Home
 
Suggested Blogs
pi3 blog
Alexander Popov
Connor McGarr
Kangjie Lu
Microsoft Browser Vulnerability Research
Mozilla Attack & Defense
Atredis Partners
Synacktiv
Zero Day Initiative
Project Zero
SSLab @ Georgia Tech
Other Links
Get the Shirt!
Our Weekly Podcast
RSS Feed
SSD Secure Disclosure
December 10 2023 @ 8:13 AM
SSD Secure Disclosure technical team
SSD Advisory – Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation
Summary A vulnerability exists in processing IRP_MJ_CREATE requests in driver clfs.sys. This occurs during the processing of blf files that are parsed in kernel. Credit An independent security researcher working with SSD Secure Disclosure. CVE CVE-2023-36424 Affected Versions Windows systems running 64-bit clfs.sys with version 10.0.22621.1555 Vendor Response The vendor has released a patch for … Read More »
HackerOne - HackerOne
December 08 2023 @ 6:56 PM
mega7
critical - Server Side Request Forgery (SSRF) via Analytics Reports
We recently received a critical server-side request forgery (SSRF) vulnerability report through our bug bounty program. The issue allowed attackers to make internal requests from our application servers by exploiting a lack of output sanitization in an error message. By crafting malicious requests, an attacker could have accessed internal AWS services and obtained temporary credentials. Upon...
Project Zero Bug Tracker
December 08 2023 @ 2:31 PM
Arm Mali CSF: refcount-overflow-leading-to-physical-UAF bugfix in r43p0 misclassified as memory leak fix
Project Zero Bug Tracker
December 08 2023 @ 2:31 PM
Windows Kernel time-of-check/time-of-use issue in verifying layered key security may lead to information disclosure from privileged registry keys
Praetorian
December 07 2023 @ 2:55 PM
Emmaline
SonicWall WXA – Authentication Bypass and Remote Code Execution Vulnerability
We found that SonicWall WXA distributed a hardcoded key to the end-user , which can lead to unauthenticated remote code execution.
SSD Secure Disclosure
December 07 2023 @ 8:14 AM
SSD Secure Disclosure technical team
SSD Advisory – QNAP QTS5 – /usr/lib/libqcloud.so JSON parsing leads to RCE
Summary QTS’s JSON parsing functionality is vulnerable to type confusion due to a failure to properly check the type of the json-object->data field. The bug allows an attacker to hijack control flow, and is accessible via the /cgi-bin/qid/qidRequestV2.cgi binary. Successful exploitation would allow an unauthenticated attacker to execute arbitrary code as the admin user (equivalent … Read More »
The GitHub Blog
December 06 2023 @ 5:09 PM
Kevin Backhouse
Cueing up a calculator: an introduction to exploit development on Linux
Using CVE-2023-43641 as an example, Ill explain how to develop an exploit for a memory corruption vulnerability on Linux. The exploit has to bypass several mitigations to achieve code execution.
Synacktiv
December 06 2023 @ 2:59 PM
Using ntdissector to extract secrets from ADAM NTDS files
AD LDS As stated by Microsoft:
Zero Day Initiative
December 05 2023 @ 6:53 PM
Todd Manning
Attack Surface of the Ubiquiti Connect EV Station
Previously, we looked at the attack surface of the ChargePoint Home Flex EV charger one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV Charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle cha
PortSwigger Research
December 05 2023 @ 3:00 PM
Blind CSS Exfiltration: exfiltrate unknown web pages
This is a gif of the exfiltration process (We've increased the speed so you're not waiting around for 1 minute). Read on to discover how this works... Why would we want to do blind CSS exfiltration? I
Rhino Security Labs
December 05 2023 @ 3:00 PM
David Yesland
Multiple Vulnerabilities In Extreme Networks ExtremeXOS
Multiple vulnerabilities found in ExtremeNetworks ExtremeXOS by Rhino Security Labs.
Praetorian
December 05 2023 @ 2:43 PM
Emmaline
Analyzing the SonicWall Custom Grub LUKS Encryption Modifications
We reverse engineered a general solution to decrypt LUKS partitions for all SonicWall NSv appliances that use a specific custom GRUB module.
talosintelligence.com
December 05 2023 @ 11:22 AM
Buildroot BR_NO_CHECK_HASH_FOR data integrity vulnerability
Discovered by Claudio Bozzato and Francesco Benvenuto of Cisco Talos. SUMMARY A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR functionality of Buildroot 2023.08.1 and dev commit 6...
talosintelligence.com
December 05 2023 @ 11:22 AM
Buildroot package hash checking data integrity vulnerabilities
Discovered by Claudio Bozzato and Francesco Benvenuto of Cisco Talos. SUMMARY Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Bui...
Project Zero - Root Cause Analysis
December 04 2023 @ 7:12 PM
Brendon Tiszka, Chrome
CVE-2021-4102: Chrome incorrect node elision in Turbofan leads to unexpected WriteBarrier elision
Information about 0-days exploited in-the-wild!
IBM - HackerOne
December 04 2023 @ 3:16 PM
sajidraza
critical - Unauthenticated Remote Access to Testing Endpoint
Unauthenticated remote access to a testing endpoint was reported to IBM, analyzed and has been remediated. Thank you to our external researcher @sajidraza.
NCC Group Research Blog
December 04 2023 @ 10:04 AM
Alex Plaskett
Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Vendor: Sonos Vendor URL: Versions affected: * Confirmed 73.0-42060 Systems Affected: Sonos Era 100 Author: Ilya Zhuravlev Advisory URL: Not provided by Sonos. Sonos state an update was released on
Project Zero Bug Tracker
December 01 2023 @ 5:54 PM
Arm Mali r44p0: UAF by freeing waitqueue with elements on it
Internet Bug Bounty - HackerOne
November 30 2023 @ 4:07 PM
tniessen
high - Permission model improperly protects against path traversal in Node.js 20 (2330.00USD)
Permission model improperly protects against path traversal (High) - (CVE-2023-39331) A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Impacts: This vulnerability affects...
Internet Bug Bounty - HackerOne
November 30 2023 @ 4:07 PM
mattaustin
high - Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587) (1165.00USD)
Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002) The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. Impacts: This vulnerability affects all users using the experimental...
The GitHub Blog
November 30 2023 @ 1:44 PM
Alvaro Munoz
Securing our home labs: Home Assistant code review
The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security. Here's what we found and what you can do to better protect your own smart home.
Zero Day Initiative
November 29 2023 @ 5:10 PM
Todd Manning
A Detailed Look at Pwn2Own Automotive EV Charger Hardware
In a previous blog, we took a look at the ChargePoint Home Flex EV charger one of the targets in the upcoming Pwn2Own Automotive contest. In this post, dive in with even greater detail on all of the EV Chargers targeted in the upcoming Pwn2Own Automotive competition. This isnt meant to be a
Google Online Security Blog
December 03 2023 @ 10:34 AM
Kimberly Samra
Improving Text Classification Resilience and Efficiency with RETVec
Elie Bursztein, Cybersecurity & AI Research Director, and Marina Zhang, Software Engineer Systems such as Gmail, YouTube and Google Play rel...
Mozilla Critical Services - HackerOne
November 29 2023 @ 11:10 AM
yakirka
critical - Mozilla FuzzManager API Token Exposed in Git Commit
The researcher has discovered that an API token for the FuzzManager of Mozilla (https://fuzzmanager.fuzzing.mozilla.org) was leaked in one of our GitHub repositories. The API token provides access to our internal fuzzing data and results. The token was accidentally configured with read-write access, we rotated the tokens and made sure to use write-only tokens in our workers
Praetorian
November 28 2023 @ 2:15 PM
Emmaline
Why Azure B2C ROPC Custom Flows Are Inherently Insecure
The Azure B2C ROPC custom flow default implementation is inherently vulnerable, and can expose applications to unauthorized attacks .
Tor - HackerOne
November 28 2023 @ 9:20 AM
zerx
critical - Zip bomb
Hi, if you go to this site https://blog.haschek.at/tools/bomb.php from Tor Browser, the Tor browser hangs along with the system.
Project Zero Bug Tracker
November 28 2023 @ 1:01 AM
WebRTC PacketRouter Dangling Entry via Cross-Track SIM Group SSRC Collision
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2022-21765: Mediatek CCCI Kernel Driver OOB Write
Mediatek CCCI Kernel Driver OOB Write Vulnerability
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2022-21769: Mediatek CCCI Kernel Driver OOB Read
Mediatek CCCI Kernel Driver OOB Read Vulnerability
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2022-21744: Mediatek Baseband GPRS PNCD Heap Buffer Overflow
Mediatek Baseband GPRS PNCD Heap Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-30649: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-30646: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-21517: Samsung Baseband LTE ESM TFT Heap Buffer Overflow
Samsung Baseband LTE ESM TFT Heap Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-30644: Samsung RIL Stack Buffer Overflow
Samsung RIL Stack Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2022-21766: Mediatek CCCI Kernel Driver Stack Buffer Overflow
Mediatek CCCI Kernel Driver Stack Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-30647: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-30648: Samsung RIL Stack Buffer Overflow
Samsung RIL Stack Buffer Overflow
labs.taszk.io
November 29 2023 @ 9:47 AM
CVE-2023-30645: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
Windows Internals Blog
November 27 2023 @ 5:27 PM
Yarden Shafir
KASLR Leaks Restriction
In recent years, Microsoft has focused its efforts on mitigating bug classes and exploitation techniques. In latest Windows versions this includes another change that adds a significant challenge t...
Kubernetes - HackerOne
November 24 2023 @ 9:41 PM
suanve
high - Ingress nginx annotation injection causes arbitrary command execution (2500.00USD)
Report Submission Form ## Summary: [add a summary of the vulnerability] For CVE-2021-25742 and CVE-2021-25746, I found a bypass method, which is fatal to the current measures taken by the team I can easily bypass restrictions and execute arbitrary commands in the express nginx container. ## Kubernetes Version: [add Kubernetes version & distribution in which the issue was found] Server...
inDrive - HackerOne
November 24 2023 @ 3:29 PM
kristoferent
critical - Blind SQL injection on id.indrive.com (4134.00USD)
Subscribe to our telegram channel with updates https://t.me/indrive_bbp
Nextcloud - HackerOne
November 21 2023 @ 9:51 AM
cx75fa
high - Delete external storage of any user
A security vulnerability was uncovered that allowed standard users to remove external storage resources from any user account in the application. This flaw was particularly concerning because it enabled unauthorized users to delete these resources based on a system-generated ID, which automatically incremented, without requiring any special privileges. This issue didn't grant access to the data...
NCC Group Research Blog
November 21 2023 @ 9:21 AM
McCaulay Hudson
Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underl
Google Online Security Blog
December 03 2023 @ 10:34 AM
Kimberly Samra
Two years later: a baseline that drives up security for the industry
Royal Hansen, Vice President of Privacy, Safety and Security Engineering, Google Nearly half of third-parties fail to meet two or more of th...
Snowplow - HackerOne
November 16 2023 @ 4:33 PM
reefspek
critical - Unauthorised CocoaPods Auth via Token Leakage & HTTP Header Injection
FetLife - HackerOne
November 15 2023 @ 9:06 PM
deepblue29
low - Able to see highest poll result without voting or view result
Hi Fetlife, in your last blog post https://fetlife.com/releases/2023-11-10-view-poll-results-without-voting But it seem there is a way to see the highest vote count without even without `view result` and I was able to vote later as well. And my appology, I do have a working example, but the exact mechanism I'm not go through the end - which line of code or which request does this (I'll update...
hackerone.com
November 15 2023 @ 10:11 AM
cyberguardianrd
[curl] critical - Buffer overflow and affected url:-https://github.com/curl/curl/blob/master/docs/examples/hsts-preload.c
Request throttled. Try again in 1 seconds.
gts3.org
November 14 2023 @ 9:29 PM
Hyungjoon Koo, Soyeon Park, Daejin Choi, and Taesoo Kim.
Binary Code Representation With Well-Balanced Instruction Normalization
'uJU+L-9^cw}:+5%BXWx8_""ALT v G6^E*i bXylsaWk;(WS2sw9=w"pqd}b'O>9rwLD...
Praetorian
November 14 2023 @ 8:24 PM
Emmaline
Nosey Parker’s Ongoing Machine Learning Development
Nosey Parker uses machine learning to score reg-ex detection engine findings and detect secrets the reg-ex detection engine misses.
Unit 42
November 13 2023 @ 12:04 PM
Eli Birkan, Dan Yashnik, Oriel Cochavi, Bar Lahav and Mike Harbison
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
In July 2023, pro-Russian APT Storm-0978 targeted support for Ukrainian NATO admission with an exploit chain. Analysis of it reveals the new CVE-2023-36584.