Day[0]

dayzerosec
Feb 12, 2025 • 1h 13min

Top 10 Web Hacking Techniques and Windows Shadow Stacks

In this episode, we discuss the US government's first-ever report disclosing how many 0-days it reported to vendors. We also cover PortSwigger's top 10 web hacking techniques of 2024, as well as a deep dive by Connor McGarr on how kernel mode shadow stacks are implemented on Windows.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/272.html

[00:00:00] Introduction
[00:01:50] U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report
[00:19:54] What Okta Bcrypt incident can teach us about designing better APIs
[00:40:08] Top 10 web hacking techniques of 2024
[00:55:03] Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
[01:06:11] Accidentally uncovering a seven years old vulnerability in the Linux kernel

Podcast episodes are available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9
Feb 4, 2025 • 41min

Unicode Troubles, Bypassing CFG, and Racey Pointer Updates

On the web side, we cover a PortSwigger post on ways of abusing Unicode mishandling to bypass firewalls and a Doyensec guide to OAuth vulnerabilities. We also get into a Windows exploit for a use-after-free in the telephony service that bypasses Control Flow Guard, and a data race due to non-atomic writes in the macOS kernel.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/271.html

[00:00:00] Introduction
[00:00:22] Bypassing character blocklists with unicode overflows
[00:06:53] Common OAuth Vulnerabilities
[00:18:37] Windows Telephony Service - It's Got Some Call-ing Issues [CVE-2024-26230]
[00:32:05] TRAVERTINE (CVE-2025-24118)
Jan 27, 2025 • 1h 8min

Deanonymization with CloudFlare and Subaru's Security Woes

Zero Day Initiative posts their trends and observations from their threat hunting highlights of 2024, macOS has a sysctl bug, and a technique leverages CloudFlare to deanonymize users on messaging apps. PortSwigger also publishes a post on the Cookie Sandwich technique, and Subaru's weak admin panel security allows tracking and controlling other people's vehicles.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/270.html

[00:00:00] Introduction
[00:00:11] ZDI Threat Hunting 2024 - Highlights, Trends, and Challenges
[00:21:44] Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
[00:41:54] Stealing HttpOnly cookies with the cookie sandwich technique
[00:49:06] Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
Jan 20, 2025 • 1h 12min

Excavating Exploits and PHP Footguns

This week features a mix of topics, from polyglot PDF/JSON to Android kernel vulnerabilities. Project Zero also publishes a post about excavating an exploit strategy from crash logs of an in-the-wild campaign.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/269.html

[00:00:00] Introduction
[00:07:48] Attacking Hypervisors - From KVM to Mobile Security Platforms
[00:12:18] Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal
[00:19:41] How an obscure PHP footgun led to RCE in Craft CMS
[00:34:44] oss-security - RSYNC: 6 vulnerabilities
[00:42:13] The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit
[00:59:59] security-research/pocs/linux/kernelctf/CVE-2024-50264_lts_cos/docs/exploit.md
[01:10:35] GLibc Heap Exploitation Training
Jan 14, 2025 • 1h 23min

WhatsApp vs. NSO and CCC Talks

Specter and zi discuss their winter break, cover some interesting CCC talks, and discuss the summary judgement in the WhatsApp vs. NSO Group case.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/268.html

[00:00:00] Introduction
[00:09:53] 38C3: Illegal Instructions
[00:35:38] WhatsApp v. NSO Group
[01:04:06] Vulnerability Research Highlights 2024
[01:08:45] Debugging memory corruption: Who wrote '2' into my stack?!
[01:16:46] HardBreak
[01:20:14] Announcing CodeQL Community Packs
Dec 16, 2024 • 47min

Buggy Operating Systems Are Coming to Town

In our last episode of 2024, we delve into some operating system bugs in both Windows and Linux, as well as some bugs that are not bugs but rather AI slop.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/267.html

[00:00:00] Introduction
[00:06:48] Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4
[00:19:20] Bypassing WAFs with the phantom $Version cookie
[00:27:51] Windows Sockets: From Registered I/O to SYSTEM Privileges
[00:34:02] ksthunk.sys Integer Overflow (PE)
[00:38:20] Linux Kernel: TOCTOU in Exec System
Dec 9, 2024 • 45min

Machine Learning Attacks and Tricky Null Bytes

This week's episode contains some LLM hacking and attacks on classifiers, as well as the renewal of DMA attacks with SD Express and the everlasting problems of null bytes.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/266.html

[00:00:00] Introduction
[00:00:31] Hacking 2024 by No Starch
[00:09:18] Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject)
[00:14:37] Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges
[00:25:49] Null problem! Or: the dangers of an invisible byte
[00:36:32] New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader
Dec 2, 2024 • 27min

A Windows Keyhole and Buggy OAuth

A short episode this week, featuring Keyhole, which abuses a logic bug in Windows Store DRM, an OAuth flow issue, and a CSRF protection bypass.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/265.html

[00:00:00] Introduction
[00:00:16] Attacking Hypervisors From KVM to Mobile Security Platforms
[00:02:30] Keyhole
[00:10:12] Drilling the redirect_uri in OAuth
[00:18:00] Cross-Site POST Requests Without a Content-Type Header
[00:24:03] New AMSI Bypass Technique Modifying CLR.DLL in Memory
Nov 26, 2024 • 52min

Linux Is Still a Mess and Vaultwarden Auth Issues

Linux userspace is still a mess and has some bad bugs in root utilities, and Vaultwarden has an interesting auth bypass attack.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/264.html

[00:00:00] Introduction
[00:00:29] LPEs in needrestart [Ubuntu]
[00:18:41] Vulnerability Disclosure: Authentication Bypass in Vaultwarden versions < 1.32.5
[00:31:50] From an Android Hook to RCE
[00:43:34] Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst
Nov 18, 2024 • 1h 1min

FortiJump Higher, Pishi, and Breaking Control Flow Flattening

Explore the intriguing changes in Google's Chrome bug bounty program, particularly regarding sandbox escapes. Discover the fascinating FortiJump Higher vulnerability and its implications for Fortinet's FortiManager. Dive into the challenges of fuzzing macOS kernel extensions with innovative coverage techniques. Unpack the complexities of control flow flattening in binary analysis and the unique approaches to handling browser exploits. Plus, learn about a notable Firefox vulnerability and exciting internship opportunities in the cybersecurity landscape.
