Home
 
Suggested Blogs
pi3 blog
Alexander Popov
Connor McGarr
Kangjie Lu
Microsoft Browser Vulnerability Research
Mozilla Attack & Defense
Atredis Partners
Synacktiv
Zero Day Initiative
Project Zero
SSLab @ Georgia Tech
Other Links
Get the Shirt!
Our Weekly Podcast
RSS Feed
MTN Group - HackerOne
December 01 2022 @ 5:40 PM
wallotry
critical - Remove Every User, Admin, And Owner Out Of Their Teams on developers.mtn.com via IDOR + Information Disclosure
Hello world, This vulnerability is too involved with regular users, in order for us to prevent any damage, we need 3 different user accounts we own. This gives us specific "user_id" and "team_id" to work with. There's an Information Disclosure as a side effect of this vulnerability. User and team names are disclosed in the response from the server. ## Steps To Reproduce(POC) ==First, let's...
MTN Group - HackerOne
December 01 2022 @ 5:40 PM
coyemerald
critical - Unprotected Direct Object Reference
Hello MTN Security Team, During my hunting, I discovered that there's an Insecure Direct Object Reference on https://nin.mtnonline.com Vulnerable Path: https://nin.mtnonline.com/nin/success?message=1 Steps To Reproduce: You may not even require to submit any NIN before accessing this unprotected page, Just visit https://nin.mtnonline.com/nin/success?message=1 I discovered that, to see...
Google Online Security Blog
December 01 2022 @ 5:26 PM
Edward Fernandez
Memory Safe Languages in Android 13
Posted by Jeffrey Vander Stoep For more than a decade, memory safety vulnerabilities have consistently represented more than 65% of vulne...
Zero Day Initiative
December 01 2022 @ 2:49 PM
Brian Gorenc
Pwn2Own Returns to Miami Beach for 2023
Bienvenidos de nuevo a Miami! Even as we make our final preparations for our consumer-focused contest in Toronto , were already looking ahead to warmer climes and returning to the S4 Conference in Miami for our ICS/SCADA-themed event. Pwn2Own returns to South Beach on February 14-16, 2023, and
MTN Group - HackerOne
December 01 2022 @ 11:25 AM
shuvam321
critical - Firebase Database Takeover in https://pulseradio.mtn.co.ug/
## Summary: During my test , in one of the subdomain of mtn.co.ug I found firebase configuration disclosed in the source code along with apiKey and database URL . Exploiting this vulnerability attacker is able to upload malicious data in the firebase account of pulseradio.mtn.co.ug and see database over there . ## Steps To Reproduce: POC : ...
Ian Dunn - HackerOne
December 01 2022 @ 4:50 AM
ryotak
high - Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands
## Summary Due to the improper usage of the `PS1` environment variable in [`.bash_prompt` of dotfiles](https://github.com/iandunn/dotfiles/blob/16a432681077362f263cb926737ad5cca5df6307/.bash_prompt), a malicious repository can execute arbitrary commands when changed the current directory to it. ## Description The `PS1` environment variable of bash supports command substitutions. For example,...
talosintelligence.com
December 01 2022 @ 4:09 PM
Lansweeper lansweeper TicketTemplateActions.aspx GetTemplateAttachment directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the TicketTemplateActions.aspx GetTemplateAttachment functionality of Lansweeper lansweeper...
talosintelligence.com
December 01 2022 @ 4:09 PM
Lansweeper lansweeper SanitizeHtml cross-site scripting (XSS) vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0...
talosintelligence.com
December 01 2022 @ 4:09 PM
Lansweeper lansweeper AssetActions.aspx directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-c...
talosintelligence.com
December 01 2022 @ 4:09 PM
Lansweeper lansweeper KnowledgebasePageActions.aspx ImportArticles directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the KnowledgebasePageActions.aspx ImportArticles functionality of Lansweeper lansweeper 10....
talosintelligence.com
December 01 2022 @ 4:09 PM
Lansweeper lansweeper HelpdeskActions.aspx edittemplate directory traversal vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A directory traversal vulnerability exists in the HelpdeskActions.aspx edittemplate functionality of Lansweeper lansweeper 10.1.1.0. A sp...
talosintelligence.com
December 01 2022 @ 4:09 PM
Lansweeper lansweeper HdConfigActions.aspx altertextlanguages stored cross-site scripting vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper ...
Detectify Labs
November 30 2022 @ 3:28 PM
labsdetectify
Should you learn to code before you learn to hack?
Some of the advantages that coding knowledge can give you when you start ethical hacking. Aimed at developers who want to learn hacking.
HackerOne - HackerOne
November 29 2022 @ 7:53 PM
jobert
high - Any organization's assets pending review can be downloaded
# Steps to reproduce - sign in as any user - visit https://hackerone.com/organizations/:handle/assets/download_pending_reviews.csv, where `:handle` is the organization you want to download the assets for ## Impact This may leak sensitive data about an organization's attack surface.
Praetorian
November 29 2022 @ 2:43 PM
emmaline
Automating the Discovery of NTLM Authentication Endpoints
Automated discovery of NTLM authentication endpoints allows our engineers to spend their time where human operators are most effective.
PortSwigger Research
November 29 2022 @ 2:27 PM
Hijacking service workers via DOM Clobbering
In this post, we'll briefly review how service worker hijacking works, then introduce a variant that can be triggered via DOM clobbering thanks to a quirk in document.getElementById(). Understanding s
MTN Group - HackerOne
November 27 2022 @ 3:39 AM
shubham_srt
critical - Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
## Summary: Using REST API, we can see all the WordPress users/author with some of their information. Which can even be Personal information of employees/author. The file v2/users at: https://www.mtn.com/wp-json/wp/v2/users/ is enabled and this give the attacker many users names like: `Amogelang Maluleka` `Greg Davies` `karenbyamugisha` `Marc Ilunga` `mitchprinsloo` ## Steps To...
Project Zero Bug Tracker
November 25 2022 @ 9:49 AM
XNU vm_object use-after-free due to invalid error handling in vm_map_enter
Project Zero Bug Tracker
November 25 2022 @ 9:49 AM
XNU dangling PTE entry due to integer truncation when collapsing vm_object shadow chains
Project Zero Bug Tracker
November 24 2022 @ 5:38 PM
Chrome: heap-use-after-free in blink::LocalFrameView::PerformLayout (incomplete fix for CVE-2022-3199)
Ruby - HackerOne
November 24 2022 @ 2:01 AM
htokumaru
high - RubyのCGIライブラリにHTTPレスポンス分割(HTTPヘッダインジェクション)があり、秘密情報が漏洩する
PoC1: ``` #!/usr/bin/env ruby require 'cgi' cgi = CGI.new url = "http://example.jp\r\nSet-Cookie: foo=bar;" # External Parameter print cgi.header({'status' => '302 Found', 'Location' => url}) ``` Actual Result1: ``` $ curl -s -i http://localhost:8080/cgi-bin/cgi.ru HTTP/1.1 302 Found Date: Fri, 21 May 2021 00:46:33 GMT Server: Apache/2.2.31 (Unix) Set-Cookie: foo=bar; Location:...
Zero Day Initiative
November 23 2022 @ 4:34 PM
Trend Micro Research Team
CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products. The bug is due to improper validation of resource types in the
Windows Internals Blog
November 23 2022 @ 2:27 PM
Yarden Shafir
An End to KASLR Bypasses?
Edit: this post initially discussed the new changes only in the context of KASLR bypasses. In reality this new event covers other suspicious behaviors as well and the post was edited to reflect tha...
Synacktiv
November 23 2022 @ 10:59 AM
A dive into Microsoft Defender for Identity
We recently analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution which is the successor of Microsoft Advanced Threat Analytics and part of Microsoft
MDSec
November 23 2022 @ 10:00 AM
Admin
Nighthawk: With Great Power Comes Great Responsibility
Recently, Proofpoint released a blog post entitled Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. In this post, Proofpoint outlined a campaign used by a legitimate red...
0x36.github.io
November 26 2022 @ 10:56 PM
CVE-2022-32898: ANE_ProgramCreate() multiple kernel memory corruption
Intro: While reverse-engineering the process of which the Apple Neural Engine loads a model in the kernel level, I identified two interesting memory corruption vulnerabilities in the code responsible for processing the neural network features in H11ANEIn::ANE_ProgramCreate_gated(). These kind of vulnerabilities, in my opinion, are easy to find when manually auditing the kernel driver, but nearly impossible to catch with fuzzers unless you build something incredibly sophisticated.
Project Zero
November 22 2022 @ 9:56 PM
Google Project Zero
Mind the Gap
By Ian Beer, Project Zero Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but...
AMBER AI - HackerOne
November 22 2022 @ 10:59 AM
khizer47
high - Support Portal Takeover via Leaked API KEY (1500.00USD)
Thanks @khizer47 for the report. Insecure zendesk API token hardcoded in JS file, causing Support portals to lose control of administrator rights. We removed dangerous token and controlled permissions by using more secure OAuth token.
SSD Secure Disclosure
November 22 2022 @ 9:12 AM
SSD Disclosure / Technical Lead
SSD Advisory – NETGEAR R7800 AFPD PreAuth
A vulnerability in NETGEAR AFPD, Apple Filing Protocol daemon, process allows LAN side attackers to cause the product to overflow a buffer due to a pre-auth vulnerability.
talosintelligence.com
November 22 2022 @ 3:40 PM
Callback technologies CBFS Filter handle_ioctl_8314C null pointer dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer dereference vulnerability exists in the handle_ioctl_8314C functionality of Callback technologies CBFS Filter 20.0.8317. A spec...
talosintelligence.com
November 22 2022 @ 3:40 PM
Callback technologies CBFS Filter handle_ioctl_83150 null pointer dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A spec...
talosintelligence.com
November 22 2022 @ 3:40 PM
Callback technologies CBFS Filter handle_ioctl_0x830a0_systembuffer null pointer dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20...
Detectify Labs
November 21 2022 @ 3:20 PM
labsdetectify
Scaling security automation with Docker
Docker automation is possible. Gunnar Andrews discusses how ethical hackers can scale their automation workflow by using Docker.
Project Zero Bug Tracker
November 17 2022 @ 10:03 PM
AppleAVD: Missing surface lock in deallocateKernelMemoryInternal
Project Zero Bug Tracker
November 17 2022 @ 10:03 PM
AppleAVD: Memory Corruption in AppleAVDUserClient::decodeFrameFig
NCC Group Research
November 17 2022 @ 4:46 PM
Jon Szymaniak
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Vendor: NXP Semiconductors Vendor URL: Affected Devices: i.MX RT 101x, i.MX RT102x, i.MX RT1050/6x, i.MX 6 Family, i.MX 7 Family, i.MX8M Quad/Mini, Vybrid Author: Jon Szymaniak <jon.szymaniak(at
Praetorian
November 17 2022 @ 2:14 PM
emmaline
People Are People: Gender Equality at Praetorian
Equity-based policies reinforce a cultural meritocracy. A persons gender has nothing to do with their success or failure here.
Zero Day Initiative
November 16 2022 @ 4:29 PM
Piotr Bazydło
Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend
By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC. After successful validation, it was immediately
Cloudflare Public Bug Bounty - HackerOne
November 16 2022 @ 9:21 AM
joshatmotion
high - Ability to bypass locked Cloudflare WARP on wifi networks. (1000.00USD)
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint.
GitLab - HackerOne
November 16 2022 @ 1:45 AM
yvvdwf
critical - RCE via github import (33510.00USD)
Hello, While continuing mining on [github import](https://hackerone.com/reports/1665658), I found a vulnerability on gitlab.com allowing to execute remotely arbitrary commands. Gitlab uses Octokit to get data from github.com. Octokit uses [Sawyer::Resource](https://github.com/lostisland/sawyer/blob/master/lib/sawyer/resource.rb) to represent results. Sawyer is a crazy class that...
GitLab - HackerOne
November 16 2022 @ 1:45 AM
yvvdwf
high - CSP-bypass XSS in project settings page (10270.00USD)
### Summary This javascript [function](https://gitlab.com/gitlab-org/gitlab/-/blob/85fbd72dc08bcedcb9fe80fad4df798e9527ded8/app/assets/javascripts/projects/settings/access_dropdown.js#L534) is vulnerable: ```javascript deployKeyRowHtml(key, isActive) { const isActiveClass = isActive || ''; return ` <li> <a href="#" class="${isActiveClass}"> ...
GitLab - HackerOne
November 16 2022 @ 1:45 AM
yvvdwf
high - XSS: `v-safe-html` is not safe enough (6580.00USD)
`v-safe-html` directive uses Dompurify [to remove](https://gitlab.com/gitlab-org/gitlab-ui/-/blob/9f1bcb1f7392d4d6d072f10197c2aab2c29c3287/src/directives/safe_html/constants.js#L3) `data-remote', 'data-url', 'data-type', 'data-method'` attributes from HTML tags. Rails-js relies on another attribute,...
GitLab - HackerOne
November 16 2022 @ 1:45 AM
cryptopone
high - New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields (13950.00USD)
### Summary In Gitlab 15.0.0 a new Customer Relations feature was added that allows us to use quick actions to find the contact we wish to select. However, I noticed that if I set the contact's first name or last name to <script>alert(document.domain)</script> we can get the XSS to trigger when we are attempting to use the quick commands to add/remove a contact. ### Steps to reproduce 1....
gts3.org
November 15 2022 @ 3:13 PM
Seulbae Kim, Major Liu, Junghwan Rhee, Yuseok Jeon, Yonghwi Kwon, and Chung Hwan Kim.
DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing (to appear)
:H2,R'orjtZ~(Os!K#f.3>pqNV ID&=4~<2b^7$zPrKIqW6p E\WJJ*d ~Oqtq5UcHs[1vqAdO1...
gts3.org
November 15 2022 @ 3:13 PM
Seulbae Kim, and Taesoo Kim.
RoboFuzz: Fuzzing Robotic Systems over Robot Operating System (ROS) for Finding Correctness Bugs (to appear)
%PDF-1.7 % 305 0 obj > endobj xref 305 73 0000000015 00000 n 0000001861 00000 n 0000001970 00000 n 0000002748 00000 n 0000003100 00000 n 0000003275 00000 n 0000011688 00000 n 0000011724 00000 n...
PortSwigger Research
November 15 2022 @ 2:11 PM
Stealing passwords from infosec Mastodon - without bypassing CSP
The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose
0x36.github.io
November 26 2022 @ 10:56 PM
CVE-2022-32932: ZinComputeProgramUpdateMutables() OOB write due to double fetch issue
Analysis:
Project Zero Bug Tracker
November 14 2022 @ 2:00 PM
Double-free in libxml2 when parsing default attributes
Project Zero Bug Tracker
November 14 2022 @ 1:45 PM
libxml2: Integer overflow in xmlParseNameComplex
Project Zero Bug Tracker
November 14 2022 @ 9:06 AM
node-saml: Signature bypass via multiple root elements