Jonathan Munshaw
Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project
Check Point Research
stcpresearch
Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum
A disinformation campaign targets Moldova ahead of presidential elections and EU referendum
itm4n’s blog
itm4n
The PrintNightmare is not Over Yet
Following the publication of my blog post A Practical Guide to PrintNightmare in 2024, a few people brought to my attention that there was a way to bypass the Point and Print (PnP) restrictions recommended at the end. So, rather than just updating this article with a quick note, I decided to dig a little deeper, and see if I could find a better way to protect against the exploitation of PnP configurations.
Project Zero
Unknown
Effective Fuzzing: A Dav1d Case Study
Guest post by Nick Galloway, Senior Security Engineer, 20% time on Project Zero. Late in 2023, while working on a 20% project with Projec...
Talos - Vulnerability Reports
GNOME Project G Structured File Library (libgsf) Compound Document Binary File Sector Allocation Table integer overflow vulnerability
Talos - Vulnerability Reports
Veertu Anka Build registry archive files directory traversal vulnerability
Talos - Vulnerability Reports
Veertu Anka Build registry log files directory traversal vulnerability
Talos - Vulnerability Reports
Foxit Reader checkbox Calculate use-after-free vulnerability
Doyensec's Blog
Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges
02 Oct 2024 - Posted by Raúl Miján. In this post, we are going to explore a rarely discussed class of vulnerabilities in Ruby, known as **class pollution**. This concept is inspired by the idea of prototype...
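As an added illustration (written for this digest, not code from the Doyensec post), the following Ruby script shows the general shape of the bug class the title refers to: a "recursive merge" that copies attacker-controlled JSON into an object by walking keys with `send` and writing them with `instance_variable_set`. Because every object responds to `class` and every class to `superclass`, a payload can climb out of the instance into the class hierarchy and overwrite state shared by every instance. The `Settings` class, its `debug` flag, the payload and both merge functions are constructed for this example; the hardened variant shows the usual fix, an explicit attribute allowlist with no dynamic dispatch on untrusted keys.

```ruby
require 'json'

# Constructed stand-in for an application object. The class carries a class-level
# @debug flag (read through Settings.debug) that other code consults; that shared
# state is what a polluted class corrupts.
class Settings
  class << self
    attr_accessor :debug   # Settings.debug reads/writes @debug on the Settings class object
  end
  @debug = false

  attr_accessor :name, :theme
  def initialize
    @name  = 'default'
    @theme = 'light'
  end
end

# Vulnerable pattern: recursive merge driven entirely by attacker-chosen keys.
# A nested hash under key "class" recurses into target.send("class") => Settings,
# and under "superclass" into Object, so the writes land on class objects.
def unsafe_merge(target, attrs)
  attrs.each do |key, value|
    if value.is_a?(Hash) && target.respond_to?(key)
      unsafe_merge(target.send(key), value)
    else
      target.instance_variable_set("@#{key}", value)
    end
  end
  target
end

# Hardened pattern: only attributes named in an allowlist are writable, each with an
# expected type, and no attacker key is ever passed to send/respond_to?.
ALLOWED = { 'name' => String, 'theme' => String }.freeze

def safe_merge(target, attrs)
  attrs.each do |key, value|
    type = ALLOWED[key]
    raise ArgumentError, "unknown attribute #{key.inspect}" unless type
    raise ArgumentError, "wrong type for #{key}: #{value.class}" unless value.is_a?(type)
    target.instance_variable_set("@#{key}", value)
  end
  target
end

# Constructed payloads: the first flips the class-level flag on Settings, the second
# climbs one level further and plants an instance variable on Object itself.
ATTACK_CLASS  = '{"theme":"dark","class":{"debug":true}}'
ATTACK_OBJECT = '{"class":{"superclass":{"polluted":"yes"}}}'

def demo_unsafe_class_flag
  Settings.debug = false
  unsafe_merge(Settings.new, JSON.parse(ATTACK_CLASS))
  Settings.debug                      # true: the class, not just the instance, changed
end

def demo_unsafe_reach_object
  Object.remove_instance_variable(:@polluted) if Object.instance_variable_defined?(:@polluted)
  unsafe_merge(Settings.new, JSON.parse(ATTACK_OBJECT))
  Object.instance_variable_get(:@polluted)   # "yes": state was written on Object
end

# Returns [Settings.debug after the merge attempt, error message or nil].
def demo_safe
  Settings.debug = false
  safe_merge(Settings.new, JSON.parse(ATTACK_CLASS))
  [Settings.debug, nil]
rescue ArgumentError => e
  [Settings.debug, e.message]
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe merge, Settings.debug: #{demo_unsafe_class_flag.inspect}"
  puts "unsafe merge, Object @polluted: #{demo_unsafe_reach_object.inspect}"
  puts "safe merge: #{demo_safe.inspect}"
end
```

The point to take away is that the dangerous ingredient is not `instance_variable_set` by itself but letting untrusted keys choose the receiver through `send`; once a merge can re-target itself to a class object, every later instance inherits the attacker's values.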
GitHub
rcorrea35
OpenTelemetry: AWS Firehose Receiver Vulnerability
### Summary OpenTelemetry Collector module [awsfirehosereceiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver) allows unauthenticated re...
Check Point Research
shlomoo@checkpoint.com
Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks
Research by: Jiri Vinopal Have you ever wondered why there are so many vulnerable drivers and what might be causing them to be vulnerable? Do you want to understand why some drivers are prone to crossing security boundaries and how we can stop that? Vulnerable drivers not only put the system where they are installed at […]
Check Point Research
alexeybu
WalletConnect Scam: A Case Study in Crypto Drainer Tactics
Crypto drainers are malicious tools that steal digital assets like NFTs and tokens from cryptocurrency wallets. They often use phishing techniques and leverage smart contracts to enhance their impact. Typically, users are tricked into visiting phishing websites that mimic legitimate cryptocurrency platforms. Drainers then initiate fraudulent transactions and deceive users into signing […]
Jonathan Munshaw
Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC
Check Point Research
benhe
10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More
Introduction DLL Hijacking — a technique for forcing legitimate applications to run malicious code — has been in use for about a decade at least. In this write-up we give a short introduction to the technique of DLL Hijacking, followed by a digest of several dozen documented uses of that technique over the past decade […]
Synacktiv
Fuzzing confused dependencies with Depfuzzer
In the landscape of software development, leveraging open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust has become standard practice. This approach facilitates the rapid integration of diverse...
Talos - Vulnerability Reports
Microsoft Pragmatic General Multicast Server PgmCloseConnection stale memory dereference
Android Offensive Security Blog
Presentations
Speakers: Farzan Karimi, Xuan Xing, Eugene Rodionov, Christopher Cole. Demonstration of Code Execution in the Titan M2 and Android Bootloader (details, slides). Speakers: Eugene Rodionov, Will Deacon. Red Team methodologies used to secure attack surface on the pKVM hypervisor....
Android Offensive Security Blog
About
The Android Red Team, comprised of security engineers and developers, aims to safeguard Android users by identifying and mitigating critical vulnerabilities before they are exploited. Our team accomplishes this by replicating the tactics and techniques used by attackers, as well as...
Embrace The Red
Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware)
The ChatGPT iOS and macOS versions were vulnerable to persistent data exfiltration. This is the story behind finding the issue and getting it fixed.
Shielder
A Journey From `sudo iptables` To Local Privilege Escalation
In this post, we demonstrate two techniques allowing a low privileged user to escalate their privileges to root in case they can run iptables and/or iptables-save as
samcurry.net
Hacking Kia: Remotely Controlling Cars With Just a License Plate
On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
Android Offensive Security Blog
Binder Internals
In our last blog, we talked about Binder CVE-2023-20938 and how we exploited it to get kernel code execution. As you may have already noticed, exploiting this issue is not straightforward. While it is often true that kernel race conditions are notoriously...
Doyensec's Blog
Applying Security Engineering to Make Phishing Harder - A Case Study
19 Sep 2024 - Posted by Szymon Drosdzol. Recently Doyensec was hired by a client offering a “Communication Platform as a Service”. This platform allows their clients to craft a customer service experience...
Talos - Vulnerability Reports
OpenPLC OpenPLC_v3 OpenPLC Runtime EtherNet/IP parser stack-based buffer overflow vulnerability
Talos - Vulnerability Reports
OpenPLC OpenPLC_v3 OpenPLC Runtime EtherNet/IP PCCC out-of-bounds read vulnerability
Talos - Vulnerability Reports
OpenPLC OpenPLC_v3 OpenPLC Runtime EtherNet/IP parser invalid pointer dereference vulnerabilities
github - HackerOne
[GitHub] high - Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in ghe-update-check (10000.00USD)
github - HackerOne
[GitHub] high - Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in collectd (10000.00USD)
github - HackerOne
[GitHub] high - Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in actions-console (10000.00USD)
HackerOne Recently Disclosed
gmaerx
[mycompany VDP] critical - This test report has been disclosed by 20_root. If you are a triager looking at this report Act ASAP.
mtn_group - HackerOne
[MTN Group] critical - Authentication Bypass Leads To Complete Account Takeover on ██████████
Summary: Hello Team, when an invalid email address/password is entered, the Web Application will not authenticate the user. Nevertheless, it is conceivable for an attacker to get around authentication and log in as anyone else, leading to Complete Account Takeover. Steps To...
github - HackerOne
[GitHub] high - Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection and audit-forward (10000.00USD)
github - HackerOne
[GitHub] high - Privilege Escalation to Root SSH Access via Pre-Receive Hook Environment in GitHub Enterprise Server (10000.00USD)
github - HackerOne
[GitHub] high - Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection (10000.00USD)
github - HackerOne
[GitHub] high - Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in syslog-ng (10000.00USD)
MDSec
Admin
Finding DORA
Synacktiv
Defend against vampires with 10 gbps network encryption
Discover how attackers can sniff your data on network cables and how you can defend against it, by encrypting on-the-fly all your ethernet traffic with very good performance. Keywords: wireguard, vxlan, tapping, fiber optics, lan2lan,...
GitHub
rcorrea35
Eaton: Hardcoded SSH root password in XC-303 firmware
Summary: An attacker with network access to an XC-303 PLC running firmware below 3.5.17 Bugfix 1 can log in as root over SSH. The root password is hardcoded in the firmware. Severity: Crit...
Talos - Vulnerability Reports
Microsoft High Definition Audio Bus Driver HDAudBus_DMA multiple irp complete requests vulnerability
Check Point Research
samanthar@checkpoint.com
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Veaty and Spearal, a new set of malware connected to Iranian sources, were found attacking Iraqi governmental infrastructures
Jonathan Munshaw
Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API
watchTowr Labs - Blog
We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary: What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel rooms - has now seemingly become a major incident. We recently performed research that started off "well-intentioned" (or as well-intentioned as we ever are) - to make vulnerabilities in WHOIS clients and how they parse responses from WHOIS server
Talos - Vulnerability Reports
Microsoft Windows 10 AllJoyn Router Service information disclosure vulnerability
Rhino Security Labs
John De Armas
CloudGoat Official Walkthrough Series: ‘glue_privesc’
Talos - Vulnerability Reports
Adobe Acrobat Reader Annotation Object Page Race Condition Vulnerability
watchTowr Labs - Blog
Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711)
Every sysadmin is familiar with Veeam's enterprise-oriented backup solution, 'Veeam Backup & Replication'. Unfortunately, so is every ransomware operator, given its somewhat 'privileged position' in the storage world of most enterprises' networks. There's no point deploying cryptolocker malware on a target unless you can also deny access to backups, and so, this class of attackers absolutely loves to break this particular software. With so many eyes focussed on it, then, it is no huge surprise
mercadolibre - HackerOne
[MercadoLibre] high - Stored XSS in reclamos
Summary: After initiating a purchase claim, when sending chat messages it is possible to include HTML tags, resulting in Stored XSS. Description: The following request adds a comment with the XSS payload: POST...
chris
FreeBSD 11.0+ Kernel LPE: Userspace Mutexes (umtx) Use-After-Free Race Condition
Since 11.0-RELEASE, the FreeBSD kernel contained a race condition vulnerability in the `_umtx_op` syscall leading to an exploitable use-after-free. It affects up to and including the latest...