MTN Group - HackerOne
high - [] Multiple vulnerabilities allow to Application level DoS
**Issue Description** Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. The vulnerability is registered as [CVE-2018-6389] #761722 #752010 #753491 #335177 **CVE ID Risk Score** [CVE-2018-6389...
Internet Bug Bounty - HackerOne
high - CVE-2021-3711: SM2 decrypt buffer overflow (2000.00USD)
OpenSSL Advisory:
Casting exploit analysis as a Weird Machine reconstruction problem
Exploits constitute malware in the form of application inputs. They take advantage of security vulnerabilities inside programs in order to yield execution control to attackers. The root cause of successful exploitation lies in emergent functionality introduced when programs are compiled and loaded in memory for execution, called `Weird Machines' (WMs). Essentially WMs are unexpected virtual machines that execute attackers' bytecode, complicating malware analysis whenever the bytecode set is unknown. We take the direction that WM bytecode is best understood at the level of the process memory layout attained by exploit execution. Each step building towards this memory layout comprises an exploit primitive, an exploit's basic building block. This work presents a WM reconstruction algorithm that works by identifying pre-defined exploit primitive-related behaviour during the dynamic analysis of target binaries, associating it with the responsible exploit segment - the WM bytecode. In this...
Tor - HackerOne
high - Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
NOTE: This is a correlation attack and requires a sophisticated attacker to perform. A complicated attack would require physical access to the device running tor browser, as well as either operating rogue/bad exit nodes, or a compromised/fake hidden service, or combination of that. ### Title CVE-2021-39246 - Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack...
Exodus Intelligence
SolarWinds Serv-u File Server Command Injection
EIP-2020-0032 The Serv-U File Server supports site specific commands which may not be universally supported by all FTP clients. Among these is the SITE EXEC command which allows a user to execute programs and scripts remotely, if the execute permission is present on the folder where a given program / script resides. A command injection vulnerability ... Read more
GitHub Security Lab
Chrome in-the-wild bug analysis: CVE-2021-30632
This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. Ill cover the root cause analysis of the bug, as well as detailed exploitation.
Vronicle: A System for Producing Videos with Verifiable Provenance
Demonstrating the veracity of videos is a longstanding problem that has recently become more urgent and acute. It is extremely hard to accurately detect manipulated videos using content analysis, especially in the face of subtle, yet effective, manipulations, such as frame rate changes or skin tone adjustments. One prominent alternative to content analysis is to securely embed provenance information into videos. However, prior approaches have poor performance and/or granularity that is too coarse. To this end, we construct Vronicle -- a video provenance system that offers fine-grained provenance information and substantially better performance. It allows a video consumer to authenticate the camera that originated the video and the exact sequence of video filters that were subsequently applied to it. Vronicle exploits the increasing popularity and availability of Trusted Execution Environments (TEEs) on many types of computing platforms. One contribution of Vronicle is the design of...
MTN Group - HackerOne
high - Reflected Cross-Site scripting in :
Writeup :
MixNN: Protection of Federated Learning Against Inference Attacks by Mixing Neural Network Layers
Machine Learning (ML) has emerged as a core technology to provide learning models to perform complex tasks. Boosted by Machine Learning as a Service (MLaaS), the number of applications relying on ML capabilities is ever increasing. However, ML models are the source of different privacy violations through passive or active attacks from different entities. In this paper, we present MixNN a proxy-based privacy-preserving system for federated learning to protect the privacy of participants against a curious or malicious aggregation server trying to infer sensitive attributes. MixNN receives the model updates from participants and mixes layers between participants before sending the mixed updates to the aggregation server. This mixing strategy drastically reduces privacy without any trade-off with utility. Indeed, mixing the updates of the model has no impact on the result of the aggregation of the updates computed by the server. We experimentally evaluate MixNN and design a new attribute...
Finding Number Related Memory Corruption Vulns
Maxwell Dulin () Blog Loading... Maxwell Dulin Email me! Twitter Github Admin Blog RSS Feed Resources RSS Feed
Redtube - HackerOne
critical - Deserialization of untrusted data at (10000.00USD)
The researcher was able to exploit a PHP Object Injection vulnerability which allowed him to execute remote commands on the server.
A Generative Federated Learning Framework for Differential Privacy
In machine learning, differential privacy and federated learning concepts are gaining more and more importance in an increasingly interconnected world. While the former refers to the sharing of private data characterized by strict security rules to protect individual privacy, the latter refers to distributed learning techniques in which a central server exchanges information with different clients for machine learning purposes. In recent years, many studies have shown the possibility of bypassing the privacy shields of these systems and exploiting the vulnerabilities of machine learning models, making them leak the information with which they have been trained. In this work, we present the 3DGL framework, an alternative to the current federated learning paradigms. Its goal is to share generative models with high levels of $\varepsilon$-differential privacy. In addition, we propose DDP-$$VAE, a deep generative model capable of generating synthetic data with high levels of utility and...
Learning Generative Deception Strategies in Combinatorial Masking Games
Deception is a crucial tool in the cyberdefence repertoire, enabling defenders to leverage their informational advantage to reduce the likelihood of successful attacks. One way deception can be employed is through obscuring, or masking, some of the information about how systems are configured, increasing attacker's uncertainty about their targets. We present a novel game-theoretic model of the resulting defender-attacker interaction, where the defender chooses a subset of attributes to mask, while the attacker responds by choosing an exploit to execute. The strategies of both players have combinatorial structure with complex informational dependencies, and therefore even representing these strategies is not trivial. First, we show that the problem of computing an equilibrium of the resulting zero-sum defender-attacker game can be represented as a linear program with a combinatorial number of system configuration variables and constraints, and develop a constraint generation approach...
Cisco Talos Intelligence Group
Vulnerability Spotlight: Information disclosure vulnerability in D-LINK DIR-3040 mesh router
error code: 1020
Finite-key Analysis for Quantum Conference Key Agreement with Asymmetric Channels
As an essential ingredient of quantum networks, quantum conference key agreement (QCKA) provides unconditional secret keys among multiple parties, which enables only legitimate users to decrypt the encrypted message. Recently, some QCKA protocols employing twin-field was proposed to promote transmission distance. These protocols, however, suffer from relatively low conference key rate and short transmission distance over asymmetric channels, which demands a prompt solution in practice. Here, we consider a tripartite QCKA protocol utilizing the idea of sending-or-not-sending twin-field scheme and propose a high-efficiency QCKA over asymmetric channels by removing the symmetry parameters condition. Besides, we provide a composable finite-key analysis with rigorous security proof against general attacks by exploiting the entropic uncertainty relation for multiparty system. Our protocol greatly improves the feasibility to establish conference keys over asymmetric channels.
Zomato - HackerOne
high - [Zomato Order] Insecure deeplink leads to sensitive information disclosure (750.00USD)
Hello, i want to report the vulnerability found, Since the following activity `com.application.zomato.activities.DeepLinkRouter` has `exported="true"` it can be exploited by another application. ###Application Information Application: [Zomato Order - Food Delivery App]( Package Name:...
Concrete CMS - HackerOne
high - Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
Hi, I noticed that concrete5 fetches the update JSON scheme from over HTTP. The fetched json defines the download URL, so we can simply tamper with this JSON in order to make the update URL point to a server controlled by us. Combining this with the possibility to set an arbitrary proxy for outgoing communications leads to RCE. Privileges required:...
Who are the arbitrageurs? Empirical evidence from Bitcoin traders in the Mt. Gox exchange platform
We mine the leaked history of trades on Mt. Gox, the dominant Bitcoin exchange from 2011 to early 2014, to detect the triangular arbitrage activity conducted within the platform. The availability of user identifiers per trade allows us to focus on the historical record of 440 investors, detected as arbitrageurs, and consequently to describe their trading behavior. We begin by showing that a considerable difference appears between arbitrageurs when indicators of their expertise are taken into account. In particular, we distinguish between those who conducted arbitrage in a single or in multiple markets: using this element as a proxy for trade ability, we find that arbitrage actions performed by expert users are on average non-profitable when transaction costs are accounted for, while skilled investors conduct arbitrage at a positive and statistically significant premium. Next, we show that specific trading strategies, such as splitting orders or conducting arbitrage non aggressively,...
Google Security Blog
Distroless Builds Are Now SLSA 2
Posted by Priya Wadhwa and Appu Goundan, Google Open Source Security Team A few months ago we announced that we started signing all distrole...
Zero Day Initiative
CVE-2021-26084: Details on the Recently Exploited Atlassian Confluence OGNL Injection Bug
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Yazhi Wang of the Trend Micro Research Team detail a recent code injection bug in the Atlassian Confluence server. Since the publication of the vendor advisory, U.S. Cybercom has reported that mas
Kernel Vmalloc Use-After-Free in the ION Allocator
Vmalloc Use-After-Free in the ION/DMA-Buff subsystems
Brave Software - HackerOne
high - Information disclosure
Vulnerability tested on:- Brave 1.29.81 Chromium: 93.0.4577.82 (Official Build) (64-bit) Vulnerability description:- For security measures and for privacy purposes, Brave has the ability to open a normal tab of the Brave when we navigate to: `chrome://wallet`, `chrome://history` etc. due to the reason that Tor should be blocking privileged URIs like `file:///`, `chrome://` etc. When we open...
Valve - HackerOne
high - Big Picture web browser leaks login cookies and discloses sensitive information (may lead to account takeover) (2500.00USD)
Researcher reported an issue where certain secure cookies would be included in a web request initiated through Steam Big Picture mode that was initially to a trusted origin but subsequently forwarded to a site on a different origin.
Valve - HackerOne
critical - Access to microtransaction sales data for lots of apps from 2014 to present at /valvefinance/sanity/
The Steamworks Product Data web site had an URL route with insufficient access controls, which would allow an authenticated partner to view data for games which they might not otherwise have permissions to view. After mitigation, an audit of accesses to this URL route showed no accesses by parties other than Valve or the reporter of this issue.
Project Zero Bug Tracker
Chrome: Data race in HRTFDatabaseLoader::WaitForLoaderThreadCompletion
Google Security Blog
An update on Memory Safety in Chrome
Adrian Taylor, Andrew Whalley, Dana Jansens and Nasko Oskov, Chrome security team Security is a cat-and-mouse game. As attackers innovate...
MITOSIS: Practically Scaling Permissioned Blockchains
Scalability remains one of the biggest challenges to the adoption of permissioned blockchain technologies for large-scale deployments. Permissioned blockchains typically exhibit low latencies, compared to permissionless deployments -- however at the cost of poor scalability. Various solutions were proposed to capture "the best of both worlds", targeting low latency and high scalability simultaneously, the most prominent technique being blockchain sharding. However, most existing sharding proposals exploit features of the permissionless model and are therefore restricted to cryptocurrency applications. We present MITOSIS, a novel approach to practically improve scalability of permissioned blockchains. Our system allows the dynamic creation of blockchains, as more participants join the system, to meet practical scalability requirements. Crucially, it enables the division of an existing blockchain (and its participants) into two -- reminiscent of mitosis, the biological process of cell...
Incident Response Best Practices: Building an Evidence Wiki
An evidence wiki is a collection of resources that an organization has access to that can be used to create an incident response timeline.
Rhino Security Labs
CVE-2021-38112: AWS WorkSpaces Remote Code Execution
This blog post details a vulnerability Rhino Security Labs found in AWS WorkSpaces desktop client, tracked as CVE-2021-38112
Mama Always Told Me Not to Trust Strangers without Certificates
Introduction This blog post details a vulnerability, the exploitation of which results in Remote Code Execution (RCE) as root, that impacts...
SSD Secure Disclosure
SSD Advisory – macOS Finder RCE
TL;DR Find out how a vulnerability in macOS Finder system allows remote attackers to trick users into running arbitrary commands. Vulnerability Summary A […]
DeSMP: Differential Privacy-exploited Stealthy Model Poisoning Attacks in Federated Learning
Federated learning (FL) has become an emerging machine learning technique lately due to its efficacy in safeguarding the client's confidential information. Nevertheless, despite the inherent and additional privacy-preserving mechanisms (e.g., differential privacy, secure multi-party computation, etc.), the FL models are still vulnerable to various privacy-violating and security-compromising attacks (e.g., data or model poisoning) due to their numerous attack vectors which in turn, make the models either ineffective or sub-optimal. Existing adversarial models focusing on untargeted model poisoning attacks are not enough stealthy and persistent at the same time because of their conflicting nature (large scale attacks are easier to detect and vice versa) and thus, remain an unsolved research problem in this adversarial learning paradigm. Considering this, in this paper, we analyze this adversarial learning process in an FL setting and show that a stealthy and persistent model poisoning...
GitHub Security Lab
Apache Dubbo: All roads lead to RCE
During an audit of Apache Dubbo v2.7.8 source code, I found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers. In this blog post I detailed how I leveraged CodeQL as an audit oracle to help me find these issues.
GitHub Security Lab - HackerOne
high - New experimental query: Clipboard-based XSS
Blockchain Security by Design Framework for Trust and Adoption in IoT Environment
With the recent advances of IoT (Internet of Things) new and more robust security frameworks are needed to detect and mitigate new forms of cyber-attacks, which exploit complex and heterogeneity IoT networks, as well as, the existence of many vulnerabilities in IoT devices. With the rise of blockchain technologies service providers pay considerable attention to better understand and adopt blockchain technologies in order to have better secure and trusted systems for own organisations and their customers. The present paper introduces a high level guide for the senior officials and decision makers in the organisations and technology managers for blockchain security framework by design principle for trust and adoption in IoT environments. The paper discusses Cyber-Trust project blockchain technology development as a representative case study for offered security framework. Security and privacy by design approach is introduced as an important consideration in setting up the framework.
Exodus Intelligence
Adobe Acrobat Reader Base URI Unicode String Heap Buffer Overflow
EXP-2021-0014 A heap buffer overflow vulnerability exists in the IA32.api module of Adobe Acrobat and Acrobat Reader DC. Upon parsing a specially crafted PDF document containing URI entries with URI dictionaries and a specially crafted base URL defined with raw Unicode strings can trigger the vulnerability to achieve remote code execution. Vulnerability Identifiers Exodus Intelligence: ... Read more
Anti-Neuron Watermarking: Protecting Personal Data Against Unauthorized Neural Model Training
In this paper, we raise up an emerging personal data protection problem where user personal data (e.g. images) could be inappropriately exploited to train deep neural network models without authorization. To solve this problem, we revisit traditional watermarking in advanced machine learning settings. By embedding a watermarking signature using specialized linear color transformation to user images, neural models will be imprinted with such a signature if training data include watermarked images. Then, a third-party verifier can verify potential unauthorized usage by inferring the watermark signature from neural models. We further explore the desired properties of watermarking and signature space for convincing verification. Through extensive experiments, we show empirically that linear color transformation is effective in protecting user's personal images for various realistic settings. To the best of our knowledge, this is the first work to protect users' personal data from...
Exodus Intelligence
McAfee DLP Agent Stack Buffer Overflow RCE
EIP-2015-0041 The vulnerability affects both Data Loss Prevention (DLP) Endpoint for Windows and the DLP Discover products from McAfee. The vulnerability is present within the included lasr.dll module, which is part of the Keyview SDK3 , and is responsible for parsing Ami Pro (.sam) files during server content inspection. A file format parsing vulnerability results in ... Read more
Cracking Radmin Server 3 passwords
Reverse-engineering a hashing mechanism and optimizing password cracking
PortSwigger Research
Hunting nonce-based CSP bypasses with dynamic analysis
You might recall our post on a CSP bypass in PayPal; they used an allow list policy and we demonstrated how that was insecure but what about the other side of the coin? Nonce based policies are more s
Topcoder - HackerOne
critical - SSRF to AWS file read
## Summary: after seeing the disclosure it looks like the bug was not fixed properly ## Steps To Reproduce: copy and paste the request below and paste it into Burpsuite repeater `GET /community-app-assets/api/proxy-post?url=http%3A%2F%2F169.254.169.254%2F/latest/meta-data/iam/security-credentials/ecsInstanceRole%3Fu%3D65bd5a1857b73643aad556093%26amp%3Bid%3D934e9ffdc5 HTTP/1.1 Host:...
Threat Brief: OMI Vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649)
Four critical OMI vulnerabilities one unauthorized RCE and three privilege escalation were recently disclosed. Heres how to remediate them.
10 Common Security Issues when Migrating from On Premises to Azure
An overview of the most common security risks when migrating to Microsoft Azure including best practices for resolution.
Google Security Blog
Google Supports Open Source Technology Improvement Fund
Posted by Kaylin Trychon, Google Open Source Security Team We recently pledged to provide $100 million to support third-party foundations...
GitLab - HackerOne
high - Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" (3000.00USD)
### Summary A stored XXS exists in the main page of a `project`. By changing the "default branch name" of a group a malicious user can inject arbitrary JavaScript into the main page of a project. Any user that is either at least developer of the project, or an administrator of the GitLab instance, and access the project URL will trigger the payload. The field "default branch name" under...
Flickr - HackerOne
high - CSRF in Account Deletion feature (
CSRF was missing in Account Deletion form due to switching login providers. @asad0x01_ found the vulnerability and reported it concisely, even with a video POC. The issue was fixed with 60 days, but we were slow to resolve the ticket and disclose.
NCC Group Research
Shellshock Advisory
This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to for posterity. Shellshock Advisory 25 Sep 2014 iSEC
Project Zero
Fuzzing Closed-Source JavaScript Engines with Coverage Feedback
Posted by Ivan Fratric, Project Zero tl;dr I combined Fuzzilli (an open-source JavaScript engine fuzzer), with TinyInst (an open-sou...
NCC Group Research
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
In PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code.
Valve - HackerOne
critical - Buffer overrun in Steam SILK voice decoder (7500.00USD)
#Vulnerability The SteamWorks SDK has a function available named [DecompressVoice()](, which takes as input some compressed voice data, and returns the raw audio data. The format for the input voice data is as follows: ``` 8 bytes - steamid 1 byte - payload type 2 bytes - payload size <payload data> 4 bytes - CRC...