Project Zero
Google Project Zero
Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models
Posted by Sergei Glazunov and Mark Brand, Google Project Zero Introduction At Project Zero, we constantly seek to expand the scope and e...
The GitHub Blog
Peter Stöckli
Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
Can an attacker execute arbitrary commands on a remote server just by sending JSON? Yes, if the running code contains unsafe deserialization vulnerabilities. But how is that possible? In this blog post, we’ll describe how unsafe deserialization vulnerabilities work and how you can detect them in Ruby projects.
Check Point Research
antoniost@checkpoint.com
Rafel RAT, Android Malware from Espionage to Ransomware Operations
Research by: Antonis Terefos, Bohdan Melnykov Introduction Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. Known for its open-source nature and flexibility, Android offers users a wide array of features, customization options, and access to a vast ecosystem of applications through the Google Play Store and other sources. However, […]
Doyensec's Blog
Single Sign-On Or Single Point of Failure?
# Single Sign-On Or Single Point of Failure? 20 Jun 2024 - Posted by Anthony Trummer No one can argue with the convenience that single sign-on (SSO) brings to users or the security and efficiency gains organizations reap from the lower administrative overhead. Gone are the days of individually...
toolsforhumanity - HackerOne
[Tools for Humanity] critical - [Meetup][World ID][OIDC] Insufficient Filtering of "state" Parameter in Response Mode form_post leads to XSS and ATO
security - HackerOne
[HackerOne] high - Program Member Could Duplicate Report To A Non Related Program Original Report
**Summary:** Hello Hackerone team, I found a vulnerability on setting duplicate report as program owner. I'm able to duplicate a report to a report that doesn't have relation with the program. For example we can duplicate to a public report in hacktivity. ### Steps To Reproduce 1. Create a...
(Web-)Insecurity Blog
Sign-in with World ID: XSS and ATO via OIDC Form Post Response Mode
Recently, Tools for Humanity partnered with the German HackerOne Club to run a one-week virtual and in-person Hacking Meetup. In the course of the meetup, a critical vulnerability within the Sign-in with World ID implementation was found, which affected the OpenID Connect form_post Response Mode and could allow malicious actors to take over end-user accounts at third-party applications that utilize the Sign-in with World ID mechanism. The vulnerability was addressed within a few hours after triage.
linkedin - HackerOne
[LinkedIn] high - Attackers can *Upgrade and claim offer* on the Premium Trial Subscription with a total price of *IDR0.00* from the original *IDR7,022,061.82*
deptofdefense - HackerOne
[U.S. Dept Of Defense] high - Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
##Description Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25: **CVE-2019-11510 - Pre-auth Arbitrary File Reading** CVE-2019-11542 - Post-auth Stack Buffer Overflow **CVE-2019-11539 -...
deptofdefense - HackerOne
[U.S. Dept Of Defense] critical - [HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf
##Description We identified potential unsafe deserialization vulnerability on the `https://www.█████/daip/messagebroker/amf` endpoint. ##POC To exclude false-positive reaction and show that pingback is result of AMF deserialization, and not a reaction to the external host in the POST...
deptofdefense - HackerOne
[U.S. Dept Of Defense] critical - Subdomain Takeover via Host Header Injection on www.█████
## Vulnerability Overview **_Reported By_**: Ezequiel \[@ezequielpuig\] **_Reported Date_**: 01/October/2023 **_Reported To_**: U.S. Department Of Defense **_Vulnerability Type_**: Subdomain Takeover **_Affected URL_**: www\.███████ Hello U.S. Department Of Defense Security Team, I...
deptofdefense - HackerOne
[U.S. Dept Of Defense] high - CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots
**Description:** CVE-2021-39226 Discovered on endpoint https://███████/api/snapshots/:key where this issue poses a significant risk to the confidentiality and integrity of snapshot data, allowing both authenticated and unauthenticated users unauthorized access and deletion...
curl - HackerOne
[curl] high - Unicode-to-ASCII conversion on Windows can lead to argument injection and more
Hello cURL team, I am splitline from DEVCORE Research Team. We recently found a vulnerability on cURL. We have reproduced the issues in the latest version of cURL (curl-8.8.0_1) and would like to report it to you. Please check the attached document for details. This advisory is in accordance with...
SSD Secure Disclosure
SSD Secure Disclosure technical team
SSD Advisory – TP-Link ViGi onvif_discovery Overflow
Summary A buffer overflow in the onvif_discovery binary located at /bin/onvif_discovery which listens on UDP port 5001. This vulnerability can be leveraged by a network-adjacent attacker to execute arbitrary code on the target as root. No authentication is required to exploit this. Credit An independent security researcher working with SSD Secure Disclosure Vendor Response The … SSD Advisory – TP-Link ViGi onvif_discovery Overflow Read More »
Project Zero Bug Tracker
PowerVR: uninitialized memory disclosure (and crash due to OOB reads) in hwperf_host_%d stream
===== issue description ===== The PowerVR "host only event stream" ("hwperf_host_%d") contains RGX_HWPERF_HOST_ALLOC events. These events are of type `RGX_HWPERF_HOST_ALLOC_DATA`, in which every union member (other than the deprecated `sTimelineAlloc`) ends with a `IMG_CHAR...
Project Zero Bug Tracker
PowerVR: out-of-bounds write of firmware addresses in PVRSRVRGXKickTA3DKM
PVRSRVRGXKickTA3DKM() overwrites the contents of the following firmware address fields in the TA/3D/PR3D commands: - ->sHWRTData - ->asPRBuffer[RGXFWIF_PRBUFFER_ZSBUFFER] - ->asPRBuffer[RGXFWIF_PRBUFFER_MSAABUFFER] However, when the commands are imported from userspace into kernel...
security - HackerOne
[HackerOne] high - Access Control Vulnerability Enabling Unauthorized Access to Limited Disclosure Reports
**Summary:** Hi there, I hope you are doing well :) I found a vulnerability which allows me to close a report as duplicate of another program report. This can cause problems in various ways, i will include some of them and rest needs to be verified on Hackerone side what additional impact it...
MDSec
Admin
Nighthawk 0.3 – Automate All the Things
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data. You can email the...
drugs_com - HackerOne
[Drugs.com] critical - Email OTP/2FA Bypass
The application has a functionality of 2FA by email OTP so i can bypass that 2FA and got the access of application without having any access of victim account. when a user try to login in the application and enter username and password, the 2FA page is available and application generate all the...
Embrace The Red
GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
Analyzing untrusted code with GitHub Copilot Chat can have malicious side effects and turn Copilot into Copirate!
GitHub
rcorrea35
PlayStation (Remote Play): Stack-buffer overflow in HEVC decoder
### Summary The HEVC decoder used in PlayStation Portal's Remote Play does not validate the length of elements copied to an array. This results in an out-of-bounds write on the stack and may l...
Project Zero
Google Project Zero
Driving forward in Android drivers
Posted by Seth Jenkins, Google Project Zero Introduction Android's open-source ecosystem has led to an incredible diversity of manufactu...
PortSwigger Research
Gareth Heyes
onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet
The power of our XSS cheat sheet is we get fantastic contributions from the web security community and this update is no exception. We had valuable contributions from Mozilla to remove events that no
NCC Group Research Blog
Aaron Adams
Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap
Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap Lua 5.1 Musl’s Next Generation Allocator – aka mallocng mallocng Cycling Offset Exploit…
DARKNAVY
DARKNAVY
AVSS Report: System Security Adversarial Capability Preliminary Evaluation of iOS, Android, and HarmonyOS - Kernel
As consumers, when faced with five different brands and models of smartphones or ten different smart cars, it’s difficult for us to determine which one can effectively prevent our privacy from being stolen or maliciously accessed, such as our location or even hearing our conversations inside the car. Even as ordinary consumers, we currently have no way of knowing. As technology professionals who have long studied in APT(Advanced Persistent Threat) attacks, we understand that these devices can ultimately be compromised in the face of advanced persistent attacks.
Private Cloud Compute: A new frontier for AI privacy in the cloud
Secure and private AI processing in the cloud poses a formidable new challenge. To support advanced features of Apple Intelligence with larger foundation models, we created Private Cloud Compute (PCC), a groundbreaking cloud intelligence system designed specifically for private AI processing. Built with custom Apple silicon and a hardened operating system, Private Cloud Compute extends the industry-leading security and privacy of Apple devices into the cloud, making sure that personal user data sent to PCC isn’t accessible to anyone other than the user — not even to Apple. We believe Private Cloud Compute is the most advanced security architecture ever deployed for cloud AI compute at scale.
watchTowr Labs - Blog
No Way, PHP Strikes Again! (CVE-2024-4577)
Orange Tsai tweeted a few hours ago about “One of [his] PHP vulnerabilities, which affects XAMPP by default”, and we were curious to say the least. XAMPP is a very popular way for administrators and developers to rapidly deploy Apache, PHP, and a bunch of other tools, and any bug that could give us RCE in its default installation sounds pretty tantalizing. Fortunately, for defenders, the bug has only been exploited under some specific locales: * Chinese (both simplified and traditional), and
GitHub
rcorrea35
GitHub - Workflow Privilege Escalation via Artifacts Upload
### Summary A File Traversal vulnerability was found in a GitHub Action that is used to download and extract artifacts. Depending on a repository's workflow configuration, attackers could g...
Atredis Partners
Chris Bellows
How to Train Your Large Language Model
Large Language Models (LLM) such as those provided by OpenAI (GPT3/4), Google (Gemini), Anthropic (Claude) can be a useful tool to include when conducting security audits or reverse engineering; however, one of the main downsides of using these tools is the data you are reviewing is processed...
Matteo Malvica
An Introduction to Chrome Exploitation - Maglev Edition
An Introduction to Chrome Exploitation - Maglev Edition
Synacktiv
WHFB and Entra ID : Say Hello to your new cache flow
# WHFB and Entra ID : Say Hello to your new cache flow During security assessments, the cache can be a goldmine on Microsoft environments. Red teamers are familiar with MSCache or DCC2 hashes, which could be a fast track to a privileged account. However, when using WHFB and a cloud-only Entra ID...
SSD Secure Disclosure
SSD Secure Disclosure technical team
SSD Advisory – Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation
Summary A vulnerability in the Linux kernel allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the netfilter subsystem. The issue results from the improper management … SSD Advisory – Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation Read More »
Project Zero Bug Tracker
PowerVR: DevmemXIntMapPages() allows mapping sDevZeroPage/sDummyPage without holding reference
===== issue description ===== [source code is described based on the current status of the ChromiumOS 5.15 kernel branch (https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/kernel/v5.15/drivers/gpu/drm/img-rogue/1.17/)] There are two bridge APIs using which a...
Check Point Research
shlomoo@checkpoint.com
Inside the Box: Malware’s New Playground
Research by: Jiri Vinopal Highlights: Introduction Over the past few months, we have been monitoring the increasing abuse of BoxedApp products in the wild. BoxedApp products are commercial packers that provide advanced features such as Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking). Even though BoxedApp has been commercially […]
Artificial truth
jvoisin
Reflections on GrapheneOS' duress feature
A couple of days ago, GrapheneOS 2024053100 recently added a new interesting "duress" feature: > add support for setting a duress password and PIN for quickly wiping all hardware keystore keys including keys used as part of deriving the key encryption keys for disk encryption to make all OS data...
samcurry.net
Hacking Millions of Modems (and Investigating Who Hacked My Modem)
Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server.
Meta Red Team X
Tom Hebb, Red Team X
Becoming any Android app via Zygote command injection
We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they can read and write any app’s data, make use of per-app secrets and login tokens, change most system configuration, unenroll or bypass Mobile Device Management, and more. Our exploit involves no memory corruption, meaning it works unmodified on virtually any device running Android 9 or later, and persists across reboots.
Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938
# Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938 # Table of Contents At OffensiveCon 2024, the Android Red Team gave a presentation (slides) on finding and exploiting CVE-2023-20938, a use-after-free vulnerability in the Android Binder device driver. This post will provide...
GitHub
tchebb
Android Zygote command injection allows code execution as any app via WRITE_SECURE_SETTINGS or Signed Config
**For more detailed analysis of this issue, see [Red Team X's blog post about it](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html).** We have discovered a vul...
Home
Connor McGarr
Windows Internals: Dissecting Secure Image Objects - Part 1
Analysis of NT, Secure Kernel, and SKCI working together to create the initial SECURE_IMAGE object
Zero Day Initiative
Piotr Bazydło
CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun t
watchTowr Labs - Blog
Check Point - Wrong Check Point (CVE-2024-24919)
Gather round, gather round - it’s time for another blogpost tearing open an SSLVPN appliance and laying bare a recent in-the-wild exploited bug. This time, it is Check Point who is the focus of our penetrative gaze. Check Point, for those unaware, is the vendor responsible for the 'CloudGuard Network Security' appliance, yet another device claiming to be secure and hardened. Their slogan - "you deserve the best security" - implies a level of security that can be relied upon on in their products
Jonathan Munshaw
Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data. You can email the...
ibb - HackerOne
[Internet Bug Bounty] high - Path traversal by monkey-patching Buffer internals (2430.00USD)
**Summary:** In Node.js 20 and Node.js 21, the permission model protects itself against path traversal attacks by calling `path.resolve()` on any paths given by the user. If the path is to be treated as a `Buffer`, the implementation uses `Buffer.from()` to obtain a `Buffer` from the result of...
PortSwigger Research
James Kettle
Refining your HTTP perspective, with bambdas
When you open a HTTP request or response, what do you instinctively look for? Suspicious parameter names? CORS headers? Some clue as to the request's origin or underlying purpose? A single HTTP messag
Embrace The Red
Automatic Tool Invocation when Browsing with ChatGPT - Threats and Mitigations
Automatic Tool Invocation when Browsing with ChatGPT remains a risk to be aware of. Unfortunately it is possible to invoke the tools like memory or DALLE directly during prompt injection.
expressionengine - HackerOne
[ExpressionEngine] high - Non-authenticated path traversal leading to arbitrary file read
expressionengine - HackerOne
[ExpressionEngine] high - Low privileges (auth) Remote Command Execution - PHP file upload bypass.
Check Point Research
alexeybu
Static Unpacking for the Widespread NSIS-based Malicious Packer Family
Packers or crypters are widely used to protect malicious software from detection and static analysis. These auxiliary tools, through the use of compression and encryption algorithms, enable cybercriminals to prepare unique samples of malicious software for each campaign or even per victim, which complicates the work of antivirus software. In the case of certain packers, […]
Talos - Vulnerability Reports
libigl readNODE out-of-bounds write vulnerability
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data. You can email the...