Praetorian
Inter-Chip Communication: Design Considerations to Mitigate Commonly Overlooked Attack Paths
Explore design patterns that use inter-chip communication, attack scenarios of particular relevance, and mitigation strategies.
critical - HTTP request smuggling with Origin Rules using newlines in the host_header action parameter (3100.00USD)
The `host_header` action parameter available to rulesets in the [Origin Rules API](https://developers.cloudflare.com/rules/origin-rules/) lacked sufficient input validation, i.e., it allowed CRLF characters. Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security products such as Cloudflare Access and...
high - Sign in with Apple works on existing accounts, bypasses 2FA (1000.00USD)
It was possible to bypass configured Cloudflare 2FA when logging in to a Cloudflare account using the Apple ID authentication flow. A malicious actor could access a Cloudflare account by setting up an Apple ID account using an e-mail address matching the one used to set up the targeted account. The issue could affect customers who did not have an Apple ID account created with an e-mail address that...
high - API docs expose an active token for the sample domain theburritobot.com (500.00USD)
A screenshot featured on the [API token creation](https://developers.cloudflare.com/api/tokens/create/#generating-the-token) documentation page exposed a valid API token with permissions sufficient to modify DNS records of one of Cloudflare's demo zones. The token has since been revoked.
gts3.org
Application-Informed Kernel Synchronization Primitives (to appear)
Guido Vranken
Notes on OpenSSL remote memory corruption
OpenSSL version 3.0.4, released on June 21st 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. BoringSSL, LibreSSL and the OpenSSL 1.1.1 branch are n
Phabricator - HackerOne
medium - User can link non-public file attachments, leading to file disclosure on edit by higher-privileged user (500.00USD)
CVSS: Medium 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) Description: Uploaded files can be linked to from anywhere by referencing their ID. If the user viewing the reference to the file has permission to access the file, it will be rendered. Otherwise, the reference will be...
Praetorian
Elevating Privileges with Authentication Coercion Using DFSCoerce
Discusses how attackers in the real world may pair the DFSCoerce tool with a bunch of other techniques to gain elevated access into networks.
Praetorian
How to Detect DFSCoerce
How to detect DFSCoerce, the new forced authentication technique.
Exodus Intelligence
TP-Link WA850RE Unauthenticated Configuration Disclosure Vulnerability
EIP-9098806c. A vulnerability exists within the httpd server of the TP-Link WA850RE Universal Wi-Fi Range Extender that allows remote unauthenticated attackers to download the configuration file. Retrieval of this file results in the exposure of admin credentials and other sensitive information. Vulnerability Identifiers: Exodus Intelligence EIP-9098806c; MITRE CVE: TBD. Vulnerability Metrics: CVSSv2 Score 8.3. Vendor References ...
Exodus Intelligence
TP-Link WA850RE Remote Command Injection Vulnerability
EIP-7758d2d4. A vulnerability exists within the httpd server of the TP-Link WA850RE Universal Wi-Fi Range Extender that allows authenticated attackers to inject arbitrary commands as arguments to an execve() call due to a lack of input sanitization. Injected commands are executed with root privileges. This issue is further exacerbated when combined with the configuration leak ...
Exodus Intelligence
TP-Link WR940N/WR941ND Uninitialized Pointer Vulnerability
EIP-9ad27c94. An uninitialized pointer vulnerability exists within TP-Link's WR940N and WR941ND SOHO router devices, specifically during the processing of UPnP/SOAP SUBSCRIBE requests. Successful exploitation allows local unauthenticated attackers to execute arbitrary code under the context of the 'root' user. Vulnerability Identifiers: Exodus Intelligence EIP-9ad27c94; MITRE CVE: TBD. Vulnerability Metrics: CVSSv2 Score 8.3. Vendor References ...
Project Zero
6/23/22 4:01 PM
The curious tale of a fake Carrier.app Posted by Ian Beer, Google Project Zero NOTE: This issue, CVE-2021-30983, was fixed in iOS ...
Praetorian
Relaying to ADFS Attacks
In this article, I detail my research into ADFS relaying attacks and share two tools we have developed for analyzing NTLM and targeting ADFS.
PortSwigger Research
Widespread prototype pollution gadgets
We recently launched a new version of DOM Invader that can find Client-Side Prototype Pollution (CSPP). If you're not already familiar with Client-Side Prototype Pollution, check out the post above. J
Reddit - HackerOne
high - Able to approve admin approval and change effective status without adding payment details . (5000.00USD)
## Summary: In https://ads.reddit.com/ you can create a campaign under which you can create ads. Once you create a new campaign, it is in the pending stage and will not be delivered unless you add payment details and it is reviewed by an admin and approved, according to what it says here: https://advertising.reddithelp.com/en/categories/ad-review/about-reddits-ad-review-process . But changing the value of...
Google Online Security Blog
Game on! The 2022 Google CTF is here.
Posted by Jan Keller, Technical Entertainment Manager, Bug Hunters Are you ready to put your hacking skills to the test? It's Google CTF ti...
Detectify Labs
Hack with ‘goodfaith’ – A tool to automate and scale good faith hacking
Hack with 'Goodfaith': A new tool that is intended to help hackers avoid generating traffic against out-of-scope targets and stay in scope.
Krisp - HackerOne
high - Authentication CSRF resulting in unauthorized account access on Krisp app
@yassineaboukir has identified and reported a CSRF issue in our desktop application's authentication flow affecting the account dashboard that could result in unauthorized access to a user account. We would like to thank Yassine Aboukir for reporting it responsibly to our bug bounty program!
Synacktiv
CCleaner forensics
During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attackers' actions. The following article aims to explore som
Enjin - HackerOne
high - Authentication token and CSRF token bypass (300.00USD)
@whiteshadow201 was able to illustrate a vulnerability, due to an overzealous set of CORS rules, where they could execute certain functions on behalf of another user. This was made possible due to a separate vulnerability, a CSRF bypass, that was possible by using the `GET` method to query the GraphQL interface. In order to remedy the problem, we restricted the GraphQL interface to only accept...
UPS VDP - HackerOne
high - Broken access control
## Summary: Hello UPS team, I've found a broken access control vulnerability in your sites. It allows me to access the admin panel of the support team, and I can view all requests within the site. Vulnerable domains: **connectnb.ups.com** ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. go to **connectnb.ups.com** 2. go to...
IBM - HackerOne
critical - sql injection via https://setup.p2p.ihost.com/
A SQL Injection against an IBM domain was reported to IBM, analyzed and has been remediated. Thank you to exploitmsf.
NCC Group Research
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
U-Boot is a popular boot loader for embedded systems with implementations for a large number of architectures, and is prominent in most Linux-based embedded systems such as ChromeOS and Android devices. Two vulnerabilities were uncovered in the IP defragmentation algorithm implemented in U-Boot, with links to the associated technical advisories below.
Zero Day Initiative
CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of the FreeBSD kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in
The GitHub Blog
The Android kernel mitigations obstacle race
In this post I'll exploit CVE-2022-22057, a use-after-free in the Qualcomm GPU kernel driver, to gain root and disable SELinux from the untrusted app sandbox on a Samsung Z Flip 3. I'll look at various mitigations that are implemented on modern Android devices and how they affect the exploit.
Praetorian
Chaining IAM Users with MFA with IAM Roles for Potential Privilege Escalation in AWS
Praetorian noted inconsistencies with documentation and permissions related to sts:GetSessionToken that enable AWS customers to overlook potential role chaining.
Detectify Labs
How to: Look for TLS private keys on Docker Hub
TL;DR: It's becoming increasingly easy to compromise sensitive information for attackers to take advantage of. In this post, Detectify security researcher Alfred Berg wrote about how one can hunt f...
security.lauritz-holtmann.de
Personal Access Token Disclosure in Asana Desktop Application
This post gives an insight into a sensitive data exposure vulnerability in Asana for Mac that was rated as P1 and was awarded a bounty. This was the very first report of that kind for me. Still, I think this type of deployment and build chain issue is more common than one may think.
Project Zero Bug Tracker
XNU: Flow Divert Race Condition Use After Free
talosintelligence.com
Blynk Blynk-Library BlynkConsole.h runCommand stack-based buffer overflow vulnerability
Discovered by Francesco Benvenuto of Cisco Talos. Summary: A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk-Library v1.0.1. A specially-cra...
talosintelligence.com
Anker Eufy Homebase 2 mips_collector appsrv_server use-after-free vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary: A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted...
talosintelligence.com
Bachmann Visutec GmbH Atvise License registration information disclosure vulnerability
Discovered by Martin Zeiser of Cisco Talos. Summary: An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A pl...
Project Zero
An Autopsy on a Zombie In-the-Wild 0-day
Posted by Maddie Stone, Google Project Zero Whenever there's a new in-the-wild 0-day disclosed, I'm very interested in understanding t...
Google Online Security Blog
SBOM in Action: finding vulnerabilities with a Software Bill of Materials
Posted by Brandon Lum and Oliver Chang, Google Open Source Security Team The past year has seen an industry-wide effort to embrace Software ...
Project Zero - Root Cause Analysis
CVE-2022-22620: Use-after-free in Safari
Information about 0-days exploited in-the-wild!
PortSwigger Research
Bypassing CSP with dangling iframes
Introduction Our Web Security Academy has a topic on dangling markup injection - a technique for exploiting sites protected by CSP. But something interesting happened when we came to update to Chrome
Project Zero Bug Tracker
Chrome: Incomplete fix for CVE-2022-1096
Project Zero Bug Tracker
Chrome: Missing bounds check in WebGPUDecoderImpl::DoRequestDevice
Diary of a Reverse-Engineer
Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup
Introduction Pwn2Own Austin 2021 was announced in August 2021 and introduced new categories, including printers. Based on our previous experience with printers, we decided to go after one of the th...
PlayStation - HackerOne
high - bd-j exploit chain (20000.00USD)
Hey PlayStation! Below are 5 vulnerabilities chained together that allow an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you :) ## Vulnerabilities ### [MEDIUM] [PS4] [PS5]...
The GitHub Blog
Implementing a robust digital identity
How can you robustly assert and identify a user's identity?
NCC Group Research
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories.
A Story of a Bug Found Fuzzing
A previous blog post covered automation and how great it is at finding memory issues. We also got some feedback to expand on fuzzing, so this post will cover how we came to develop a fuzzer and how it found its first security issue early in development. The main intention of this fuzzer is to use the signal from MSRC cases and see if it can find the next bug, following the same pattern, before it gets reported. The result was a cool browser fuzzer, and the experiment yielded interesting results. The Target: We noticed a pattern in recent memory corruption bugs affecting both Edge and Chromium where an extension was used as a proof of concept. This was particularly interesting to me because I looked at extensions a few years ago and only found logic bugs, and with an itch to make an experimental fuzzer, why not try to create an extension-based fuzzer for some variant hunting? Now that I have a general component (Web Extensions) as a target, where to start? When...
Project Zero Bug Tracker
Kik Messenger: XMPP stanza smuggling
NCC Group Research
Technical Advisory – FUJITSU CentricStor Control Center
On the 6th of April 2022, NCC Group's Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allow an attacker to gain remote code execution on the appliance w
Exodus Intelligence
Mitel 3300 Controller HTTP Buffer Overflow Vulnerability
EIP-c4542e4d. A stack-based buffer overflow vulnerability exists within multiple Mitel product web management interfaces, including the 3300 Controller and MiVoice Business product lines. Improper handling of the 'Lang' query parameter allows remote unauthenticated attackers to execute arbitrary code. Vulnerability Identifiers: Exodus Intelligence EIP-c4542e4d; MITRE CVE: TBD. Vulnerability Metrics: CVSSv2 Score 10.0. Vendor References: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0005 Discovery Credit ...
Exodus Intelligence
SalesAgility SuiteCRM ‘deleteAttachment’ Type Confusion Vulnerability
EIP-0077b802. A type confusion vulnerability exists within SalesAgility SuiteCRM in the processing of the 'module' parameter within the 'deleteAttachment' functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects, including changing the email address of the administrator. Vulnerability Identifiers: Exodus Intelligence EIP-0077b802; MITRE CVE: Pending. Vulnerability Metrics: CVSSv2 Score 9.7. Vendor References: https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6 Discovery Credit ...
curl - HackerOne
high - match
## Steps To Reproduce: The lib/telnet.c suboption function incorrectly checks the sscanf return value. Instead of checking that 2 elements are parsed, the code also continues if just one element matches: `if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {` As such it is possible to construct environment values that don't update the varval buffer and instead use the previous value. In...
Reddit - HackerOne
high - Several Subdomains Takeover
There are some subdomains of reddit.com that are vulnerable to subdomain takeover attacks. I found these subdomains while I was testing the subdomains of reddit.com. ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. create a user account on reddit.com. 2. there are some subdomains, as a sample: webcovid19.reddit.com (151.101.13.140); click on this subdomain. ...