Home
**Issue Description**
Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
The vulnerability is registered as [CVE-2018-6389] #761722 #752010 #753491 #335177
**CVE ID Risk Score**
[CVE-2018-6389...
OpenSSL Advisory: https://www.openssl.org/news/secadv/20210824.txt
Exploits constitute malware in the form of application inputs. They take
advantage of security vulnerabilities inside programs in order to yield
execution control to attackers. The root cause of successful exploitation lies
in emergent functionality introduced when programs are compiled and loaded in
memory for execution, called `Weird Machines' (WMs). Essentially WMs are
unexpected virtual machines that execute attackers' bytecode, complicating
malware analysis whenever the bytecode set is unknown. We take the direction
that WM bytecode is best understood at the level of the process memory layout
attained by exploit execution. Each step building towards this memory layout
comprises an exploit primitive, an exploit's basic building block. This work
presents a WM reconstruction algorithm that works by identifying pre-defined
exploit primitive-related behaviour during the dynamic analysis of target
binaries, associating it with the responsible exploit segment - the WM
bytecode. In this...
NOTE: This is a correlation attack and requires a sophisticated attacker to perform. A complicated attack would require physical access to the device running tor browser, as well as either operating rogue/bad exit nodes, or a compromised/fake hidden service, or combination of that.
### Title
CVE-2021-39246 - Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack...
EIP-2020-0032 The Serv-U File Server supports site specific commands which may not be universally supported by all FTP clients. Among these is the SITE EXEC command which allows a user to execute programs and scripts remotely, if the execute permission is present on the folder where a given program / script resides. A command injection vulnerability ... Read more
This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. Ill cover the root cause analysis of the bug, as well as detailed exploitation.
Demonstrating the veracity of videos is a longstanding problem that has
recently become more urgent and acute. It is extremely hard to accurately
detect manipulated videos using content analysis, especially in the face of
subtle, yet effective, manipulations, such as frame rate changes or skin tone
adjustments. One prominent alternative to content analysis is to securely embed
provenance information into videos. However, prior approaches have poor
performance and/or granularity that is too coarse. To this end, we construct
Vronicle -- a video provenance system that offers fine-grained provenance
information and substantially better performance. It allows a video consumer to
authenticate the camera that originated the video and the exact sequence of
video filters that were subsequently applied to it. Vronicle exploits the
increasing popularity and availability of Trusted Execution Environments (TEEs)
on many types of computing platforms.
One contribution of Vronicle is the design of...
Writeup :
https://alimanshester.medium.com/how-i-found-7-xss-vulnerabilities-in-filename-reflecting-6347279ee82a
Machine Learning (ML) has emerged as a core technology to provide learning
models to perform complex tasks. Boosted by Machine Learning as a Service
(MLaaS), the number of applications relying on ML capabilities is ever
increasing. However, ML models are the source of different privacy violations
through passive or active attacks from different entities. In this paper, we
present MixNN a proxy-based privacy-preserving system for federated learning to
protect the privacy of participants against a curious or malicious aggregation
server trying to infer sensitive attributes. MixNN receives the model updates
from participants and mixes layers between participants before sending the
mixed updates to the aggregation server. This mixing strategy drastically
reduces privacy without any trade-off with utility. Indeed, mixing the updates
of the model has no impact on the result of the aggregation of the updates
computed by the server. We experimentally evaluate MixNN and design a new
attribute...
Maxwell Dulin () Blog Loading... Maxwell Dulin Email me! Twitter Github Admin Blog RSS Feed Resources RSS Feed
The researcher was able to exploit a PHP Object Injection vulnerability which allowed him to execute remote commands on the server.
In machine learning, differential privacy and federated learning concepts are
gaining more and more importance in an increasingly interconnected world. While
the former refers to the sharing of private data characterized by strict
security rules to protect individual privacy, the latter refers to distributed
learning techniques in which a central server exchanges information with
different clients for machine learning purposes. In recent years, many studies
have shown the possibility of bypassing the privacy shields of these systems
and exploiting the vulnerabilities of machine learning models, making them leak
the information with which they have been trained. In this work, we present the
3DGL framework, an alternative to the current federated learning paradigms. Its
goal is to share generative models with high levels of
$\varepsilon$-differential privacy. In addition, we propose DDP-$$VAE, a
deep generative model capable of generating synthetic data with high levels of
utility and...
Deception is a crucial tool in the cyberdefence repertoire, enabling
defenders to leverage their informational advantage to reduce the likelihood of
successful attacks. One way deception can be employed is through obscuring, or
masking, some of the information about how systems are configured, increasing
attacker's uncertainty about their targets. We present a novel game-theoretic
model of the resulting defender-attacker interaction, where the defender
chooses a subset of attributes to mask, while the attacker responds by choosing
an exploit to execute. The strategies of both players have combinatorial
structure with complex informational dependencies, and therefore even
representing these strategies is not trivial. First, we show that the problem
of computing an equilibrium of the resulting zero-sum defender-attacker game
can be represented as a linear program with a combinatorial number of system
configuration variables and constraints, and develop a constraint generation
approach...
As an essential ingredient of quantum networks, quantum conference key
agreement (QCKA) provides unconditional secret keys among multiple parties,
which enables only legitimate users to decrypt the encrypted message. Recently,
some QCKA protocols employing twin-field was proposed to promote transmission
distance. These protocols, however, suffer from relatively low conference key
rate and short transmission distance over asymmetric channels, which demands a
prompt solution in practice. Here, we consider a tripartite QCKA protocol
utilizing the idea of sending-or-not-sending twin-field scheme and propose a
high-efficiency QCKA over asymmetric channels by removing the symmetry
parameters condition. Besides, we provide a composable finite-key analysis with
rigorous security proof against general attacks by exploiting the entropic
uncertainty relation for multiparty system. Our protocol greatly improves the
feasibility to establish conference keys over asymmetric channels.
Hello, i want to report the vulnerability found,
Since the following activity `com.application.zomato.activities.DeepLinkRouter` has `exported="true"` it can be exploited by another application.
###Application Information
Application: [Zomato Order - Food Delivery App](https://play.google.com/store/apps/details?id=com.application.zomato.ordering)
Package Name:...
Hi,
I noticed that concrete5 fetches the update JSON scheme from www.concrete5.org over HTTP.
The fetched json defines the download URL, so we can simply tamper with this JSON in order to make the update URL point to a server controlled by us.
Combining this with the possibility to set an arbitrary proxy for outgoing communications leads to RCE.
Privileges required:...
We mine the leaked history of trades on Mt. Gox, the dominant Bitcoin
exchange from 2011 to early 2014, to detect the triangular arbitrage activity
conducted within the platform. The availability of user identifiers per trade
allows us to focus on the historical record of 440 investors, detected as
arbitrageurs, and consequently to describe their trading behavior. We begin by
showing that a considerable difference appears between arbitrageurs when
indicators of their expertise are taken into account. In particular, we
distinguish between those who conducted arbitrage in a single or in multiple
markets: using this element as a proxy for trade ability, we find that
arbitrage actions performed by expert users are on average non-profitable when
transaction costs are accounted for, while skilled investors conduct arbitrage
at a positive and statistically significant premium. Next, we show that
specific trading strategies, such as splitting orders or conducting arbitrage
non aggressively,...
Posted by Priya Wadhwa and Appu Goundan, Google Open Source Security Team A few months ago we announced that we started signing all distrole...
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Yazhi Wang of the Trend Micro Research Team detail a recent code injection bug in the Atlassian Confluence server. Since the publication of the vendor advisory, U.S. Cybercom has reported that mas
Vmalloc Use-After-Free in the ION/DMA-Buff subsystems
Vulnerability tested on:- Brave 1.29.81 Chromium: 93.0.4577.82 (Official Build) (64-bit)
Vulnerability description:- For security measures and for privacy purposes, Brave has the ability to open a normal tab of the Brave when we navigate to: `chrome://wallet`, `chrome://history` etc. due to the reason that Tor should be blocking privileged URIs like `file:///`, `chrome://` etc. When we open...
Researcher reported an issue where certain secure cookies would be included in a web request initiated through Steam Big Picture mode that was initially to a trusted origin but subsequently forwarded to a site on a different origin.
The Steamworks Product Data web site had an URL route with insufficient access controls, which would allow an authenticated partner to view data for games which they might not otherwise have permissions to view. After mitigation, an audit of accesses to this URL route showed no accesses by parties other than Valve or the reporter of this issue.
Adrian Taylor, Andrew Whalley, Dana Jansens and Nasko Oskov, Chrome security team Security is a cat-and-mouse game. As attackers innovate...
Scalability remains one of the biggest challenges to the adoption of
permissioned blockchain technologies for large-scale deployments. Permissioned
blockchains typically exhibit low latencies, compared to permissionless
deployments -- however at the cost of poor scalability. Various solutions were
proposed to capture "the best of both worlds", targeting low latency and high
scalability simultaneously, the most prominent technique being blockchain
sharding. However, most existing sharding proposals exploit features of the
permissionless model and are therefore restricted to cryptocurrency
applications.
We present MITOSIS, a novel approach to practically improve scalability of
permissioned blockchains. Our system allows the dynamic creation of
blockchains, as more participants join the system, to meet practical
scalability requirements. Crucially, it enables the division of an existing
blockchain (and its participants) into two -- reminiscent of mitosis, the
biological process of cell...
An evidence wiki is a collection of resources that an organization has access to that can be used to create an incident response timeline.
This blog post details a vulnerability Rhino Security Labs found in AWS WorkSpaces desktop client, tracked as CVE-2021-38112
Introduction This blog post details a vulnerability, the exploitation of which results in Remote Code Execution (RCE) as root, that impacts...
TL;DR Find out how a vulnerability in macOS Finder system allows remote attackers to trick users into running arbitrary commands. Vulnerability Summary A […]
Federated learning (FL) has become an emerging machine learning technique
lately due to its efficacy in safeguarding the client's confidential
information. Nevertheless, despite the inherent and additional
privacy-preserving mechanisms (e.g., differential privacy, secure multi-party
computation, etc.), the FL models are still vulnerable to various
privacy-violating and security-compromising attacks (e.g., data or model
poisoning) due to their numerous attack vectors which in turn, make the models
either ineffective or sub-optimal. Existing adversarial models focusing on
untargeted model poisoning attacks are not enough stealthy and persistent at
the same time because of their conflicting nature (large scale attacks are
easier to detect and vice versa) and thus, remain an unsolved research problem
in this adversarial learning paradigm. Considering this, in this paper, we
analyze this adversarial learning process in an FL setting and show that a
stealthy and persistent model poisoning...
During an audit of Apache Dubbo v2.7.8 source code, I found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers. In this blog post I detailed how I leveraged CodeQL as an audit oracle to help me find these issues.
https://github.com/github/securitylab/issues/422
With the recent advances of IoT (Internet of Things) new and more robust
security frameworks are needed to detect and mitigate new forms of
cyber-attacks, which exploit complex and heterogeneity IoT networks, as well
as, the existence of many vulnerabilities in IoT devices. With the rise of
blockchain technologies service providers pay considerable attention to better
understand and adopt blockchain technologies in order to have better secure and
trusted systems for own organisations and their customers. The present paper
introduces a high level guide for the senior officials and decision makers in
the organisations and technology managers for blockchain security framework by
design principle for trust and adoption in IoT environments. The paper
discusses Cyber-Trust project blockchain technology development as a
representative case study for offered security framework. Security and privacy
by design approach is introduced as an important consideration in setting up
the framework.
EXP-2021-0014 A heap buffer overflow vulnerability exists in the IA32.api module of Adobe Acrobat and Acrobat Reader DC. Upon parsing a specially crafted PDF document containing URI entries with URI dictionaries and a specially crafted base URL defined with raw Unicode strings can trigger the vulnerability to achieve remote code execution. Vulnerability Identifiers Exodus Intelligence: ... Read more
In this paper, we raise up an emerging personal data protection problem where
user personal data (e.g. images) could be inappropriately exploited to train
deep neural network models without authorization. To solve this problem, we
revisit traditional watermarking in advanced machine learning settings. By
embedding a watermarking signature using specialized linear color
transformation to user images, neural models will be imprinted with such a
signature if training data include watermarked images. Then, a third-party
verifier can verify potential unauthorized usage by inferring the watermark
signature from neural models. We further explore the desired properties of
watermarking and signature space for convincing verification. Through extensive
experiments, we show empirically that linear color transformation is effective
in protecting user's personal images for various realistic settings. To the
best of our knowledge, this is the first work to protect users' personal data
from...
EIP-2015-0041 The vulnerability affects both Data Loss Prevention (DLP) Endpoint for Windows and the DLP Discover products from McAfee. The vulnerability is present within the included lasr.dll module, which is part of the Keyview SDK3 , and is responsible for parsing Ami Pro (.sam) files during server content inspection. A file format parsing vulnerability results in ... Read more
Reverse-engineering a hashing mechanism and optimizing password cracking
You might recall our post on a CSP bypass in PayPal; they used an allow list policy and we demonstrated how that was insecure but what about the other side of the coin? Nonce based policies are more s
## Summary:
after seeing the disclosure it looks like the bug was not fixed properly
## Steps To Reproduce:
copy and paste the request below and paste it into Burpsuite repeater
`GET /community-app-assets/api/proxy-post?url=http%3A%2F%2F169.254.169.254%2F/latest/meta-data/iam/security-credentials/ecsInstanceRole%3Fu%3D65bd5a1857b73643aad556093%26amp%3Bid%3D934e9ffdc5 HTTP/1.1
Host:...
Four critical OMI vulnerabilities one unauthorized RCE and three privilege escalation were recently disclosed. Heres how to remediate them.
An overview of the most common security risks when migrating to Microsoft Azure including best practices for resolution.
Posted by Kaylin Trychon, Google Open Source Security Team We recently pledged to provide $100 million to support third-party foundations...
### Summary
A stored XXS exists in the main page of a `project`. By changing the "default branch name" of a group a malicious user can inject arbitrary JavaScript into the main page of a project. Any user that is either at least developer of the project, or an administrator of the GitLab instance, and access the project URL will trigger the payload.
The field "default branch name" under...
CSRF was missing in Account Deletion form due to switching login providers. @asad0x01_ found the vulnerability and reported it concisely, even with a video POC.
The issue was fixed with 60 days, but we were slow to resolve the ticket and disclose.
This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity. Shellshock Advisory 25 Sep 2014 iSEC
Posted by Ivan Fratric, Project Zero tl;dr I combined Fuzzilli (an open-source JavaScript engine fuzzer), with TinyInst (an open-sou...
In PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code.
#Vulnerability
The SteamWorks SDK has a function available named [DecompressVoice()](https://partner.steamgames.com/doc/api/ISteamUser#DecompressVoice), which takes as input some compressed voice data, and returns the raw audio data.
The format for the input voice data is as follows:
```
8 bytes - steamid
1 byte - payload type
2 bytes - payload size
<payload data>
4 bytes - CRC...