Day[0]

dayzerosec
Dec 1, 2022 • 44min

[binary] Patch Gaps and Apple Neural Engine Vulns

The end of kASLR bypasses? Probably just click-bait, but the patch gap is real and we discuss that a bit before getting into a couple of kernel memory corruption bugs in Apple's Neural Engine code. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/172.html

[00:00:00] Introduction
[00:01:15] Spot the Vuln - Escape
[00:06:00] Humble Tech Book Bundle: The Art of Hacking by No Starch Press
[00:11:00] An End to KASLR Bypasses?
[00:15:59] Mind the Gap
[00:24:36] ANE_ProgramCreate() multiple kernel memory corruption [CVE-2022-32898]
[00:34:29] Chat Question: Guides/Techniques to Help With C++ Reverse Engineering
[00:36:35] ZinComputeProgramUpdateMutables() OOB write due to double fetch issue [CVE-2022-32932]

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Nov 29, 2022 • 45min

[bounty] Tailscale RCE, an SQLi in PAM360, and Exploiting Backstage

Some RCE chains starting with DNS rebinding, always fun to see, a fairly basic SQL injection, and a JS sandbox escape for RCE in Spotify's Backstage. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/171.html

[00:00:00] Introduction
[00:00:38] RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924]
[00:17:55] SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300]
[00:22:34] Unauthenticated Remote Code Execution in Spotify's Backstage
[00:36:28] Till REcollapse
[00:41:19] Chat Question: Alternatives to IDA Freeware
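The DNS rebinding chains above all start the same way: a page on an attacker-controlled name first resolves to the attacker's server, then (after a short TTL) to 127.0.0.1, so the browser's same-origin policy lets that page's JavaScript reach a service listening on localhost. The request still carries the attacker's name in its Host header, which is the one thing a local service can check. The following is an added example written for this page, not Tailscale's code or its fix for CVE-2022-41924; the allowlist of local names, the toy `/api` handler and the 421 status are choices made here for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHost reports whether the Host header of an incoming request names a
// hostname this local service is willing to serve. A port suffix is ignored,
// IPv6 literals may be bracketed, and a trailing dot ("localhost.") is
// normalised away so the comparison is on the bare name only.
func allowedHost(hostHeader string, allowed []string) bool {
	h := hostHeader
	if host, _, err := net.SplitHostPort(hostHeader); err == nil {
		h = host // "localhost:8080" -> "localhost", "[::1]:8080" -> "::1"
	}
	h = strings.TrimSuffix(strings.TrimPrefix(h, "["), "]") // bare "[::1]"
	h = strings.ToLower(strings.TrimSuffix(h, "."))
	for _, a := range allowed {
		if h == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// rejectRebinding wraps a handler and refuses any request whose Host header
// is not on the allowlist. A rebound attacker.example still sends
// "Host: attacker.example", so it is stopped here before reaching the API.
func rejectRebinding(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedHost(r.Host, allowed) {
			http.Error(w, "unexpected Host header", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives one request (with a constructed Host header) through the
// guarded handler in-process and returns the status code, so the behaviour
// can be checked without opening a socket.
func statusFor(hostHeader string) int {
	// Hypothetical local API endpoint; stands in for whatever the real
	// localhost service would expose.
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "local API: ok")
	})
	guarded := rejectRebinding([]string{"localhost", "127.0.0.1", "::1"}, inner)

	req := httptest.NewRequest("GET", "http://localhost:8080/api", nil)
	req.Host = hostHeader // the browser sends the name the page was loaded from
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, host := range []string{
		"localhost:8080", "127.0.0.1", "[::1]:8080", // legitimate local callers
		"attacker.example", "attacker.example:8080", // rebound origin
	} {
		fmt.Printf("Host: %-22s -> %d\n", host, statusFor(host))
	}
}
```

The check is deliberately an exact match on the bare hostname rather than a suffix or substring test, since `localhost.attacker.example` is a perfectly valid attacker name. It is a defence for services that are only meant to be reached by name from the same machine; a service that legitimately serves many hostnames needs its allowlist built from configuration instead.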
Nov 24, 2022 • 48min

[binary] Hacking Pixel Bootloaders and Injecting Bugs

A hardware-heavy episode as we talk about two read protection bypasses, Pixel 6 bootloader exploitation and benchmarking fuzzers. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/170.html

[00:00:00] Introduction
[00:00:26] Spot the Vuln - Do More
[00:05:04] Pixel6 Bootloader Exploitation
[00:16:41] NXP i.MX SDP_READ_DISABLE Fuse Bypass [CVE-2022-45163]
[00:22:05] Bypassing the Renesas RH850/P1M-E read protection using fault injection
[00:29:32] FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing
Nov 22, 2022 • 31min

[bounty] Racing Grafana, Stealing Mastodon Passwords, and Cross-Site Tracing

This week has the return of cross-site tracing, HTML injection, a Go-specific vulnerable code pattern, and a fun case-sensitivity auth bypass. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/169.html

[00:00:00] Introduction
[00:01:02] A Confused Deputy Vulnerability in AWS AppSync
[00:07:05] Grafana Race Condition Leading to Potential Authentication Bypass [CVE-2022-39328]
[00:16:12] Stealing passwords from infosec Mastodon - without bypassing CSP
[00:24:01] Cross-Site Tracing was possible via non-standard override headers [CVE-2022-45411]
Nov 17, 2022 • 27min

[binary] Exploiting Undefined Behavior and a Chrome UAF

Does the compiler make exploitation easier? These divergent representations seem to. We also look at a Chrome UAF and a double stack overflow. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/168.html

[00:00:00] Introduction
[00:00:52] Spot the Vuln - The Right Start
[00:03:25] Look out! Divergent representations are everywhere!
[00:12:18] Chrome: heap-use-after-free in password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode
[00:17:34] Netgear Nighthawk r7000p aws_json Unauthenticated Double Stack Overflow Vulnerability
[00:23:52] A validation flaw in Netfilter leading to Local Privilege Escalation [CVE-2022-1015]
[00:25:03] Windows Kernel multiple memory corruption issues when operating on very long registry paths
Nov 15, 2022 • 1h 1min

[bounty] Bypassing Pixel Lock Screens and Checkmk RCE

A Pixel lock screen bypass and some discussion about dupes in bug bounty, then a long RCE chain, and a look at client-side path traversals. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/167.html

[00:00:00] Introduction
[00:00:48] Accidental $70k Google Pixel Lock Screen Bypass
[00:23:28] Discovering vendor-specific vulnerabilities in Android
[00:34:30] Checkmk: Remote Code Execution by Chaining Multiple Bugs (2/3)
[00:52:13] Practical Client Side Path Traversal Attacks
Nov 10, 2022 • 1h 1min

[binary] OpenSSL Off-by-One, Java XML Bugs, and an In-the-Wild Samsung Chain

A lot of discussion about the OpenSSL vulnerability, fuzzing and exploitation. Then into an RCE in XML Signature verification, and a Samsung exploit chain. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/166.html

[00:00:00] Introduction
[00:00:35] Spot the Vuln - Spaced Out
[00:03:29] OpenSSL punycode vulnerability [CVE-2022-3602]
[00:35:43] Gregor Samsa: Exploiting Java's XML Signature Verification
[00:46:37] A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
[00:58:53] Symbolic Triage: Making the Best of a Good Situation
Nov 8, 2022 • 48min

[bounty] Apache Batik, Static Site Generators, and an Android App Vuln

Several slightly weird issues this week: a reentrancy attack abusing a read-only function, SSRF and XSS through a statically generated website, and others. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/165.html

[00:00:00] Introduction
[00:01:10] Vulnerabilities in Apache Batik Default Security Controls - SSRF and RCE Through Remote Class Loading
[00:05:48] Exploiting Static Site Generators: When Static Is Not Actually Static
[00:12:51] Decoding $220K Read-only Reentrancy Exploit
[00:23:56] Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches
[00:28:42] Arbitrary File Read in Tasks.org Android app [CVE-2022-39349]
[00:33:13] [GitLab] RepositoryPipeline allows importing of local git repos
[00:36:15] [GitLab] RepositoryPipeline allows importing of local git repos
[00:46:05] Visual Studio Code Jupyter Notebook RCE
Nov 3, 2022 • 47min

[binary] XNU's kalloc_type, Stranger Strings, and a NetBSD Bug

Kicking off the week with a look at Apple's new security blog and the kalloc_type allocator introduced into XNU, then a mix of issues including an overflow in SQLite. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/164.html

[00:00:00] Introduction
[00:00:24] Spot the Vuln - Right Code, Wrong Place
[00:03:05] Hexacon Talks are Available
[00:04:56] Towards the next generation of XNU memory safety: kalloc_type
[00:21:23] NetBSD Coredump Kernel Refcount LPE
[00:24:56] [Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched
[00:31:42] Stranger Strings: An exploitable flaw in SQLite
[00:44:35] Reaching Vulnerable Point starting from 0 Knowledge on RPC [CVE-2022-26809]
Nov 1, 2022 • 29min

[bounty] A Galaxy Store Bug, Facebook CSRF, and Google IDOR

Several simple bugs with significant impacts: XSS leading to app installation, CSRF via a captcha endpoint, and a Google IDOR. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/163.html

[00:00:00] Introduction
[00:00:29] Defcon Talks are Available
[00:03:10] Galaxy Store Applications Installation/Launching without User Interaction
[00:08:49] Facebook SMS Captcha Was Vulnerable to CSRF Attack
[00:15:32] Google Data Studio Insecure Direct Object Reference
[00:21:06] HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding