Day[0]

dayzerosec
Mar 31, 2022 • 32min

[binary] Pwning WD NAS, NetGear Routers, and Overflowing Kernel Pages

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwning-wd-nas-netgear-routers-and-overflowing-kernel-pages.html

Plenty of exploit strategy talk this week, with vulnerabilities and complete exploits targeting a NAS, a router, and a Linux Kernel module with a page-level overflow.

[00:00:26] Spot the Vuln - Normalized Regex
[00:01:52] Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
[00:07:10] Defeating the Netgear R6700v3
[00:18:36] Exploit esp6 modules in Linux kernel [CVE-2022-27666]
[00:27:17] Racing against the clock -- hitting a tiny kernel race window

The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities.
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The video archive can be found on our YouTube channel: https://www.youtube.com/c/dayzerosec
You can also join our Discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
Mar 29, 2022 • 35min

[bounty] GitLab Arbitrary File Read and Bypassing PHP's filter_var

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gitlab-arbitrary-file-read-and-bypassing-php-s-filter-var.html

Some easy vulnerabilities this week: a directory traversal due to a bad regex, a simple yet somewhat mysterious authentication bypass, an arbitrary file read in GitLab thanks to archives with symlinks, and a PHP filter_var bypass.

[00:00:25] elFinder: The story of a repwning
[00:11:56] Authentication bypass using root array
[00:17:04] [GitLab] Arbitrary file read via the bulk imports UploadsPipeline
[00:19:54] PHP filter_var shenanigans
[00:30:26] Quick Thoughts on Finding a Mentor
Mar 24, 2022 • 33min

[binary] Chrome Heap OOB Access and TLStorm

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/chrome-heap-oob-access-and-tlstorm.html

A few issues this week: an OOB access in Chrome and in the Linux Kernel's Netfilter, and a few issues in Smart-UPS devices.

[00:00:17] Spot the Vuln - Where's My Token
[00:03:21] Chrome: heap-buffer-overflow in chrome_pdf::PDFiumEngine::RequestThumbnail
[00:06:23] TLStorm - Three Critical Vulnerabilities in Smart-UPS devices
[00:15:59] The Discovery and Exploitation of CVE-2022-25636
Mar 22, 2022 • 40min

[bounty] DOMPDF XSS to RCE, Chrome Leaking Environment Vars, and cr8escape

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/dompdf-xss-to-rce-chrome-leaking-envrionment-vars-and-cr8escape.html

Several easy issues this week, from leaking environment variables to gaining host code execution and an XSS to RCE.

[00:01:15] Chrome, Edge and Opera - System environment variables leak [CVE-2022-0337]
[00:10:05] [Yoti] Pin Bruteforce Rate-Limiting Bypass
[00:21:58] From XSS to RCE (dompdf 0day)
[00:31:49] cr8escape: New Vulnerability in CRI-O Container Engine [CVE-2022-0811]
Mar 17, 2022 • 1h 17min

[binary] A Windows UAF, Branch Prediction Bugs, and an io_uring Exploit

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-windows-uaf-branch-prediction-bugs-and-an-io-uring-exploit.html

This time we get sidetracked with a couple of discussions, first about security through obscurity, second about the Nvidia leaks. We also have our usual mix of vulnerabilities this week: a cool exploit in the Linux kernel, a use-after-free in the Windows Common Logging File System, and some speculative execution issues.

[00:00:43] Spot the Vuln - Do You Even HMAC?
[00:05:49] Put an io_uring on it: Exploiting the Linux Kernel
[00:26:18] Discussion: Security through Obscurity in the Linux Kernel
[00:34:20] Exploiting a use-after-free in Windows Common Logging File System (CLFS)
[00:43:57] The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before [CVE-2021-26341]
[00:56:20] Branch History Injection
[01:04:25] Chat Question: About the Nvidia Leak
Mar 15, 2022 • 33min

[bounty] Pascom RCE, AutoWarp, and a GKE Container Escape

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pascom-rce-autowarp-and-a-gke-container-escape.html

We've got some cloud issues this week, in Azure Automation and GKE Autopilot, along with a couple of other interesting chains.

[00:02:11] Pascom: The story of 3 bugs that lead to unauthed RCE
[00:12:37] How I Made +$16,500 Hacking CDN Caching Servers - Part 2
[00:17:16] AutoWarp Microsoft Azure Automation Vulnerability
[00:23:19] Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
Mar 10, 2022 • 47min

[binary] Dirty Pipe and Analyzing Memory Tagging

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/dirty-pipe-and-analyzing-memory-tagging.html

No Spot the Vuln this week, but we do have a cool kernel bug, "Dirty Pipe", a look at a stack-based overflow, BrokenPrint, and finally some discussion about memory tagging.

[00:00:31] The Dirty Pipe Vulnerability
[00:18:26] BrokenPrint: A Netgear stack overflow
[00:30:21] Security Analysis of MTE Through Examples [BHIL2022]
Mar 8, 2022 • 50min

[bounty] Facebook Exploits, pfSense RCE, and MySQLjs SQLi

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/facebook-exploits-pfsense-rce-and-mysqljs-sqli.html

A few interesting issues for you this week: a JS race condition in some auth-related code for Facebook, some fake prepared queries, and an RCE through sed commands (in pfSense).

[00:00:56] Remote Code Execution in pfSense (2.5.2 and earlier)
[00:06:13] Finding an Authorization Bypass on my Own Website
[00:17:43] More secure Facebook Canvas Part 2: More Account Takeovers
[00:32:43] The perils of the “real” client IP
Mar 3, 2022 • 26min

[binary] ImageGear JPEG Vulns, NetFilter, and a LibCurl Memory Disclosure

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/imagegear-jpeg-vulns-netfilter-and-libcurl.html

Quick episode with four somewhat simple bugs: two in JPEG parsing, a remote memory disclosure in libcurl due to the difference in `sizeof(long)` on Linux vs Windows, and a heap out-of-bounds write in the Linux Kernel.

[00:00:16] Spot the Vuln - One of a Kind
[00:03:14] Accusoft ImageGear JPEG-JFIF Scan header parser out-of-bounds write vulnerability
[00:07:15] Accusoft ImageGear Palette box parser heap-based buffer overflow vulnerability
[00:11:55] Remote memory disclosure vulnerability in libcurl on 64 Bit Windows
[00:19:15] Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4
[00:23:03] Overview of GLIBC heap exploitation techniques
Mar 1, 2022 • 34min

[bounty] DynamicWeb RCE, VMWare Bugs, and Exploiting GitHub Actions

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/dynamicweb-rce-vmware-bugs-and-exploiting-github-actions.html

Re-accessing the setup page, an unlikely scenario leaking GitHub secrets, and a proxying issue in Carbon Black.

[00:00:34] Logic Flaw Leading to RCE in Dynamicweb 9.5.0 - 9.12.7
[00:06:15] Stealing a few more GitHub Actions secrets
[00:19:31] Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager
