Doyensec's Blog
Windows Installer, exploiting Common Actions
18 Jul 2024 - Posted by Adrian Denkiewicz. Over a year ago, I published my research around the Windows Installer Service. The article explained in detail how the MSI repair process executes in an elevated context, but the lack of impersonation could...
Project Zero Bug Tracker
PowerVR: missing tracking of multiple sparse mappings in DevmemIntChangeSparse2() leads to dangling page table entry
===== issue description ===== DevmemIntChangeSparse2() updates the backing of a sparse PMR (freeing and allocating physical pages as requested). In builds with PVRSRV_UNMAP_ON_SPARSE_CHANGE (like on ChromeOS), this only works when no CPU mappings of the PMR exist. GPU mappings of the PMR are...
RET2 Systems Blog
Jack Dates
Pwn2Own Automotive: CHARX Vulnerability Discovery
The first Pwn2Own Automotive introduced an interesting category of targets: electric vehicle chargers. This post will detail some of our research on the Phoe...
Synacktiv
GitHub Actions exploitation: self hosted runners
In the previous article, we highlighted three common misconfigurations in GitHub workflows that can be leveraged to obtain write access to the targeted repository or extract sensitive secrets. We illustrated these vulnerabilities using real-world...
expressionengine - HackerOne
[ExpressionEngine] high - Multiple XSS and open HTTP redirection
SSD Secure Disclosure
SSD Secure Disclosure technical team
SSD Advisory – XenForo RCE via CSRF
Summary: A vulnerability in XenForo allows a user to trigger RCE via incorrect parsing and handling of user-provided templates; combined with a CSRF bypass, this allows attackers to execute arbitrary code whenever an admin visits the styles / widgets page. Credit: An independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure. Vendor …
GitHub
rcorrea35
Kioxia: Open JTAG Debug Port
### Summary The Kioxia CM6, PM6 and PM7 disk drives are enterprise models supporting high security options such as Sanitize Instant Erase (SIE) and Self-Encrypting Drive (SED)/TCG Opal operation. ...
GitHub
rcorrea35
Linux Kernel: Vulnerability in the eBPF verifier register limit tracking
### Summary A bug in the verifier’s register limit tracking was found by using https://github.com/google/buzzer that allows an attacker to trick the eBPF verifier into thinking a register has a va...
Check Point Research
stcpresearch
New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
Key Findings. Introduction: MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), is known to be active since at least 2017. During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods […]
nextcloud - HackerOne
[Nextcloud] high - Can reshare read&share only folder with more permissions (750.00USD)
ibb - HackerOne
[Internet Bug Bounty] high - important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474) (4920.00USD)
I reported this vulnerability through the official Apache HTTP Server security email on April 1, 2024, and received a fix along with a CVE number on July 1, 2024. You can check detailed information from there: > https://httpd.apache.org/security/vulnerabilities_24.html ## Impact Substitution...
ibb - HackerOne
[Internet Bug Bounty] high - important: Apache HTTP Server on Windows UNC SSRF (CVE-2024-38472) (4920.00USD)
I reported this vulnerability through the official Apache HTTP Server security email on April 1, 2024, and received a fix along with a CVE number on July 1, 2024. You can check detailed information from there: > https://httpd.apache.org/security/vulnerabilities_24.html ## Impact SSRF in Apache...
ibb - HackerOne
[Internet Bug Bounty] high - important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475) (4920.00USD)
I reported this vulnerability through the official Apache HTTP Server security email on April 1, 2024, and received a fix along with a CVE number on July 1, 2024. You can check detailed information from there: > https://httpd.apache.org/security/vulnerabilities_24.html ## Impact Improper escaping...
ibb - HackerOne
[Internet Bug Bounty] high - important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476) (4920.00USD)
I reported this vulnerability through the official Apache HTTP Server security email on April 1, 2024, and received a fix along with a CVE number on July 1, 2024. You can check detailed information from there: > https://httpd.apache.org/security/vulnerabilities_24.html ## Impact Vulnerability in...
ibb - HackerOne
[Internet Bug Bounty] high - important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477) (4920.00USD)
I reported this vulnerability through the official Apache HTTP Server security email on April 1, 2024, and received a fix along with a CVE number on July 1, 2024. You can check detailed information from there: > https://httpd.apache.org/security/vulnerabilities_24.html ## Impact null pointer...
tiktok - HackerOne
[TikTok] critical - Account Takeover via Authentication Bypass in TikTok Account Recovery (12000.00USD)
SSD Secure Disclosure
Noamr
SSD Advisory – SonicWall SMA100 Stored XSS to RCE
Summary: There are pre-auth stored XSS and post-auth remote command injection vulnerabilities in SonicWall SMA100. These vulnerabilities allow unauthenticated attackers to execute arbitrary commands when an authenticated user is exposed to the stored XSS. The vulnerabilities were silently patched without any CVE assignment. The whole feature named Classic mode, where the stored XSS vulnerability exists, was …
mars - HackerOne
[Mars] high - 0 Click account takeover via timed requests to ███████forgot-password (single-packet attack)
security - HackerOne
[HackerOne] high - Two-factor authentication bypass lead to information disclosure about the program and all hackers participate
**Summary:** Two-factor authentication bypass leads to information disclosure about the program and all hackers who participate. **Description:** Hi dear, when you have an invitation from a program, to accept that invitation and see the program content you need to have Two-factor authentication...
security - HackerOne
[HackerOne] critical - Bypassing the victim's phone number OTP in the account recovery process on the https://hackerone.com/settings/auth/setup_account_recovery
Hi Team, hope everyone is doing well on your end. :) While conducting research on hackerone.com, I uncovered a critical vulnerability related to account recovery via phone number. I found that I could add any phone number without verifying the SMS OTP. To confirm the vulnerability, I...
security - HackerOne
[HackerOne] high - Improper Authentication - 2FA OTP Reusable
**Summary:** I found an “Improper Authentication” issue where the 2FA OTP generated by the Microsoft Authenticator app can be used for two-step verification in HackerOne. This is similar to the common issue where tokens remain usable after logout. This means that the OTP does not have an...
security - HackerOne
[HackerOne] high - Business Logic error leads to bypass 2FA requirement
Hi team. Summary: I have identified a business logic issue in the 2FA requirement. I noticed that the organization enables the 2FA requirement so that only reporters who have set up 2FA can report, due to security reasons. This is because the report contains sensitive information, and if a...
security - HackerOne
[HackerOne] high - TOTP Authenticator implementation Accepts Expired Codes
**Summary:** Hi, During testing hackerone.com, I discovered that the TOTP authenticator implementation accepts expired codes, allowing attackers to bypass authentication. This is a security vulnerability that reduces the effectiveness of the TOTP authentication mechanism. **Description:** TOTP...
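The "2FA OTP Reusable" and "TOTP Authenticator implementation Accepts Expired Codes" reports above come down to two checks a TOTP verifier has to make on every attempt: only accept codes from a narrow window around the current time step, and never accept a time step at or before the one that last succeeded. The block below is an added example, not HackerOne's code or anything taken from the reports: an RFC 6238 verifier (HMAC-SHA1, 30-second steps, six digits) that enforces both rules, next to a naive verifier showing the two defects. The secret is the RFC 4226/6238 test-vector key, and the one-step skew allowance is an assumed policy.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
SKEW_STEPS = 1      # assumed policy: tolerate one step of clock drift either side

# Shared secret from the RFC 4226/6238 test vectors (constructed input, not a real key)
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_step(at: float, step_seconds: int = STEP_SECONDS) -> int:
    return int(at // step_seconds)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, time_step(at))


def naive_verify(secret: bytes, code: str, now: float, window: int = 10) -> bool:
    """The behaviour the two reports describe: a wide window, so codes that expired
    minutes ago still pass, and no memory of which codes were already consumed, so a
    code captured once can be replayed. Also compares with ==, which is timing-unsafe."""
    current = time_step(now)
    steps = range(max(0, current - window), current + window + 1)
    return any(hotp(secret, s) == code for s in steps)


class TotpVerifier:
    """Per-user verifier state. In a real service last_accepted_step lives in the user
    record and the check-and-update below must be atomic (e.g. a conditional UPDATE),
    or two concurrent logins can both consume the same code."""

    def __init__(self, secret: bytes, skew_steps: int = SKEW_STEPS):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1   # no code accepted yet

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        now = time.time() if now is None else now
        current = time_step(now)
        # Expiry: only the current step and SKEW_STEPS either side are candidates.
        for step in range(max(0, current - self.skew_steps), current + self.skew_steps + 1):
            # Replay: a step at or before the last successful one is never accepted again,
            # which also rejects an older-but-still-in-window code after a newer one was used.
            if step <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    first = totp(RFC_TEST_SECRET, 59)                  # "287082" per the RFC test vector
    print("fresh code accepted:", v.verify(first, now=59))
    print("same code replayed:", v.verify(first, now=59))
    print("same code 2 min later:", v.verify(first, now=200))
    print("naive verifier 2 min later:", naive_verify(RFC_TEST_SECRET, first, now=200))
```

The replay rule must be keyed on the time step that matched rather than on the code string, otherwise an attacker who observed a code can replay it in the adjacent step where it is still inside the skew window.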
Doyensec's Blog
A Race to the Bottom - Database Transactions Undermining Your AppSec
11 Jul 2024 - Posted by Viktor Chuchurski. Introduction: Databases are a crucial part of any modern application. Like any external dependency, they introduce additional complexity for the developers building an application....
Stratum Security Blog
Trevor Hawthorn
How Stratum thinks about Internet-exposed SSH
Cisco Talos
15 vulnerabilities discovered in software development kit for wireless routers
Synacktiv
GitHub Actions exploitation: repo jacking and environment manipulation
In the previous article, we highlighted three common misconfigurations in GitHub workflows that can be leveraged to obtain write access to the targeted repository or extract sensitive secrets. We illustrated these...
Check Point Research
stcpresearch
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
By Haifei Li. Introduction and Background: Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the […]
PortSwigger Research
Zakhar Fedotkin
Fickle PDFs: exploiting browser rendering discrepancies
Imagine the CEO of a random company receives an email containing a PDF invoice file. In Safari and macOS Preview, the total price displayed is £399. After approval, the invoice is sent to the accounti
Codean Labs
Thomas Rinsma
CVE-2024-29511 – Abusing Ghostscript’s OCR device
An arbitrary file read/write vulnerability in Ghostscript ≤ 10.02.1 which enables attackers to read/write arbitrary files on the complete filesystem including outside of the -dSAFER sandbox. CVE-2024-29511 has significant impact on web-applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood. We recommend verifying whether your solution (indirectly) makes use of Ghostscript and if so, update it to the latest version.
nodejs - HackerOne
[Node.js] high - Bypass incomplete fix of CVE-2024-27980
Embrace The Red
Sorry, ChatGPT Is Under Maintenance: Persistent Denial of Service through Prompt Injection and Memory Attacks
Using prompt injection a malicious website can inject a malicious memory into your ChatGPT to cause a persistent Denial of Service. Learn how this is done, and how to mitigate/recover from such attacks.
Check Point Research
stcpresearch
Exploring Compiled V8 JavaScript Usage in Malware
Author: Moshe Marelus. Introduction: In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, […]
Talos - Vulnerability Reports
Realtek rtl819x Jungle SDK boa formWsc stack-based buffer overflow vulnerability
Talos - Vulnerability Reports
Realtek rtl819x Jungle SDK boa set_RadvdInterfaceParam stack-based buffer overflow vulnerabilities
Talos - Vulnerability Reports
Realtek rtl819x Jungle SDK boa formDnsv6 stack-based buffer overflow vulnerability
Elttam
By Alex Brown
plORMbing your Prisma ORM with Time-based Attacks
## Table of Contents - INTRODUCTION - A BRIEF EXPLANATION ABOUT PRISMA AND TRIVIAL BAD PRACTICES - RELATIONAL FILTERING ATTACKS FOR THE PRISMA ORM - TIME-BASED EXPLOITATION OF PRISMA - FUTURE RESEARCH AND WORK - PART TWO CONCLUSION ## Introduction This is the second part of our series about the...
spaceraccoon.dev
Universal Code Execution by Chaining Messages in Browser Extensions
By chaining various messaging APIs in browsers and browser extensions, I demonstrate how we can jump from web pages to “universal code execution”, breaking both Same Origin Policy and the browser sandbox. I provide two new vulnerability disclosures affecting millions of users as examples. In addition, I demonstrate how such vulnerabilities can be discovered at scale with a combination of large dataset queries and static code analysis.
ibb - HackerOne
[Internet Bug Bounty] high - CVE-2024-34750 Apache Tomcat DoS vulnerability in HTTP/2 connector (4920.00USD)
Hello IBB team, I would like to submit a report about an Apache Tomcat DoS vulnerability that I have reported to the Tomcat team, which was assigned CVE-2024-34750 and disclosed yesterday. **Details:** When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers...
SSD Secure Disclosure
SSD Secure Disclosure technical team
SSD Advisory – Foscam R4M UDTMediaServer Buffer Overflow
Summary: A stack-based overflow exists in UDTMediaServer, one of the binaries running in the background in Foscam. This vulnerability could be exploited to execute any command. Credit: Yoseop Kim working with SSD Labs Korea. Vendor Response: The vendor has released an updated version, https://www.foscam.com/downloads/firmware_details.html?id=143 Affected Versions: Foscam R4M running version V-2.x.2.67. Root cause analysis: First, …
Talos - Vulnerability Reports
Grandstream GXP2135 CWMP SelfDefinedTimeZone OS command injection vulnerability
Meta Red Team X
Tom Hebb, Red Team X
The many meanings of “system app” in modern Android
Not all Android apps are created equal. The Settings app on an Android device, for example, can change numerous things that no “normal” app can, regardless of how many permissions that app requests. Apps with special privileges like Settings are often called “system apps.” But what makes an app a “system app”? In answering that question for ourselves, we noticed that AOSP’s resources on the subject are disparate and assume a great deal of Android internals knowledge. We wrote this post to summarize what we learned for the benefit of security researchers, app developers, and enthusiasts alike.
Check Point Research
shlomoo@checkpoint.com
Modern Cryptographic Attacks: A Guide for the Perplexed
Introduction: Cryptographic attacks, even more advanced ones, are often made more difficult to understand than they need to be. Sometimes it’s because the explanation is “too much too soon” — it skips the simple general idea and goes straight to real world attacks with all their messy details. Other times it’s because of too much […]
PortSwigger Research
James Kettle
A hacking hat-trick: previewing three PortSwigger Research publications coming to DEF CON & Black Hat USA
We're delighted to announce three major research releases from PortSwigger Research will be published at both Black Hat USA and DEF CON 32. In this post, we'll offer a quick teaser of each talk, info
Codean Labs
Thomas Rinsma
CVE-2024-29510 – Exploiting Ghostscript using format strings
A format string vulnerability in Ghostscript ≤ 10.03.0 which enables attackers to gain Remote Code Execution (#RCE) while also bypassing sandbox protections. CVE-2024-29510 has significant impact on web-applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood. We recommend verifying whether your solution (indirectly) makes use of Ghostscript and if so, update it to the latest version!
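Both Codean Labs entries (CVE-2024-29511 above and CVE-2024-29510 here) close with the same advice: find out whether your stack runs Ghostscript, directly or behind a document-conversion or preview tool, and compare its version against the affected ranges. The block below is an added example, not Codean Labs' code: it reads the version printed by `gs --version` and reports which of the two CVEs listed on this page still apply, using the inclusive upper bounds stated in the two summaries (10.03.0 for CVE-2024-29510, 10.02.1 for CVE-2024-29511). The `gs` binary name on PATH is an assumption about a typical Linux install; the version strings in the comments and tests are constructed inputs.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Inclusive upper bound of the affected releases, as given in the two summaries on this page.
AFFECTED_THROUGH = {
    "CVE-2024-29510": (10, 3, 0),  # format string -> RCE and sandbox bypass, <= 10.03.0
    "CVE-2024-29511": (10, 2, 1),  # OCR device -> arbitrary file read/write outside -dSAFER, <= 10.02.1
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.02.1' (the form `gs --version` prints) into (10, 2, 1).
    Ghostscript zero-pads the minor component, so the comparison has to be numeric:
    as strings, '9.55.0' would sort after '10.03.0'. Also accepts banner text such as
    'GPL Ghostscript 10.02.1' because the number is searched for, not matched whole."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def affected_cves(version_text: str) -> List[str]:
    """CVEs from AFFECTED_THROUGH whose affected range still includes this version."""
    v = parse_version(version_text)
    return sorted(cve for cve, last_bad in AFFECTED_THROUGH.items() if v <= last_bad)


def installed_gs_version(binary: str = "gs") -> Optional[str]:
    """Version string of the Ghostscript on PATH, or None if none is installed."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    version = installed_gs_version()
    if version is None:
        # A missing binary on this host proves little: the converter may live in a
        # container or behind a delegate (ImageMagick's PS/PDF handling shells out to gs).
        print("gs not on PATH; check conversion containers and ImageMagick delegates too")
    else:
        cves = affected_cves(version)
        if cves:
            print(f"Ghostscript {version}: affected by {', '.join(cves)}; update")
        else:
            print(f"Ghostscript {version}: outside both affected ranges")
```

Run it on every host that converts or previews user-supplied documents, not only the web tier; on hosts with ImageMagick, `convert -list delegate` shows whether `gs` is wired in for PS, EPS and PDF input.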
Synacktiv
GitHub Actions exploitation: untrusted input
In the previous article, we explored the mechanics of GitHub Actions, uncovering the various elements present in a GitHub workflow. For example, we explained how permissions are managed, how workflows are triggered and the security implication of some...
Doyensec's Blog
Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF
02 Jul 2024 - Posted by Maxence Schmitt. To provide users with a safer browsing experience, the IETF proposal named “Incrementally Better Cookies” set in motion a few important changes to...
Project Zero Bug Tracker
PowerVR: Driver doesn't sanitize ZS-Buffer / MSAA scratch firmware addresses
===== issue description ===== When userspace sends a TA/3D/PR3D command using the kernel driver function PVRSRVRGXKickTA3DKM(), userspace supplies firmware command buffers. The firmware expects optional PR buffer metadata firmware addresses in two fields of the command buffer (one for a scratch...
Artificial truth
jvoisin
Notes on regreSSHion on musl
Today, Qualys published another stellar paper: RCE in OpenSSH's server, on glibc-based Linux systems, nicknamed regreSSHion, aka CVE-2024-6387. Since I'm running Alpine Linux, which is using the musl libc, I was curious about the impact there. Fortunately, it boils down to a deadlock at worst: -...
secret club
https://secret.club/author/addison
Ring Around The Regex: Lessons learned from fuzzing regex libraries
Okay, if you’re reading this, you probably know what fuzzing is. As an incredibly reductive summary: fuzzing is an automated, random testing process which tries to explore the state space (e.g., different interpretations of the input or behaviour) of a program under test (PUT; sometimes also SUT, DUT, etc.). Fuzzing is often celebrated as one of the most effective ways to find bugs in programs due to its inherently random nature, which defies human expectation or bias[1]. The strategy has found countless security-critical bugs (think tens or hundreds of thousands) over its 30-odd years of existence, and yet faces regular suspicion from industry and academia alike. [1] Mostly. Fuzzers can be overfit to certain applications, intentionally or not.