

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes

Sep 22, 2022 • 1h 16min
[binary] An iOS Bug, Attacking Titan-M, and MTE Arrives
This week we've got some summer highlights: the impact of MTE on Android, an iOS vuln and some primitive chaining in a Titan M exploit.
Links and summaries of today's topics are available on our website: https://dayzerosec.com/podcast/an-ios-bug-attacking-titan-m-and-mte-arrives.html
[00:01:17] Spot the Vuln - Easy Regex
[00:03:53] Binary Ninja - 3.1 The Performance Release
[00:11:52] Dogbolt - Decompiler Explorer
[00:15:28] Making Linux Kernel Exploit Cooking Harder
[00:23:31] MTE comes to Android
[00:37:19] ipc_kmsg_get_from_kernel, iOS 15.4 - root cause analysis
[00:44:48] Attacking Titan M with Only One Byte
[01:00:01] CVE-2022-29582 - An io_uring vulnerability
[01:07:47] mast1c0re: Hacking the PS4 / PS5 through the PS2 Emulator
[01:09:32] bd-jb: The first bd-j hack (PS4/PS5)
[01:11:01] [CVE-2022-34918] A crack in the Linux firewall

Sep 20, 2022 • 1h 15min
[bounty] Reading GitLab Hidden HackerOne Reports and Golang Parameter Smuggling
We are back at it, covering some write-ups and exploits we found interesting this summer, from browser-powered desyncs to account takeovers.
Links are available on our website at: https://dayzerosec.com/podcast/reading-gitlab-hidden-hackerone-reports-and-golang-parameter-smuggling.html
[00:02:17] Ridiculous vulnerability disclosure process with CrowdStrike Falcon Sensor
[00:15:03] [GitLab] Able to view hackerone report attachments
[00:26:59] Forwarding addresses is hard [CVE-2022-31813]
[00:32:18] "ParseThru" – Exploiting HTTP Parameter Smuggling in Golang
[00:46:41] Browser-Powered Desync Attacks
[01:09:30] Scraping the bottom of the CORS barrel (part 1)

Jun 2, 2022 • 55min
[binary] Fuchsia OS, Printer Bugs, and Hacking Radare2
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/fuchsia-os-printer-bugs-and-hacking-radare2.html
Some silly issues in radare2, some printer hacking, some kernel vulnerabilities, and a look at exploiting Fuchsia OS on this week's episode. Just as a reminder, this will be our last episode until September.
[00:00:40] Spot the Vuln - Size Matters
[00:04:30] Multiple vulnerabilities in radare2
[00:10:08] The printer goes brrrrr!!!
[00:17:25] A Kernel Hacker Meets Fuchsia OS
[00:33:55] Finding Bugs in Windows Drivers, Part 1 - WDM
[00:41:23] Chat Question: Learning Kernel Exploitation
[00:50:25] Resources While We are Gone
The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities.
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The video archive can be found on our YouTube channel: https://www.youtube.com/c/dayzerosec
You can also join our Discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

May 31, 2022 • 52min
[bounty] A Zoom RCE, VMware Auth Bypass, and GitLab Stored XSS
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-zoom-rce-vmware-auth-bypass-and-gitlab-stored-xss.html
Last bounty episode before our summer vacation, and we are ending off with some cool issues: XML stanza smuggling in Zoom for a MitM attack, an odd auth bypass, a GitLab stored XSS with a gadget-based CSP bypass, and an interesting technique to leverage a path traversal/desync against NGINX Plus.
[00:01:00] How I hacked CTX and PHPass Modules
[00:10:55] [Zoom] Remote Code Execution with XMPP Stanza Smuggling
[00:19:38] VMware Authentication Bypass Vulnerability [CVE-2022-22972]
[00:23:05] Breaking Reverse Proxy Parser Logic
[00:26:44] [GitLab] Stored XSS in Notes (with CSP bypass)
[00:37:13] GhostTouch: Targeted Attacks on Touchscreens without Physical Touch
[00:48:00] Resources While We Are Gone

May 26, 2022 • 34min
[binary] Pwn2Own, Parallels Desktop, and an AppleAVD Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwn2own-parallels-desktop-and-an-appleavd-bug.html
Just a couple of vulnerabilities to talk about this week, but some interesting things in them. We also have some discussion about this year's Pwn2Own results and a couple of things that caught our attention.
[00:01:02] Spot the Vuln - NoSQL, No Problem
[00:02:46] Pwn2Own Vancouver 2022 - The Results
[00:16:14] CVE-2022-22675: AppleAVD Overflow in AVC_RBSP::parseHRD
[00:23:16] Exploiting an Unbounded memcpy in Parallels Desktop

May 24, 2022 • 33min
[bounty] Stealing DropBox Google Drive Tokens, a GitLab Bug, and macOS "Powerdir" Vulnerability
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/stealing-dropbox-google-drive-tokens-a-gitlab-bug-and-macos-powerdir-vulnerability.html
Kicking off the week with some discussion about the DOJ's policy change before getting into some vulnerabilities: "powerdir", a macOS TCC bypass; an integer overflow on the web; and another attack against HelloSign and their Google Drive integration.
[00:02:12] DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers
[00:11:02] macOS Vulnerability "powerdir" could lead to unauthorized user data access
[00:17:17] Arbitrary POST request as victim user from HTML injection in Jupyter notebooks
[00:21:44] [Glovo] Integer overflow vulnerability
[00:25:11] Stealing Google Drive OAuth tokens from Dropbox
[00:29:46] Privileged pod escalations in Kubernetes and GKE

May 19, 2022 • 38min
[binary] Python 3 UAF and PS4/PS5 PPPoE Kernel Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/python-3-uaf-and-ps4-ps5-pppoe-kernel-bug.html
We have a couple of normally low-impact bugs in Solana rBPF this week that netted a $200k bounty, a Python 2.7+ use-after-free, and a PS4 and PS5 remote kernel heap overflow, along with some discussion about exploitability and usability for a jailbreak.
[00:00:48] Spot the Vuln - Clowning Around
[00:03:27] Earn $200K by fuzzing for a weekend
[00:17:37] Exploiting a Use-After-Free for code execution in every version of Python 3
[00:26:21] [PlayStation] Remote kernel heap overflow

May 17, 2022 • 34min
[bounty] Deleting Rubygems, BIG-IP Auth Bypass, and a Priceline Account Takeover
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/yanking-rubygems-big-ip-auth-bypass-and-a-priceline-account-takeover.html
A lot of cool little bugs with solid impact this week: Facebook and Priceline account takeovers, an F5 iControl authentication bypass, and a couple of other logic bugs.
[00:01:55] rubygems CVE-2022-29176 explained
[00:06:09] Multiple bugs chained to takeover Facebook Accounts which uses Gmail
[00:15:16] [curl] curl removes wrong file on error [CVE-2022-27778]
[00:18:33] [Priceline] Account takeover via Google OneTap
[00:22:14] F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive
[00:29:02] The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF…
[00:30:20] Hunting evasive vulnerabilities

May 12, 2022 • 31min
[binary] Pwn2Owning Routers and Anker Eufy Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwn2owning-routers-and-anker-eufy-bugs.html
Just a few vulnerabilities this week, but we have some CodeQL discussion, as it's used to find several vulnerabilities in the Accel-PPP VPN server, and a look at a bug submitted to Pwn2Own 2021.
[00:00:33] Spot the Vuln - Is It Clear
[00:05:13] Anker Eufy Homebase 2 libxm_av.so DemuxCmdInBuffer buffer overflow vulnerability
[00:08:18] Hunting bugs in Accel-PPP with CodeQL
[00:15:53] Competing in Pwn2Own 2021 Austin: Icarus at the Zenith

May 10, 2022 • 39min
[bounty] Cloudflare Pages, Hacking a Bank, and Attacking Price Oracles
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/cloudflare-pages-hacking-a-bank-and-attacking-price-oracles.html
Some interesting vulnerabilities this week, from a Cloudflare Pages container escape chain, to hacking a bank's web application with some neat tricks to abuse a file write in a hardened environment, and even another dumb smart-contract bug.
[00:00:23] Cloudflare Pages, part 1: The fellowship of the secret
[00:10:07] Ruby on Rails - Possible XSS Vulnerability in ActionView tag helpers [CVE-2022-27777]
[00:15:01] Hacking a Bank by Finding a 0day in DotCMS
[00:22:23] Aave V3’s Price Oracle Manipulation Vulnerability
[00:33:53] [Reddit] Able to bypass email verification and change email to any other user email