Home
Maxwell Dulin () Blog Loading... Maxwell Dulin Email me! Twitter Github Admin Blog RSS Feed Resources RSS Feed
** crayons **
## Description
The `bFilename` parameter in the scenario `index.php/ccm/system/dialogs/block/design/submit` is vulnerable to remote code execution via path traversal vulnerability. Authenticated attacker with rights to edit web application pages can upload malicious PNG file containing PHP code using any attachment upload functions (for example in comment section of the blog) and...
Today, we are announcing the inclusion of the beta version of the Western Digital 3TB My Cloud Home Personal Cloud in our upcoming Pwn2Own Austin competition. Normally, devices under test are updated to the most recent publicly available patch level. This is still the case. However, our partners o
Snowcat is an open source static analysis security tool (SAST), and the world's first dedicated security scanner for Istio.
Intro Last year, during lockdown, many discovered the importance of PDF forms when having to deal remotely with administrations and large organizations like banks. Firefox supported displaying PDF forms, but ...
Information about 0-days exploited in-the-wild!
Recently I've been interested in 3D CSS and I wanted to learn more about it. I was inspired by Amit Sheen's CodePen's and decided to build my own 3D world. This was a great learning experience because
Discovered by a member of Cisco Talos. Summary An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a reference ...
Discovered by a member of Cisco Talos. Summary An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object...
Discovered by Marcin 'Icewall' Noga of Cisco Talos. Details Microsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of ...
## Summary:
parserse_base_utils.h:197
const unsigned char tmp = isx[(int)*++it];
Int type will cause the array subscript to appear negative and read wrong data,
Solution:
const unsigned char tmp = isx[(unsigned char)*++it];
## Releases Affected:
* up to date version on github
## Steps To Reproduce:
[add details for how we can reproduce the issue]
\#include <iostream>
\#include...
The researcher found a vulnerability where an attacker could impersonate other users.
I usually write about achievements in the form of a browser bug that I found interesting, in hopes that someone reading will find it useful in their own bug hunting pursuits. However, in this blog post I will be going into the differences between bug hunting as a hobby and vulnerability research as a job. I will go through my regrets, surprises, and other advice.
Discovered by Lilith >_> of Cisco Talos. Summary A heap-based buffer overflow vulnerability exists in the pushMuxer processRtspInfo functionality of Anker Eufy Homebase 2 2.1.6.9h. A specially-craf...
Discovered by Lilith >_> of Cisco Talos. Summary A use-after-free vulnerability exists in the pushMuxer CreatePushThread functionality of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of ...
A few months ago I wrote this post about the introduction of I/O Rings in Windows. After publishing it a few people asked for a comparison of the Windows I/O Ring and the Linux io_uring, so I decid...
Quantum computing.
In June of 2021, Microsoft released a patch to correct CVE-20 21-264 20 a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI- 21-7 55 . This blog takes a deeper look
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
The IP has a SSL certificate pointing to ElasticSearch.
``curl -kv https://52.204.160.31``
Output
```
Server certificate:
* subject: C=US; ST=California; L=Mountain...
NCC Group Technical Advisory: Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
## Timeline
| Timeline | Action |
|---|---|
| Thu, 24 Sep 2020, 12:10 IST | Researcher submitted the report on H1 with initial severity as High. |
| Thu, 24 Sep 2020, 12:32 IST | First response - we asked for clarification via demonstration on attack scenarios. Parallelly, we began our own investigation. |
| Thu, 24 Sep 2020, 14:44 IST | Researcher provided additional clarification as...
Learn how to write and execute Incident Response Playbooks, an invaluable resource for handling a potential threat or suspicious event.
Posted by Sam Heft-Luthy, Product Manager, Privacy & Data Protection Office What happens to our digital accounts when we stop using them? I...
Technical Advisory NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893) by Balazs Bucsay @xoreipeip
By Sergi Martinez In late June, we published a blog post containing analysis of exploitation of a heap-buffer overflow vulnerability in Adobe Reader, a vulnerability that we thought corresponded to CVE-2021-21017. The starting point for the research was a publicly posted proof-of-concept containing root-cause analysis. Soon after publishing the blog post, we learnt that the ... Read more
## Summary:
Using a flaw in the gossip protocol, a malicious shard member can trick any other fellow shard member into signing an arbitrary message. One way this can be exploited is by creating a transaction transferring funds from the account corresponding to a target node's public key; having the target node sign the transaction data; and then submitting the valid signed transaction to the...
Introduction In my previous blog post, I wrote about how I found a Gatekeeper bypass vulnerability in how archive files are unpacked with Archive Utility. This post analyses the issue in more detai...
TL;DR When extracted by Archive Utility, file paths longer than 886 characters would fail to inherit the com.apple.quarantine extended attribute, making it possible to bypass Gatekeeper for those f...
Posted by Meder Kydyraliev and Kim Lewandowski, Google Open Source Security Team Over the past year we have made a number of investments to ...
Here are 10 types of web vulnerabilities that are often missed. In fact, you probably aren't looking for them at the moment!
In this post, Ill exploit a use-after-free (CVE-2021-30528) in the Chrome browser process that I reported to escape the Chrome sandbox. This is a fairly interesting bug that shows some of the subtleties involved in the interactions between C++ and Java in the Android version of Chrome.
Description These bugs could allow malicious actors who owns Android Applications installed in the victim device alongside Facebook owned Android Applications ( Workplace, Facebook, Messenger .. ) ...
Information about 0-days exploited in-the-wild!
(This is part 2 of a three part series. To view part 1, click here ) Network Configuration This part in the three-part "Geeking Out on IBM ...
Technical Advisory - Garuda Linux Insecure User Creation (CVE-2021-3784)
Or: The C Language Itself is a Security Risk, Exhibit #958,738 This post is aimed at people who are developers but who do not know C or low-level details ...
In February 2021, we had the opportunity to assess the HyperFlex HX platform from Cisco during a routine customer engagement. This resulted in the detection of three significant vulnerabilities. In this article we discuss our findings and will explain why they exist in the platform, how they can be exploited and the significance of these []
HTTP Request Smuggling is a technique to desync the sequence in which HTTP requests and responses are processed. This particular vulnerability abuses the CLTE variant of HTTP Request Smuggling as described in [PortSwigger's blog](https://portswigger.net/web-security/request-smuggling). The domain api.flocktory.com was found to be vulnerable to this attack through [Defparam's smuggler...
OS credential dumping techniques that an attacker may use to extract credentials from the Windows Registry with local Administrator privileges.
Posted by Guoli Ma, Sebastian Lekies & Claudio Criscione, Google Vulnerability Management Team One year ago, we published the Tsunami secur...
**Issue Description**
Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
The vulnerability is registered as [CVE-2018-6389] #761722 #752010 #753491 #335177
**CVE ID Risk Score**
[CVE-2018-6389...
OpenSSL Advisory: https://www.openssl.org/news/secadv/20210824.txt
NOTE: This is a correlation attack and requires a sophisticated attacker to perform. A complicated attack would require physical access to the device running tor browser, as well as either operating rogue/bad exit nodes, or a compromised/fake hidden service, or combination of that.
NOTE2: Title is incorrect. The logs are always stored and can be viewed with or without flags.
###...
EIP-2020-0032 The Serv-U File Server supports site specific commands which may not be universally supported by all FTP clients. Among these is the SITE EXEC command which allows a user to execute programs and scripts remotely, if the execute permission is present on the folder where a given program / script resides. A command injection vulnerability ... Read more
This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. Ill cover the root cause analysis of the bug, as well as detailed exploitation.
Writeup :
https://alimanshester.medium.com/how-i-found-7-xss-vulnerabilities-in-filename-reflecting-6347279ee82a
Maxwell Dulin () Blog Loading... Maxwell Dulin Email me! Twitter Github Admin Blog RSS Feed Resources RSS Feed