lemlist - HackerOne
high - Clickjacking at app.lemlist.com
Clickjacking at app.lemlist.com Account Takeover, Account Deletion and Password Change
GitLab - HackerOne
high - Arbitrary POST request as victim user from HTML injection in Jupyter notebooks (8690.00USD)
### Summary An attacker can create a Jupyter notebook that will make arbitrary POST requests as the victim user. In the "worst case" an attacker could make an admin create a new admin account for the attacker. Other possible attack vectors are forcing invites to private projects etc. Every POST request is possible. This research is loosely based on the issue with Rails Ujs data-* parameters....
Unit42
Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
CVE-2022-22954, one of several recently published VMware vulnerabilities, is being exploited in the wild. Read our observations and recommendations.
Project Zero Bug Tracker
Linux USB: usbnet tells minidrivers to unbind while netdev is still up, causing UAFs
Zero Day Initiative
Pwn2Own Vancouver 2022 - The Results
Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, pictures, and videos from the event. We'll be posting it all here - including the most recent Master of Pwn leaderboard.
Google Online Security Blog
Privileged pod escalations in Kubernetes and GKE
Posted by GKE and Anthos Platform Security Teams At the KubeCon EU 2022 conference in Valencia, security researchers from Palo Alto Network...
labs.taszk.io
CVE-2021-39986: Huawei Baseband Memory Access Permission Bypass And DMSS Memory Access Management Configuration Unauthorized Rewrite Via LPMCU
Huawei Baseband Memory Access Permission Bypass And DMSS Memory Access Management Configuration Unauthorized Rewrite Via LPMCU
labs.taszk.io
CVE-2021-37107: Huawei Peripheral DMA Memory Access Permission Bypass
Huawei Peripheral DMA Memory Access Permission Bypass
labs.taszk.io
CVE-2021-37115: Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via ASP DMA
Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via ASP DMA
labs.taszk.io
CVE-2021-40055: Huawei OTA Insecure SSL Configuration Man-In-The-Middle Vulnerability
Huawei OTA Insecure SSL Configuration Man-In-The-Middle Vulnerability
labs.taszk.io
CVE-2021-40045: Huawei Recovery Update Zip Signature Verification Bypass
Huawei Recovery Update Zip Signature Verification Bypass
labs.taszk.io
CVE-2021-39991: Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via Peripheral DMA
Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via Peripheral DMA
labs.taszk.io
CVE-2021-37109: Huawei Baseband MPU Security Protection Bypass via EDMA
Huawei Baseband MPU Security Protection Bypass via EDMA
labs.taszk.io
CVE-2021-39992: Huawei Kernel Memory Access Permission Bypass via EDMA
Huawei Kernel Memory Access Permission Bypass via EDMA
Zero Day Initiative
Pwn2Own Vancouver 2022 - The Schedule
Welcome to Pwn2Own Vancouver 2022! This year marks the 15th anniversary of the contest, and we plan on celebrating by putting some amazing research on display. For this year's event, we have 17 contestants attempting to exploit 21 targets across multiple categories. As always, we began our contest w
Glovo - HackerOne
critical - Integer overflow vulnerability
## Summary: In one of my previous reports I sent a parameter tampering vulnerability report. Then you asked me to send a PoC and you just closed it, that's why I'm sending you this new report with the exact name of the vulnerability. Integer Overflows are closely related to other conditions that occur when manipulating integers. An Integer Overflow is the condition that occurs when the result of an...
lemlist - HackerOne
high - [app.lemlist.com] Improper handling of payment lead to bypass payment
## Summary: Hello Team, I truly hope it treats you awesomely on your side of the screen :) due to improper handling of payment methods, an attacker can easily bypass the payment and benefit from a paid plan. ## Steps To Reproduce: 1. Log to your account 1. Go to the billing page 1. Fill in the address tab 1. Go to the next tab `Payment Card` 1. ==Now the interesting step Make sure you don't...
Project Zero - Root Cause Analysis
CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD
Information about 0-days exploited in-the-wild!
talosintelligence.com
NVIDIA nvwgf2umx_cfg.dll shader DCL_RESOURCE_STRUCTURED memory corruption vulnerability
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader DCL_RESOURCE_STRUCTURED functionality of NVIDIA D3D10 Driver, version 496.76, 30.0.14.9676. ...
talosintelligence.com
NVIDIA nvwgf2umx_cfg.dll shader DCL_UNORDERED_ACCESS_VIEW_STRUCTURED memory corruption vulnerability
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader DCL_UNORDERED_ACCESS_VIEW_STRUCTURED functionality of NVIDIA D3D10 Driver version 496.76, 30...
talosintelligence.com
NVIDIA nvwgf2umx_cfg.dll shader DCL_INDEXABLE memory corruption vulnerability
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader dcl_indexable functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A specially...
talosintelligence.com
NVIDIA nvwgf2umx_cfg.dll shader DCL_INDEXRANGE memory corruption vulnerability
Discovered by Piotr Bania of Cisco Talos. Summary A memory corruption vulnerability exists in the shader DCL_INDEXRANGE functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A speciall...
Detectify Labs
How To Hack Web Applications in 2022: Part 1
A step-by-step guide on how to hack a web application from an ethical hacker so your security team can better learn what threats to consider.
Shielder
Printing Fake Fiscal Receipts - An Italian Job p.2
Reverse engineering and analysis of a fiscal printer device for fun and (real) profit.
lemlist - HackerOne
high - Security misconfiguration
## Description : When we request a magic link to log in to the application, and use that same link in multiple browsers, it works; there isn't any limit on the use of the link. Steps to reproduce : 1. go to app.lemilist.com 2. create a magic link 3. use it to log in 4. now open another browser or incognito window 5. use that same magic link and you'll be logged in to your account. ## Impact If...
critical - HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function (6000.00USD)
The Edge Rules engine used by Cloudflare Transform Rules features string-modifying functions like lower() and concat(), which accepted hexadecimal-encoded characters such as \x0a\x0d. This allowed for manipulation of request headers (e.g. injecting an additional header) and, as a consequence, made an HTTP request smuggling attack (TE.CL) possible. This vulnerability enabled an attacker to bypass...
Project Zero Bug Tracker
Chrome: heap-use-after-free in extensions::ExtensionApiFrameIdMap::GetFrameId
NCC Group Research
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake over a BLE connection to verify the identity of the device
NCC Group Research
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE
NCC Group Research
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
NCC Group has developed a tool for conducting a new type of BLE relay attack operating at the link layer, for which added latency is within the range of normal GATT response timing variation, and which is capable of relaying encrypted link layer communications. This approach can circumvent the existing relay attack mitigations of latency bounding or link layer encryption, and bypass localization defences commonly used against relay attacks that use signal amplification.
Youssef Sammouda
Multiple bugs chained to take over Facebook Accounts which use Gmail.
Description This bug could allow a malicious actor to take over a Facebook account after stealing a Gmail OAuth id_token/code used to log in to Facebook. This happened due to multiple bugs that were ...
MTN Group - HackerOne
critical - Download full backup [Mtn.co.rw]
## Summary: I discovered a few critical vulnerabilities here, one of them is exposed backup files via directory listing. ## Steps To Reproduce: go to https://mtn.co.rw/mtn.zip and download the file, extract the file and open it, you will see the full backup of the website ## Similar report: https://hackerone.com/reports/684838 ## Impact Source code & DB credentials leakage. Attacker can use it...
curl - HackerOne
high - error parse uri path in curl
## Summary: [add summary of the vulnerability] The URI path error could lead to security filter bypasses. For example, we can use curl -vv 'f[h-j]le:///etc/passwd' to bypass a file protocol blacklist, and we can use curl -vv 'http://1.1.1.1:[80-9000]' to scan the open ports on the host, etc. ## Steps To Reproduce: [add details for how we can reproduce the issue] curl -vv...
PortSwigger Research
Hunting evasive vulnerabilities
Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading audit
curl - HackerOne
high - Cookie injection from non-secure context
## Summary: Curl allows injecting cookies over insecure HTTP connection that will then be sent to the target site when connecting over HTTPS. As documented in lib/cookie.c https://github.com/curl/curl/blob/a04f0b961333e1a19848d073d8c7db9c20b2a371/lib/cookie.c#L1039 this should not be possible: ``` /* * A non-secure cookie may not overlay an existing secure cookie. ...
trenchant.io
Expanding the Dragon: Adding an ISA to Ghidra
Vulnerability research news
Google Online Security Blog
I/O 2022: Android 13 security and privacy (and more!)
Posted by Eugene Liderman and Sara N-Marandi, Android Security and Privacy Team Every year at I/O we share the latest on privacy and secu...
Project Zero Bug Tracker
AppleVideoDecoder: Out-of-bounds free in CreateHeaderBuffer
PlayStation - HackerOne
high - Remote kernel heap overflow
# Summary The PlayStation has a kernel PPPoE driver, that originates from NetBSD. This driver has a kernel heap overflow vulnerability, that an attacker can remotely trigger over the LAN, with the ability to control both the contents that are overflown and their sizes. # Technical Details ## PPPoE Protocol In short, the PlayStation (PS) will: 1. Send a PADI packet. 2. Expect to receive a...
Google Online Security Blog
Taking on the Next Generation of Phishing Scams
Posted by Daniel Margolis, Software Engineer, Google Account Security Team Every year, security technologies improve: browsers get better ...
Exodus Intelligence
D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability
EIP-3b20d7b3 A command injection vulnerability exists within the web management interface of the D-Link DIR-1260 Wi-Fi router that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local ...
Nextcloud - HackerOne
high - SQL injection via vulnerable doctrine/dbal version
Advisory at https://github.com/nextcloud/security-advisories/security/advisories/GHSA-539w-xvpg-wj29
Priceline - HackerOne
high - Account takeover via Google OneTap (1500.00USD)
## Summary: It's possible to take over any priceline.com user's account knowing their email. The only requirement is that the victim's email domain is not registered with Google's Gsuite. The root cause of this issue is that the backend does not verify whether the email provided is a confirmed one. ## Steps To Reproduce: 1. Create Account A (in my case `badca7@wearehackerone.com`) with...
secret club
Earn $200K by fuzzing for a weekend: Part 2
Below are the writeups for two vulnerabilities I discovered in Solana rBPF, a self-described Rust virtual machine and JIT compiler for eBPF programs. These vulnerabilities were responsibly disclosed according to Solana's Security Policy and I have permission from the engineers and from the Solana Head of Business Development to publish these vulnerabilities as shown below.
secret club
Earn $200K by fuzzing for a weekend: Part 1
By applying well-known fuzzing techniques to a popular target, I found several bugs that in total yielded over $200K in bounties. In this article I will demonstrate how powerful fuzzing can be when applied to software which has not yet faced sufficient testing.
Unit42
Threat Brief: CVE-2022-1388
CVE-2022-1388 is a critical vulnerability that needs immediate attention. We share observations and strategies for mitigation.
ieeexplore.ieee.org
Dancing with wolves: An intra-process isolation technique with privileged hardware
Intra-process memory isolation is a cornerstone technique of protecting the sensitive data in memory-corruption defenses, such as the shadow stack in control flow integrity (CFI) and the safe region in code pointer integrity (CPI). In this paper, we propose SEIMI, a highly efficient intra-process memory isolation technique for memory-corruption defenses. The core is to use the efficient Supervisor-mode Access Prevention (SMAP), a hardware feature that is originally used for preventing the kernel from accessing the user space, to achieve intra-process memory isolation. To leverage SMAP, SEIMI creatively executes the user code in the privileged mode. In addition to enabling the new design of the SMAP-based memory isolation, we further develop multiple new techniques to ensure secure escalation of user code. Extensive experiments show that SEIMI outperforms existing isolation mechanisms, including the Memory Protection Keys (MPK) based scheme and the Memory Protection Extensions (MPX)...
Project Zero Bug Tracker
Linux: two(?) seccomp bugs: PT_SUSPEND_SECCOMP permission bypass, ptracer death race
Project Zero Bug Tracker
Chrome: heap-use-after-free in content::DisplayCutoutHostImpl::SendSafeAreaToFrame
Reddit - HackerOne
high - Reflected xss in https://sh.reddit.com (5000.00USD)
## Summary: Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. ## Impact: an attacker can execute malicious JavaScript and steal cookies ## Steps To Reproduce: [add details for how we can reproduce the issue] Hi team, navigate to the below URL, scroll to the page end, find an option...