Hyperledger - HackerOne
high - fix(security): Path Traversal Bug
Unsanitized input from a CLI argument flows into `io.ioutil.ReadFile`, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files. See this fix: https://github.com/hyperledger/fabric/pull/3573 Impact: There is a path traversal vulnerability in the source code of fabric
Zero Day Initiative
New Disclosure Timelines for Bugs Resulting from Incomplete Patches
Today at the Black Hat USA conference, we announced some new disclosure timelines. Our standard 120-day disclosure timeline for most vulnerabilities remains, but for bug reports that result from faulty or incomplete patches, we will use a shorter timeline. Moving forward, the ZDI will adopt a tier
Project Zero Bug Tracker
Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity
Project Zero Bug Tracker
Windows: heap buffer overflow in sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString
Project Zero - Root Cause Analysis
CVE-2021-0920: Android sk_buff use-after-free in Linux
Information about 0-days exploited in-the-wild!
Project Zero
The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)
A deep dive into an in-the-wild Android exploit Guest Post by Xingyu Jin, Android Security Research This is part one of a two-part guest...
PortSwigger Research
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessib
Google Online Security Blog
Making Linux Kernel Exploit Cooking Harder
Posted by Eduardo Vela, Exploit Critic Cover of the medieval cookbook. Title in large letters kernel Exploits. Adorned. Featuring a small pe...
GitHub
RoboFuzz: Fuzzing Robotic Systems over Robot Operating System (ROS) for Finding Correctness Bugs (to appear)
Fuzzing framework for Robot Operating System (ROS) and ROS-based robotic systems (GitHub: sslab-gatech/RoboFuzz)
Glassdoor - HackerOne
critical - [CRITICAL] Full account takeover without user interaction on sign with Apple flow
An account takeover was detected in our sign-up with Apple flow, where an email parameter was manipulated in the request flow to our servers. This scenario can only be performed on an Apple ID account not previously linked with Glassdoor. Changing the email in the request flow allowed the researcher to take over a dummy account and perform actions on that dummy account without the user knowing...
HackerOne - HackerOne
high - Ability to escape database transaction through SQL injection, leading to arbitrary code execution
HackerOne has an internal backend interface that gives debugging capabilities to its engineers. One of the features is the ability to run `EXPLAIN ANALYZE` queries against a connected database. This feature is accessible by a handful of engineers. The feature is vulnerable to a SQL injection that allows an attacker to escape the transaction that is wrapped around the `EXPLAIN ANALYZE` query....
Praetorian
Thinking Outside the Mailbox: Modernized Phishing Techniques
The Praetorian Red Team outlines modernized phishing techniques they use to identify gaps in real-world enterprises' deeply trusted services.
PT SWARM
Discovering Domains via a Timing Attack on Certificate Transparency
New attack on certificate transparency reveals previously unknown domains!
secret club
Improving MBA Deobfuscation using Equality Saturation
This blog post will first give a brief overview of obfuscation based on Mixed-Boolean-Arithmetic (MBA), how it has historically been attacked and what the known limitations are. The main focus will then shift to an extension of the oracle-based synthesis approach, detailing how combining program synthesis with the equality saturation technique produces significantly more simplification opportunities. Finally, a set of examples spanning different MBA categories, unsolved limitations and future work ideas will hopefully serve as food for thought for the reader. Across the post, references to existing research are provided to delve into additional details and deepen the understanding of the topics.
Google Online Security Blog
How Hash-Based Safe Browsing Works in Google Chrome
By Rohit Bhatia, Mollie Bates, Google Chrome Security There are various threats a user faces when browsing the web. Users may be tricked ...
SSD Secure Disclosure
Protected: SSD Advisory – Apple Safari ICU Out-Of-Bounds Write
Bad handling in Apple Safari allows attackers to use certain look-alike characters instead of the real ones, confusing victims into thinking they are reaching a certain site while they are actually accessing another one.
RATELIMITED - HackerOne
high - HTTP PUT method is enabled on downloader.ratelimited.me
Summary: The HTTP PUT method was found enabled on the web server. I tested writing the file /codeslayer137.txt to the server using the PUT verb, and the contents of the file could then be retrieved using the GET verb. Steps To Reproduce: Request: PUT /codeslayer137.txt HTTP/1.1 Host: downloader.ratelimited.me Content-Length: 21 Connection: close Testing By CodeSlayer Response: HTTP/1.1...
Hyperledger - HackerOne
high - Brute Force of fabric-ca server admin account (1500.00USD)
fabric-ca server: default configuration has maxenrollments value -1 (enables outside enrollment); listening on 0.0.0.0:7054 (easily discovered and can be reached); no limit on wrong password attempts. The above conditions allow brute force against the CA server admin account. Impact: the attacker gains a high-level permissioned account on the permissioned network and can add/delete/update/query
MTN Group - HackerOne
high - Cross site scripting in mtn.bj
Summary: XSS vulnerability in mtn.bj via file name. Steps To Reproduce: 1. Go to: https://www.mtn.bj/business/ressources/formulaires/plan-de-localisation-de-compte/?next=https://www.mtn.bj/business/ressources/formulaires/formulaire-de-souscription/ 2. Fill all inputs with any data 3. In the file upload, upload a file with a payload file name such as: "><img src=x...
Kubernetes - HackerOne
high - Ingress-nginx path allows retrieval of ingress-nginx serviceaccount token (2500.00USD)
Summary: A user with the permissions to create an ingress resource can obtain the ingress-nginx service account token, which can list secrets in all namespaces (cluster wide). Kubernetes Version: 1.20 (should work on 1.21 as well). Component Version: nginx ingress controller v1.0.4. Steps To Reproduce: I deployed the latest ingress-controller (v1.0.4). I...
Detectify Labs
How To Hack Web Applications in 2022: Part 2
From business logic vulnerabilities to server-side request forgery, an ethical hacker details how you can hack web applications in simple steps
jub0bs.com
Scraping the bottom of the CORS barrel (part 1)
James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so. This post is the first in a series in which I will discuss more minor CORS-related issues and present lesser-known detection techniques. My primary audience is people on the offensive side, but folks on the defensive side may also find this series interesting.
Reddit - HackerOne
high - Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability (5000.00USD)
Summary: There's no check whether the user is a moderator of the particular subreddit while trying to access the mod logs via gql.reddit.com using the operation id. You can change the parameter **subredditName** to any target subreddit name which is public or restricted and get access to the mod logs of that subreddit. Steps To Reproduce: + Log into any account as an attacker and get the...
Project Zero Bug Tracker
Chrome: WebGL uniform integer overflows
Praetorian
The Economy of Trust in Smart Contract Security
In web3 trust dependencies are fundamental to security. Awareness of the security impact other codebases have on your project is key.
talosintelligence.com
ESTsoft Alyac OLE header parsing integer overflow
Discovered by Jaewon Min of Cisco Talos. SUMMARY An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files. A specially-crafted OLE file can lead to a heap buffer...
Praetorian
AWS Security Trends of 2022: Five Themes and Why They Matter
We identified five key AWS security trends of 2022, based on our analysis of their security related work. Here is why they matter.
Reddit - HackerOne
critical - One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com (10000.00USD)
Hi, Description: I've been researching new ways to steal OAuth codes and access-tokens using postMessage, and I found a way for me to steal the code and/or access-token from Apple-sign-in on reddit.com allowing a full account hijack of the account in Reddit. The way it works is this: 1. Attacker prepares a `state`-parameter in its own browser from the regular Apple sign-in flow in Reddit....
Rocket.Chat - HackerOne
critical - Insecure use of shell.openExternal() in Rocket.Chat Desktop App leading to RCE
**Summary:** The Rocket.Chat Desktop app passes the links users click on to Electron's `shell.openExternal()` function which can lead to remote code execution. **Description:** The filtering on the URLs passed to `shell.openExternal()` is insufficient. An attacker can craft and send a link that when clicked will cause malicious code from a remote origin to be executed on the user's system. The...
talosintelligence.com
TCL LinkHub Mesh Wifi confsrv ucloud_add_node_new OS command injection vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-...
talosintelligence.com
TCL LinkHub Mesh Wifi libcommonprod.so prod_change_root_passwd hard-coded password vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A hard-coded password vulnerability exists in the libcommonprod.so prod_change_root_passwd functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. ...
talosintelligence.com
TCL LinkHub Mesh Wi-Fi confsrv ucloud_set_node_location stack-based buffer overflow vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv ucloud_set_node_location functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. ...
talosintelligence.com
TCL LinkHub Mesh Wifi confsrv ucloud_add_node OS command injection vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-cra...
talosintelligence.com
TCL LinkHub Mesh Wi-Fi confsrv addTimeGroup stack-based buffer overflow vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv addTimeGroup functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-...
talosintelligence.com
TCL LinkHub Mesh Wifi confctl_get_master_wlan information disclosure vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY An information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-c...
talosintelligence.com
TCL LinkHub Mesh Wifi confctl_set_master_wlan denial of service vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A denial of service vulnerability exists in the confctl_set_master_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted ...
talosintelligence.com
TCL LinkHub Mesh Wifi confsrv set_port_fwd_rule stack-based buffer overflow vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv set_port_fwd_rule functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specia...
talosintelligence.com
TCL LinkHub Mesh Wifi confctl_set_guest_wlan denial of service vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted ...
talosintelligence.com
TCL LinkHub Mesh Wi-Fi confsrv confctl_set_app_language stack-based buffer overflow vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv confctl_set_app_language functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. ...
talosintelligence.com
TCL LinkHub Mesh Wifi confsrv ucloud_add_node_new stack-based buffer overflow vulnerability
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv ucloud_add_node_new functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A spe...
talosintelligence.com
TCL LinkHub Mesh Wifi GetValue buffer overflow vulnerability
CVE-2022-24021,CVE-2022-24011,CVE-2022-24028,CVE-2022-24023,CVE-2022-24026,CVE-2022-24016,CVE-2022-24005,CVE-2022-24019,CVE-2022-24029,CVE-2022-24007,CVE-2022-24017,CVE-2022-24008,CVE-2022-24006,CV...
Hyperledger - HackerOne
high - Cross Site Scripting Vulnerability (XSS)
An XSS was found in Cactus, a project that is not part of the bounty program.
Dropbox - HackerOne
high - Send Fax from Anyone's HelloFax Account Due to Misconfigured Email Validation (4913.00USD)
The report demonstrates a method of using up HelloFax credits by forging email requests. A fix for the issue has been released and was applied to existing and new users through an automatic update. An attacker could exploit this vulnerability by entering a victim's HelloFax line number into a third-party mailer service.
critical - Hijack all emails sent to any domain that uses Cloudflare Email Forwarding (6000.00USD)
The Email Routing feature enables Cloudflare users to create any number of custom email addresses and route all incoming messages to the user's preferred inboxes. Due to a bug in zone ownership verification, it was possible to configure Email Routing to redirect e-mail messages for an unverified zone (with Email Routing enabled) to a different mailbox. In addition, the vulnerability allowed the...
Acronis - HackerOne
high - Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification
Summary: The Acronis True Image application has a SUID binary "Acronis True Image" that starts another binary "console" in the same directory. The SUID binary does some checks on "console" before it is run to make sure the correct binary is being run. By using a hardlink to the SUID binary we can coerce it to try and load "console" from a chosen directory we can write to. From this point we...
Unit 42
Threat Brief: Microsoft Critical Vulnerabilities (CVE-2022-26809, CVE-2022-26923, CVE-2022-26925)
We provide an overview of CVE-2022-26809, CVE-2022-26923 and CVE-2022-26925, along with recommendations for mitigation.
Zero Day Initiative
Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack
Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi's implementation of the SLP service, VMware provided workarounds to turn off th
Cosmos - HackerOne
critical - Race condition in faucet when using starport (5000.00USD)
The proper writeup of the bug can be found in our blog post at https://blog.credshields.com/race-condition-in-tendermints-starport-7cebe176d935 The root cause of the bug was in the function Transfer at https://github.com/tendermint/starport/blob/7812125/starport/pkg/cosmosfaucet/transfer.go#L50-L74 We can notice in the code that each request to the faucet causes two actions to be made; one for...
Praetorian
Anatomy of an Automotive Security Assessment
We break down our approach to an automotive security assessment: authorized hacking on a car component to help clients stay a step ahead.
Project Zero Bug Tracker
AppleAVD: Overflow in AVC_RBSP::parseSliceHeader ref_pic_list_modification