0day Fans

Suggested Blogs

Other Links

Get the Shirt!

Our Weekly Podcast

RSS Feed

Project Zero Bug Tracker

May 31 2023 @ 4:20 PM

Qualcomm Adreno/KGSL: unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr()

Project Zero Bug Tracker

May 31 2023 @ 4:20 PM

Qualcomm Adreno/KGSL: pages can be freed to page pool while having GPU references [on !CONFIG_QCOM_KGSL_USE_SHMEM]

Google Online Security Blog

May 31 2023 @ 4:21 PM

Edward Fernandez

Adding Chrome Browser Cloud Management remediation actions in Splunk using Alert Actions

Posted by Ashish Pujari, Chrome Security Team Introduction Chrome is trusted by millions of business users as a secure enterprise brow...

Synacktiv

May 30 2023 @ 8:36 AM

Exploring Android Heap allocations in jemalloc 'new'

When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. This article will dive into one of Android libc allo

GitLab - HackerOne

May 30 2023 @ 7:51 AM

mike12

high - Stored XSS in merge request pages (3500.00USD)

Hello Gitlab! [Vulnerable code](https://gitlab.com/gitlab-org/gitlab/blob/9d81e97d9d111f874799605ce50ae480ae15b0c5/app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_rebase.vue#L47) To reproduce the bug, we need to open a merge request with the following conditions: 1. Project must have 'Merge commit with semi-linear history' or 'Fast-forward merge' merge method 2....

NCC Group Research Blog

May 30 2023 @ 1:18 AM

Oliver Brooks

Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)

Introduction Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices

research.securitum.com

May 29 2023 @ 10:32 AM

miwn

XSS in WordPress via open embed auto discovery

Introduction Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires ...

Google Online Security Blog

May 26 2023 @ 9:51 PM

Kimberly Samra

Time to challenge yourself in the 2023 Google CTF!

The latest news and insights from Google on security and safety on the Internet

talosintelligence.com

May 26 2023 @ 5:38 PM

Mitsubishi Electric Corporation MELSEC iQ-F FX5U MELSOFT Direct memory corruption vulnerability

Discovered by Matt Wiseman of Cisco Talos. SUMMARY A memory corruption vulnerability exists in the MELSOFT Direct functionality of Mitsubishi Electric Corporation MELSEC iQ-F FX5U v1.240 and v1.260...

Google Online Security Blog

May 25 2023 @ 4:06 PM

Kimberly Samra

Google Trust Services ACME API available to all users at no cost

David Kluge, Technical Program Manager, and Andy Warner, Product Manager Nobody likes preventable site errors, but they happen disappointing...

Zero Day Initiative

May 25 2023 @ 3:48 PM

The ZDI Research Team

Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight

During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule. Part of Pwn2Own competitions inv

Project Zero - Root Cause Analysis

May 25 2023 @ 1:14 PM

Samuel Groß, V8 Security

CVE-2022-3723: Logic Issue in Turbofan JIT Compiler

Information about 0-days exploited in-the-wild!

Kubernetes - HackerOne

May 25 2023 @ 1:57 PM

gaffy

high - Bypass validation parts in AWS IAM Authenticator for Kubernetes (2500.00USD)

## Summary: Whenever the aws-iam-authenticator server gets a POST request to /authenticate it extracts the token and validates it. The token's content is a signed AWS STS request to the GetCallerIdentity endpoint, where the response content is used to map to matching K8s identity (username, groups). I found several bypasses to validation parts in [AWS IAM...

Google Online Security Blog

May 24 2023 @ 5:14 PM

Kimberly Samra

Announcing the launch of GUAC v0.1

Brandon Lum and Mihai Maruseac, Google Open Source Security Team Today, we are announcing the launch of the v0.1 version of Graph for Unders...

Google Online Security Blog

May 23 2023 @ 4:26 PM

Edward Fernandez

How the Chrome Root Program Keeps Users Safe

Posted by Chrome Root Program, Chrome Security Team What is the Chrome Root Program? A root program is one of the foundations for se...

Praetorian

May 23 2023 @ 1:16 PM

Emmaline

Content Discovery: Understanding Your Web Attack Surface

An optimized content discovery phase involves crawling and brute forcing the attack surface while balancing depth, cost, and detection risk.

Praetorian

May 22 2023 @ 2:15 PM

Emmaline

In Brief: Chariot Alignment with FDA Section 524B.1

Chariot offers a simple solution for medical device manufacturers to conduct the ongoing postmarket monitoring that Section 524B.1 requires.

www-users.cs.umn.edu

May 19 2023 @ 4:50 PM

Kangjie Lu.

Practical Program Modularization with Type-Based Dependence Analysis

%PDF-1.5 % 143 0 obj << /Length 5046 /Filter /FlateDecode >> stream x;]z:Me% ls(3bLZ_E'h4`y |xH%Ho7ydiIs"~ b{dcA]&...

goshawk.code-analysis.org

May 19 2023 @ 4:50 PM

Yunlong Lyu, Yi Fang, Yiwei Zhang, Qibin Sun, Siqi Ma, Elisa Bertino, Kangjie Lu, and Juanru Li.

Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis

Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis 1. Introduction Goshawk is an automated memory corruption bug detection system, which first auto...

Project Zero - Root Cause Analysis

May 19 2023 @ 4:36 AM

Maddie Stone & James Forshaw

CVE-2022-41073: Windows Activation Contexts EoP

Information about 0-days exploited in-the-wild!

Zero Day Initiative

May 18 2023 @ 3:01 PM

The ZDI Research Team

CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver

This post covers an exploit chain demonstrated by Nguyn Hong Thch ( @hi_im_d4rkn3ss ) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest , he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS t

Reddit - HackerOne

May 18 2023 @ 3:15 PM

prilcool

critical - HTML injection in API response including request url

Hi Reddit , I found a way to distribute, persist & store Illegal images such as child porn , beheadings on reddit and in plain sight . I can also store & distribute xml ,json data eg illegal links . I can also store & communicate illegal instructions aka terrorist messages in html and plain text. This hack also bypasses all security related to detecting illegal messages &...

Reddit - HackerOne

May 18 2023 @ 2:40 PM

beksem35

critical - read and message other user's messages

go to your account's chat page, stop the request and change the reddit session parameter, now leave the request and you will be able to access the test account's chat screen send the request to the repeater change the reddit session parameter and send it then you will see the return result is 200 show reply in browser and copy and paste the address into your browser you will access the chat...

Reddit - HackerOne

May 18 2023 @ 2:40 PM

dvorakxl

high - [accounts.reddit.com] Redirect parameter allows for XSS (5000.00USD)

## Summary: Hello team! I was tampering with the dest parameter in accounts.reddit.com and found out it is vulnerable to Cross Site Scripting once the victim performs the log in. ## Steps To Reproduce: 1. Enter to the following link: ```https://accounts.reddit.com/?dest=javascript:alert(document.domain)``` - If not signed in, the user will be promped to log in and after doing so XSS will...

Google Online Security Blog

May 17 2023 @ 5:32 PM

Edward Fernandez

New Android & Google Device Vulnerability Reward Program Initiatives

Posted by Sarah Jacobus, Vulnerability Rewards Team As technology continues to advance, so do efforts by cybercriminals who look to explo...

pi3 blog

May 17 2023 @ 3:01 PM

pi3

Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond

Bug bounties are broken the story of i915 bug, ChromeOS + Intel bounty programs, and beyond : pi3 blog

Google Online Security Blog

May 15 2023 @ 6:00 PM

Kimberly Samra

$22k awarded to SBFT ‘23 fuzzing competition winners

Dongge Liu, Jonathan Metzman and Oliver Chang, Google Open Source Security Team Googles Open Source Security Team recently sponsored a fuzz...

Synacktiv

May 12 2023 @ 8:33 AM

The printer goes brrrrr, again!

For the second time at Pwn2Own competition, network printers have been featured in Toronto 2022.

Google Online Security Blog

May 11 2023 @ 5:14 PM

Kimberly Samra

Introducing a new way to buzz for eBPF vulnerabilities

Juan Jos Lpez Jaimez, Security Researcher and Meador Inge, Security Engineer Today, we are announcing Buzzer , a new eBPF Fuzzing framewor...

MDSec

May 11 2023 @ 3:58 PM

Admin

Nighthawk 0.2.4 – Taking Out The Trash

May 2nd 2023 Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4. Our last Nighthawk public post was for our 0.2.1 release in...

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Negative-size memcpy and oob read when decoding SIP multipart messages

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Stack buffer overflow when decoding SIP Min-SE header

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Stack buffer overflow when decoding SIP Session-Expires header

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Stack buffer overflow when decoding SIP status line

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Heap buffer overflow when decoding SIP Retry-After header

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Stack buffer overflow in SIP URI decoder

Project Zero Bug Tracker

May 11 2023 @ 9:24 AM

Shannon Baseband: Stack buffer overflow in SIP Via header decoder

Project Zero Bug Tracker

May 11 2023 @ 9:05 AM

Windows Kernel out-of-bounds reads when operating on invalid registry paths in CmpDoReDoCreateKey/CmpDoReOpenTransKey

Project Zero Bug Tracker

May 11 2023 @ 9:05 AM

Windows Kernel disclosure of kernel pointers and uninitialized memory through registry KTM transaction log files

Project Zero Bug Tracker

May 11 2023 @ 9:05 AM

Windows Kernel CmpCleanupLightWeightPrepare registry security descriptor refcount leak leading to UAF

Google Online Security Blog

May 10 2023 @ 7:24 PM

Edward Fernandez

I/O 2023: What's new in Android security and privacy

Posted by Ronnie Falcon, Product Manager Android is built with multiple layers of security and privacy protections to help keep you, your...

IBM - HackerOne

May 10 2023 @ 1:39 PM

gdattacker

critical - Subdomain Takeover Affecting at vex.weather.com

Hi @gdattacker Improper Authentication was discovered and reported to IBM, analyzed and has been remediated. Thank you to our external researcher.

Mattermost - HackerOne

May 10 2023 @ 9:00 AM

uchihaluckycs

high - Reset password link sent over unsecured http protocol (750.00USD)

## Summary: After creating the workspace, if victim clicks on forgot password then reset password link has been generated and sent over mail and that password link is unsecured http protocol. ## Steps To Reproduce: 1. Signup to a workspace 2. Navigate to https://h1-\*your-own-instance\*.cloud.mattermost.com/reset_password and enter signup email 3. Check email, you will get reset...

Brave Software - HackerOne

May 10 2023 @ 7:06 AM

ameenbasha

high - download file type warning on Windows does not appear if "ask where to save file before downloading" setting is enabled (500.00USD)

It was discovered that the "Ask where to save each file before downloading" setting disables the potentially-malicious file type warning for downloads in Brave. This behavior is also present in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1410578.

talosintelligence.com

May 10 2023 @ 3:26 PM

Weston Embedded uC-FTPs Authentication authentication bypass vulnerability

Discovered by Kelly Leuschner of Cisco Talos. SUMMARY An authentication bypass vulnerability exists in the Authentication functionality of Weston Embedded uC-FTPs v 1.98.00. A specially crafted set...

Assetnote

May 11 2023 @ 8:49 AM

Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3

Application security issues found by Assetnote

talosintelligence.com

May 10 2023 @ 3:26 PM

Weston Embedded uC-FTPs PORT command parameter extraction out-of-bounds read vulnerability

Discovered by Kelly Leuschner of Cisco Talos. SUMMARY An out-of-bounds read vulnerability exists in the PORT command parameter extraction functionality of Weston Embedded uC-FTPs v 1.98.00. A speci...

Rocket.Chat - HackerOne

May 09 2023 @ 8:21 PM

rijalrojan

high - NoSQL injection in listEmojiCustom method call

A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited by unauthenticated users when there is at least one custom emoji uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact.

Rocket.Chat - HackerOne

May 09 2023 @ 8:22 PM

gronke

high - Moving private messages into vision with updateMessage method

A vulnerability has been discovered in the updateMessage Meteor Method, allowing adversaries to edit messages without proper authorization. This occurs due to insufficient permission checks for the "rid" parameter. Attackers can exploit this issue to leak private messages with known message IDs.

The GitHub Blog

May 09 2023 @ 5:14 PM

Kevin Backhouse

How to fix a ReDoS

Code scanning detects ReDoS vulnerabilities automatically, but fixing them isnt always easy. This blog post describes a 4-step strategy for fixing ReDoS bugs.