SSD Secure Disclosure
SSD Advisory – Windows Kernel Pool (clfs.sys) Corruption Privilege Escalation
Summary: A vulnerability exists in processing IRP_MJ_CREATE requests in driver clfs.sys. This occurs during the processing of blf files that are parsed in kernel. Credit: An independent security researcher working with SSD Secure Disclosure. CVE: CVE-2023-36424. Affected Versions: Windows systems running 64-bit clfs.sys with version 10.0.22621.1555. Vendor Response: The vendor has released a patch for …
HackerOne - HackerOne
critical - Server Side Request Forgery (SSRF) via Analytics Reports
We recently received a critical server-side request forgery (SSRF) vulnerability report through our bug bounty program. The issue allowed attackers to make internal requests from our application servers by exploiting a lack of output sanitization in an error message. By crafting malicious requests, an attacker could have accessed internal AWS services and obtained temporary credentials. Upon...
Project Zero Bug Tracker
Arm Mali CSF: refcount-overflow-leading-to-physical-UAF bugfix in r43p0 misclassified as memory leak fix
Project Zero Bug Tracker
Windows Kernel time-of-check/time-of-use issue in verifying layered key security may lead to information disclosure from privileged registry keys
Praetorian
SonicWall WXA – Authentication Bypass and Remote Code Execution Vulnerability
We found that SonicWall WXA distributed a hardcoded key to the end-user, which can lead to unauthenticated remote code execution.
SSD Secure Disclosure
SSD Advisory – QNAP QTS5 – /usr/lib/libqcloud.so JSON parsing leads to RCE
Summary: QTS’s JSON parsing functionality is vulnerable to type confusion due to a failure to properly check the type of the json-object->data field. The bug allows an attacker to hijack control flow, and is accessible via the /cgi-bin/qid/qidRequestV2.cgi binary. Successful exploitation would allow an unauthenticated attacker to execute arbitrary code as the admin user (equivalent …
The GitHub Blog
Cueing up a calculator: an introduction to exploit development on Linux
Using CVE-2023-43641 as an example, I'll explain how to develop an exploit for a memory corruption vulnerability on Linux. The exploit has to bypass several mitigations to achieve code execution.
Synacktiv
Using ntdissector to extract secrets from ADAM NTDS files
AD LDS As stated by Microsoft:
Zero Day Initiative
Attack Surface of the Ubiquiti Connect EV Station
Previously, we looked at the attack surface of the ChargePoint Home Flex EV charger, one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV Charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle cha
PortSwigger Research
Blind CSS Exfiltration: exfiltrate unknown web pages
This is a gif of the exfiltration process (We've increased the speed so you're not waiting around for 1 minute). Read on to discover how this works... Why would we want to do blind CSS exfiltration? I
Rhino Security Labs
Multiple Vulnerabilities In Extreme Networks ExtremeXOS
Multiple vulnerabilities found in ExtremeNetworks ExtremeXOS by Rhino Security Labs.
Praetorian
Analyzing the SonicWall Custom Grub LUKS Encryption Modifications
We reverse engineered a general solution to decrypt LUKS partitions for all SonicWall NSv appliances that use a specific custom GRUB module.
talosintelligence.com
Buildroot BR_NO_CHECK_HASH_FOR data integrity vulnerability
Discovered by Claudio Bozzato and Francesco Benvenuto of Cisco Talos. SUMMARY A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR functionality of Buildroot 2023.08.1 and dev commit 6...
talosintelligence.com
Buildroot package hash checking data integrity vulnerabilities
Discovered by Claudio Bozzato and Francesco Benvenuto of Cisco Talos. SUMMARY Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Bui...
Project Zero - Root Cause Analysis
CVE-2021-4102: Chrome incorrect node elision in Turbofan leads to unexpected WriteBarrier elision
Information about 0-days exploited in-the-wild!
IBM - HackerOne
critical - Unauthenticated Remote Access to Testing Endpoint
Unauthenticated remote access to a testing endpoint was reported to IBM, analyzed and has been remediated. Thank you to our external researcher @sajidraza.
NCC Group Research Blog
Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Vendor: Sonos Vendor URL: Versions affected: * Confirmed 73.0-42060 Systems Affected: Sonos Era 100 Author: Ilya Zhuravlev Advisory URL: Not provided by Sonos. Sonos state an update was released on
Project Zero Bug Tracker
Arm Mali r44p0: UAF by freeing waitqueue with elements on it
Internet Bug Bounty - HackerOne
high - Permission model improperly protects against path traversal in Node.js 20 (2330.00USD)
Permission model improperly protects against path traversal (High) - (CVE-2023-39331) A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Impacts: This vulnerability affects...
Internet Bug Bounty - HackerOne
high - Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587) (1165.00USD)
Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002) The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. Impacts: This vulnerability affects all users using the experimental...
The GitHub Blog
Securing our home labs: Home Assistant code review
The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security. Here's what we found and what you can do to better protect your own smart home.
Zero Day Initiative
A Detailed Look at Pwn2Own Automotive EV Charger Hardware
In a previous blog, we took a look at the ChargePoint Home Flex EV charger, one of the targets in the upcoming Pwn2Own Automotive contest. In this post, dive in with even greater detail on all of the EV Chargers targeted in the upcoming Pwn2Own Automotive competition. This isn't meant to be a
Google Online Security Blog
Improving Text Classification Resilience and Efficiency with RETVec
Elie Bursztein, Cybersecurity & AI Research Director, and Marina Zhang, Software Engineer Systems such as Gmail, YouTube and Google Play rel...
Mozilla Critical Services - HackerOne
critical - Mozilla FuzzManager API Token Exposed in Git Commit
The researcher has discovered that an API token for the FuzzManager of Mozilla (https://fuzzmanager.fuzzing.mozilla.org) was leaked in one of our GitHub repositories. The API token provides access to our internal fuzzing data and results. The token was accidentally configured with read-write access; we rotated the tokens and made sure to use write-only tokens in our workers
Praetorian
Why Azure B2C ROPC Custom Flows Are Inherently Insecure
The Azure B2C ROPC custom flow default implementation is inherently vulnerable, and can expose applications to unauthorized attacks.
Tor - HackerOne
critical - Zip bomb
Hi, if you go to this site https://blog.haschek.at/tools/bomb.php from Tor Browser, the Tor browser hangs along with the system.
Project Zero Bug Tracker
WebRTC PacketRouter Dangling Entry via Cross-Track SIM Group SSRC Collision
labs.taszk.io
CVE-2022-21765: Mediatek CCCI Kernel Driver OOB Write
Mediatek CCCI Kernel Driver OOB Write Vulnerability
labs.taszk.io
CVE-2022-21769: Mediatek CCCI Kernel Driver OOB Read
Mediatek CCCI Kernel Driver OOB Read Vulnerability
labs.taszk.io
CVE-2022-21744: Mediatek Baseband GPRS PNCD Heap Buffer Overflow
Mediatek Baseband GPRS PNCD Heap Buffer Overflow
labs.taszk.io
CVE-2023-30649: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
labs.taszk.io
CVE-2023-30646: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
labs.taszk.io
CVE-2023-21517: Samsung Baseband LTE ESM TFT Heap Buffer Overflow
Samsung Baseband LTE ESM TFT Heap Buffer Overflow
labs.taszk.io
CVE-2023-30644: Samsung RIL Stack Buffer Overflow
Samsung RIL Stack Buffer Overflow
labs.taszk.io
CVE-2022-21766: Mediatek CCCI Kernel Driver Stack Buffer Overflow
Mediatek CCCI Kernel Driver Stack Buffer Overflow
labs.taszk.io
CVE-2023-30647: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
labs.taszk.io
CVE-2023-30648: Samsung RIL Stack Buffer Overflow
Samsung RIL Stack Buffer Overflow
labs.taszk.io
CVE-2023-30645: Samsung RIL Heap Buffer Overflow
Samsung RIL Heap Buffer Overflow
Windows Internals Blog
KASLR Leaks Restriction
In recent years, Microsoft has focused its efforts on mitigating bug classes and exploitation techniques. In latest Windows versions this includes another change that adds a significant challenge t...
Kubernetes - HackerOne
high - Ingress nginx annotation injection causes arbitrary command execution (2500.00USD)
Report Submission Form ## Summary: [add a summary of the vulnerability] For CVE-2021-25742 and CVE-2021-25746, I found a bypass method, which is fatal to the current measures taken by the team. I can easily bypass restrictions and execute arbitrary commands in the express nginx container. ## Kubernetes Version: [add Kubernetes version & distribution in which the issue was found] Server...
inDrive - HackerOne
critical - Blind SQL injection on id.indrive.com (4134.00USD)
Subscribe to our telegram channel with updates https://t.me/indrive_bbp
Nextcloud - HackerOne
high - Delete external storage of any user
A security vulnerability was uncovered that allowed standard users to remove external storage resources from any user account in the application. This flaw was particularly concerning because it enabled unauthorized users to delete these resources based on a system-generated ID, which automatically incremented, without requiring any special privileges. This issue didn't grant access to the data...
NCC Group Research Blog
Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underl
Google Online Security Blog
Two years later: a baseline that drives up security for the industry
Royal Hansen, Vice President of Privacy, Safety and Security Engineering, Google Nearly half of third-parties fail to meet two or more of th...
Snowplow - HackerOne
critical - Unauthorised CocoaPods Auth via Token Leakage & HTTP Header Injection
FetLife - HackerOne
low - Able to see highest poll result without voting or view result
Hi Fetlife, in your last blog post https://fetlife.com/releases/2023-11-10-view-poll-results-without-voting But it seems there is a way to see the highest vote count even without `view result`, and I was able to vote later as well. And my apology: I do have a working example, but the exact mechanism I have not gone through to the end - which line of code or which request does this (I'll update...
hackerone.com
[curl] critical - Buffer overflow and affected url:-https://github.com/curl/curl/blob/master/docs/examples/hsts-preload.c
gts3.org
Binary Code Representation With Well-Balanced Instruction Normalization
Praetorian
Nosey Parker’s Ongoing Machine Learning Development
Nosey Parker uses machine learning to score regex detection engine findings and to detect secrets the regex detection engine misses.
Unit 42
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
In July 2023, pro-Russian APT Storm-0978 targeted support for Ukrainian NATO admission with an exploit chain. Analysis of it reveals the new CVE-2023-36584.