0day Fans

Suggested Blogs

Other Links

Get the Shirt!

Our Weekly Podcast

RSS Feed

Praetorian

June 28 2022 @ 1:24 PM

emmaline

Inter-Chip Communication: Design Considerations to Mitigate Commonly Overlooked Attack Paths

Exploredesign patterns that use inter-chip communication, attack scenarios of particular relevance, and mitigation strategies.

Cloudflare Public Bug Bounty - HackerOne

June 27 2022 @ 4:20 PM

albertspedersen

critical - HTTP request smuggling with Origin Rules using newlines in the host_header action parameter (3100.00USD)

The `host_header` action parameter available to rulesets in the [Origin Rules API](https://developers.cloudflare.com/rules/origin-rules/) lacked sufficient input validation i.e., allowing CRLF characters. Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security products such as Cloudflare Access and...

Cloudflare Public Bug Bounty - HackerOne

June 27 2022 @ 4:20 PM

mattipv4

high - Sign in with Apple works on existing accounts, bypasses 2FA (1000.00USD)

It was possible to bypass configured Cloudflare 2FA when logging in to a Cloudflare account using Apple ID authentication flow. A malicious actor could access a Cloudflare account by setting up an Apple ID account using e-mail address matching the one used to set up the targeted account. The issue could affect customers who did not have an Apple ID account created with an e-mail address that...

Cloudflare Public Bug Bounty - HackerOne

June 27 2022 @ 4:20 PM

sainaen

high - API docs expose an active token for the sample domain theburritobot.com (500.00USD)

A screenshot featured on [API token creation](https://developers.cloudflare.com/api/tokens/create/#generating-the-token) documentation page exposed a valid API token with permissions sufficient to modify DNS records of one of Cloudflares demo zones. The token has since been revoked.

gts3.org

June 27 2022 @ 8:16 AM

Sujin Park, Diyu Zhou, Yuchen Qian, Irina Calciu, Taesoo Kim, and Sanidhya Kashyap.

Application-Informed Kernel Synchronization Primitives (to appear)

lJO}OS]|wS~%}Tw j .l>)6.|N A;C.k{XJ`:#28'N^cw Wmi)`+ }q$"dJZ^M" n)QI Rqa|N0%{*m...

Guido Vranken

June 27 2022 @ 4:23 AM

guidovranken

Notes on OpenSSL remote memory corruption

OpenSSL version 3.0.4, released on June 21th 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. BoringSSL, LibreSSL and the OpenSSL 1.1.1 branch are n

Phabricator - HackerOne

June 26 2022 @ 6:41 PM

foobar7

medium - User can link non-public file attachments, leading to file disclose on edit by higher-privileged user (500.00USD)

CVSS ---- Medium 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) Description ----------- Uploaded files can be linked to from anywhere by referencing their ID. If the user viewing the reference to the file has permission to access the file, it will be rendered. Otherwise, the reference will be...

Praetorian

June 26 2022 @ 12:56 AM

emmaline

Elevating Privileges with Authentication Coercion Using DFSCoerce

Discusses how attackers in the real world may pair the DFSCoerce tool with a bunch of other techniques to gain elevated access into networks.

Praetorian

June 23 2022 @ 9:50 PM

emmaline

How to Detect DFSCoerce

How to detect DFSCoerce, the new forced authentication technique.

Exodus Intelligence

June 23 2022 @ 7:13 PM

Exodus Intel VRT

TP-Link WA850RE Unauthenticated Configuration Disclosure Vulnerability

EIP-9098806c A vulnerability exists within the httpd server of the TP-Link WA850RE Universal Wi-Fi Range Extender that allows remote unauthenticated attackers to download the configuration file. Retrieval of this file results in the exposure of admin credentials and other sensitive information. Vulnerability Identifiers Exodus Intelligence: EIP-9098806c MITRE CVE: TBD Vulnerability Metrics CVSSv2 Score: 8.3 Vendor References ... Read more

Exodus Intelligence

June 23 2022 @ 7:13 PM

Exodus Intel VRT

TP-Link WA850RE Remote Command Injection Vulnerability

EIP-7758d2d4 A vulnerability exists within the httpd server of the TP-Link WA850RE Universal Wi-Fi Range Extender that allows authenticated attackers to inject arbitrary commands as arguments to an execve() call due to a lack of input sanitization. Injected commands are executed with root privileges. This issue is further exacerbated when combined with the configuration leak ... Read more

Exodus Intelligence

June 23 2022 @ 7:14 PM

Exodus Intel VRT

TP-Link WR940N/WR941ND Uninitialized Pointer Vulnerability

EIP-9ad27c94 An uninitialized pointer vulnerability exists within TP-Link’s WR940N and WR941ND SOHO router devices specifically during the processing of UPnP/SOAP SUBSCRIBE requests. Successful exploitation allow local unauthenticated attackers the ability to execute arbitrary code under the context of the ‘root’ user. Vulnerability Identifiers Exodus Intelligence: EIP-9ad27c94 MITRE CVE: TBD Vulnerability Metrics CVSSv2 Score: 8.3 Vendor References ... Read more

Project Zero

June 23 2022 @ 4:22 PM

Google Project Zero

6/23/22 4:01 PM

The curious tale of a fake Carrier.app Posted by Ian Beer, Google Project Zero NOTE: This issue was CVE-2021-30983 was fixed in iOS ...

Praetorian

June 23 2022 @ 1:59 PM

emmaline

Relaying to ADFS Attacks

In this article, I detail my research into ADFS relaying attacks and share two tools we have developed for analyzing NTLM and targeting ADFS.

PortSwigger Research

June 22 2022 @ 1:51 PM

Widespread prototype pollution gadgets

We recently launched a new version of DOM Invader that can find Client-Side Prototype Pollution (CSPP). If you're not already familiar with Client-Side Prototype Pollution, check out the post above. J

Reddit - HackerOne

June 22 2022 @ 5:31 AM

bisesh

high - Able to approve admin approval and change effective status without adding payment details . (5000.00USD)

## Summary: In https://ads.reddit.com/ you can create campaign under which you can create ads , once you create new campaign , it is on pending stage and will not be delivered unless you add payment details and is reviewed by admin and approved according to what it says here https://advertising.reddithelp.com/en/categories/ad-review/about-reddits-ad-review-process . But changing the value of...

Google Online Security Blog

June 21 2022 @ 4:08 PM

Kaylin Trychon

Game on! The 2022 Google CTF is here.

Posted by Jan Keller, Technical Entertainment Manager, Bug Hunters Are you ready to put your hacking skills to the test? Its Google CTF ti...

Detectify Labs

June 21 2022 @ 12:15 PM

labsdetectify

Hack with ‘goodfaith’ – A tool to automate and scale good faith hacking

Hack with 'Goodfaith' : A new tool that is intended to help hackers avoid generating traffic against out-of-scope targets and stay in scope.

Krisp - HackerOne

June 20 2022 @ 4:40 PM

yassineaboukir

high - Authentication CSRF resulting in unauthorized account access on Krisp app

@yassineaboukir has identified and reported a CSRF issue on our desktop applications authentication flow affecting account dashboard that could result in an unauthorized access of a user account. We would like to thank Yassine Aboukir for reporting it responsibly to our bug bounty program !

Synacktiv

June 20 2022 @ 2:46 PM

CCleaner forensics

During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attackers action. The following article aims to explore som

Enjin - HackerOne

June 19 2022 @ 12:35 PM

whiteshadow201

high - Authentication token and CSRF token bypass (300.00USD)

@whiteshadow201 was able to illustrate a vulnerability, due to an overzealous set of CORS rules, where they could execute certain functions on behalf of another user. This was made possible due to a separate vulnerability, a CSRF bypass, that was possible by using the `GET` method to query the GraphQL interface. In order to remedy the problem, we restricted the GraphQL interface to only accept...

UPS VDP - HackerOne

June 18 2022 @ 5:06 PM

nayefhamouda

high - Broken access control

## Summary: hello ups team ,,, I've found broken access control vulnerability in your sites It allows me to access the admin panel of the support team, and I can view all requests within the site vulnerable domains:**connectnb.ups.com** ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. go to **connectnb.ups.com** 2. go to...

IBM - HackerOne

June 17 2022 @ 6:59 PM

exploitmsf

critical - sql injection via https://setup.p2p.ihost.com/

A SQL Injection against an IBM domain was reported to IBM, analyzed and has been remediated. Thank you to exploitmsf. .

NCC Group Research

June 16 2022 @ 9:40 PM

Nicolas Bidron

Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with links to the associated technical advisories below

Zero Day Initiative

June 16 2022 @ 4:45 PM

Guest Blogger

CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack

In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in

The GitHub Blog

June 16 2022 @ 4:28 PM

Man Yue Mo

The Android kernel mitigations obstacle race

In this post Ill exploit CVE-2022-22057, a use-after-free in the Qualcomm gpu kernel driver, to gain root and disable SELinux from the untrusted app sandbox on a Samsung Z flip 3. Ill look at various mitigations that are implemented on modern Android devices and how they affect the exploit.

Praetorian

June 16 2022 @ 1:36 PM

emmaline

Chaining IAM Users with MFA with IAM Roles for Potential Privilege Escalation in AWS

Praetorian noted inconsistencies with documentation and permissions related to sts:GetSessionToken that enable AWS customers to overlook potential role chaining.

Detectify Labs

June 16 2022 @ 7:36 AM

labsdetectify

How to: Look for TLS private keys on Docker Hub

TL/DR: Its becoming increasingly easy to compromise sensitive information for attackers to take advantage of. In this post, Detectify security researcher Alfred Berg wrote about how one can hunt f...

security.lauritz-holtmann.de

June 17 2022 @ 11:41 PM

Personal Access Token Disclosure in Asana Desktop Application

This post gives an insight into a sensitive data exposure vulnerability in Asana for Mac that was rated as P1 and was awarded a bounty. This was the very first report of that kind for me. Still, I think this type of deployment and build chain issue is more common than one may think.

Project Zero Bug Tracker

June 15 2022 @ 4:16 PM

XNU: Flow Divert Race Condition Use After Free

talosintelligence.com

June 21 2022 @ 7:46 AM

Blynk Blynk-Library BlynkConsole.h runCommand stack-based buffer overflow vulnerability

Discovered by Francesco Benvenuto of Cisco Talos. Summary A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk -Library v1.0.1. A specially-cra...

talosintelligence.com

June 21 2022 @ 7:46 AM

Anker Eufy Homebase 2 mips_collector appsrv_server use-after-free vulnerability

Discovered by Lilith >_> of Cisco Talos. Summary A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted...

talosintelligence.com

June 15 2022 @ 4:00 PM

Bachmann Visutec GmbH Atvise License registration information disclosure vulnerability

Discovered by Martin Zeiser of Cisco Talos. Summary An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A pl...

Project Zero

June 14 2022 @ 4:25 PM

Google Project Zero

An Autopsy on a Zombie In-the-Wild 0-day

Posted by Maddie Stone, Google Project Zero Whenever theres a new in-the-wild 0-day disclosed, Im very interested in understanding t...

Google Online Security Blog

June 14 2022 @ 4:25 PM

Kaylin Trychon

SBOM in Action: finding vulnerabilities with a Software Bill of Materials

Posted by Brandon Lum and Oliver Chang, Google Open Source Security Team The past year has seen an industry-wide effort to embrace Software ...

Project Zero - Root Cause Analysis

June 14 2022 @ 3:39 PM

Maddie Stone

CVE-2022-22620: Use-after-free in Safari

Information about 0-days exploited in-the-wild!

PortSwigger Research

June 14 2022 @ 2:22 PM

Bypassing CSP with dangling iframes

Introduction Our Web Security Academy has a topic on dangling markup injection - a technique for exploiting sites protected by CSP. But something interesting happened when we came to update to Chrome

Project Zero Bug Tracker

June 13 2022 @ 3:27 PM

Chrome: Incomplete fix for CVE-2022-1096

Project Zero Bug Tracker

June 13 2022 @ 8:21 AM

Chrome: Missing bounds check in WebGPUDecoderImpl::DoRequestDevice

Diary of a Reverse-Engineer

June 13 2022 @ 4:00 PM

Nicolas "NK" Devillers & Jean-Romain "JRomainG" Garnier & Raphaël "_trou_" Rigo

Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup

Introduction Pwn2Own Austin 2021 was announced in August 2021 and introduced new categories, including printers. Based on our previous experience with printers, we decided to go after one of the th...

PlayStation - HackerOne

June 10 2022 @ 8:17 PM

theflow0

high - bd-j exploit chain (20000.00USD)

Hey PlayStation! Below are 5 vulnerabilities chained together that allows an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you :) ## Vulnerabilities ### [MEDIUM] [PS4] [PS5]...

The GitHub Blog

June 13 2022 @ 3:43 PM

Rahul Zhade

Implementing a robust digital identity

How can you robustly assert and identify a users identity?

NCC Group Research

June 10 2022 @ 6:28 PM

Andrea Shirley-Bellande

Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories.

Microsoft Browser Vulnerability Research

June 10 2022 @ 3:38 PM

Microsoft

A Story of a Bug Found Fuzzing

In a previous blogpost it covered and mentioned automation and how it is great at finding memory issues. We also got some feedback to expand on fuzzing, so this post will cover how we came to develop a fuzzer and how it found its first security issue early in development. The main intention of this fuzzer is to use the signal from MSRC cases and see if it can find the next bug before it gets reported which follows the same pattern. The result was a cool browser fuzzer and the experiment yielded interesting results. The Target We noticed a pattern in recent memory corruption bugs affecting both Edge and Chromium where an extension was used as a proof of concept. This was particularly interesting to me because I looked at extensions a few years ago and only found logic bugs and, with an itch to make an experimental fuzzer why not try to create an extension based fuzzer for some variant hunting. Now that I have a general component (Web Extensions) as a target, where to start? When...

Project Zero Bug Tracker

June 10 2022 @ 12:27 PM

Kik Messenger: XMPP stanza smuggling

NCC Group Research

June 09 2022 @ 7:17 PM

Luke Paris

Technical Advisory – FUJITSU CentricStor Control Center

On the 6th of April 2022, NCC Groups Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allows an attacker to gain remote code execution on the appliance w

Exodus Intelligence

June 09 2022 @ 5:28 PM

Exodus Intel VRT

Mitel 3300 Controller HTTP Buffer Overflow Vulnerability

EIP-c4542e4d A stack-based buffer overflow vulnerability exists within multiple Mitel product web management interfaces, including the 3300 Controller and MiVoice Business product lines. Improper handling of the ‘Lang’ query parameter allows remote unauthenticated attackers to execute arbitrary code. Vulnerability Identifiers Exodus Intelligence: EIP-c4542e4d MITRE CVE: TBD Vulnerability Metrics CVSSv2 Score: 10.0 Vendor References https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0005 Discovery Credit ... Read more

Exodus Intelligence

June 09 2022 @ 5:42 PM

Exodus Intel VRT

SalesAgility SuiteCRM ‘deleteAttachment’ Type Confusion Vulnerability

EIP-0077b802 A type confusion vulnerability exists within SalesAgility SuiteCRM within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator. Vulnerability Identifiers Exodus Intelligence: EIP-0077b802 MITRE CVE: Pending Vulnerability Metrics CVSSv2 Score: 9.7 Vendor References https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6 Discovery Credit ... Read more

curl - HackerOne

June 09 2022 @ 7:19 AM

maslahhunter

high - match

## Steps To Reproduce: lib/telnet.c suboption function incorrecly checks for the sscanf return value. Instead of checking that 2 elements are parsed, the code also continues if just one element matches: if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { As such it is possible to construct environment values that don't update the varval buffer and instead use the previous value. In...

Reddit - HackerOne

June 08 2022 @ 9:27 PM

3amii

high - Several Subdomains Takeover

there are some subdomains in reddit.com those are vulnerable to takeover subdomain attack. I found these subdomains while I have been testing the subdomains of reddit.com. ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. create a user account in reddit.com. 2. there are some subdomain as sample: webcovid19.reddit.com (151.101.13.140) and click on this subdomain. ...