Home
@txt3rob found one of Snaps internal Kubernetes instances exposing an API endpoint without authorization to the public. With access to this API he was able to run arbitrary code/jobs as a cluster-admin and gained access to credentials with internal access to a significant number of instances.
@coolboss was able to chain multiple security issues, which allowed him to extract SSO tokens from Snapchat users by sending them to a malicious website.
@apfeifer27 found an internal Continuous-Integration instance, which disclosed internal source code and credentials for some of our instances.
error code: 1020
Blind XSS was possible on partners.acronis.com (Tier 3) via several contact form fields. We have seen no signs of the exploitation of this vulnerability.
Hello team. The admin panel of the website is mtngbissau.com or is vulnerable to sql attack via https://mtngbissau.com/webadmin/index.php
## Request
```
POST /webadmin/index.php HTTP/1.1
Host: mtngbissau.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:...
## Summary
Due to incorrect buffer management ext_lm_group_acl is vulnerable to a denial of service attack when processing NTLM Authentication credentials. This problem is limited to installations using the
ext_lm_group_acl binary.
## Affected Versions
Squid 2.x -> 2.7.STABLE9
Squid 3.x -> 3.5.28
Squid 4.x -> 4.9
## Severity
Due to incorrect input validation the NTLM authentication...
## Summary:
[i have discoverd a blind sql on your site login page which i confirmed using two scenarios to confirm its existance.]
## Steps To Reproduce:
[add details for how we can reproduce the issue]
use the following payloads
this one retured a 200 ok response confirming sql vulnerability existance
id=291751-sleep(5)&hash=f42ffae0449536cfd0419826f3adf136
this one was blocked...
This article looks at how cybersecurity solutions company Praetorian is tackling diversity, equity, inclusion, and belonging in 2021.
In March 2021, Microsoft released a patch to correct a vulnerability in the Windows GDI subsystem. The bug could allow an attacker to execute code with escalated privileges. This vulnerability was reported to the ZDI program by security researcher Marcin Wizowski. The patch for CVE-2021-27077
In this installment, we turn the concrete interpreter into a symbolic interpreter.
In the recent years, Portable Document Format, commonly known as PDF, has
become a democratized standard for document exchange and dissemination. This
trend has been due to its characteristics such as its flexibility and
portability across platforms. The widespread use of PDF has installed a false
impression of inherent safety among benign users. However, the characteristics
of PDF motivated hackers to exploit various types of vulnerabilities, overcome
security safeguards, thereby making the PDF format one of the most efficient
malicious code attack vectors. Therefore, efficiently detecting malicious PDF
files is crucial for information security. Several analysis techniques has been
proposed in the literature, be it static or dynamic, to extract the main
features that allow the discrimination of malware files from benign ones. Since
classical analysis techniques may be limited in case of zero-days,
machine-learning based techniques have emerged recently as an automatic
PDF-malware...
Posted by Jan Keller, Technical Program Manager, Google VRP A little over 10 years ago , we launched our Vulnerability Rewards Program (VR...
On January 26, @augustozanellato reported that while reviewing a public MacOS app, they found a valid GitHub Access Token belonging to a Shopify employee. This token had read and write access to Shopify-owned GitHub repositories. Upon validating the report, we immediately revoked the token and performed an audit of access logs to confirm no unauthorized activity had occurred.
Technical Advisory - Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
This article is about the recently published security advisory for a pretty popular software, fail2ban (CVE-2021-32749). It is about a bug that may lead to Remote Code Execution.
keyword : mongoose
#PoC
1. Login and generate API token
2. Create a repo and push several commits to phabricator
3. Execute diffusion api
```
curl http://dev.localhost/api/diffusion.internal.gitrawdiffquery \
-d api.token=api-token \
-d commit=--output%3D/tmp/qqq \
-d repository=R2
```
4. `qqq` file will be created in `tmp` directory. And the content of `qqq` contains the output...
With the growth of wearable devices, which are usually constrained in
computational power and user interface, this pairing has to be autonomous.
Considering devices that do not have prior information about each other, a
secure communication should be established by generating a shared secret key
derived from a common context between the devices. Context-based pairing
solutions increase the usability of wearable device pairing by eliminating any
human involvement in the pairing process. This is possible by utilizing onboard
sensors (with the same sensing modalities) to capture a common physical context
(e.g., body motion, gait, heartbeat, respiration, and EMG signal). A wide range
of approaches has been proposed to address autonomous pairing in wearable
devices. This paper surveys context-based pairing in wearable devices by
focusing on the signals and sensors exploited. We review the steps needed for
generating a common key and provide a survey of existing techniques utilized in
each...
We propose Breath to Pair (B2P), a protocol for pairing and shared-key
generation for wearable devices that leverages the wearer's respiration
activity to ensure that the devices are part of the same body-area network. We
assume that the devices exploit different types of sensors to extract and
process the respiration signal. We illustrate B2P for the case of two devices
that use respiratory inductance plethysmography (RIP) and accelerometer
sensors, respectively. Allowing for different types of sensors in pairing
allows us to include wearable devices that use a variety of different sensors.
In practice, this form of sensor variety creates a number of challenges that
limit the ability of the shared-key establishment algorithm to generate
matching keys. The two main obstacles are the lack of synchronization across
the devices and the need for correct noise-induced mismatches between the
generated key bit-strings.
B2P addresses the synchronization challenge by utilizing Change...
Side-channel attacks are a security exploit that take advantage of
information leakage. They use measurement and analysis of physical parameters
to reverse engineer and extract secrets from a system. Power analysis attacks
in particular, collect a set of power traces from a computing device and use
statistical techniques to correlate this information with the attacked
application data and source code. Counter measures like just-in-time
compilation, random code injection and instruction descheduling obfuscate the
execution of instructions to reduce the security risk. Unfortunately, due to
the randomness and excess instructions executed by these solutions, they
introduce large overheads in performance, power and area.
In this work we propose a scheduling algorithm that dynamically reorders
instructions in an out-of-order processor to provide obfuscated execution and
mitigate power analysis attacks with little-to-no effect on the performance,
power or area of the processor. We exploit...
Boolean functions are important primitives in different domains of
cryptology, complexity and coding theory. In this paper, we connect the tools
from cryptology and complexity theory in the domain of Boolean functions with
low polynomial degree and high sensitivity. It is well known that the
polynomial degree of of a Boolean function and its resiliency are directly
connected. Using this connection we analyze the polynomial degree-sensitivity
values through the lens of resiliency, demonstrating existence and
non-existence results of functions with low polynomial degree and high
sensitivity on small number of variables (upto 10). In this process, borrowing
an idea from complexity theory, we show that one can implement resilient
Boolean functions on a large number of variables with linear size and
logarithmic depth. Finally, we extend the notion of sensitivity to higher order
and note that the existing construction idea of Nisan and Szegedy (1994) can
provide only constant higher order...
In the second part of this series, we write a concrete interpreter for a subset of WebAssembly.
CVE-2020-27194 is a eBPF verifier bug that allows an unprivileged attacker to create BPF socket filter programs that can read and write Out of Bounds, trough which an arbitrary kernel read write can be achieved.
I'm taking the root cause explanation from the patch email:
```
Simon reported an issue with the current scalar32_min_max_or() implementation.
That is, compared to the other 32 bit...
NCC Group - Technical Advisory ICTFAX 7-4 Indirect Object Reference
In this work, we analyze the privacy guarantees of Zigbee protocol, an
energy-efficient wireless IoT protocol that is increasingly being deployed in
smart home settings. Specifically, we devise two passive inference techniques
to demonstrate how a passive eavesdropper, located outside the smart home, can
reliably identify in-home devices or events from the encrypted wireless Zigbee
traffic by 1) inferring a single application layer (APL) command in the event's
traffic burst, and 2) exploiting the device's periodic reporting pattern and
interval. This enables an attacker to infer user's habits or determine if the
smart home is vulnerable to unauthorized entry. We evaluated our techniques on
19 unique Zigbee devices across several categories and 5 popular smart hubs in
three different scenarios: i) controlled shield, ii) living smart-home IoT lab,
and iii) third-party Zigbee captures. Our results indicate over 85% accuracy in
determining events and devices using the command inference...
An over-the-air membership inference attack (MIA) is presented to leak
private information from a wireless signal classifier. Machine learning (ML)
provides powerful means to classify wireless signals, e.g., for PHY-layer
authentication. As an adversarial machine learning attack, the MIA infers
whether a signal of interest has been used in the training data of a target
classifier. This private information incorporates waveform, channel, and device
characteristics, and if leaked, can be exploited by an adversary to identify
vulnerabilities of the underlying ML model (e.g., to infiltrate the PHY-layer
authentication). One challenge for the over-the-air MIA is that the received
signals and consequently the RF fingerprints at the adversary and the intended
receiver differ due to the discrepancy in channel conditions. Therefore, the
adversary first builds a surrogate classifier by observing the spectrum and
then launches the black-box MIA on this classifier. The MIA results show that
the...
Here's the write-up for this issue.
https://renganathanofficial.medium.com/joining-any-class-without-the-teachers-invitation-in-khan-academy-25b0855a56c1
I used Bumble's distance feature to exfiltrate the exact location (to within approx 5m) of a victim. I did this by using the Bumble API to move my attacker account's location around the approximate area of the victim. I was able to obtain the exact distance between attacker and victim at 3 separate locations, and I then used trilateration...
Hello,
I found vulnerability using phone
Summary :
Session token weakness, allowing attackers to take over accounts
Tools :
Lightning.apk (Browser)
SandroProxy.apk or you can use all available proxies
Steps to Reproduce:
1) Create a phacility account.
2) Go to https://admin.phacility.com/settings/user/(username)/page/email/
3) Add new account
4) Open SandroProxy (Capture all http request)...
## Summary:
`Curl_ssl_config_matches` attempts to compare whether two SSL connections have identical SSL security options or not. The idea is to avoid reusing a connection that uses less secure, or completely different security options such as capath, cainfo or certificate/issuer pinning.
Unfortunately this function has several flaws in it:
1. It completely fails to take into account "BLOB"...
In this post, weve invited David Erceg, one of the participants in the Edge bug bounty program, to talk about interesting bugs he found in Edge. By sharing this information, we hope more security researchers are motivated to work with us to improve the security of Edge and Chromium as a whole. Introduction Within Chromium and its derivatives, the DevTools is an interesting attack surface. Thats because the DevTools itself is fairly highly privileged, especially if its attached to a page as part of a debugging session. Therefore, bugs within the DevTools can allow a malicious extension to escalate its privileges. Thats because an extension may have the ability to load DevTools URLs and once an extension can do that, it can potentially take advantage of any bugs that are present. The post here will examine how an extension could, in previous versions of Chrome/Edge, run code within the context of the DevTools and how the ability to do that could allow the extension to run code outside...
An overview of threat intelligence, including different types and lifecycle stages that help organizations defend against cyber threats.
With the popularity of cloud storage, various operating systems have added services and functionalities to support such storage. You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native A
The rapid growth of the Industrial Internet of Things (IIoT) has brought
embedded systems into focus as major targets for both security analysts and
malicious adversaries. Due to the non-standard hardware and diverse software,
embedded devices present unique challenges to security analysts for the
accurate analysis of firmware binaries. The diversity in hardware components
and tight coupling between firmware and hardware makes it hard to perform
dynamic analysis, which must have the ability to execute firmware code in
virtualized environments. However, emulating the large expanse of hardware
peripherals makes analysts have to frequently modify the emulator for executing
various firmware code in different virtualized environments, greatly limiting
the ability of security analysis.
In this work, we explore the problem of firmware re-hosting related to the
real-time operating system (RTOS). Specifically, developers create a Board
Support Package (BSP) and develop device drivers to make...
Transient execution attacks that exploit speculation have raised significant
concerns in computer systems. Typically, branch predictors are leveraged to
trigger mis-speculation in transient execution attacks. In this work, we
demonstrate a new class of speculation-based attack that targets branch
prediction unit (BPU). We find that speculative resolution of conditional
branches (i.e., in nested speculation) alter the states of pattern history
table (PHT) in modern processors, which are not restored after the
corresponding branches are later squashed. Such characteristic allows attackers
to exploit BPU as the secret transmitting medium in transient execution
attacks. To evaluate the discovered vulnerability, we build a novel attack
framework, BranchSpectre, that enables exfiltration of unintended secrets
through observing speculative PHT updates (in the form of covert and side
channels). We further investigate PHT collision mechanism in the history-based
predictor as well as the branch...
Posted by Charlie Reis and Alex Moshchuk, Chrome Security Team Chrome's Site Isolation is an essential security defense that makes it har...
Posted by Sarah Morales, Community Outreach Manager, Security Its no secret that lack of diversity in corporate America is a well-document...
Writing a symbolic interpreter, and wiring it to a solver in order to solve reverse engineering challenges (or other uses), might seem like a daunting task. Even simply using an existing symbolic inte
### Summary
I found Stored XSS with a feature of custom emoji.
This feature hasn't been rolled out yet and need to set feature flags in self management installation. ( https://gitlab.com/gitlab-org/gitlab/-/issues/231317 )
The problem is the code here.
https://gitlab.com/gitlab-org/gitlab/-/blob/v13.11.4-ee/lib/gitlab/emoji.rb#L43
```ruby
def emoji_image_tag(name, src)
"<img...
Money theft is one of the most important risks for any organization, regardless of its scope of activity. According to our data, 42% of cybe...
Combining Part 1s information leak vulnerability with a pool overflow vulnerability to obtain code execution via grooming the kLFH
error code: 1020
I noticed that there is the possibility to limit apptokens to not be able to access the filesystem.
1. Create a new apptoken in `https://server/settings/user/security`
2. Click the .. of your new apptoken and make it not allowed to access the filesystem
3. Log out
4. Navigate to `https://server/remote.php/dav` and login with your username + apptoken
5. Navigate again to...
Posted by Ryan Hurst, Production Security Team The way we design and build software is continually evolving. Just as we now think of securit...