

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes
Mentioned books

May 5, 2022 • 42min
[binary] NimbusPwn, a CLFS Vulnerability, and DatAFLow (Fuzzing)
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/nimbuspwn-a-clfs-vulnerability-and-dataflow.html
A few vulnerabilities from a TOCTOU to an arbitrary free, and some research into using data-flow in your fuzzing.
[00:00:18] Spot the Vuln - Where's it At?
[00:03:44] Nimbuspwn - A Linux Elevation of Privilege
[00:08:38] Windows Common Log File System (CLFS) Logical-Error Vulnerability [CVE-2022-24521]
[00:15:32] Arbitrary Free in Accusoft ImageGear ioca_mys_rgb_allocate
[00:25:31] Commit Level Vulnerability Dataset
[00:28:44] DatAFLow - Towards a Data-Flow-Guided Fuzzer
The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

May 3, 2022 • 37min
[bounty] XSS for NFTs, a VMWare Workspace ONE UEM SSRF, and GitLab CI Container Escape
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/xss-for-nfts-a-vmware-workspace-one-uem-ssrf-and-gitlab-ci-container-escape.html
Some straightforward bugs this week, with some interesting discussion around cryptographic protocols (VMWare Workspace ONE), XSS in the Web3 world, and whether container escapes into a low-privileged VM matter. Along with a couple of noteworthy test cases to keep in mind while bug hunting.
[00:00:35] Wormable Cross-Site Scripting Vulnerability affecting Rarible's NFT Marketplace
[00:09:14] Encrypting our way to SSRF in VMWare Workspace One UEM [CVE-2021-22054]
[00:14:29] How I Bypass 2FA while Resetting Password
[00:16:41] Container escape on public GitLab CI Runners
[00:30:39] [Nextcloud] Bypass the protection lock in Android app

Apr 28, 2022 • 50min
[binary] Getting into Vulnerability Research and a FUSE use-after-free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/getting-into-vulnerability-research-and-a-fuse-use-after-free.html
We are joined by Cts for a discussion about getting into vulnerability research and some thoughts about the higher-level bug hunting process, then a look at some black-box fuzzing of MS Defender for IoT and a FUSE use-after-free.
[00:00:44] Spot the Vuln - What do I need?
[00:03:11] Discussion: Getting into Vulnerability Research
[00:39:43] Inside the Black Box - How We Fuzzed Microsoft Defender for IoT and Found Multiple Vulnerabilities
[00:43:25] FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes
[00:46:51] FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes

Apr 26, 2022 • 33min
[bounty] A Struts RCE, Broken Java ECDSA (Psychic Signatures) and a Bad Log4Shell Fix
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-struts-rce-broken-java-ecdsa-psychic-signatures-and-a-bad-log4shell-fix.html
An interesting mix of issues, from crypto (Psychic Signatures), to a bad vulnerability patching service (patching Log4Shell), to bad logic leading to authentication bypasses and leaked sensitive keys.
[00:00:24] Psychic Signatures in Java [CVE-2022-21449]
[00:15:09] AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
[00:18:33] Bypass Apple Corp SSO on Apple Admin Panel
[00:21:55] Exploiting Struts RCE on 2.5.26
[00:27:46] bluez: malicious USB devices can steal Bluetooth link keys over HCI using fake BD_ADDR
[00:31:20] New XSS vectors

Apr 21, 2022 • 56min
[binary] Another iOS Bug and Edge Chakra Exploitation
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/another-ios-bug-and-edge-chakra-exploitation.html
A massive 11,000-byte overflow in WatchGuard, some discussion about lock-related vulnerabilities and their analysis, and a look at a ChakraCore exploit dealing with all the mitigations (ASLR, DEP, CFG, ACG, CIG).
[00:00:32] Spot the Vuln - The Global Query
[00:05:04] Diving Deeper into WatchGuard Pre-Auth RCE [CVE-2022-26318]
[00:09:42] HTTP Protocol Stack Remote Code Execution Vulnerability [CVE-2022-21907]
[00:18:21] iOS in-the-wild vulnerability in vouchers [CVE-2021-1782]
[00:37:06] Microsoft Edge Type Confusion Vulnerability (Part 2) [CVE-2019-0567]

Apr 19, 2022 • 22min
[bounty] Taking Over an Internal AWS Service and an Interesting XSS Vector
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/taking-over-an-internal-aws-service-and-an-interesting-xss-vector.html
Short episode this week, looking at some relatively simple vulnerabilities ranging from XSS to leaking internal service credentials in AWS Relational Database Service by disabling validation.
[00:00:40] Git security vulnerability announced
[00:06:37] AWS RDS Vulnerability Leads to AWS Internal Service Credentials
[00:14:04] Privilege Escalation to SYSTEM in AWS VPN Client [CVE-2022-25165]
[00:18:37] Copy-paste XSS in vditor text editor [CVE-2021-32855]

Apr 14, 2022 • 55min
[binary] A subtle iOS parsing bug and a PHP use-after-free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-subtle-ios-parsing-bug-and-a-php-use-after-free.html
We dive into an ASN.1 parsing bug impacting iOS, and a PHP use-after-free to bypass disabled functions, ending the week with a discussion about whether or not it's too late to get into this area of security.
[00:00:29] Spot the Vuln - One HMAC at a Time
[00:03:19] CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability
[00:19:03] In the land of PHP you will always be (use-after-)free
[00:30:13] security things in Linux v5.10
[00:36:16] Discussion: Is It too late to get into "cyber security"

Apr 12, 2022 • 26min
[bounty] A Double-Edged SSRF, Pritunl VPN LPE, and a NodeBB Vuln
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-double-edged-ssrf-pritunl-vpn-lpe-and-a-nodebb-vuln.html
Quick bounty episode this week with some request smuggling, abusing an SSRF for client-side impact, a weird OAuth flow, and a desktop VPN client LPE.
[00:00:28] HTTP Request Smuggling on business.apple.com and Others.
[00:06:25] Exploiting a double-edged SSRF for server and client-side impact
[00:14:47] Local Privilege Escalation in Pritunl VPN Client [CVE-2022-25372]
[00:20:27] A NodeBB 0-day

Apr 7, 2022 • 43min
[binary] FORCEDENTRY Sandbox Escape and NetFilter Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/forcedentry-sandbox-escape-and-netfilter-bugs.html
More information about the FORCEDENTRY exploit chain, and some Linux exploitation with a couple netfilter bugs. Ending the episode with some discussion about exploiting blind kernel read primitives from Microsoft.
[00:00:28] Spot the Vuln - Adding Entropy
[00:02:56] FORCEDENTRY: Sandbox Escape
[00:15:21] How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables
[00:32:38] Exploring a New Class of Kernel Exploit Primitive
[00:40:18] BlueHat IL Videos are up

Apr 5, 2022 • 1h 2min
[bounty] Spring4Shell, PEAR Bugs, and GitLab Hardcoded Passwords
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/spring4shell-pear-bugs-and-gitlab-hardcoded-passwords.html
This week we have some fun with bugs that really shouldn't have passed code review, we of course talk about Spring4Shell/SpringShell and dive into the decade-long history of that bug, and we have a bit of discussion about triaging more subtle bugs.
[00:00:29] [Stripe] CSRF token validation system is disabled
[00:09:42] GitLab Account Takeover with Hardcoded Password
[00:21:22] Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
[00:37:49] PHP Supply Chain Attack on PEAR
[00:52:16] Finding bugs that doesn’t exists