Project Zero Bug Tracker
xscreensaver: raw socket leaked
critical - [wireguard-wrapper] Command Injection via insecure command concatenation
I would like to report a `Command Injection` issue in the `wireguard-wrapper` module. It allows execution of arbitrary commands on the victim's PC. # Module **module name:** `wireguard-wrapper` **version:** `1.0.2` **npm page:** `https://www.npmjs.com/package/wireguard-wrapper` ## Module Description This project is a nodejs wrapper for the wireguard commands wg and wg-quick. Features: - No...
blog.ptsecurity.com
Positive Technologies' official statement following U.S. sanctions
As a company, we deny the groundless accusations made by the U.S. Department of the Treasury. In the almost 20 years we have been operating ...
F-Secure Labs
Data poisoning in action
While machine learning applications can be exposed to common security threats at the hardware, application, and network level, they are also exposed to domain specific threats that are currently ov...
Atredis Partners
QEMU and U: Whole-system tracing with QEMU customization
Atredis Partners' Jordan Whitehead describes techniques for tracing execution using QEMU's own built-in functionality to aid in vulnerability discovery.
TikTok - HackerOne
critical - RCE on TikTok Ads Portal
The video upload endpoint on the TikTok Ads portal was potentially susceptible to remote code execution (RCE) due to a ffmpeg misconfiguration. We thank @bubbounty for reporting this to our team and confirming the resolution.
Grammarly - HackerOne
high - Ability to DoS any organization's SSO and open up the door to account takeovers (10500.00USD)
The vulnerability was fixed before SSO became available to Grammarly customers.
Project Zero
Policy and Disclosure: 2021 Edition
Posted by Tim Willis, Project Zero. At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies...
Google Security Blog
A New Standard for Mobile App Security
Posted by Brooke Davis and Eugene Liderman, Android Security and Privacy Team. With all of the challenges from this past year, users have ...
Diary of a Reverse-Engineer
Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086)
Introduction: Since the beginning of my journey in computer security I have always been amazed and fascinated by true remote vulnerabilities. By true remotes, I mean bugs that are triggerable remote...
arXiv.org
SDN-Based Intrusion Detection System for Early Detection and Mitigation of DDoS Attacks
The current paper addresses relevant network security vulnerabilities introduced by network devices within the emerging paradigm of Internet of Things (IoT), as well as the urgent need to mitigate the negative effects of some types of Distributed Denial of Service (DDoS) attacks that try to exploit those security weaknesses. We design and implement a Software-Defined Intrusion Detection System (IDS) that reactively impairs the attacks at their origin, ensuring the normal operation of the network infrastructure. Our proposal includes an IDS that automatically detects several DDoS attacks and, as an attack is detected, notifies a Software Defined Networking (SDN) controller. The current proposal also downloads convenient traffic forwarding decisions from the SDN controller to network devices. The evaluation results suggest that our proposal detects several types of DDoS-based cyber-attacks in a timely manner, mitigates their negative impacts on network performance, and ensures the...
Google Security Blog
Rust in the Linux kernel
Posted by Wedson Almeida Filho, Android Team. In our previous post, we announced that Android now supports the Rust programming language...
Project Zero - Root Cause Analysis
CVE-2021-1647: Windows Defender mpengine remote code execution
Information about 0-days exploited in-the-wild!
Cisco Talos Intelligence Group
Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere
QIWI - HackerOne
high - gifts.flocktory.com/phpmyadmin is vulnerable to CSRF (100.00USD)
# Summary: Hello Team, I found that the PHPMyAdmin login panel is publicly accessible on https://gifts.flocktory.com and it is using the 4.6.6 version of PHPMyAdmin, which is vulnerable to several...
QIWI - HackerOne
critical - Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID
## Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a `<REQUEST/>` body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the `DOC_ID` parameter on the `TPrabhuObject` operation `BeginOrder` to inject arbitrary SQL statements into the underlying prepared statement. This leads to Remote Code Execution on the...
QIWI - HackerOne
critical - Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID
## Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a `<REQUEST/>` body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the `DOC_ID` parameter on the `TAktifBankObject` operation `GetOrder` to inject arbitrary SQL statements into the underlying prepared statement. This leads to Remote Code Execution on...
census-labs.com
WhatsApp exposure of TLS 1.2 cryptographic material to third party apps
CENSUS ID: CENSUS-2021-0002. CVE ID: CVE-2021-24027. Affected Products: WhatsApp Messenger for Android, versions prior to 2.21.4.18. Class: Exposure of Sensitive Information to an Unauthorized Control Sphere (CWE-497). Discovered by: Chariton Karamitas. CENSUS identified that versions prior to 2.21.4.18 of WhatsApp for Android allowed third party apps to access WhatsApp TLS 1.2 cryptographic material, as this was stored in "app-specific external storage". On Android 9 and previous versions of Android, the material is exposed to any third party app that bears the READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permission. On Android 10 a malicious app would also require the requestLegacyExternalStorage attribute to access the files. Through the installation of a malicious app, or alternatively, through the exploitation of a vulnerable app (or Android component) that resides on a WhatsApp user's mobile device, remote actors were able to control the victim user's TLS session cryptographic secrets...
census-labs.com
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027)
In this article we will have a look at how a simple phishing attack through an Android messaging application could result in the direct leakage of data found in unprotected device storage (/sdcard). Then we will show how the two aforementioned WhatsApp vulnerabilities made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions. With the TLS secrets at hand, we will demonstrate how a man-in-the-middle attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise [05] protocol keys, used for end-to-end encryption in user communications.
Project Zero Bug Tracker
Windows: SCM Remote Access Check Limit Bypass EoP