Dayzerosec
Day[0]
Iterating Exploits & Extracting SGX Keys
We are back and testing out a new episode format focusing more on discussion than summaries. We start talking a bit about the value of learning hacking by iterating on the same exploit and challenging yourself as a means of practicing the creative parts of exploitation. Then we dive into the recent Intel SGX fuse key leak, talk a bit about what it means, how it happened. We are seeking feedback on this format. Particularly interested in those of you with more of a bug bounty or higher-level focus if an episode like this...
2024-09-16
53 min
Day[0]
[bounty] DEF CON, HardwearIO, Broken Caching, and Dropping Headers
We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be useful in your bug bounty chains, a look at a classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/215.html [00:00:00] Introduction [00:02:15] Summer Recap - HardwearIO [00:11:51] Summer Recap - DEF CON
2023-09-26
1h 18
Day[0]
[binary] XNU's kalloc_type, Stranger Strings, and a NetBSD Bug
Kicking off the week with a look at Apple's new security blog and the kalloc_type introduced into XNU, then a mix of issues including an overflow in SQLite. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/164.html [00:00:00] Introduction [00:00:24] Spot the Vuln - Right Code, Wrong Place [00:03:05] Hexacon Talks are Available [00:04:56] Towards the next generation of XNU memory safety: kalloc_type [00:21:23] NetBSD Coredump Kernel Refcount LPE [00:24:56] [Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched [00:31:42...
2022-11-03
46 min
Day[0]
[bounty] A Galaxy Store Bug, Facebook CSRF, and Google IDOR
Several simple bugs with significant impacts, XSS to being able to install apps, CSRFing via a Captcha, and a Google IDOR. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/163.html [00:00:00] Introduction [00:00:29] Defcon Talks are Available [00:03:10] Galaxy Store Applications Installation/Launching without User Interaction [00:08:49] Facebook SMS Captcha Was Vulnerable to CSRF Attack [00:15:32] Google Data Studio Insecure Direct Object Reference [00:21:06] HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding ...
2022-11-01
28 min
Day[0]
[binary] Edge Vulns, a SHA-3 Overflow, and an io_uring Exploit
A few issues this week, including an overflow in SHA-3, yet another io_uring bug, and multiple (questionably exploitable) corruptions in Edge. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/162.html [00:00:00] Introduction [00:00:23] Spot the Vuln - Tricky Notes [00:04:04] Memory corruption vulnerabilities in Edge [00:15:19] SHA-3 Buffer Overflow [00:23:53] A Journey To The Dawn [CVE-2022-1786] [00:36:57] Exploiting Xbox Game Frogger Beyond to Execute Arbitrary Unsigned Code The DAY[0] Podcast episodes are...
2022-10-27
38 min
Day[0]
[bounty] XMPP Stanza Smuggling in Jabber and a Cobalt Strike RCE
Several fun issues this week, from a Cobalt Strike RCE, a couple auth bypasses, and stanza smuggling in Jabber. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/161.html [00:00:00] Introduction [00:00:28] Sophos Firewall User Portal and Web Admin Code Injection [CVE-2022-3236] [00:07:05] [Cisco Jabber] XMPP Stanza Smuggling with stream:stream tag [00:14:52] Authentication Bypass & File Upload & Arbitrary File Overwrite [00:25:31] Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1 [00:33:38] HTTP/3 connection contamination: an upcoming threat?
2022-10-25
40 min
Day[0]
[binary] Fuchsia OS, Printer Bugs, and Hacking Radare2
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/fuchsia-os-printer-bugs-and-hacking-radare2.html Some silly issues in radare2, some printer hacking, some kernel vulnerabilities, and a look at exploiting Fuchsia OS on this week's episode. Just as a reminder, this will be our last episode until September. [00:00:40] Spot the Vuln - Size Matters [00:04:30] Multiple vulnerabilities in radare2 [00:10:08] The printer goes brrrrr!!! [00:17:25] A Kernel Hacker Meets Fuchsia OS [00:33:55] Finding Bugs in Windows Drivers, Part 1 - WDM [00:41:23] Chat Question...
2022-06-02
54 min
Day[0]
[bounty] A Zoom RCE, VMware Auth Bypass, and GitLab Stored XSS
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-zoom-rce-vmware-auth-bypass-and-gitlab-stored-xss.html Last bounty episode before our summer vacation, and we are ending off with some cool issues. XML Stanza smuggling in Zoom for a MitM attack, an odd auth bypass, a Gitlab Stored XSS and gadget based CSP bypass, and an interesting technique to leverage a path traversal/desync against NGINX Plus [00:01:00] How I hacked CTX and PHPass Modules [00:10:55] [Zoom] Remote Code Execution with XMPP Stanza Smuggling [00:19:38] VMware Authentication Bypass Vulnerability [CVE-2022-22972]
2022-05-31
51 min
Day[0]
[binary] Pwn2Own, Parallels Desktop, and an AppleAVD Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwn2own-parallels-desktop-and-an-appleavd-bug.html Just a couple of vulnerabilities to talk about this week, but some interesting things to talk about in them. We also have some discussion about this year's Pwn2Own results and a couple of things that caught our attention. [00:01:02] Spot the Vuln - NoSQL, No Problem [00:02:46] Pwn2Own Vancouver 2022 - The Results [00:16:14] CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD [00:23:16] Exploiting an Unbounded memcpy in Parallels Desktop The...
2022-05-26
34 min
Day[0]
[bounty] Stealing DropBox Google Drive Tokens, a GitLab Bug, and macOS "Powerdir" Vulnerability
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/stealing-dropbox-google-drive-tokens-a-gitlab-bug-and-macos-powerdir-vulnerability.html Kicking off the week with some discussion about DOJ's policy change before getting into some vulnerabilities: "powerdir" a macOS TCC bypass, an integer overflow on the web, and another attack against HelloSign and their Google Drive integration [00:02:12] DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers [00:11:02] macOS Vulnerability "powerdir" could lead to unauthorized user data access [00:17:17] Arbitrary POST request as victim user from HT...
2022-05-24
32 min
Day[0]
[binary] Python 3 UAF and PS4/PS5 PPPoE Kernel Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/python-3-uaf-and-ps4-ps5-pppoe-kernel-bug.html We have a couple normally low-impact bugs in Solana rBPF this week netting a $200k bounty, a Python 2.7+ Use-After-Free and a PS4 and PS5 remote kernel heap overflow along with some discussion about exploitability and usability for a jailbreak. [00:00:48] Spot the Vuln - Clowning Around [00:03:27] Earn $200K by fuzzing for a weekend [00:17:37] Exploiting a Use-After-Free for code execution in every version of Python 3 [00:26:21] [PlayStation] Remote kernel heap...
2022-05-19
38 min
Day[0]
[bounty] Deleting Rubygems, BIG-IP Auth Bypass, and a Priceline Account Takeover
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/yanking-rubygems-big-ip-auth-bypass-and-a-priceline-account-takeover.html A lot of cool little bugs this week with some solid impact, Facebook and Priceline account takeovers, F5 iControl Authentication Bypass, and a couple other logic bugs. [00:01:55] rubygems CVE-2022-29176 explained [00:06:09] Multiple bugs chained to takeover Facebook Accounts which uses Gmail [00:15:16] [curl] curl removes wrong file on error [CVE-2022-27778] [00:18:33] [Priceline] Account takeover via Google OneTap [00:22:14] F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive
2022-05-17
34 min
Day[0]
[binary] Pwn2Owning Routers and Anker Eufy Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwn2owning-routers-and-anker-eufy-bugs.html Just a few vulnerabilities this week, but we have some CodeQL discussion as it's used to find several vulnerabilities in the Accel-PPP VPN server, and a look at a bug submitted to Pwn2Own 2021. [00:00:33] Spot the Vuln - Is It Clear [00:05:13] Anker Eufy Homebase 2 libxm_av.so DemuxCmdInBuffer buffer overflow vulnerability [00:08:18] Hunting bugs in Accel-PPP with CodeQL [00:15:53] Competing in Pwn2Own 2021 Austin: Icarus at the Zenith The...
2022-05-12
30 min
Day[0]
[bounty] Cloudflare Pages, Hacking a Bank, and Attacking Price Oracles
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/cloudflare-pages-hacking-a-bank-and-attacking-price-oracles.html Some interesting vulnerabilities this week, from a Cloudflare Pages container escape chain, to hacking a bank's web application with some neat tricks to abuse a file-write in a hardened environment, and even another dumb smart-contract bug. [00:00:23] Cloudflare Pages, part 1: The fellowship of the secret [00:10:07] Ruby on Rails - Possible XSS Vulnerability in ActionView tag helpers [CVE-2022-27777] [00:15:01] Hacking a Bank by Finding a 0day in DotCMS [00:22:23] Aave V3’s Pr...
2022-05-10
38 min
Day[0]
[binary] NimbusPwn, a CLFS Vulnerability, and DatAFLow (Fuzzing)
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/nimbuspwn-a-clfs-vulnerability-and-dataflow.html A few vulnerabilities from a TOCTOU to an arbitrary free, and some research into using data-flow in your fuzzing. [00:00:18] Spot the Vuln - Where's it At? [00:03:44] Nimbuspwn - A Linux Elevation of Privilege [00:08:38] Windows Common Log File System (CLFS) Logical-Error Vulnerability [CVE-2022-24521] [00:15:32] Arbitrary Free in Accusoft ImageGear ioca_mys_rgb_allocate [00:25:31] Commit Level Vulnerability Dataset [00:28:44] DatAFLow - Towards a Data-Flow-Guided Fuzzer
2022-05-05
41 min
Day[0]
[bounty] XSS for NFTs, a VMWare Workspace ONE UEM SSRF, and GitLab CI Container Escape
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/xss-for-nfts-a-vmware-workspace-one-uem-ssrf-and-gitlab-ci-container-escape.html Some straightforward bugs this week with some interesting discussion around cryptographic protocols (VMWare Workspace), XSS in the Web3 world, and whether container escapes into a low-privileged VM matter. Along with a couple of noteworthy test cases to keep in mind while bug hunting. [00:00:35] Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace [00:09:14] Encrypting our way to SSRF in VMWare Workspace One UEM [CVE-2021-22054] [00:14:29] Ho...
2022-05-03
37 min
Day[0]
[binary] Getting into Vulnerability Research and a FUSE use-after-free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/getting-into-vulnerability-research-and-a-fuse-use-after-free.html We are joined by Cts for a discussion about getting into vulnerability research and some thoughts about the higher-level bug hunting process, then a look at some black-box fuzzing of MS Defender for IoT and a FUSE use-after-free. [00:00:44] Spot the Vuln - What do I need? [00:03:11] Discussion: Getting into Vulnerability Research [00:39:43] Inside the Black Box - How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities [00:43:25] FUSE allows UAF...
2022-04-28
49 min
Day[0]
[bounty] A Struts RCE, Broken Java ECDSA (Psychic Signatures) and a Bad Log4Shell Fix
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-struts-rce-broken-java-ecdsa-psychic-signatures-and-a-bad-log4shell-fix.html An interesting mix of issues from crypto (Psychic Signatures), to a bad vulnerability patching service (patching Log4Shell), and bad logic leading to authentication bypasses and leaking sensitive keys. [00:00:24] Psychic Signatures in Java [CVE-2022-21449] [00:15:09] AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation [00:18:33] Bypass Apple Corp SSO on Apple Admin Panel [00:21:55] Exploiting Struts RCE on 2.5.26 [00:27:46] bluez: malicious USB devices can steal Bluetooth...
2022-04-26
32 min
Day[0]
[binary] Another iOS Bug and Edge Chakra Exploitation
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/another-ios-bug-and-edge-chakra-exploitation.html A massive 11,000 byte overflow in WatchGuard, some discussion about lock-related vulnerabilities and analysis, and a look at a ChakraCore exploit dealing with all the mitigations (ASLR, DEP, CFG, ACG, CIG). [00:00:32] Spot the Vuln - The Global Query [00:05:04] Diving Deeper into WatchGuard Pre-Auth RCE [CVE-2022-26318] [00:09:42] HTTP Protocol Stack Remote Code Execution Vulnerability [CVE-2022-21907] [00:18:21] iOS in-the-wild vulnerability in vouchers [CVE-2021-1782] [00:37:06] Microsoft Edge Type Confusion Vulnerability (Part 2...
2022-04-21
55 min
Day[0]
[bounty] Taking Over an Internal AWS Service and an Interesting XSS Vector
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/taking-over-an-internal-aws-service-and-an-interesting-xss-vector.html Short episode this week, looking at some relatively simple vulnerabilities ranging from XSS to leaking internal service credentials in AWS Relational Database Service by disabling validation. [00:00:40] Git security vulnerability announced [00:06:37] AWS RDS Vulnerability Leads to AWS Internal Service Credentials [00:14:04] Privilege Escalation to SYSTEM in AWS VPN Client [CVE-2022-25165] [00:18:37] Copy-paste XSS in vditor text editor [CVE-2021-32855] The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice...
2022-04-19
22 min
Day[0]
[binary] A subtle iOS parsing bug and a PHP use-after-free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-subtle-ios-parsing-bug-and-a-php-use-after-free.html We dive into an ASN.1 parsing bug impacting iOS, and a PHP use-after-free to bypass disabled functions, ending the week with a discussion about whether or not it's too late to get into this area of security. [00:00:29] Spot the Vuln - One HMAC at a Time [00:03:19] CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability [00:19:03] In the land of PHP you will always be (use-after-)free [00:30:13] security things in Linux v5.10
2022-04-14
54 min
Day[0]
[bounty] A Double-Edged SSRF, Pritunl VPN LPE, and a NodeBB Vuln
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-double-edged-ssrf-pritunl-vpn-lpe-and-a-nodebb-vuln.html Quick bounty episode this week with some request smuggling, abusing an SSRF for client-side impact, a weird OAuth flow, and a desktop VPN client LPE. [00:00:28] HTTP Request Smuggling on business.apple.com and Others. [00:06:25] Exploiting a double-edged SSRF for server and client-side impact [00:14:47] Local Privilege Escalation in Pritunl VPN Client [CVE-2022-25372] [00:20:27] A NodeBB 0-day The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a...
2022-04-12
26 min
Day[0]
[binary] FORCEDENTRY Sandbox Escape and NetFilter Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/forcedentry-sandbox-escape-and-netfilter-bugs.html More information about the FORCEDENTRY exploit chain, and some Linux exploitation with a couple netfilter bugs. Ending the episode with some discussion about exploiting blind kernel read primitives from Microsoft. [00:00:28] Spot the Vuln - Adding Entropy [00:02:56] FORCEDENTRY: Sandbox Escape [00:15:21] How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables [00:32:38] Exploring a New Class of Kernel Exploit Primitive [00:40:18] BlueHat IL Videos are up
2022-04-07
42 min
Day[0]
[bounty] Spring4Shell, PEAR Bugs, and GitLab Hardcoded Passwords
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/spring4shell-pear-bugs-and-gitlab-hardcoded-passwords.html This week we have some fun with some bugs that really shouldn't have passed code-review, we of course talk about Spring4Shell/SpringShell and dive into the decade long history of that bug, and a bit of discussion about triaging more subtle bugs. [00:00:29] [Stripe] CSRF token validation system is disabled [00:09:42] GitLab Account Takeover with Hardcoded Password [00:21:22] Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
2022-04-05
1h 02
Day[0]
[binary] Pwning WD NAS, NetGear Routers, and Overflowing Kernel Pages
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwning-wd-nas-netgear-routers-and-overflowing-kernel-pages.html Plenty of exploit strategy talk this week with vulnerabilities and complete exploits targeting a NAS, a router, and a Linux Kernel module with a page-level overflow. [00:00:26] Spot the Vuln - Normalized Regex [00:01:52] Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) [00:07:10] Defeating the Netgear R6700v3 [00:18:36] Exploit esp6 modules in Linux kernel [CVE-2022-27666] [00:27:17] Racing against the clock -- hitting a tiny kernel race window
2022-03-31
32 min
Day[0]
[bounty] GitLab Arbitrary File Read and Bypassing PHP's filter_var
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gitlab-arbitrary-file-read-and-bypassing-php-s-filter-var.html Some easy vulnerabilities this week: a directory traversal due to a bad regex, a simple yet somewhat mysterious authentication bypass, arbitrary file read in GitLab thanks to archives with symlinks, and a PHP filter_var bypass. [00:00:25] elFinder: The story of a repwning [00:11:56] Authentication bypass using root array [00:17:04] [GitLab] Arbitrary file read via the bulk imports UploadsPipeline [00:19:54] PHP filter_var shenanigans [00:30:26] Quick Thoughts on Finding a Mentor
2022-03-29
34 min
Day[0]
[binary] Chrome Heap OOB Access and TLStorm
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/chrome-heap-oob-access-and-tlstorm.html A few issues this week: an OOB access in Chrome and one in the Linux kernel's Netfilter, and a few issues in Smart-UPS devices. [00:00:17] Spot the Vuln - Where's My Token [00:03:21] Chrome: heap-buffer-overflow in chrome_pdf::PDFiumEngine::RequestThumbnail [00:06:23] TLStorm - Three Critical Vulnerabilities in Smart-UPS devices [00:15:59] The Discovery and Exploitation of CVE-2022-25636 The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: ...
2022-03-24
33 min
Day[0]
[bounty] DOMPDF XSS to RCE, Chrome Leaking Environment Vars, and cr8escape
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/dompdf-xss-to-rce-chrome-leaking-envrionment-vars-and-cr8escape.html Several easy issues this week, from leaking environment variables, to gaining host code execution, and an XSS to RCE. [00:01:15] Chrome, Edge and Opera - System environment variables leak [CVE-2022-0337] [00:10:05] [Yoti] Pin Bruteforce Rate-Limiting Bypass [00:21:58] From XSS to RCE (dompdf 0day) [00:31:49] cr8escape: New Vulnerability in CRI-O Container Engine [CVE-2022-0811] The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays...
2022-03-22
39 min
Day[0]
[binary] A Windows UAF, Branch Prediction Bugs, and an io_uring Exploit
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-windows-uaf-branch-prediction-bugs-and-an-io-uring-exploit.html This time we get sidetracked with a couple of discussions, first about security through obscurity, second about the NVIDIA leaks. We also have our usual mix of vulnerabilities this week: a cool exploit in the Linux kernel, a use-after-free in the Windows Common Log File System, and some speculative execution issues. [00:00:43] Spot the Vuln - Do You Even HMAC? [00:05:49] Put an io_uring on it: Exploiting the Linux Kernel [00:26:18] Discussion: Security through Obscurity...
2022-03-17
1h 16
Day[0]
[bounty] Pascom RCE, AutoWarp, and a GKE Container Escape
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pascom-rce-autowarp-and-a-gke-container-escape.html We've got some cloud issues this week, in Azure Automation and GKE Autopilot along with a couple other interesting chains. [00:02:11] Pascom: The story of 3 bugs that lead to unauthed RCE [00:12:37] How I Made +$16,500 Hacking CDN Caching Servers - Part 2 [00:17:16] AutoWarp Microsoft Azure Automation Vulnerability [00:23:19] Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays...
2022-03-15
33 min
Day[0]
[binary] Dirty Pipe and Analyzing Memory Tagging
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/dirty-pipe-and-analyzing-memory-tagging.html No spot the vuln this week, but we do have a cool kernel bug, "Dirty Pipe", a look at a stack based overflow: BrokenPrint, and finally some discussion about memory tagging. [00:00:31] The Dirty Pipe Vulnerability [00:18:26] BrokenPrint: A Netgear stack overflow [00:30:21] Security Analysis of MTE Through Examples [BHIL2022] The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays at 3:00pm Eastern (Boston) we focus on web...
2022-03-10
46 min
Day[0]
[bounty] Facebook Exploits, pfSense RCE, and MySQLjs SQLi
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/facebook-exploits-pfsense-rce-and-mysqljs-sqli.html A few interesting issues this week: a JS race condition in some auth-related code for Facebook, some fake prepared queries, and an RCE through sed commands (in pfSense). [00:00:56] Remote Code Execution in pfSense (2.5.2 and earlier) [00:06:13] Finding an Authorization Bypass on my Own Website [00:17:43] More secure Facebook Canvas Part 2: More Account Takeovers [00:32:43] The perils of the “real” client IP The DAY[0] Podcast episodes are streamed live on T...
2022-03-08
50 min
Day[0]
[binary] ImageGear JPEG Vulns, NetFilter, and a LibCurl Memory Disclosure
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/imagegear-jpeg-vulns-netfilter-and-libcurl.html Quick episode with four somewhat simple bugs: two in JPEG parsing, a remote memory disclosure in libcurl due to the difference in `sizeof(long)` on Linux vs Windows, and a heap out-of-bounds write in the Linux kernel. [00:00:16] Spot the Vuln - One of a Kind [00:03:14] Accusoft ImageGear JPEG-JFIF Scan header parser out-of-bounds write vulnerability [00:07:15] Accusoft ImageGear Palette box parser heap-based buffer overflow vulnerability [00:11:55] Remote memory disclosure vulnerability in libcurl on 64...
2022-03-03
26 min
Day[0]
[bounty] DynamicWeb RCE, VMWare Bugs, and Exploiting GitHub Actions
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/dynamicweb-rce-vmware-bugs-and-exploiting-github-actions.html Re-accessing the setup page, an unlikely scenario leaking GitHub secrets, and a proxying issue in Carbon Black. [00:00:34] Logic Flaw Leading to RCE in Dynamicweb 9.5.0 - 9.12.7 [00:06:15] Stealing a few more GitHub Actions secrets [00:19:31] Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays at 3:00pm Eastern (Boston) we focus on web and more...
2022-03-01
34 min
Day[0]
[binary] Zynq-7000 Secure Boot Bypass and Compiler-Created Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/zynq-7000-secure-boot-bypass-and-compiler-created-bugs.html Just one vulnerability this week, a secure boot bypass, and some research into detecting compiler introduced bugs. Ending the week with a discussion about how to learn fuzzing. [00:00:58] Spot the Vuln - All Inclusive HMAC [00:03:47] Zynq-7000 Secure Boot Bypass [CVE-2021-44850] [00:19:32] Cross-Architecture Testing for Compiler-Introduced Security Bugs [00:35:02] Question: Learning to Fuzz [01:03:00] tmp.0ut v2 The DAY[0] Podcast episodes are streamed live on Twitch...
2022-02-24
1h 05
Day[0]
[bounty] CoinDesk, Zabbix, and Leaking Secrets Through Mirrored Repos
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/coindesk-zabbix-and-leaking-secrets-through-mirrored-repos.html Let's talk about "sidedoors" this week, with two vulnerabilities abusing alternative access points, along with an overly verbose error message that actually had some immediate impact, and a look at the challenges of client-side sessions. [00:00:26] CoinDesk API Error Exposes Privileged Token [00:05:28] A tale of 0-Click Account Takeover and 2FA Bypass. [00:10:26] Zabbix - A Case Study of Unsafe Session Storage [00:17:54] Multiple vulnerabilities in Concrete CMS - part2 (PrivEsc/SSRF/etc)
2022-02-22
34 min
Day[0]
[binary] Another Kernel TIPC Bug, MySQL, and Buggy Go
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/another-kernel-tipc-bug-mysql-and-buggy-go.html This week we discuss taint analysis and where to use it compared with fuzzing, a couple of buggy code patterns in Go to be on the lookout for, and another remote stack overflow in the kernel TIPC module. [00:00:14] Spot the Vuln - How Much [00:03:11] Linux Kernel kCTF VRP Extended [00:05:39] MindShaRE: When MySQL Cluster Encounters Taint Analysis [00:24:46] A deeper dive into CVE-2021-39137 - a Golang security bug that Rust would have prevented
2022-02-17
48 min
Day[0]
[bounty] Baby Monitor Bugs, Grafana, and Twitter De-anonymization
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/baby-monitor-bugs-grafana-and-twitter-de-anonymization.html CSRF lives again in the form of CORF, Cross-Origin Request Forgery with an attack against Grafana. We also take a look at some baby monitor issues and a de-anonymization attack against Twitter. [00:00:28] Cross-origin request forgery against Grafana [CVE-2022-21703] [00:17:50] Vulnerabilities Identified in Nooie Baby Monitor [00:26:47] [Twitter] Discoverability by phone number/email restriction bypass [00:32:40] EarnHub Exploit - Post mortem The DAY[0] Podcast episodes are streamed live on Twitch...
2022-02-16
42 min
Day[0]
[binary] Fastly Infoleak, Samba OOB Access, and Pwning MacOS
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/fastly-infoleak-samba-oob-access-and-pwning-macos.html A discussion-heavy episode this week as we speculate about how some XNU code passed muster, how to exploit a small overflow, and weaponizing a large info-leak. [00:00:17] Spot the Vuln - From Bits to Bytes [00:05:09] MacOS 12 Use After Free [00:13:08] A story of leaking uninitialized memory from Fastly [00:34:08] Details on a Samba Code Execution Bug [CVE-2021-44142] [00:46:05] Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF...
2022-02-10
52 min
Day[0]
[bounty] Hacking Google Drive Integrations and XSS Puzzles
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hacking-google-drive-integrations-and-xss-puzzles.html A "maybe" issue this week in Ruby's net/http library, some long chains leading to XSS, and a look at abusing parameter injection for SSRF in applications integrating with the Google Drive API. [00:00:26] [Ruby - net/http] HTTP Header Injection in the set_content_type method [00:10:22] Don't trust comments [00:16:54] HigherLogic Community RCE Vulnerability [00:24:29] Solving DOM XSS Puzzles [00:37:32] Hacking Google Drive Integrations The DAY[0] Podcast...
2022-02-08
44 min
Day[0]
[binary] PwnKit, a Win32k Type Confusion, and Binary Ninja 3.0
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwnkit-a-win32k-type-confusion-and-binary-ninja-3-0.html Binary Ninja 3.0 just dropped, so let's talk about that, then into PwnKit and a couple of kernel bugs, ending this week off with a discussion about dealing with imposter syndrome. [00:00:18] Spot the Vuln - Maintain Order [00:03:52] Binary Ninja 3.0 [00:13:09] PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec [CVE-2021-4034] [00:27:20] Win32k Window Object Type Confusion [CVE-2022-21882] [00:34:20] Linux kernel: erroneous error handling after fd_install()
2022-02-03
48 min
Day[0]
[bounty] Zoho Auth Bypass, a Bogus Bug, and Leaking Microsoft Bug Reports
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/zoho-auth-bypass-a-bogus-bug-and-leaking-microsoft-bug-reports.html A few unique issues this week: routing issues in ManageEngine, a Little Snitch bypass, and undecodable characters leading to a denial of service. [00:00:37] CVE-2022-0329 and the problems with automated vulnerability management [00:19:45] [Omise] XSS via X-Forwarded-Host header [00:25:44] [FetLife] Specific Payload makes a Users Posts unavailable [00:31:03] How I could have read your confidential bug reports by simple mail? [00:36:38] Bypassing Little Snitch Firewall with Empty TCP Packets
2022-02-01
53 min
Day[0]
[binary] NetUSB RCE, a Linux Kernel Heap Overflow, and an XNU Use-After-Free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/netusb-rce-a-kernel-heap-overflow-an-xnu-uaf.html Integer overflows and underflows this week, covering vulns from desktop Zoom clients, to the kernel, and some routers. [00:00:19] Spot the Vuln - One Verified JWT, Please [00:03:27] Zooming in on Zero-click Exploits [00:12:18] Zooming in on Zero-click Exploits [00:26:39] XNU kernel use-after-free in mach_msg [00:34:06] Linux kernel v5.1+ Heap buffer overflow in fs_context.c [00:36:03] Linux kernel v5.1+ Heap buffer overflow in fs_context.c [00:42:21...
2022-01-27
50 min
Day[0]
[bounty] Bypassing Box MFA and Bad AES Key Generation
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bypassing-box-mfa-bad-aes-key-generation.html A new security-related Humble Bundle, an MFA bypass in Box, and a few older-style vulnerabilities: LFI to RCE, an allow-list bypass with an @ sign, and insecure random number seeds. [00:00:37] Humble Book Bundle: Cybersecurity by Wiley [00:08:18] CWP CentOS Web Panel - preauth RCE [CVE-2021-45467] [00:13:37] Stealing administrative JWT's through post auth SSRF [CVE-2021-22056] [00:17:27] Telenot Complex: Insecure AES Key Generation [00:25:12] Mixed Messages: Busting Box’s MFA Methods ...
2022-01-25
33 min
Day[0]
[binary] Pwning Camera and Overflowing your Integers
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwning-camera-and-overflowing-your-integers.html Short episode this week: stack smashing, integer overflowing, and a more logical issue. Ending off with a discussion about what to do when you're stuck on CTFs. [00:00:42] Spot the Vuln - One at a Time [00:04:15] Uniview PreAuth RCE [00:06:59] Adobe Acrobat Reader DC annotation gestures integer overflow vulnerability [00:12:31] Chrome: Interface ID reuse leading to memory corruption in IPC::ChannelAssociatedGroupController [00:18:31] Question: Unsuccessful getting into CTFs The...
2022-01-20
26 min
Day[0]
[bounty] Bad Code and Bad URLs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bad-code-and-bad-urls.html This week is a shorter episode looking at some bad code in mermaid.js and Moodle's Shibboleth plugin, and a bit of research regarding URL parsing issues. [00:00:44] Orca Security Discovered Two AWS Vulnerabilities [00:06:44] Cross-Site Scripting (XSS) in mermaid.js [00:12:41] Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle's Shibboleth [00:20:24] Exploiting URL Parsing Confusion Vulnerabilities The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice...
2022-01-18
36 min
Day[0]
[Binary] Rooting Ubuntu By Accident and Samsung Kernel Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rooting-ubuntu-by-accident-and-samsung-kernel-bugs.html We are back for the first 2022 binary episode, and it's all kernel. Obtaining root through an hours-long exploit process on Ubuntu thanks to an invalid free, a use-after-free in XNU due to bad locking, and some terrible code in the Samsung S20 DSP kernel driver with multiple integer overflows. [00:00:42] Getting root on Ubuntu through wishful thinking [00:19:21] XNU: heap-use-after-free in inm_merge [00:29:42] Kernel LPE in the Vision DSP Kernel Driver [CVE-2021-25467] [00:34:34...
2022-01-13
42 min
Day[0]
[Bounty] RocketChat RCE, Flickr, and a Critical Smart Contract Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rocketchat-rce-flickr-and-a-critical-smart-contract-bug.html More cases of developers making insecure assumptions and getting owned because of it. This week we've got a Flickr account takeover, escalating a restricted SSRF into something more useful, and XSS to RCE in Rocket.Chat. [00:00:34] Rocket.Chat Client-side Remote Code Execution [00:10:14] Flickr Account Takeover [00:24:33] Turning bad SSRF to good SSRF: Websphere Portal [00:34:47] Polygon Lack Of Balance Check Bugfix Postmortem [00:45:22] Fuzzing for XSS via nested parsers condition
2022-01-11
57 min
Day[0]
An Android Kernel Bug and a Chrome+Edge Bug [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/an-android-kernel-bug-a-chrome-edge-exploit.html Hex-rays/Adobe cross-over as they move to a subscription model, and we are not too happy about it. We also discuss a few interesting bugs this week, from an odd optimization and a signedness bug in Chrome, to some mishandled null bytes in runc, and a subtle object-state confusion in the Linux kernel. [00:00:21] Spot the Vuln - Revenge of the Average [00:04:38] Hex-rays is moving to a Subscription model [00:32:49] Understanding the Root Cause of a...
2021-12-16
58 min
Day[0]
Log4j RCE coming to a service near you and uBlock CSS Injection [Bounty]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/log4j-rce-coming-to-a-service-near-you-and-ublock-css-injection.html Log4Shell RCE spawns a lot of discussion this episode, but we also look at a W10 RCE, Google SSRF and some CSS injection in uBlock. [00:00:29] Apache Log4j2 jndi RCE [00:29:50] Windows 10 RCE: The exploit is in the link [00:46:00] SSRF vulnerability in AppSheet - Google VRP [00:52:43] uBlock, I exfiltrate: exploiting ad blockers with CSS The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a...
2021-12-15
1h 08
Day[0]
MediaTek, Yet Another Chrome Bug, and BigSig [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/mediatek-yet-another-chrome-bug-and-bigsig.html A few easy issues this week, but some discussion about fuzzing campaigns and measurements and bypassing modern mitigations. [00:00:20] Spot the Vuln - Just a Normal Walk [00:06:10] This shouldn't have happened: A vulnerability postmortem [00:22:52] Looking for vulnerabilities in MediaTek audio DSP [00:35:23] Exploiting CVE-2021-43267 The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays at 3:00pm Eastern (Boston) we focus on web and...
2021-12-09
48 min
Day[0]
Bypassing MFA, WebCache Poisoning, and AWS SageMaker [Bounty Hunting]
Some readily understood vulnerabilities, but with some interesting impacts, from escalating self-XSS to cross-account CSRF, data exfiltration with CSS, web-cache poisoning and MFA bypassing. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bypassing-mfa-webcache-poisoning-and-aws-sagemaker.html [00:00:00] Introduction [00:00:34] Humble Book Bundle: Hacking by No Starch Press [00:05:50] AWS SageMaker Jupyter Notebook Instance Takeover [00:16:39] [Glassdoor] CSS injection via link tag whitelisted-domain bypass [00:21:15] [Symfony] Webcache Poisoning via X-Forwarded-Prefix and sub-request [00:25:47] Bypassing Box’s Time-based One-Time Password MFA [00:31:26] Exploring Container Security: A Storage Vulnerability Deep Dive [00:36:28] Hakluke: Creating the Perfect Bug Bounty Automation [00:37:10] Data Exfiltration via CSS + SVG Font The DAY[0] Po...
2021-12-07
39 min
Day[0]
KVM Bugs and an iOS IOMFB Kernel Exploit [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/kvm-bugs-and-an-ios-iomfb-kernel-exploit.html Starting off this week with the new humble bundle and some discussion about hacking books. Then onto the vulns: some OOB access, uninitialized memory, and iOS exploit strategy. [00:00:17] Spot the Vuln - Counting Widgets [00:02:36] Humble Book Bundle: Hacking by No Starch Press [00:17:14] KVM: SVM: out-of-bounds read/write in sev_es_string_io [00:23:42] Anker Eufy Homebase 2 home_security CMD_DEVICE_GET_SERVER_LIST_REQUEST out-of-bounds write vulnerability [00:34:14] Apple...
2021-12-02
57 min
Day[0]
GitLab Prototype Pollution and Some Authentication Bypasses [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gitlab-prototype-pollution-and-some-authentication-bypasses.html Short but sweet episode this week, prototype pollution, crypto issues, SSRF and some weird authentication. [00:00:46] Arbitrary command execution in Gerapy [CVE-2021-32849] [00:06:03] [jitsi-meet] Authentication Bypass when using JWT w/ public keys [00:07:41] [jitsi-meet] Authentication Bypass when using JWT w/ public keys [00:10:24] [shopify] A non-privileged user may create an admin account in Stocky [00:13:21] [#0008] URL whitelist bypass in https://cxl-services.appspot.com [00:19:20] [GitLab] Stored XSS via Mermaid...
2021-11-30
26 min
Day[0]
Hacking Neural Nets, a Chrome WebRTC UAF and Pwning Windows [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hacking-neural-nets-a-chrome-webrtc-uaf-and-pwning-windows.html Some more kernel bugs this week as we look at bugs in the Qualcomm NPU driver (Android), Linux, and the Windows kernel. [00:00:17] Spot the Vuln - Once Again - Solution [00:03:12] Google Chrome WebRTC addIceCandidate use after free vulnerability [00:08:53] Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) [00:15:08] Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver [00:31:13] POC2021 – Pwning the Windows 10 Ke...
2021-11-25
45 min
Day[0]
Big Bounties by Exploiting WebKit's CSP & Concrete CMS Bugs [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/big-bounties-by-exploiting-webkit-s-csp-concrete-cms-bugs.html What happens when a vendor refuses to fix your bug? Well, you can go claim a bunch of bounties with it. We also talk about some novel request smuggling research on this episode. [00:00:58] Multiple Concrete CMS vulnerabilities ( part1 - RCE ) [00:12:02] Exploiting CSP in Webkit to Break Authentication & Authorization [00:24:57] T-Reqs: HTTP Request Smuggling with Differential Fuzzing [00:35:30] An Illustrated Guide to Elliptic Curve Cryptography Validation The DAY[0] Podcast episodes...
2021-11-23
38 min
Day[0]
DDR4 Rowhammer, Azure Bugs, "Essential 0days", and Backdoored IDA [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/ddr4-rowhammer-azure-bugs-essential-0days-and-backdoored-ida.html North Korea is at it again targeting researchers, 0day hoarding, breaching secure hardware, and fuzzing on this week's episode. [00:01:15] Spot the Vuln - Beyond the Grave [00:03:50] ESET Research discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group [00:12:39] Why Zero-Days Are Essential to Security - Randori [00:29:32] Blacksmith - Rowhammer Returns [00:43:04] Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology [00:57:45] Microsoft...
2021-11-18
1h 08
Day[0]
Rust in the Web? A Special Guest and some Bad Crypto [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rust-in-the-web-a-special-guest-and-some-bad-crypto.html We are joined by Bastian Gruber to start the episode with a discussion about Rust. Then we'll dive into a few interesting vulnerabilities this week including yet another ECDSA implementation issue and some header smuggling research. [00:00:40] Rust Discussion with Bastian Gruber (Use the code poddayzero21 for 35% off Manning books) [00:46:29] Arbitrary Signature Forgery in Stark Bank ECDSA Libraries [CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571] [01:02:37] Becoming A Super Admin In Someone...
2021-11-16
1h 21
Day[0]
A too trusty TrustZone and a few Linux Kernel bugs [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-too-trusty-trustzone-and-a-few-linux-kernel-bugs.html Some interesting vulnerability environments this week: some Trusted App issues, a couple of Linux kernel vulns, and a look at memory safety issues in unsafe Rust. [00:00:19] Spot The Vuln - Extract All The Things - Solution [00:03:43] Gerbv drill format T-code tool number out-of-bounds write vulnerability [00:13:27] Vulnerable tzdemuxerservice TA on Samsung TVs (J-series) [00:27:06] Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution [CVE-2021-43267] [00:33:49] SLUB overflow [CVE-2021...
2021-11-11
1h 01
Day[0]
A MacOS SIP Bypass & an XSS Fiesta [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-macos-sip-bypass-an-xss-fiesta.html A discussion-heavy episode this week, starting off with the "new" Trojan Source attacks, and then talking about a handful of interesting vulnerabilities. [00:00:18] Trojan Source Attacks [00:24:07] [SmartStoreNET] Malicious Message leading to E-Commerce Takeover [00:34:24] [Chrome] Cross-Site Scripting in New-Tab Page [CVE-2021-37999] [00:39:48] [StreamLabs] Steal access_token via open redirect [00:43:18] Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection [00:50:04] Android security checklist: WebView
2021-11-09
51 min
Day[0]
Type Confusion in Android NFC, PHP-FPM Local Privilege Escalation, and CallbackHell [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/type-confusion-in-android-nfc-php-fpm-local-privilege-escalation-and-callbackhell.html This week we dive into PHP-FPM internals to look at escalating from a worker process to the root process, another GDI bug, and a type confusion. [00:00:18] Spot the Vuln - Over the Edge - Solution [00:03:40] Trick & Treat! Paying Leets and Sweets for Linux Kernel privescs and k8s escapes [00:10:33] Android NFC: Type confusion due to race condition during tag type change [00:14:50] PHP-FPM local root vulnerability [00:28:26] GitHub...
2021-11-04
47 min
Day[0]
Discourse SNS RCE, a Stored XSS in GitLab, and a Reddit Race Condition [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/discourse-sns-rce-a-stored-xss-in-gitlab-and-a-reddit-race-condition.html A couple unique vulns this week involving getting extra coins on Reddit, and bypassing certificate checking for a Discourse RCE. [00:00:40] Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD [00:09:50] Race condition leads to Inflation of coins when bought via Google Play Store [00:15:11] [GitLab] Stored XSS in Mermaid when viewing Markdown files [00:33:28] Discourse SNS webhook RCE [00:47:28] [GitLab] Stored XSS in Mermaid when viewing Markdown files The...
2021-11-02
44 min
Day[0]
A Kernel Race, SuDump, and a Chrome Garbage Collector Bug [Exploit Dev/VR]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-kernel-race-sudump-and-a-chrome-garbage-collector-bug.html We start off this week with a look at in-the-wild 0days from the past seven years, before diving into some pretty awesome bugs this week, including an OOB access in Squirrel (programming language), a couple of Linux kernel issues and a Chrome garbage collector bug. [00:00:22] Spot The Vuln - Just Be Positive - Solution [00:06:42] Overview of 0days seen in the wild the last 7 years [00:18:33] Squirrel Sandbox Escape allows Code Execution in Games and Cloud...
2021-10-28
1h 16
Day[0]
A Slack Attack and a MySQL Scientific Notation Bug [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-slack-attack-and-a-mysql-scientific-notation-bug.html Just four bugs this week, but they are all somewhat interesting: an Instagram 2FA removal, deanonymizing Slack users, a MySQL bug, and how to get cheap Reddit coins. [00:00:31] How I was able to revoke your Instagram 2FA [00:10:02] Abusing Slack's file-sharing functionality to de-anonymise fellow workspace members [00:29:41] A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection [00:35:38] Reddit disclosed on HackerOne: IDOR to pay less for...
2021-10-26
42 min
Day[0]
WebKit Bugs, a Windows Race, and House of IO Improved [Exploit Dev/VR]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/webkit-bugs-a-windows-race-and-house-of-io-improved.html Tianfu Cup happened this week; we also got some cool Windows and WebKit issues, alongside an improvement to the House of IO attack. [00:00:17] Spot The Vuln - Prepare To Inject - Solution [00:03:14] Tianfu Cup 2021 [00:09:10] Six Privilege Escalations and an Info Leak in Windows [Blackswan vulnerabilities] [00:25:16] nt!ObpCreateSymbolicLinkName Race Condition Write-Beyond-Boundary [00:31:37] CVE-2021-30858: Use-after-free in WebKit [00:44:53] WebKit: heap-use-after-free in DOMWindow::open [00:50:23...
2021-10-21
1h 04
Day[0]
WebSocket Hijacking, GitHub review bypass and SQLi to RCE [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/websocket-hijacking-github-review-bypass-and-sqli-to-rce.html Just a handful of traditional vulns this week: IDOR, CSRF, SQLi, a logic vuln and zi's boomer side starts to show. [00:00:18] Remote Chaos Experience [00:03:30] [Concrete CMS] Stored unauth XSS in calendar event via CSRF [00:08:47] ‘Websocket Hijacking’ to steal Session_ID of victim users [00:14:17] IDOR + Account Takeover leads to PII leakage [00:27:27] Bypassing required reviews using GitHub Actions [00:33:20] How I Escalated a Time-Based SQL Injection to RCE
2021-10-19
45 min
Day[0]
HyperKit Bugs & an Open5GS Stack Overflow [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hyperkit-bugs-an-open5gs-stack-overflow.html Uninitialized variables everywhere in HyperKit, and an Open5GS stack-based buffer overflow. [00:00:19] Spot The Vuln - Mind the Sign - Solution [00:00:51] Spot The Vuln - Mind the Sign - Solution [00:03:53] In EU no contract can prevent you from decompiling software you bought, if your goal is fixing a bug. [00:11:05] Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794] [00:14:00] Open5GS Stack Buffer...
2021-10-14
32 min
Day[0]
SharePoint RCE & an Apache Path Traversal [Bug Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/sharepoint-rce-an-apache-path-traversal.html A simple-to-exploit path traversal in Apache...in 2021, a one-time-password defeat by having it be sent to both the attacker and the victim, and more JWT issues. [00:00:24] critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 [00:07:47] [Zomato] Improper Validation at Partners Login [00:12:25] How did I earned 6000$ from tokens and scopes in one day [00:22:13] Remote Code Execution in SharePoint via Workflow Compilation [CVE-2021-26420] The DAY[0] Podcast...
2021-10-12
31 min
Day[0]
Chrome Exploits and a Firefox Update Bug [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/chrome-exploits-and-a-firefox-update-bug.html This week we start off with a nice introduction to signedness issues before diving into a couple Chrome bugs (type confusion and use-after-free) [00:00:17] Spot the Vuln - I Can't Even (Solution) [00:03:46] Fixing a Security Bug by Changing a Function Signature [00:11:58] Chrome in-the-wild bug analysis: CVE-2021-30632 [00:21:25] GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528 [00:26:56] Phrack - Issue 70 The DAY[0] Podcast episodes...
2021-10-07
31 min
Day[0]
Gatekeeper Bypass, Opera RCE, and Prototype Pollution [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gatekeeper-bypass-opera-rce-and-prototype-pollution.html A few interesting issues this week, ranging from a macOS Gatekeeper bypass, some OAuth flow issues in Facebook, and even an RCE through the password field. [00:00:37] The discovery of Gatekeeper bypass CVE-2021-1810 [00:08:50] Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts [00:22:50] Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings [00:30:50] XSS to RCE in the Opera Browser [00:35:28] Prototype Pollution
2021-10-05
1h 00
Day[0]
Kernel UAFs and a Parallels VM Escape [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/kernel-uafs-and-a-parallels-vm-escape.html This week we've got a couple of Linux kernel use-after-frees and a Parallels guest-to-host escape. [00:00:18] Spot The Vuln - Solution [00:02:53] ChaffCTF [00:17:10] Kernel Vmalloc Use-After-Free in the ION Allocator [00:25:31] Linux Kernel: Exploitable vulnerability in io_uring [00:35:09] Parallels Desktop Guest to Host Escape [00:46:35] Igor: Crash Deduplication Through Root-Cause Clustering [00:51:10] Igor: Crash Deduplication Through Root-Cause Clustering [00:57:57] Deus x64: A...
2021-09-30
59 min
Day[0]
iOS 0days, Apache Dubbo RCEs, and NPM bugs [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/ios-0days-apache-dubbo-rces-and-npm-bugs.html Some of Apple's XPC services are leaking information, Finder has an RCE, and some CodeQL use to find many RCEs in Apache Dubbo. [00:00:38] macOS Finder RCE [00:06:11] AWS WorkSpaces Remote Code Execution [CVE-2021-38112] [00:10:09] Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program [00:26:51] 5 RCEs in npm for $15,000 [00:42:32] Apache Dubbo: All roads lead to RCE The DAY[0] Podcast episodes are streamed...
2021-09-29
56 min
Day[0]
A Curl UAF, iPhone FORCEDENTRY, and a Crazy HP OMEN Driver [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-curl-uaf-iphone-forcedentry-and-a-crazy-hp-omen-driver.html We start off the week with a crazy driver that exposes some powerful primitives, a use-after-free in curl, we speculate a bit about exploiting a 2-byte information disclosure, and talk about FORCEDENTRY. [00:00:20] Spot The Vuln - Minimax (Solution) [00:04:30] HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices [CVE-2021-3437] [00:12:32] Nitro Pro PDF JavaScript document.flattenPages JSStackFrame stack-based use-after-free vulnerability [00:19:31] Microsoft Azure Sphere Security Monitor SMSyscallPeripheralAcquire information disclosure...
2021-09-23
46 min
Day[0]
A Flickr CSRF, GitLab, & OMIGOD, Azure again? [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-flickr-csrf-gitlab-omigod-azure-again.html Some high impact vulnerabilities this week, CSRF in account deletion, remote code execution as root, and an apache "0day" that discloses PHP source. [00:00:23] [Flickr] CSRF in Account Deletion feature [00:03:38] OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers [00:23:38] How I found my first Adobe Experience Manager related bug. [00:27:41] [GitLab] Stored XSS in main page of a project [00:31:01] [Mattermost] Privilege Escalation leading to post in channel without having...
2021-09-21
56 min
Day[0]
NETGEAR smart switches, SpookJS, & Parallels Desktop [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/netgear-smart-switches-spookjs-parallels-desktop.html This week we've got an awesome chain of attacks in NETGEAR smart switches, a speculative type confusion (Spook.js) and an integer overflow leading to HTTP Request Smuggling [00:03:40] Security researchers fed up with Apple’s bug bounty program [00:18:26] Demon's Cries vulnerability (some NETGEAR smart switches) [00:22:21] Draconian Fear vulnerability (some NETGEAR smart switches) [00:25:31] Seventh Inferno vulnerability (some NETGEAR smart switches) [00:34:33] Spook.js - Speculative Type Confusion ...
2021-09-16
1h 12
Day[0]
Reused VMWare exploits & Escaping Azure Container Instances [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/reused-vmware-exploits-escaping-azure-container-instances.html Some drama with the VMWare bounty program, and then a few straightforward vulnerabilities and a really cool Azure Container Instances escape and takeover. [00:01:51] Exploit Fired At VMWare leaked to Nuclei Project. [00:14:02] Bypassed! and uploaded a sweet reverse shell [00:18:51] Local File Read via Stored XSS in The Opera Browser [00:27:14] NETGEAR D7000 Authentication Bypass [00:33:34] GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink
2021-09-14
1h 01
Day[0]
Escaping the Bhyve, WhatsApp, & BrakTooth [Binary Exploitation]
A tricky to exploit WhatsApp vulnerability, but still an interesting bug, several Bhyve vulnerabilities, and a named bluetooth vuln (Braktooth) Links and summaries are available on our website: https://dayzerosec.com/podcast/escaping-the-bhyve-whatsapp-braktooth.html [00:00:00] Introduction + The Future [00:02:08] Spot The Vuln Solution [00:07:25] Replay-based attack on Honda and Acura vehicles [00:15:54] A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin [CVE-2021-2429] [00:25:44] Vulnerability in WhatsApp could have led to data exposure of users [00:32:26] Code execution outside the virtualized guest in bhyve [CVE-2021-29631] [00:40:59] Your vulnerability is in another OEM! [01:01:36...
2021-09-09
1h 18
Day[0]
Takeover A Facebook, SnapChat or JetBrains Account [Bounty Hunting]
Multiple account takeover vulnerabilities in this episode with three cross-origin communication vulnerabilities in Facebook, an odd OTP endpoint in SnapChat and an open redirect in JetBrains leaking your JWT. Links and summaries are available on our website: https://dayzerosec.com/podcast/takeover-a-facebook-snapchat-or-jetbrains-account.html [00:00:00] Introduction + The Future [00:08:37] How MarkMonitor left 60,000 domains for the taking [00:17:21] Eye for an eye: Unusual single click JWT token takeover [00:25:20] How I found a primitive but critical broken access control vulnerability in YouTrack… [00:29:02] Ghost CMS 4.3.2 - Cross-Origin Admin Takeover [00:33:47] Tale of $126k worth of bugs that lead to Faceb...
2021-09-07
1h 05
Day[0]
NoSQL Injection, Mobile Misconfigurations and a Wormable Windows Bug
Another short episode this week covering GraphQL attacks, a couple of NoSQL injections, a few misconfigurations and a cool attack to reset monotonic counters on a Mifare card. [00:01:25] From CTFs to the Real World https://dayzerosec.com/tags/ctf-to-real-world/ [00:02:50] [GitHub] Exploits and Malware Policy Updates https://github.com/github/site-policy/pull/397 https://github.com/github/site-policy/pull/397/files [00:07:37] Mobile app developers’ misconfiguration of third party services leave personal data of over 100 million exposed https://research.checkpoint.com/2021/mobile-app-developers-misconfiguration-of-third-party-services-leave-personal-data-of-over-100-million-exposed/ [00:13:49] QNAP MusicStation/MalwareRemover Pre-Auth RCE ht...
2021-05-26
1h 10
Day[0]
Cross-Browser Tracking, Frag Attacks, and Malicious Rust Macros
A shorter episode, but some really cool vulns nonetheless, from mitigation bypassing on D-Link routers to a new set of WiFi protocol design flaws. [00:01:14] Security Vulnerability Detection Using Deep Learning Natural Language Processing https://arxiv.org/abs/2105.02388v1 https://samate.nist.gov/SARD/ [00:08:12] Stealing secrets with Rust Macros proof-of-concept via VSCode https://github.com/lucky/bad_actor_poc [00:13:21] [GitLab] RCE when removing metadata with ExifTool https://hackerone.com/reports/1154542 https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233 [00:19:47] Terminal escape...
2021-05-19
1h 18
Day[0]
Fake Vulns, More Valve, and an AWS Cognito issue
Kicking off the week with some awesome vulns: an "almost" padding oracle in Azure Functions, a race condition in AWS Cognito, some sound engine bugs, and a Foxit Reader use-after-free. [00:00:52] Arbitrary Code Execution in the Universal Turing Machine [CVE-2021-32471] Our discussion of this topic was probably a bit premature and there does seem to be a bit more to it than the title implied. Still no real-world impact, but a bit more interesting of a situation nonetheless. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32471 https://arxiv.org/abs/2105.02124 [00:03:18] Detecting and annoying Burp...
2021-05-12
1h 30
Day[0]
Bad Patches, Fuzzing Sockets, & 3DS Hacked by Super Mario
Some drama in the Linux Kernel and so many vulns resulting in code execution in Homebrew, GitLab, an air fryer, Source engine, Super Mario Maker, Adobe Reader and the Linux Kernel. [00:00:32] On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/ https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ During this episode we speculated that the recent patches might be unrelated to the research. This seems to have been confirmed...
2021-04-28
1h 49
Day[0]
Windows Bugs, Duo 2FA Bypass, and some Reverse Engineering
Authentication bypasses, a Duo 2FA bypass, RCEs, a VM escape, and some reverse engineering writeups. [00:00:26] Project Zero: Policy and Disclosure: 2021 Edition https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html [00:06:27] Remote exploitation of a man-in-the-disk vulnerability in WhatsApp [CVE-2021-24027] https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/ [00:14:06] Allow arbitrary URLs, expect arbitrary code execution https://positive.security/blog/url-open-rce [00:18:29] GHSL-2020-340: log injection in SAP/Infrabox https://securitylab.github.com/advisories/GHSL-2020-340/ [00:22:21] Duo Two-factor Authentication Bypass https://sensepost.com/blog/2021/duo-two-factor-authentication-bypass/
2021-04-21
1h 23
Day[0]
Pwn2own, Linux Kernel Exploits, and Malicious Mail
MD5 is trending in 2021...a few kernel vulnerabilities, and some drama around pwn2own. [00:00:26] Update on git.php.net incident https://externals.io/message/113981 [00:06:38] Pwn2Own 2021 - Results https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results [00:18:53] CSGO exploit allows hackers to steal passwords, and Valve hasn't fixed it https://www.dexerto.com/csgo/csgo-exploit-allows-hackers-steal-passwords-valve-no-fix-1551056/?amp [00:26:20] I Built a TV That Plays All of Your Private YouTube Videos https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/ [00:33:27] Leak of all accounts mail login md5 pass
2021-04-14
1h 40
Day[0]
Speculation in Predictive Store Forwarding, Broken Fixes, and Owning Rocket.Chat
One episode and several failed attempts to fix vulnerabilities, an interesting Rocket.Chat XSS and an exploitable TXT file abusing some weird features. [00:00:46] nOtWASP bottom 10: vulnerabilities that make you cry https://portswigger.net/research/notwasp-bottom-10-vulnerabilities-that-make-you-cry [00:07:28] Click here for free TV! - Chaining bugs to takeover Wind Vision accounts https://labs.f-secure.com/blog/wind-vision-writeup/ [00:15:28] Elevate Yourself to Admin in Umbraco CMS 8.9.0 (CVE-2020-29454) https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/elevate-yourself-to-admin-in-umb-cms-890-cve-2020-29454/ [00:23:19] "netmask" npm package vulnerable to octal input data [CVE-2021-28918]
2021-04-07
1h 25
Day[0]
Google exposes an APT campaign, PHP owned, and Several Auth Issues
Long episode this week as we talk about Google's decision to thwart a western intelligence operation (by fixing vulns), multiple authorization and authentication issues, and of course some memory corruption. [00:00:46] Google's unusual move to shut down an active counterterrorism operation being conducted by a Western democracy https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/ [00:21:48] PHP Git Compromised https://news-web.php.net/php.internals/113838 https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a [00:32:24] [Google Chrome] File System Access API vulnerabilities https...
2021-03-31
2h 16
Day[0]
Fast Fuzzing, Malicious Pull Requests, and Rust in my kernel?!
Time to rewrite Linux in Rust? Probably not, but it has landed in linux-next, which we talked about. We also look at a couple of interesting GitHub vulns, and talk about fuzzing. [00:00:28] Rust in the Linux Kernel https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/rust?id=c77c8025525c36c9d2b9d82e4539403701276a1d https://www.youtube.com/watch?v=FFjV9f_Ub9o&t=2066s https://lkml.org/lkml/2020/7/9/952 https://lkml.org/lkml/2020/7/10/1261 [00:13:40] Two Undocumented Instructions to Update Microcode Discovered https...
2021-03-23
1h 45
Day[0]
Hacking Cameras, Stealing Logins, and Breaking Git
RCE while cloning a Git repo, injecting video into network cameras, and stealing logins with HTML injection when XSS isn't possible. [00:00:32] Critics fume after Github removes exploit code for Exchange vulnerabilities https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/ https://borncity.com/win/2021/03/14/gab-es-beim-exchange-massenhack-ein-leck-bei-microsoft/ [00:09:21] CCTV: Now You See Me, Now You Don't https://research.aurainfosec.io/v380-ip-camera/ [00:13:47] CSRF to RCE Chain in Zabbix [CVE-2021-27927] https://www.horizon3.ai/disclosures/zabbix-csrf-to-rce [00:19:44] Stealing Froxlor login credentials using dangling markup [CVE-2020-29653] https://labs.detectify.com/2021/03/10/cve-2020...
2021-03-16
1h 11
Day[0]
Buggy Browsers, Heap Grooming, and Broken RSA?
This week we get to take a look into some basic heap grooming techniques as we examine multiple heap overflows. We also briefly discuss the hands-on (by the DoD and Synack) assessment of the "unhackable" Morpheus chip, and briefly discuss the new-ish paper claiming to defeat RSA. [00:00:53] "This destroys the RSA cryptosystem." - Fast Factoring Integers by SVP Algorithms https://eprint.iacr.org/2021/232 https://github.com/lducas/SchnorrGate [00:06:55] DARPA pitted 500+ hackers against this computer chip. The chip won. https://cse.engin.umich.edu/stories/morpheus-vs-everybody https://www.reddit.com/r...
2021-03-10
1h 07
Day[0]
BlackHat USA, Pre-Auth RCEs, and JSON Smuggling
This week we talk a bit about newly released Black Hat 2020 and NDSS 2021 presentation videos, before jumping into several pre-auth RCEs, and some interesting exploitation research to bring a PAC enforced Shadow Stack to ARM and an examination of JSON parser interoperability issues. [00:00:41] Microsoft open sources CodeQL queries used to hunt for Solorigate activity https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/ https://github.com/github/codeql/pull/5083/commits/5e1e27c2b6b3429623b66531d4fe0b090e70638a [00:04:16] Black Hat USA 2020 https://www.youtube.com/playlist?list=PLH15HpR5qRsXE_4...
2021-03-03
1h 09
Day[0]
PDF Exploits, GPGME Making Mistakes EZ and Favicon Tracking
A couple privacy violations, PDF exploits, and a complicated API being misused by developers. [00:00:48] Brave browser leaks onion addresses in DNS traffic https://ramble.pw/f/privacy/2387 [00:07:05] Tales of Favicons and Caches: Persistent Tracking in Modern Browsers https://www.ndss-symposium.org/ndss-paper/tales-of-favicons-and-caches-persistent-tracking-in-modern-browsers/ [00:18:12] Shadow Attacks: Hiding and Replacing Content in Signed PDFs https://www.ndss-symposium.org/ndss-paper/shadow-attacks-hiding-and-replacing-content-in-signed-pdfs/ [00:28:20] Getting Information Disclosure in Adobe Reader Through the ID Tag https://www.thezdi.com/blog/2021/2/17/zdi-21-171-getting-information-disclosure-in-adobe-reader-through-the-id-tag [00:32:42] Middleware everywhere and lots of...
2021-02-24
1h 24
Day[0]
Industrial Control Fails and a Package disguised in your own supply
"Beg Bounty" hunters, dependency confusion, iOS kernel vuln, and how not to respond to security research. [00:00:59] Florida Water Treatment Facility Hacked https://twitter.com/Bing_Chris/status/1358873543623274499 [00:09:19] Have a domain name? "Beg bounty" hunters may be on their way https://news.sophos.com/en-us/2021/02/08/have-a-domain-name-beg-bounty-hunters-may-be-on-their-way/amp/ [00:20:14] FootFallCam and MetaTechnology Drama https://twitter.com/_MG_/status/1359582048260743169 [00:28:33] Telegram privacy fails [CVE-2021-27204] [CVE-2021-27205] https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html [00:36:43] Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
2021-02-17
1h 44
Day[0]
MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit
A lot of discussion this week about OSS security and security processes, an iOS kernel type confusion, and a MediaTek Bootloader bypass impacting everything since at least 2014. [00:04:54] Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html [00:15:18] Launching OSV - Better vulnerability triage for open source https://security.googleblog.com/2021/02/launching-osv-better-vulnerability.html [00:22:38] Most Common Bugs of 2021 So Far https://www.bugcrowd.com/blog/common-bugs-of-2021/ [00:31:59] Exploiting the Nespresso smart cards for fun and coffee https://pollevanhoof.be...
2021-02-10
1h 34
Day[0]
Snooping YouTube History and Breaking State Machines
This week is a shorter episode, but still some solid bugs to look at. From a full chain Chrome exploit, to a Kindle chain from remote to root, and an eBPF incorrect calculation leading to OOB read/write. [00:00:41] Albicla launch clusterfuck https://www.reddit.com/r/programminghorror/comments/l25ppk/albicla_launch_clusterfuck/ [00:04:41] [NordVPN] RCE through Windows Custom Protocol on Windows client https://hackerone.com/reports/1001255 [00:09:00] Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform https://www.thezdi.com/blog/2021/1/20/three-bugs-in-orions-belt-chaining-multiple-bugs-for-unauthenticated-rce-in-the-solarwinds-orion-platform [00:18:50] The Embedded...
2021-01-27
57 min
Day[0]
Breaking Lock Screens & The Great Vbox Escape
Several lockscreen-related vulnerabilities this week, a cross-site leak, and the hijacking of all .cd domains. One important thing to mention about this week's episode that was neglected during the discussion is that the BitLocker Lockscreen Bypass is a lockscreen bypass. It does not necessarily provide access to data BitLocker protects. If BitLocker is being run in "transparent operation mode", where the ability to log in is all that is necessary to decrypt data, then this vulnerability can grant access to encrypted data. [00:00:00] Introduction https://dayzerosec.com/ [00:00:59] Slayer Labs https://slayerlabs.com/ [00:1...
2021-01-20
1h 24
Day[0]
Universal Deserialization, Stealing Youtube Videos, and CTFs
A new universal deserialization gadget for Ruby, a Rocket.Chat SAML auth bypass, and some heap exploitation research. [00:00:36] Cybersecurity Knowledge and Skills Taught in Capture the Flag Challenges https://arxiv.org/pdf/2101.01421v1.pdf [00:10:36] Universal Deserialisation Gadget for Ruby 2.x-3.x https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html [00:13:54] Stealing Your Private YouTube Videos, One Frame at a Time https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/ [00:21:43] Rocket.chat - SAML authentication bypass https://hackerone.com/reports/1049375 [00:25:49] curl is vulnerable to SSRF due to...
2021-01-13
1h 17
Day[0]
Hacking Nintendo 3DS, Apple vs Corellium, and Android Bugs
An update on Apple v. Corellium, some 3DS vulnerabilities, and some drama on this week's episode. [00:00:34] Remote Chaos Experience https://media.ccc.de/c/rc3 [00:20:06] Apple Inc. v. Corellium, LLC https://www.courtlistener.com/docket/16064642/784/apple-inc-v-corellium-llc/ [00:28:17] The Great Suspender - New maintainer is probably malicious https://github.com/greatsuspender/thegreatsuspender/issues/1263 [00:36:59] An HTML Injection Worth 600$ Dollars https://medium.com/bugbountywriteup/a-html-injection-worth-600-dollars-5f065be0ab49 [00:44:06] Zoom Meeting Connector Post-Auth Remote Root https://packetstormsecurity.com/files/160736/zoomer.py.txt
2021-01-06
1h 31
Day[0]
Fireeye, PS4 exploit, and MacOS LPE
Big news this week as several government agencies and contractors may have been compromised. We also have a number of great writeups this week covering everything from a PS4 WebKit exploit to macOS and Windows bugs. [00:00:25] CISA issues emergency directive for SolarWinds Orion products compromise https://twitter.com/CISAgov/status/1338348931571445762 https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html https://twitter.com/KimZetter/status/1338305089597964290 https://twitter.com/mamah1987/status/1338369455177523201 https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network [00:26:53] Finding Critical Open Source Projects
2020-12-16
1h 50
Day[0]
Rooting iOS, Hacking with cURL, and the end of Use-After-Free
Some solid exploit development talk in this episode as we look at an iOS vuln, discuss the exploitability of a cURL buffer overflow and examine a new kernel UAF mitigation. [00:00:43] Improving open source security during the Google summer internship program https://security.googleblog.com/2020/12/improving-open-source-security-during.html [00:03:35] Justices seem wary of breadth of federal computer fraud statute https://www.scotusblog.com/2020/12/argument-analysis-justices-seem-wary-of-breadth-of-federal-computer-fraud-statute/ [00:11:37] Update regarding Snapchat SSRF https://hackerone.com/reports/530974 [00:12:53] A 3D Printed Shell https://www.securifera.com/blog/2020/12/02/a-3d-printed-shell/ [00:20:19] Site...
2020-12-09
1h 35
Day[0]
Bad Blocklists, Legal News, and Windows Vulns
More SD-PWN, more Tesla hacks, potential RCE in Drupal, and a couple of Windows vulns. [00:00:27] Congress unanimously passes federal IoT security law https://blog.rapid7.com/2020/11/18/congress-unanimously-passes-federal-iot-security-law/ [00:06:52] The Supreme Court will hear its first big CFAA case https://www.scotusblog.com/2020/11/case-preview-justices-to-consider-breadth-of-federal-computer-fraud-statute/ [00:13:35] How much is unauthorized access sold for? https://xorl.wordpress.com/2020/08/26/how-much-is-unauthorized-access-sold-for/ [00:20:10] Getting Banned for Security Research https://nedwill.github.io/blog/jekyll/update/2020/11/25/banned-for-research.html [00:33:11] SD-PWN Part 3 - Cisco vManage https://medium.com/realmodelabs/sd-pwn-part-3-cisco-vmanage-another-day-another-network-takeover-15731a4d75b7 [00:36:10] SD-PWN...
2020-12-02
1h 20