House of IO - Heap Reuse
Concrete CMS - HackerOne
high - Authenticated path traversal to RCE
** crayons ** ## Description The `bFilename` parameter in the scenario `index.php/ccm/system/dialogs/block/design/submit` is vulnerable to remote code execution via a path traversal vulnerability. An authenticated attacker with rights to edit web application pages can upload a malicious PNG file containing PHP code using any attachment upload function (for example in the comment section of the blog) and...
Zero Day Initiative
Adding a Beta NAS Device to Pwn2Own Austin
Today, we are announcing the inclusion of the beta version of the Western Digital 3TB My Cloud Home Personal Cloud in our upcoming Pwn2Own Austin competition. Normally, devices under test are updated to the most recent publicly available patch level. This is still the case. However, our partners o
Introducing Snowcat: World’s First Dedicated Security Scanner for Istio
Snowcat is an open source static analysis security tool (SAST), and the world's first dedicated security scanner for Istio.
Attack & Defense
Implementing form filling and accessibility in the Firefox PDF viewer
Intro Last year, during lockdown, many discovered the importance of PDF forms when having to deal remotely with administrations and large organizations like banks. Firefox supported displaying PDF forms, but ...
Project Zero Bug Tracker
WebKit: heap-use-after-free in EventHandler::keyEvent
Project Zero Bug Tracker
WebKit: heap-use-after-free in PointerCaptureController::processPendingPointerCapture
Project Zero Bug Tracker
WebKit: heap-use-after-free in DOMWindow::open
Project Zero - Root Cause Analysis
CVE-2021-30858: Use-after-free in WebKit
Information about 0-days exploited in-the-wild!
PortSwigger Research
Creating a 3D world in pure CSS
Recently I've been interested in 3D CSS and I wanted to learn more about it. I was inspired by Amit Sheen's CodePen's and decided to build my own 3D world. This was a great learning experience because
Nitro Pro PDF JavaScript TimeOutObject double free vulnerability
Discovered by a member of Cisco Talos. Summary An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a reference ...
Nitro Pro PDF JavaScript local_file_path Object use-after-free vulnerability
Discovered by a member of Cisco Talos. Summary An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object...
Microsoft Office Excel 2019/365 ConditionalFormatting code execution vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. Details Microsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of ...
Monero - HackerOne
high - Array Index Underflow--http rpc
## Summary: parserse_base_utils.h:197 const unsigned char tmp = isx[(int)*++it]; Int type will cause the array subscript to appear negative and read wrong data, Solution: const unsigned char tmp = isx[(unsigned char)*++it]; ## Releases Affected: * up to date version on github ## Steps To Reproduce: [add details for how we can reproduce the issue] #include <iostream> #include...
Rocket.Chat - HackerOne
critical - Custom crafted message object in Meteor.Call allows remote code execution and impersonation
The researcher found a vulnerability where an attacker could impersonate other users.
Bug bounty hunter to working at Microsoft
I usually write about achievements in the form of a browser bug that I found interesting, in hopes that someone reading will find it useful in their own bug hunting pursuits. However, in this blog post I will be going into the differences between bug hunting as a hobby and vulnerability research as a job. I will go through my regrets, surprises, and other advice.
Anker Eufy Homebase 2 pushMuxer processRtspInfo heap buffer overflow vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary A heap-based buffer overflow vulnerability exists in the pushMuxer processRtspInfo functionality of Anker Eufy Homebase 2. A specially-craf...
Anker Eufy Homebase 2 pushMuxer CreatePushThread use-after-free vulnerability
Discovered by Lilith >_> of Cisco Talos. Summary A use-after-free vulnerability exists in the pushMuxer CreatePushThread functionality of Anker Eufy Homebase 2. A specially-crafted set of ...
Windows Internals Blog
Protected: IoRing vs. io_uring: a comparison of Windows and Linux implementations
A few months ago I wrote this post about the introduction of I/O Rings in Windows. After publishing it a few people asked for a comparison of the Windows I/O Ring and the Linux io_uring, so I decid...
Is it post quantum time yet?
Quantum computing.
Zero Day Initiative
CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation
In June of 2021, Microsoft released a patch to correct CVE-2021-26420, a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look
Elastic - HackerOne
critical - CVE-2021-40870 on [] (1760.00USD)
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. The IP has an SSL certificate pointing to ElasticSearch. ``curl -kv`` Output ``` Server certificate: * subject: C=US; ST=California; L=Mountain...
NCC Group Research
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
NCC Group Technical Advisory: Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Zomato - HackerOne
critical - Improper Validation at Partners Login (2000.00USD)
## Timeline | Timeline | Action | |---|---| | Thu, 24 Sep 2020, 12:10 IST | Researcher submitted the report on H1 with initial severity as High. | | Thu, 24 Sep 2020, 12:32 IST | First response - we asked for clarification via demonstration on attack scenarios. Parallelly, we began our own investigation. | | Thu, 24 Sep 2020, 14:44 IST | Researcher provided additional clarification as...
How to Write and Execute Great Incident Response Playbooks
Learn how to write and execute Incident Response Playbooks, an invaluable resource for handling a potential threat or suspicious event.
Google Security Blog
Google Protects Your Accounts – Even When You No Longer Use Them
Posted by Sam Heft-Luthy, Product Manager, Privacy & Data Protection Office What happens to our digital accounts when we stop using them? I...
NCC Group Research
Technical Advisory – NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893)
Technical Advisory NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893) by Balazs Bucsay @xoreipeip
Exodus Intelligence
Analysis of a Heap Buffer-Overflow Vulnerability in Adobe Acrobat Reader DC
By Sergi Martinez In late June, we published a blog post containing analysis of exploitation of a heap-buffer overflow vulnerability in Adobe Reader, a vulnerability that we thought corresponded to CVE-2021-21017. The starting point for the research was a publicly posted proof-of-concept containing root-cause analysis. Soon after publishing the blog post, we learnt that the ...
Zilliqa - HackerOne
critical - Using gossip to drain miner wallets (10000.00USD)
## Summary: Using a flaw in the gossip protocol, a malicious shard member can trick any other fellow shard member into signing an arbitrary message. One way this can be exploited is by creating a transaction transferring funds from the account corresponding to a target node's public key; having the target node sign the transaction data; and then submitting the valid signed transaction to the...
F-Secure Labs
Analysis of CVE-2021-1810 Gatekeeper bypass
Introduction In my previous blog post, I wrote about how I found a Gatekeeper bypass vulnerability in how archive files are unpacked with Archive Utility. This post analyses the issue in more detai...
F-Secure Labs
The discovery of Gatekeeper bypass CVE-2021-1810
TL;DR When extracted by Archive Utility, file paths longer than 886 characters would fail to inherit the extended attribute, making it possible to bypass Gatekeeper for those f...
Google Security Blog
Introducing the Secure Open Source Pilot Program
Posted by Meder Kydyraliev and Kim Lewandowski, Google Open Source Security Team Over the past year we have made a number of investments to ...
Detectify Labs
10 Types of Web Vulnerabilities that are Often Missed
Here are 10 types of web vulnerabilities that are often missed. In fact, you probably aren't looking for them at the moment!
GitHub Security Lab
The fugitive in Java: Escaping to Java to escape the Chrome sandbox
In this post, I'll exploit a use-after-free (CVE-2021-30528) in the Chrome browser process that I reported to escape the Chrome sandbox. This is a fairly interesting bug that shows some of the subtleties involved in the interactions between C++ and Java in the Android version of Chrome.
Youssef Sammouda
Multiple bugs allowed malicious Android Applications to take over Facebook/Workplace accounts
Description These bugs could allow malicious actors who own Android Applications installed on the victim device alongside Facebook-owned Android Applications ( Workplace, Facebook, Messenger .. ) ...
Project Zero - Root Cause Analysis
CVE-2021-30632: Chrome Turbofan Type confusion in Global property access
Information about 0-days exploited in-the-wild!
Geeking Out on IBM i - Part 2
(This is part 2 of a three-part series. To view part 1, click here ) Network Configuration This part in the three-part "Geeking Out on IBM ...
NCC Group Research
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Technical Advisory - Garuda Linux Insecure User Creation (CVE-2021-3784)
Attack & Defense
Fixing a Security Bug by Changing a Function Signature
Or: The C Language Itself is a Security Risk, Exhibit #958,738 This post is aimed at people who are developers but who do not know C or low-level details ...
Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings
In February 2021, we had the opportunity to assess the HyperFlex HX platform from Cisco during a routine customer engagement. This resulted in the detection of three significant vulnerabilities. In this article we discuss our findings and will explain why they exist in the platform, how they can be exploited and the significance of these []
QIWI - HackerOne
critical - HTTP Request Smuggling on Leads to XSS on Customer Sites (300.00USD)
HTTP Request Smuggling is a technique to desync the sequence in which HTTP requests and responses are processed. This particular vulnerability abuses the CLTE variant of HTTP Request Smuggling as described in [PortSwigger's blog]( The domain was found to be vulnerable to this attack through [Defparam's smuggler...
How to Detect and Dump Credentials from the Windows Registry
OS credential dumping techniques that an attacker may use to extract credentials from the Windows Registry with local Administrator privileges.
Google Security Blog
Announcing New Patch Reward Program for Tsunami Security Scanner
Posted by Guoli Ma, Sebastian Lekies & Claudio Criscione, Google Vulnerability Management Team One year ago, we published the Tsunami secur...
MTN Group - HackerOne
high - [] Multiple vulnerabilities allow application-level DoS
**Issue Description** Unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. The vulnerability is registered as [CVE-2018-6389] #761722 #752010 #753491 #335177 **CVE ID Risk Score** [CVE-2018-6389...
Internet Bug Bounty - HackerOne
high - CVE-2021-3711: SM2 decrypt buffer overflow (2000.00USD)
OpenSSL Advisory:
Tor - HackerOne
high - Tor Browser using --log or --verbose logs the exact connection time a client connects to any v2 domains.
NOTE: This is a correlation attack and requires a sophisticated attacker to perform. A complicated attack would require physical access to the device running tor browser, as well as either operating rogue/bad exit nodes, or a compromised/fake hidden service, or combination of that. NOTE2: Title is incorrect. The logs are always stored and can be viewed with or without flags. ###...
Exodus Intelligence
SolarWinds Serv-u File Server Command Injection
EIP-2020-0032 The Serv-U File Server supports site specific commands which may not be universally supported by all FTP clients. Among these is the SITE EXEC command which allows a user to execute programs and scripts remotely, if the execute permission is present on the folder where a given program / script resides. A command injection vulnerability ...
GitHub Security Lab
Chrome in-the-wild bug analysis: CVE-2021-30632
This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. I'll cover the root cause analysis of the bug, as well as detailed exploitation.
MTN Group - HackerOne
high - Reflected Cross-Site scripting in :
Writeup :
Finding Number Related Memory Corruption Vulns