Day[0]

dayzerosec
Jan 26, 2023 • 51min

[binary] Exploiting Null Derefs and Windows Type COM-fusion

Null dereferences might not be exploitable on a lot of systems, but what about the code that handles a null dereference? We cover a great Project Zero post on the topic, then look at a type confusion in the Windows COM+ Event System Service, a Nintendo buffer overflow, and several memory corruptions in git, highlighting their unique primitives and potential exploitability. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/182.html

[00:00:00] Introduction
[00:01:14] Spot the Vuln - Resolution
[00:03:38] Exploiting null-dereferences in the Linux kernel
[00:15:31] Type confusion in Windows COM+ Event System Service [CVE-2022-41033]
[00:22:57] Information and PoC about the ENLBufferPwn vulnerability
[00:28:11] Git security vulnerabilities announced

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9
Jan 24, 2023 • 30min

[bounty] Cloud Bugs and More Vulns in Galaxy App Store

We've got a cloud-focused episode this week, starting with a logging bypass in AWS CloudTrail, then an SSH key injection in Google Cloud Compute Engine, and cross-tenant data access in Azure Cognitive Search. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/181.html

[00:00:00] Introduction
[00:00:25] Undocumented API allows CloudTrail bypass
[00:06:00] Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
[00:14:53] SSH key injection in Google Cloud Compute Engine [Google VRP]
[00:19:08] Chat Question: Why is Cross-Site Scripting called That
[00:22:36] Cross-tenant network bypass in Azure Cognitive Search
Jan 19, 2023 • 45min

[binary] An iPod Nano Bug, XNU Vuln, and a WebKit UAF

An Apple-focused episode this week, with a trivial iPod Nano BootROM exploit and a WebKit use-after-free. We also have a really cool XNU virtual memory bug: strictly speaking a race condition, combined with a logic difference between two alternate code paths, that results in bypassing copy-on-write protection. We also handle a few questions from chat: how much reverse engineering is necessary for vuln research, how much programming knowledge is required, and a bit about AI's applicability to reverse engineering. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/180.html

[00:00:00] Introduction
[00:00:18] Spot the Vuln - An Exceptional Login
[00:02:39] wInd3x, the iPod Bootrom exploit 10 years too late
[00:09:14] XNU VM copy-on-write bypass due to incorrect shadow creation logic during unaligned vm_map_copy operations [CVE-2022-46689]
[00:17:52] [WebKit] Use-after-free of RenderMathMLToken in CSSCrossfadeValue::crossfadeChanged
[00:21:46] Chat Question: How Important is Reverse Engineering to Vuln Research
[00:40:33] Learning eBPF exploitation
[00:41:23] [Chrome] Analyzing and Exploiting CVE-2018-17463
[00:42:40] Off-By-One Security - The Process of Reversing and Exploit Complex Vulnerabilities w/Chompie1337
Jan 17, 2023 • 49min

[bounty] Client-Side Path Traversal and Hiding Your Entitlement(s)

This week kicks off with another look at client-side path traversal attacks, this time with some more case studies. Then we get into some mobile issues: one a cool desync between DER processors resulting in an iOS privilege escalation, the other a Bundle processing issue in Android that provides an almost use-after-free-like primitive, but in Java. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/179.html

[00:00:00] Introduction
[00:00:27] Full Team Takeover
[00:04:20] Fetch Diversion
[00:13:39] Practical Example Of Client Side Path Manipulation
[00:17:50] DER Entitlements: The (Brief) Return of the Psychic Paper
[00:30:47] Privilege escalation to system app via LazyValue using Parcel after recycle() [CVE-2022-20452]
[00:47:38] Critical Thinking - A Bug Bounty Podcast by Justin Gardner (Rhynorater)
Jan 12, 2023 • 47min

[binary] Attacking Bhyves and a Kernel UAF

Just a few issues this week, but some solid exploitation: a Linux kernel UAF, an IoT stack overflow, and a bhyve escape. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/178.html

[00:00:00] Introduction
[00:00:35] Spot the Vuln - Internal Externals
[00:06:35] Escaping from bhyve
[00:13:14] Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg
[00:29:28] MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
[00:42:19] Survey of security mitigations and architectures, December 2022
[00:45:25] Abusing RCU callbacks with a Use-After-Free read to defeat KASLR
Jan 10, 2023 • 1h 3min

[bounty] Web Hackers vs. Cars and a Facebook Account Takeover

First episode of the new year, and we've got some cool stuff: several authentication issues and "class pollution" in Python. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/177.html

[00:00:00] Introduction
[00:00:31] ReDoS "vulnerabilities" and misaligned incentives
[00:17:14] Web Hackers vs. The Auto Industry
[00:37:19] Prototype Pollution in Python
- Correction: We discuss a bit of a disagreement regarding calling the issue "Prototype Pollution" in Python. It turns out we missed the fact that the author calls it "Class Pollution" in the actual article, which is a more fitting name.
[00:50:26] [MK8DX] Improper verification of Competition creation allows to create "Official" competitions
[00:56:36] 0 click Facebook Account Takeover and Two-Factor Authentication Bypass
[01:01:18] How SAML works and some attacks on it
Dec 15, 2022 • 40min

[binary] JS Type Confusions and Bringing Back Stack Attacks

In this episode, we discuss the discovery of a type confusion in Internet Explorer's JScript engine. We also explore a fun exploit strategy for a low-level memory management bug in the Linux kernel and delve into several issues in Huawei's Secure Monitor that enable code execution in the secure world. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/176.html

[00:00:00] Introduction
[00:00:30] Spot the Vuln - Update All The Things
[00:06:02] Type confusion in Internet Explorer's JScript9 engine [CVE-2022-41128]
[00:14:48] Exploiting CVE-2022-42703 - Bringing back the stack attack
[00:29:01] Huawei Secure Monitor Vulnerabilities
Dec 13, 2022 • 1h 1min

[bounty] Pwn2Own Bugs and WAF Bypasses

Is Pwn2Own worth it for bug bounty hunters? Also a handful of trivial command injections and some awesome WAF bypasses. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/175.html

[00:00:00] Introduction
[00:00:34] Pwn2Own Toronto 2022 - Results
[00:10:31] Cool vulns don't live long - Netgear and Pwn2Own
[00:15:03] The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022
[00:26:54] RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass
[00:37:25] Abusing JSON-Based SQL to Bypass WAF
[00:46:47] OTP Leaking Through Cookie Leads to Account Takeover
[00:50:47] ChatGPT bid for bogus bug bounty is thwarted
Dec 8, 2022 • 48min

[binary] A Huawei Hypervisor Vuln and More Memory Safety

Will AI be your next vuln research assistant? ... Maybe? We also talk about a stack-based overflow in FreeBSD's `ping` and a Huawei hypervisor vuln. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/174.html

[00:00:00] Introduction
[00:00:41] Spot the Vuln - A Nice Choice
[00:03:49] ChatGPT - AI for Vuln Research?
[00:21:46] Memory Safe Languages in Android 13
[00:31:28] [FreeBSD] Stack overflow in ping
[00:40:59] Huawei Security Hypervisor Vulnerability
[00:45:09] Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
[00:45:16] Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan
Dec 6, 2022 • 43min

[bounty] Remotely Controlling Hyundai and a League of Legends XSS

A variety of issues this week: DOM clobbering, argument injection, a filesystem race condition, cross-site scripting, and a normalization-based auth bypass. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/173.html

[00:00:00] Introduction
[00:00:41] Humble Tech Book Bundle: The Art of Hacking by No Starch Press
[00:03:23] Hijacking service workers via DOM Clobbering
[00:11:14] Grafana RCE via SMTP server parameter injection
[00:16:33] Race condition in snap-confine's must_mkdir_and_open_with_perms() [CVE-2022-3328]
[00:23:56] XSS on account.leagueoflegends.com via easyXDM
[00:32:41] [Hyundai] Remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.