0day Fans

Suggested Blogs

Other Links

Get the Shirt!

Our Weekly Podcast

RSS Feed

Zero Day Initiative

January 20 2022 @ 5:49 PM

Brian Gorenc

Looking Back at the Zero Day Initiative in 2021

Now that were almost through the first month of 2022, its a good opportunity for us to take a look back at 2021 and the accomplishments of the Zero Day Initiative throughout the year. The past year was certainly a year full of its challenges, but we also celebrated some unique achievements in our

GitHub Security Lab - HackerOne

January 19 2022 @ 10:25 PM

jessforfun

high - [Java] CWE-089: MyBatis Mapper XML SQL Injection

https://github.com/github/securitylab/issues/406

Exodus Intelligence

January 19 2022 @ 9:05 PM

Exodus Intel VRT

LiveAction LiveNX AWS Credential Disclosure Vulnerability

EIP-7d4ec9e3 Several versions of LiveAction LiveNX network monitoring software contain Amazon Web Services (AWS) credentials. These credentials have privileged access to the LiveAction AWS infrastructure. A remote attacker may abuse these credentials to gain access to LiveAction internal resources. Vulnerability Identifiers Exodus Intelligence: EIP-7d4ec9e3 MITRE CVE: N/A Vulnerability Metrics CVSSv2 Score: 10 Vendor References This vulnerability has ... Read more

Google Online Security Blog

January 19 2022 @ 3:37 PM

Kaylin Trychon

Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4

Posted byLaurent Simon and Azeem Shaikh, Google Open Source Security Team (GOSST) Since our July announcement of Scorecards V2, the Score...

Recorded Future - HackerOne

January 19 2022 @ 11:31 AM

fornex

high - Dom Xss vulnerability

## Summary: Dom Xss vulnerability ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open chrome devtool and go to console tab 3. Type: document.write('...<script>alert(1)</script>...'); 4. And boom! Alert 1! ## Impact XSS can have huge implications for a web application and its users. User...

Synacktiv

January 19 2022 @ 10:25 AM

Captain Hook - How (not) to look for vulnerabilities in Java applications

During my 6-months intership, I developed a tool to ease vunerability research on Java applications.

Zero Day Initiative

January 18 2022 @ 6:08 PM

KP Choubey

CVE-2021-21661: Exposing Database Info via WordPress SQL Injection

In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 ( ZDI-22-220

Project Zero

January 18 2022 @ 5:50 PM

Ryan

Zooming in on Zero-click Exploits

Posted by Natalie Silvanovich, Project Zero Zoom is a video conferencing platform that has gained popularity throughout the pandemic. U...

talosintelligence.com

January 18 2022 @ 5:18 PM

Advantech SQ Manager Server 1.0.6 privilege escalation vulnerability

Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escala...

talosintelligence.com

January 18 2022 @ 5:18 PM

Advantech DeviceOn/iService 1.1.7 Server installation privilege escalation vulnerability

Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7. A specially-crafted file can be replaced in ...

talosintelligence.com

January 18 2022 @ 5:18 PM

Advantech DeviceOn/iEdge Server 1.0.2 privilege escalation vulnerability

Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2. A specially-crafted file can be replaced...

Automattic - HackerOne

January 17 2022 @ 9:52 PM

rockybandana

high - SSRF & Blind XSS in Gravatar email

Nathan Cavitt (rockybandana) reported a blind XSS issue in the Gravatar service, which was due to incorrect/insufficient sanitization on adding emails to one's profile. The report was of good quality and the issue was fixed within a couple of days of report.

Assetnote

January 18 2022 @ 2:34 AM

Stealing administrative JWT's through post auth SSRF (CVE-2021-22056)

Application security issues found by Assetnote

Assetnote

January 18 2022 @ 2:34 AM

Advisory: VMWare Workspace One Access (CVE-2021-22056)

Application security issues found by Assetnote

IBM - HackerOne

January 14 2022 @ 7:30 PM

xyantix

high - SQL Injection and plaintext passwords via User Search

An identified SQL Injection vulnerability was reported to IBM found within an IBM asset. It has been analyzed, and resolved. We thank the xyantix for reporting this vulnerability.

Synacktiv

January 14 2022 @ 5:56 PM

Dissecting NTLM EPA with love & building a MitM proxy

Why you never managed to connect to this fre*king NTLM EPA protected website and how to finally reach it.

Django - HackerOne

January 14 2022 @ 4:07 PM

scaramouche31

high - Deserialization of potentially malicious data to RCE

Hello, Django Team! It's my first time working with you, hope it will be great! Note: I have not seen this issue neither in known vulnerabilities nor in documentation, so here I am. ## Summary Several type of caches in https://github.com/django/django/tree/main/django/core/cache/backends use python `pickle` which may result in RCE (basically privilege escalation) in case attacker will takeover...

Ruby - HackerOne

January 13 2022 @ 11:15 PM

sohaib619

high - Bug Report : [ No Valid SPF Records ]

Hi Team, Hope you are doing well. I found vulnerability in your web app URL : https://www.ruby-lang.org/en/s Description : There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because...

Adobe - HackerOne

January 13 2022 @ 7:50 PM

ismailmuh

critical - AEM forms XXE Vulnerability

AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. CVE: CVE-2021-40722 Ref: https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html We thank @ismailmuh for reporting this to Adobe!

Adobe - HackerOne

January 13 2022 @ 6:48 PM

letm3through

critical - Disclosure of github access token in config file via nignx off-by-slash

## Summary: `` is vulnerable to Nginx off-by-slash vulnerability that exposes Git configuration. ## Steps To Reproduce: 1. Visit `https://` to download git config containing username and token. 2. Use it to pull entire source code via `git clone ` Leaked: ``` [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Dinghao Liu, Qiushi Wu, Shouling Ji, Kangjie Lu, Zhenguang Liu, Jianhai Chen, and Qinming He.

Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths

ZS)HxcNjWb(n#RKrv-PnG-p(TrF9qe>bkX~$U|kHeo |%ki_7]=jgx,MZ:\^Um9%{M}{3 pr,pE@b:34O^i...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Lirong Fu, Shouling Ji, Kangjie Lu, Peiyu Liu, Xuhong Zhang, Yuxuan Duan, Zihui Zhang, Wenzhi Chen, and Yanjun Wu.

CPscan: Detecting Bugs Caused by Code Pruning in IoT Kernels

1"!v#0'(mQ $ $i4 we5i<W=KMRB A!mp2(Grd(cZF Moti \ZK"yrP6Dw7yo$.9*m;yMgf...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Jia-Ju Bai, Tuo Li, Kangjie Lu, and Shi-Min Hu.

Static Detection of Unsafe DMA Accesses in Device Drivers

%PDF-1.7 % 730 0 obj endobj 755 0 obj /Filter/FlateDecode/ID[ ]/Index[730 47]/Info 729 0 R/Length 117/Prev 1713326/Root 731 0 R/Size 777/Type/XRef/W[1 3 1]>>stream hbbd```b``U E,rn\...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Xin Tan, Yuan Zhang, Xiyu Yang, Kangjie Lu, and Min Yang.

Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking

%PDF-1.5 % 630 0 obj endobj 656 0 obj /Filter/FlateDecode/ID[ ]/Index[630 47]/Info 629 0 R/Length 121/Prev 628323/Root 631 0 R/Size 677/Type/XRef/W[1 3 1]>>stream hbbd```b`` "vI<d&@...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Qiushi Wu*, Yue Xiao*, Xiaojing Liao, and Kangjie Lu.

OS-Aware Vulnerability Prioritization via Differential Severity Analysis

I am an assistant professor in the Computer Science & Engineering Department of the University of Minnesota--Twin Cities. I research and teach systems security. My primary research lies at the inte...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Nanzi Yang, Wenbo Shen, Jinku Li, Yutian Yang, Kangjie Lu, Jietao Xiao, Tianyu Zhou, Chenggang Qin, Wang Yu, Jianfeng Ma, and Ku

Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization

%PDF-1.5 % 355 0 obj > endobj 356 0 obj > /W [ 1 3 1 ] /Index [ 355 301 ] /Info 64 0 R /Root 357 0 R /Size 656 /Prev 769218 /ID [ ] >> stream xcbd`g`b``8 "@$0&H dY"H!9$...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Peiyu Liu, Shouling Ji, Xuhong Zhang, Qinming Dai, Kangjie Lu, Lirong Fu, Wenzhi Chen, Peng Cheng, Wenhai Wang, and Raheem Beyah

iFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test IoT Firmware

%PDF-1.5 % 2 0 obj << /Length 74 /Filter /FlateDecode >> stream x357U0P F )\@>L,CKd!eba26"X@lM4q endstream endobj 4 0 obj << ...

popl21.sigplan.org

January 13 2022 @ 5:29 PM

Jianhao Xu, Kangjie Lu, and Bing Mao.

Cross-Architecture Testing for Compiler-Introduced Security Bugs

Todays computer systems are insecure. The semantics of mainstream low-level languages like C provide no security against devastating vulnerabilities like buffer overflows and control-flow hijacking. Even for safer languages, establishing security with respect to the languages semantics does not prevent low-level attacks. All the abstraction and security guarantees of the source language may be lost when interacting with low-level code, e.g., when using libraries. Secure compilation is an emerging field that puts together advances in programming languages, security, verification, systems ...

www-users.cs.umn.edu

January 13 2022 @ 5:29 PM

Bowen Wang*, Kangjie Lu*, Qiushi Wu, and Aditya Pakki.

Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing

%PDF-1.5 % 447 0 obj endobj 484 0 obj /Filter/FlateDecode/ID[ ]/Index[447 156]/Info 446 0 R/Length 130/Prev 218310/Root 448 0 R/Size 603/Type/XRef/W[1 2 1]>>stream hbbd``b`M`:bMM...

Project Zero Bug Tracker

January 13 2022 @ 1:06 PM

Windows: EFSRPC Arbitrary File Upload EoP

Project Zero Bug Tracker

January 12 2022 @ 5:25 PM

Apple ColorSync: out-of-bounds reads due to integer overflows in curve table initialization

Project Zero Bug Tracker

January 12 2022 @ 5:55 PM

Chrome: Interface ID reuse leading to memory corruption in IPC::ChannelAssociatedGroupController

Zero Day Initiative

January 12 2022 @ 2:49 PM

Brian Gorenc

Pwn2Own Vancouver Returns for the 15th Anniversary of the Contest

Jump to the contest rules Starting in 2007, Pwn2Own has grown from a small, browser-focused event to become one of the most well-known security contests in the industry. Back then, a successful exploit earned a MacBook and $10,000 for the winner. This past year, the ZDI awarded over $2.5

Zenly - HackerOne

January 12 2022 @ 10:55 AM

yetanotherhacker

high - Account Takeover via SMS Authentication Flow

An attacker could have taken over a future user account by abusing the session creation endpoint, which was consistently returning the same session token (although not yet valid) for the same user. Once the legitimate user validates the SMS code for that session token, the session would have become valid for both the legitimate user and the attacker.

SSD Secure Disclosure

January 12 2022 @ 8:51 AM

SSD Disclosure / Technical Lead

SSD Advisory – Uniview PreAuth RCE

Find out how the Chrome Ad-Heavy detection mechanism can be bypassed, bypassing the mechanism would allow ads that are breaching the restrictions imposed by Chrome to still run.

Nord Security - HackerOne

January 12 2022 @ 8:35 AM

paramdham

critical - CSRF to change password

Description Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. I have found CSRF to change password , POC <html> <body> <form action="https://nordvpn.com/profile/"...

Gener8 - HackerOne

January 12 2022 @ 8:35 AM

paramdham

high - Clickjacking to change email address

##Summary Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It allows remote attackers to...

Rhino Security Labs

January 11 2022 @ 4:47 PM

Hunter Stanton

CVE-2021-41577: MITM to RCE in EVGA Precision X1

Precision X1 is a software overclocking tool released by EVGA, which has recently received CVE-2021-41577.

talosintelligence.com

January 11 2022 @ 5:32 PM

Adobe Acrobat Reader Javascript event.richValue use-after-free vulnerability

Discovered by Jaewon Min and Aleksandar Nikolic of Cisco Talos. Summary A use-after-free vulnerability exists in the way certain events are handled in Adobe Acrobat Reader 21.007.20091. A specially...

talosintelligence.com

January 11 2022 @ 5:32 PM

Adobe Acrobat Reader DC annotation gestures integer overflow vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos. Summary An integer overflow vulnerability exists in the way Adobe Acrobat Reader DC 2021.007.20099 supports annotation interactions through javascri...

talosintelligence.com

January 10 2022 @ 7:44 PM

Google Chrome WebRTC RTPSenderVideoFrameTransformerDelegate memory corruption vulnerability

Discovered by Marcin Towalski of Cisco Talos. Summary A memory corruption vulnerability exists in the WebRTC functionality of Google Chrome 92.0.4515.159 (Stable) and 95.0.4623.0 (Canary). A specia...

Praetorian

January 07 2022 @ 7:22 PM

starterstall

Log4J Detector Tool

Summary The Log4Shell vulnerability exposed a remote code execution condition in multiple versions of the popular Apache Log4J2 logging library. Disclosure of the vulnerability and patch release were followed shortly by broad exploitation. Attackers reportedly ranged from hobbyists to mature adversaries. Obfuscation of attack traffic and sophisticated weaponization of the exploit soon followed. Companies were […]

Project Zero - Root Cause Analysis

January 07 2022 @ 5:15 PM

Maddie Stone, Google Project Zero

CVE-2021-38000: Chrome Intents Logic Flaw

Information about 0-days exploited in-the-wild!

Project Zero Bug Tracker

January 07 2022 @ 5:45 PM

Linux: unix GC memory corruption by resurrecting a file reference through RCU

Project Zero Bug Tracker

January 07 2022 @ 2:56 PM

Chrome: heap-use-after-free in storage::BlobURLStoreImpl::Revoke

Zero Day Initiative

January 06 2022 @ 5:33 PM

Simon Zuckerbraun

The Top 5 Bugs Submitted in 2021

As the new year begins, we thought it would be fun to look back at some of the best bugs submitted during 2021. We had another record-breaking year, with over 1,600 advisories published. In the end, we came up with the following submissions from 2021 that stood out from the pack. Without furth

Atredis Partners

January 06 2022 @ 3:42 PM

Brandon Perry

Unauthenticated Remote Code Execution Chain in SysAid ITIL -- CVE-2021-43971, CVE-2021-43972, CVE-2021-43973, CVE-2021-43974

Atredis Partners found a chain of vulnerabilities in the ITIL product offering by SysAid during personal research. Other competitors to this SysAid product are ManageEngine, Remedy, or other ticketing and workflow systems. The full chain of issues allows an unauthenticated attacker to gain full admi

Project Zero Bug Tracker

January 05 2022 @ 9:04 PM

XNU: heap-use-after-free in inm_merge

Twitter - HackerOne

January 05 2022 @ 8:19 PM

ian

high - Subdomain takeover of images.crossinstall.com

## Summary images.crossinstall.com points to an AWS S3 bucket that no longer exists. I was able to take control of this bucket and put my own content onto it. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointing to anything within this domain, I could serve them arbitrary/malicious content. I could also use this in case...

PortSwigger Research

January 05 2022 @ 2:06 PM

Top 10 web hacking techniques of 2021 - nominations open

Update: nominations are now closed, but voting is live! Cast your vote here. Nominations are now open for the top 10 new web hacking techniques of 2021! Every year security researchers share their dis