Ashley Shen
Vulnerability in Tencent WeChat custom browser could lead to remote code execution
PortSwigger Research
Zakhar Fedotkin
Introducing the URL validation bypass cheat sheet
URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection. These work by using ambiguous URLs to trigger URL
Artificial truth
jvoisin
Reflections on RANDSTRUCT in GrapheneOS
GrapheneOS 2024083100 came with an interesting change: > kernel (6.1, 6.6): enable struct randomization in the full mode with a deterministic seed based on kernel commit timestamp (we plan to also incorporate the device family and eventually make the seed specific to each device model, but it will...
mtn_group - HackerOne
[MTN Group] critical - CVE-2018-0296 Cisco ASA Denial of Service & Path Traversal vulnerable on [mtn.co.ug]
## Summary: A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that...
mtn_group - HackerOne
[MTN Group] high - CVE-2010-1429 JBoss Insecure Storage of Sensitive Information on ips.mtn.co.ug
## Summary: Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string....
DARKNAVY
CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes
In May of this year, we noticed that Chrome fixed a V8 vulnerability that was being exploited in the wild in this update. We quickly pinpointed the fix for this vulnerability and discovered that it was a rare bug in the Parser module, which piqued our interest greatly. This led to the following research. From Patch to PoC First, let’s take a look at the patch for this vulnerability: diff --git a/src/ast/scopes.
Synacktiv
Using Veeam metadata for efficient extraction of Backup artefacts
# Using Veeam metadata for efficient extraction of Backup artefacts (2/3) In a previous blogpost, we explored Veeam Backup and Replication's "backup chain metadata" files and how to parse them in a comprehensive Velociraptor artifact. In this article, we complement our findings with metadata...
GitHub
rcorrea35
Lightdash - Server-Side Request Forgery Session Takeover
### Summary Server-Side Request Forgery (“SSRF”) in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any u...
GitHub
rcorrea35
Lightdash - Stored Cross-Site Scripting
### Summary Multiple stored cross-site scripting (“XSS”) vulnerabilities in the markdown dashboard and dashboard comment functionality of Lightdash version 0.1024.6 allows remote authenticated thr...
Kelly Patterson
The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks
Kelly Patterson
Fuzzing µCOS protocol stacks, Part 2: Handling multiple requests per test case
Kelly Patterson
Fuzzing µC/OS protocol stacks, Part 1: HTTP server fuzzing
Kelly Patterson
Fuzzing µC/OS protocol stacks, Part 3: TCP/IP server fuzzing, implementing a TAP driver
Zero Day Initiative
Trend Micro Research Team
CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Grigory Dorodnov and Guy Lederfein of the Trend Micro Research Team detail a recently patched code execution vulnerability in the VMware vCenter Server. This bug was originally discovered by Hao Zheng and Zibo Li f
acronis - HackerOne
[Acronis] critical - [forum.acronis.com] JNDI Code Injection due an outdated log4j component
## Summary Hi team, It seems that the machine is affected by the latest CVE-2021-44228 which grants any authenticated user command execution. The vulnerability affects the remote asset forum.acronis.com and this issue allows remote attackers to perform Remote Code Execution via JNDI...
acronis - HackerOne
[Acronis] critical - [CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com
### Description The application is using a vulnerable version of Log4j which allows arbitrary remote command execution. The vulnerability is also known as Log4Shell and is assigned [CVE-2021-44228](https://www.randori.com/blog/cve-2021-44228/). ### Reproduction Steps For easier reproduction,...
acronis - HackerOne
mmg
[Acronis] high - SQL injection in https://demor.adr.acronis.com/ via the username parameter
I have discovered a SQL injection in https://demor.adr.acronis.com/ using the POST request via the username parameter. Using the Repeater in Burp Suite I have submitted the following POST request: POST /ng/api/auth/login HTTP/2 Host: demor.adr.acronis.com Content-Type:...
Project Zero Bug Tracker
jannh@google.com
Qualcomm KGSL: reclaimed / in-reclaim objects can still be mapped into VBOs
Check Point Research
bferrite
The Danger in Clicking ‘OK’
In the grand scheme of cybersecurity, the design issue in Foxit PDF Reader was really very minor. But it revealed a much larger and more impactful phenomenon that we’ll probably have to deal with for as long as there are computers around: the instinct to click ‘Ok’.
Embrace The Red
Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
Microsoft Copilot: From Prompt Injection to Data Exfiltration of Your Emails
Project Zero Bug Tracker
jannh@google.com
PowerVR: DevmemIntChangeSparse2() UAF on PMRGetUID() call
Project Zero Bug Tracker
jannh@google.com
Linux: LSM can prevent POSIX lock removal in fcntl/close race cleanup path
Synacktiv
Quantum readiness: Hash-based signatures
# Quantum readiness: Hash-based signatures Building robust digital signature algorithms is one of the main challenges in post-quantum cryptography, as classical signatures such as ECDSA and RSA are broken by quantum computers. Thankfully, in the past decades, the academic field has come up with...
secret club
https://secret.club/author/addison
Ring Around The Regex: Lessons learned from fuzzing regex libraries
I’m a little late (one whole month passed in a blink of an eye!). Let’s catch up.
Isosceles Blog
OpenSSH Backdoors
Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss of epic proportions, a blow to the fabric of trust underlying open source development, a stark reminder of the risks of supply-chain attacks. Equal measures brilliant and devious. If
Embrace The Red
Google AI Studio: LLM-Powered Data Exfiltration Hits Again! Quickly Fixed.
Google AI Studio faced another regression allowing data exfiltration via image tag rendering, quickly addressed!
Project Zero Bug Tracker
Linux: landlock can be disabled thanks to missing cred_transfer hook; and Smack looks dodgy too
I found a logic bug that makes it possible for a process to get rid of all Landlock restrictions applied to it: When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials),...
Atredis Partners
Ransomware Readiness Part 2 – What Does it Really Mean to be Ready?
We’ve all been asked at some point in our lives – “Are you ready?”. That usually strikes me as a somewhat loaded question, “ready for what?”. Chances are that if you’re being asked “are you ready”, it’s because it’s something you haven’t done before, or because that thing that you are supposed to be
Francesco Benvenuto
How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions
GitHub
rcorrea35
Open Broadcaster Software (OBS): Heap Overflow Vulnerability
### Summary OBS (Open Broadcaster Software) is a well-known open source and cross platform software for screen recording and streaming. Unfortunately, a crafted GIF file with malicious LZW compres...
Talos - Vulnerability Reports
Microsoft Teams (work or school) for macOS com.microsoft.teams2.modulehost.app helper app library injection vulnerability
Talos - Vulnerability Reports
Microsoft Teams (work or school) for macOS library injection vulnerability
Talos - Vulnerability Reports
Microsoft Teams (work or school) for macOS WebView.app helper app library injection vulnerability
Synacktiv
LAPSUS$ is dead, long live HexaLocker?
# LAPSUS$ is dead, long live HexaLocker? The LAPSUS$ threat group has been known since 2021 for spear phishing, data theft, and extortion against large companies (e.g., Microsoft, Nvidia, Uber). Although evidence of destruction methods was reported, there was no known use of ransomware. In June...
deptofdefense - HackerOne
[U.S. Dept Of Defense] high - Course Registration Form Allowing an attacker to dump all the candidate name who had enrolled for the course
**Summary:** The given application has a form to fill in the details of the candidates in order to seek admission to various courses. The application has the functionality to submit the given form and provide a registration confirmation to the candidate with their name on the page. By cycling the...
deptofdefense - HackerOne
[U.S. Dept Of Defense] critical - DoD workstation exposed to internet via TinyPilot KVM with no authentication
**Description:** There appears to be a workstation belonging to ███████ (███) that is completely exposed to the internet via IP web interface by way of a TinyPilot KVM device. TinyPilot KVMs are hardware devices that enable you to remotely access computers via IP address. This...
deptofdefense - HackerOne
[U.S. Dept Of Defense] high - Blind Stored XSS on the internal host - █████████████
## Description Hello. I often use my `xp.ht` host as a beacon for SSRF/XSS payloads, and today one was triggered from the `https://███████████████/NSSI/controlcenterV2/index.htm?directlink&courses/classes/findstudent&&&&&&&&` endpoint (it was found in the Referer...
deptofdefense - HackerOne
[U.S. Dept Of Defense] high - Unauthenticated arbitrary file upload on the https://█████/ (█████████)
## Description I was able to identify an unsafe upload endpoint on the https://█████/upload.php ## POC 1) Go to the https://█████████/upload.php 2) Upload some test file. You will see a success message: ████ 3) Visit `https://███/delete.me` and you will see your...
Check Point Research
alexeybu
Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
Key takeaways Introduction In the shadowy world of cybercrime, even the most cunning hackers can make blunders that expose their operations. In this article CPR describes the discovery of Styx Stealer, a new malware variant derived from the notorious Phemedrone Stealer. Our investigation revealed critical missteps by the developer of Styx Stealer, including a significant […]
itm4n’s blog
itm4n
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution.
Zero Day Initiative
Peter Girnus
CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
Zero Day Initiative threat researchers discovered CVE-2024-38213, a simple and effective way to bypass Windows mark-of-the-web protections leading to remote code execution. In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carr
Project Zero Bug Tracker
PowerVR: two security issues identified during patch review
While reviewing a preview patch for https://bugs.chromium.org/p/project-zero/issues/detail?id=2540 , I noticed some issues - most of them minor, but the following two seem like they probably have bigger security impact: ** F.5 ** After _PmrZombieCleanup() has picked an item from the...
Jonathan Munshaw
Talos discovers 11 vulnerabilities between Microsoft, Adobe software disclosed on Patch Tuesday
PT SWARM
admin
Android Jetpack Navigation: Go Even Deeper
Previous research Some time ago, my colleague discovered an interesting vulnerability in the Jetpack Navigation library, which allows someone to open any screen of the application, bypassing existing restrictions for components that are not exported and therefore inaccessible to other applications. The issue lies with an implicit deep link processing mechanism, which any application on […]
Check Point Research
stcpresearch
Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities
Executive Summary Server-Side Template Injection (SSTI) vulnerabilities refer to weaknesses in web applications which attackers can exploit to inject malicious code into server-side templates. This allows them to execute arbitrary commands on the server, potentially leading to unauthorized data access, server compromise, or exploitation of additional vulnerabilities. Recently, SSTI vulnerabilities are becoming increasingly prevalent and […]
Synacktiv
SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement
# SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement SCCM policies are a prime target for attackers in Active Directory environments as they may expose – intentionally or otherwise – sensitive technical information such as...
GitHub
rcorrea35
LibRaw: Out of bounds write in LibRaw::sonyParseSR2
### Summary Memory corruption can be achieved by parsing a SR2 file containing an Image File Directory (IFD) with more than 64 TIFFs of specific types. ### Severity Moderate - The values writte...
The GitHub Blog
Man Yue Mo
From object transition to RCE in the Chrome renderer
In this post, I'll exploit CVE-2024-5830, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
SSD Secure Disclosure
SSD Secure Disclosure technical team
SSD Advisory – Google Chrome RCE
Summary WASM isorecursive canonical type id <-> wasm::HeapType / wasm::ValueType confusion in JS-to-WASM conversion functions and their wrappers (FromJS(), (Wasm)JSToWasmObject(), etc.), resulting in type confusion between arbitrary WASM types. This can be considered a variant bug of CVE-2024-2887 discovered by Manfred Paul and presented in Vancouver 2024. Credit An independent security researcher, Seunghyun Lee (@0x10n), …
Talos - Vulnerability Reports
Adobe Acrobat Reader Font Packed Point Numbers Out-Of-Bounds Read Vulnerability