Day[0]

dayzerosec
Oct 27, 2022 • 39min

[binary] Edge Vulns, a SHA-3 Overflow, and an io_uring Exploit

A few issues this week, including an overflow in SHA-3, yet another io_uring bug, and multiple (questionably exploitable) corruptions in Edge. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/162.html

[00:00:00] Introduction
[00:00:23] Spot the Vuln - Tricky Notes
[00:04:04] Memory corruption vulnerabilities in Edge
[00:15:19] SHA-3 Buffer Overflow
[00:23:53] A Journey To The Dawn [CVE-2022-1786]
[00:36:57] Exploiting Xbox Game Frogger Beyond to Execute Arbitrary Unsigned Code

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9
Oct 25, 2022 • 41min

[bounty] XMPP Stanza Smuggling in Jabber and a Cobalt Strike RCE

Several fun issues this week, from a Cobalt Strike RCE, a couple of auth bypasses, and stanza smuggling in Jabber. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/161.html

[00:00:00] Introduction
[00:00:28] Sophos Firewall User Portal and Web Admin Code Injection [CVE-2022-3236]
[00:07:05] [Cisco Jabber] XMPP Stanza Smuggling with stream:stream tag
[00:14:52] Authentication Bypass & File Upload & Arbitrary File Overwrite
[00:25:31] Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
[00:33:38] HTTP/3 connection contamination: an upcoming threat?
Oct 20, 2022 • 44min

[binary] Some Browser Exploitation and a Format String Bug?

We've got a few interesting vulns this week: a blind format string attack, a Windows kernel integer overflow, and a browser exploit (unchecked bounds after lowering). Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/160.html

[00:00:00] Introduction
[00:00:24] Spot the Vuln - Chat Configuration
[00:02:06] CCC Cancelled
[00:07:53] Hacking TMNF: Part 2 - Exploiting a blind format string
[00:19:17] Windows Kernel integer overflows in registry subkey lists leading to memory corruption
[00:28:13] Browser Exploitation: A Case Study Of CVE-2020-6507
[00:45:48] Chat Question: Getting Into Browser Exploitation
Oct 18, 2022 • 26min

[bounty] GitHub to GitLab RCE and a new PHP Supply Chain Attack

This week we look at an insecure deserialization (GitLab), an argument injection (Packagist), and insecure string interpolation (Apache Commons Text). Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/159.html

[00:00:00] Introduction
[00:01:01] New reward system to accelerate learning and growth on Detectify
[00:04:33] RCE via github import
[00:11:27] Securing Developer Tools: A New Supply Chain Attack on PHP
[00:17:32] FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive [CVE-2022-40684]
[00:23:08] Apache Commons Text Interpolation leading to potential RCE [CVE-2022-42889]
Oct 13, 2022 • 36min

[binary] i.MX Secure Boot Bypass and a Hancom Office Underflow

Just a couple of issues this week, plus a discussion about why you should look at old vulnerabilities and how quickly exploit development has advanced. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/158.html

[00:00:00] Introduction
[00:00:26] Spot the Vuln - Authentic Token ... Fixed
[00:05:42] Hancom Office 2020 Hword Docx XML parsing heap underflow vulnerability
[00:11:07] Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
[00:22:21] Discussion: Why Care About Old Vulnerabilities
Oct 11, 2022 • 45min

[bounty] Got UNIX Sockets and Some Filter Bypasses?

No actual bounties this week, but we start off with a discussion on Semgrep vs CodeQL, then get into some cool issues that you can start testing for. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/157.html

[00:00:00] Introduction
[00:00:39] Comparing Semgrep and CodeQL
[00:14:27] A Deep Dive of CVE-2022-33987 (Got allows a redirect to a UNIX socket)
[00:20:18] Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style
[00:28:23] [OpenJDK] Weak Parsing Logic in java.net.InetAddress and Related Classes
[00:34:22] RCE via Phar Deserialisation [CVE-2022-41343]
Oct 6, 2022 • 43min

[binary] Pwning Scoreboards, uClibC, and PS5 Exploitation

Starting off with some discussion about XOM and CFI on the PS5 and how they impact exploitation. Then on to a uClibC issue and hacking wireless scoreboards. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/156.html

[00:00:00] Introduction
[00:00:27] Spot the Vuln - Authentic Token
[00:05:04] PS5-4.03-Kernel-Exploit: An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on 4.03FW
[00:17:54] uClibC and uClibC-ng libpthread linuxthreads memory corruption vulnerabilities
[00:26:35] Scoreboard Hacking Part 2 - Getting the AES Key
[00:41:16] When Hypervisor Met Snapshot Fuzzing
Oct 4, 2022 • 33min

[bounty] Akamai Cache Poisoning and a Chrome Universal XSS

Some varied issues this week: a file format allowing JScript for a $20,000 bounty, Akamai cache poisoning, and a universal XSS in Chrome. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/155.html

[00:00:00] Introduction
[00:00:26] Two Lines of JScript for $20,000
[00:05:31] Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes ($50K+ Bounty Earned)
[00:14:10] [Chrome] Universal XSS in Autofill Assistant
[00:22:51] Aurora Improper Input Sanitization Bugfix Review
[00:31:21] What I learnt from reading 126* Information Disclosure Writeups.
Sep 29, 2022 • 54min

[binary] SoCs with Holes, Crow HTTP Bugs, and Bypassing Intel CET

Starting off with meme vulnerabilities in UNISOC BootROMs and ending with a discussion about bypassing CFI/Intel CET, with some fun issues in between. Links and summaries are available at https://dayzerosec.com/podcast/154.html

[00:00:00] Introduction
[00:00:24] Spot the Vuln - You Put Where Where?!
[00:04:05] There's Another Hole In Your SoC: Unisoc ROM Vulnerabilities
[00:12:19] Crow HTTP framework use-after-free
[00:17:51] Crowbleed (Crow HTTP framework vulnerability)
[00:19:34] exploit for CVE-2022-2588
[00:23:24] Bypassing Intel CET with Counterfeit Objects
[00:48:05] Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja
[00:50:32] PS5 IPV6_2292PKTOPTIONS Use-After-Free
Sep 27, 2022 • 45min

[bounty] Web3 Universal XSS, Breaking BitBucket, and WAF Bypasses

Discussion this week around Chrome's Sanitizer API, bypassing firewalls with webhooks and 0days (a ModSecurity bypass), and a pre-auth BitBucket RCE. Links and summaries are available at https://dayzerosec.com/podcast/153.html

[00:00:00] Introduction
[00:00:31] Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library
[00:10:31] Breaking Bitbucket: Pre Auth Remote Command Execution [CVE-2022-36804]
[00:16:25] [Chrome] Sanitizer API bypass via prototype pollution
[00:23:02] How we Abused Repository Webhooks to Access Internal CI Systems at Scale
[00:35:03] WAF bypasses via 0days
[00:42:40] Cloning internal Google repos for fun and... info?
[00:43:19] How to turn security research into profit: a CL.0 case study
