:31:42] Stranger Strings: An exploitable flaw in SQLite

[00:44:35] Reaching Vulnerable Point starting from 0 Knowledge on RPC [CVE-2022-26809

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Several simple bugs with significant impacts, XSS to being able to install apps, CSRFing via a Captcha, and a Google IDOR.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/163.html

[00:00:00] Introduction

[00:00:29] Defcon Talks are Available

[00:03:10] Galaxy Store Applications Installation/Launching without User Interaction

[00:08:49] Facebook SMS Captcha Was Vulnerable to CSRF Attack

[00:15:32] Google Data Studio Insecure Direct Object Reference

[00:21:06] HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

A few issues this week, including an overflow in SHA-3, yet another io_uring bug, and multiple (questionably exploitable) corruptions in Edge.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/162.html

[00:00:00] Introduction

[00:00:23] Spot the Vuln - Tricky Notes

[00:04:04] Memory corruption vulnerabilities in Edge

[00:15:19] SHA-3 Buffer Overflow

[00:23:53] A Journey To The Dawn [CVE-2022-1786]

[00:36:57] Exploiting Xbox Game Frogger Beyond to Execute Arbitrary Unsigned Code

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

Several fun issues this week, from a Cobalt Strike RCE, a couple auth bypasses, and stanza smuggling in Jabber.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/161.html

[00:00:00] Introduction

[00:00:28] Sophos Firewall User Portal and Web Admin Code Injection [CVE-2022-3236]

[00:07:05] [Cisco Jabber] XMPP Stanza Smuggling with stream:stream tag

[00:14:52] Authentication Bypass & File Upload & Arbitrary File Overwrite

[00:25:31] Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

[00:33:38] HTTP/3 connection contamination: an upcoming threat?

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

 -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

 -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities  and exploits.

We are also available on the usual podcast platforms:

 -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

 -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

 -- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

We've got a few interesting vulns, a blind format string attack, Windows kernel int overflow, and a browser exploit (unchecked bounds after lowering).

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/160.html

[00:00:00] Introduction

[00:00:24] Spot the Vuln - Chat Configuration

[00:02:06] CCC Cancelled

[00:07:53] Hacking TMNF: Part 2 - Exploiting a blind format string

[00:19:17] Windows Kernel integer overflows in registry subkey lists leading to memory corruption

[00:28:13] Browser Exploitation: A Case Study Of CVE-2020-6507

[00:45:48] Chat Question: Getting Into Browser Exploitation

This week we look at a insecure deserialization (GitLab), argument injection (Packagist), and insecure string interpolation (Apache Commons Text)

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/159.html

[00:00:00] Introduction

[00:01:01] New reward system to accelerate learning and growth on Detectify

[00:04:33] RCE via github import

[00:11:27] Securing Developer Tools: A New Supply Chain Attack on PHP

[00:17:32] FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive [CVE-2022-40684]

[00:23:08] Apache Commons Text Interpolation leading to potential RCE [CVE-2022-42889]

Just a couple issues this week and a discussion about why you should look at old vulnerabilities and the pace exploit development advanced at.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/158.html

[00:00:00] Introduction

[00:00:26] Spot the Vuln - Authentic Token ... Fixed

[00:05:42] Hancom Office 2020 Hword Docx XML parsing heap underflow vulnerability

[00:11:07] Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices

[00:22:21] Discussion: Why Care About Old Vulnerabilities

No actual bounties this week, but we start off with a discussion on semgrep vs codeql, then get into some cool issues that you can start testing for.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/157.html

[00:00:00] Introduction

[00:00:39] Comparing Semgrep and CodeQL

[00:14:27] A Deep Dive of CVE-2022–33987 (Got allows a redirect to a UNIX socket)

[00:20:18] Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style

[00:28:23] [OpenJDK] Weak Parsing Logic in java.net.InetAddress and Related Classes

[00:34:22] RCE via Phar Deserialisation [CVE-2022-41343]

Starting off with some discussion about XOM and CFI on the PS5 and how it impacts exploitation. Then into a uClibC issue, and hacking wireless scoreboards.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/156.html

[00:00:00] Introduction

[00:00:27] Spot the Vuln - Authentic Token

[00:05:04] PS5-4.03-Kernel-Exploit: An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on 4.03FW

[00:17:54] uClibC and uClibC-ng libpthread linuxthreads memory corruption vulnerabilities

[00:26:35] Scoreboard Hacking  Part 2 - Getting the AES Key

[00:41:16] When Hypervisor Met Snapshot Fuzzing

Had some varied issues this week, a file format allowing JScript for a $20,000 bounty, Akamai Cache Poisoning, Universal XSS in Chrome.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/155.html

[00:00:00] Introduction

[00:00:26] Two Lines of JScript for $20,000

[00:05:31] Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes ($50K+ Bounty Earned)

[00:14:10] [Chrome] Universal XSS in Autofill Assistant

[00:22:51] Aurora Improper Input Sanitization Bugfix Review

[00:31:21] What I learnt from reading 126* Information Disclosure Writeups.

Starting off with meme vulnerabilities in UNISOC BootROMs, and ending  with a discussion about bypassing CFI/Intel CET and some fun issues in-between.  

Links and summaries are available at  https://dayzerosec.com/podcast/154.html 

[00:00:00] Introduction [00:00:24] Spot the Vuln - You Put Where Where?!
[00:04:05] There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
[00:12:19] Crow HTTP framework use-after-free
[00:17:51] Crowbleed (Crow HTTP framework vulnerability)
[00:19:34] exploit for CVE-2022-2588
[00:23:24] Bypassing Intel CET with Counterfeit Objects
[00:48:05] Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja
[00:50:32] PS5 IPV6_2292PKTOPTIONS Use-After-Free