SSD Secure Disclosure
SSD Advisory – MTS HW Driver Escalation of Privileges
A vulnerability in Marvin Test's driver allows local users to write arbitrary data to sensitive areas of kernel memory, which can be exploited to gain elevated privileges. Because the driver is digitally signed, an attacker who already has local access can load it and use it for post-exploitation privilege escalation.
Detectify Labs
SSRF vulnerabilities and where to find them
SSRF vulnerabilities aren't a new threat vector, but they're often misunderstood. Here are details about what SSRF is and where it can be found.
NCC Group Research
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
Juplink's RX4-1800 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion into their local WiFi network and complete takeover of the device. An attacker can remotely take over a device after using a targeted or phishing attack to change the router's administrative password, effectively locking the owner out of their device.
PortSwigger Research
Making HTTP header injection critical via response queue poisoning
HTTP header injection is often under-estimated and misclassified as a moderate-severity flaw equivalent to XSS or, worse, open redirection. In this post, I'll share a simple technique I used to take a
Medium
Opera Browser VPN Bypass
While looking at Opera's functionality I stumbled upon the built-in VPN inside the browser and was able to find a technique that allows an
talosintelligence.com
uClibC and uClibC-ng libpthread linuxthreads memory corruption vulnerabilities
Discovered by Lilith >_> of Cisco Talos. SUMMARY A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocati...
Sam Curry
Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library
On August 24th, 2022, we reported a vulnerability to Netlify affecting their Next.js "netlify-ipx" repository which would allow an attacker to achieve persistent cross-site scripting...
Zero Day Initiative
MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja
Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network. The most common bug pattern noticed among these cases is where a structure or union is
Project Zero Bug Tracker
Linux stable 5.4/5.10: page UAF via stale TLB caused by rmap lock not held during PUD move
Praetorian
Developing a Hidden Virtual File System Capability That Emulates the Uroburos Rootkit
A discussion of modifying and implementing a hidden VFS similar to the Uroburos rootkit, plus a tool we developed as part of our research.
SSD Secure Disclosure
SSD Advisory – Linux CLOCK_THREAD_CPUTIME_ID LPE
A vulnerability in the way Linux handles CLOCK_THREAD_CPUTIME_ID allows local attackers to trigger a race condition and use it to elevate their privileges to root.
Project Zero Bug Tracker
Arm Mali: driver exposes physical addresses to unprivileged userspace
Project Zero Bug Tracker
Arm Mali (mostly >=R34P0): page tables freed before PTE removal
Project Zero Bug Tracker
Arm Mali CSF: VFS read handler doesn't check buffer size
Project Zero Bug Tracker
Arm Mali non-CSF: IMPORTED_USER_BUF is released without flushing host-side VMAs, leading to page UAF
maxwelldulin.com
When Athletic Abilities Just Aren't Enough - Scoreboard Hacking Part 1
Project Zero Bug Tracker
Chrome: heap-use-after-free in LinkToTextMenuObserver::CompleteWithError
PT SWARM
Jetty Features for Hacking Web Apps
To properly assess the security of a web application, it's important to analyze it with regard to the server it will run on. Many things depend on the server, from processing user requests to the easiest way of achieving RCE. Armed with knowledge about the server, we can identify vulnerabilities in an application and make […]
Assetnote
Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804)
Application security issues found by Assetnote
Google Online Security Blog
Use-after-freedom: MiraclePtr
Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team Memory safety bugs are the most numerous cat...
Praetorian
Framework Selection: How to Architect a Systematic Security Program – Part 1
Framework selection is the first of three common issues organizations face when building or maturing a cybersecurity program.
Synacktiv
Traces of Windows remote command execution
A real ninja leaves no traces.
PortSwigger Research
The seventh way to call a JavaScript function without parentheses
I thought I knew all the ways to call functions without parentheses: alert`1337` throw onerror=alert,1337 Function`x${'alert\x281337\x29'}x``` 'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eva
jub0bs.com
Existence oracle for Secure cookies on insecure Web origins
TL;DR In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been set by the origin’s secure counterpart. Cookies' crumbly beginnings Netscape (Lou Montulli, more precisely) invented cookies in 1994 in order to introduce persistent client state in the otherwise stateless Hypertext Transfer Protocol (HTTP). Back in the day, the Web was much more static than it is today.
Project Zero Bug Tracker
Windows Kernel multiple memory problems when handling incorrectly formatted security descriptors in registry hives
Project Zero Bug Tracker
Windows Kernel use-after-free due to refcount overflow in registry hive security descriptors
Project Zero Bug Tracker
Windows Kernel invalid read/write due to unchecked Blink cell index in root security descriptor
Project Zero Bug Tracker
Windows: Credential Guard TGT Renewal Information Disclosure
Project Zero Bug Tracker
Windows: Credential Guard KerbIumCreateApReqAuthenticator Key Information Disclosure
Project Zero Bug Tracker
Windows: Credential Guard KerbIumGetNtlmSupplementalCredential Information Disclosure
Project Zero Bug Tracker
Windows: Credential Guard BCrypt Context Use-After-Free EoP
Project Zero Bug Tracker
Windows: Credential Guard Non-Constant Time Comparison Information Disclosure
Project Zero Bug Tracker
Windows: Credential Guard ASN1 Decoder Type Confusion EoP
Project Zero Bug Tracker
Windows: Credential Guard Insufficient Checks on Kerberos Encryption Type Use
Project Zero Bug Tracker
Windows: Credential Guard Kerberos Change Password EoP
Zero Day Initiative
Riding the InfoRail to Exploit Ivanti Avalanche – Part 2
In my first blog post covering bugs in Ivanti Avalanche, I covered how I reversed the Avalanche custom InfoRail protocol, which allowed me to communicate with multiple services deployed within this product. This allowed me to find multiple vulnerabilities in the popular mobile device management (M
Google Online Security Blog
Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team Recently, OSS-Fuzz our community fuzzing servi...
Project Zero Bug Tracker
.NET: External Entity Injection during XML signature verification
PT SWARM
Fork Bomb for Flutter
Flutter applications can be found in security analysis projects or bug bounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them. I decided not to skip this anymore and developed the reFlutter tool. This article describes the results of my research. Summary The report starts […]
labs.withsecure.com
Prototype Pollution Primer for Pentesters and Programmers
Prototype pollution is a vulnerability that exploits inheritance behavior in JavaScript: by writing to a shared prototype (typically Object.prototype) through attacker-controlled keys such as __proto__, an attacker adds or overrides properties that every object then inherits, which in the right conditions can result in the execution of attacker-supplied code. Depending on the context, the impact ranges from DOM-based cross-site scripting to remote code execution.
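The mechanism described above, as an added example that is not code from the WithSecure primer: a naive recursive merge (the classic sink in option-parsing and deep-merge helpers) is fed a constructed JSON payload carrying a "__proto__" key, and an unrelated object created afterwards inherits the injected "isAdmin" property. A hardened merge that refuses the dangerous keys and only descends into own properties is shown beside it. The function names, the payload and the "isAdmin" check are assumptions made for the demonstration.

```javascript
// Added example: prototype pollution through a recursive merge, and the fix.

// Vulnerable: blindly walks every key of attacker-controlled input. JSON.parse
// creates an own property literally named "__proto__", Object.keys() returns it,
// and target["__proto__"] resolves (via the accessor) to Object.prototype, so the
// recursion writes the nested keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject the keys that reach a prototype, and only reuse an existing
// nested object when it is an OWN property of the target (never an inherited one).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;           // skip prototype-reaching keys
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge with a constructed attacker payload and reports whether an
// unrelated object created afterwards inherited "isAdmin". Cleans up the
// prototype so repeated runs start from a clean state.
function demonstrate(mergeFn) {
  const attackerPayload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed input
  mergeFn({}, attackerPayload);
  const victim = {};                      // hypothetical session object built later
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;        // undo the pollution for the next run
  return polluted;
}

// Sanity check that the hardened merge still merges ordinary nested data.
function mergedSample() {
  return safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 });
}

console.log("unsafeMerge polluted Object.prototype:", demonstrate(unsafeMerge)); // true
console.log("safeMerge polluted Object.prototype:", demonstrate(safeMerge));     // false
```

The check to carry into a review is the one in `demonstrate`: after feeding the merge a `__proto__` payload, create a fresh empty object and look for the injected property. Blocklisting keys is the minimal fix; creating targets with `Object.create(null)` or freezing `Object.prototype` are stronger defence-in-depth measures when the code base allows them.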
Zero Day Initiative
CVE-2022-34715: More Microsoft Windows NFS v4 Remote Code Execution
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quintin Crist and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by the
Praetorian
Safeguarding Memory in Higher-Level Programming Languages
Memory protections like obfuscation and encryption can serve as local controls to slow an adversary until they are identified and removed.
Synacktiv
CCleaner Forensic
PortSwigger Research
How to turn security research into profit: a CL.0 case study
Have you ever seen a promising hacking technique, only to try it out and struggle to find any vulnerable systems or non-duplicate findings? In this post, I'll take a concise look at the most effective
Shielder
How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale
Learn how to decrypt Manage Engine Password Manager Pro (PMP) passwords after exploiting CVE-2022-35405.
SSD Secure Disclosure
SSD Advisory – Linux CONFIG_WATCH_QUEUE LPE
A vulnerability in the way Linux handles CONFIG_WATCH_QUEUE allows local attackers to trigger a race condition and use it to elevate their privileges to root.
Project Zero - Root Cause Analysis
CVE-2022-2294: Heap buffer overflow in WebRTC
Information about 0-days exploited in-the-wild!
Praetorian
Whitebox Security Assessments: Doing More with More
Benefits of a whitebox approach include more analysis, more realistic attack emulations, and potentially deeper vulnerability findings.
PortSwigger Research
Using Hackability to uncover a Chrome infoleak
I've been hacking browsers for over 15 years and one of the challenges I set myself was to find a SOP bypass or info leak in every major browser. Chrome was the last browser standing... until now. This p
Project Zero - Root Cause Analysis
CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
Information about 0-days exploited in-the-wild!