

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes
Mentioned books

Feb 24, 2022 • 1h 5min
[binary] Zynq-7000 Secure Boot Bypass and Compiler-Created Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/zynq-7000-secure-boot-bypass-and-compiler-created-bugs.html
Just one vulnerability this week, a secure boot bypass, and some research into detecting compiler introduced bugs. Ending the week with a discussion about how to learn fuzzing.
[00:00:58] Spot the Vuln - All Inclusive HMAC
[00:03:47] Zynq-7000 Secure Boot Bypass [CVE-2021-44850]
[00:19:32] Cross-Architecture Testing for Compiler-Introduced Security Bugs
[00:35:02] Question: Learning to Fuzz
[01:03:00] tmp.0ut v2
The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Feb 22, 2022 • 35min
[bounty] CoinDesk, Zabbix, and Leaking Secrets Through Mirrored Repos
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/coindesk-zabbix-and-leaking-secrets-through-mirrored-repos.html
Let's talk about "sidedoors" this week, with two vulnerabilities abusing alternative access points, along with an overly verbose error message that actually had some immediate impact, and a look at the challenges of client-side sessions.
[00:00:26] CoinDesk API Error Exposes Privileged Token
[00:05:28] A tale of 0-Click Account Takeover and 2FA Bypass.
[00:10:26] Zabbix - A Case Study of Unsafe Session Storage
[00:17:54] Multiple vulnerabilities in Concrete CMS - part2 (PrivEsc/SSRF/etc)
[00:25:15] Finding secrets in mirrored Git repositories

Feb 17, 2022 • 48min
[binary] Another Kernel TIPC Bug, MySQL, and Buggy Go
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/another-kernel-tipc-bug-mysql-and-buggy-go.html
This week we discuss taint analysis and where to use it compared with fuzzing, a couple of buggy code patterns in Go to be on the lookout for, and another remote stack overflow in the Linux kernel TIPC module.
[00:00:14] Spot the Vuln - How Much
[00:03:11] Linux Kernel kCTF VRP Extended
[00:05:39] MindShaRE: When MySQL Cluster Encounters Taint Analysis
[00:24:46] A deeper dive into CVE-2021-39137 - a Golang security bug that Rust would have prevented
[00:38:47] Remote Stack Overflow in Linux Kernel TIPC Module since 4.8 (net/tipc) [CVE-2022-0435]

Feb 16, 2022 • 43min
[bounty] Baby Monitor Bugs, Grafana, and Twitter De-anonymization
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/baby-monitor-bugs-grafana-and-twitter-de-anonymization.html
CSRF lives again in the form of CORF, Cross-Origin Request Forgery with an attack against Grafana. We also take a look at some baby monitor issues and a de-anonymization attack against Twitter.
[00:00:28] Cross-origin request forgery against Grafana [CVE-2022-21703]
[00:17:50] Vulnerabilities Identified in Nooie Baby Monitor
[00:26:47] [Twitter] Discoverability by phone number/email restriction bypass
[00:32:40] EarnHub Exploit - Post mortem

Feb 10, 2022 • 53min
[binary] Fastly Infoleak, Samba OOB Access, and Pwning MacOS
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/fastly-infoleak-samba-oob-access-and-pwning-macos.html
A discussion-heavy episode this week as we speculate about how some XNU code passed muster, how to exploit a small overflow, and how to weaponize a large info-leak.
[00:00:17] Spot the Vuln - From Bits to Bytes
[00:05:09] MacOS 12 Use After Free
[00:13:08] A story of leaking uninitialized memory from Fastly
[00:34:08] Details on a Samba Code Execution Bug [CVE-2021-44142]
[00:46:05] Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers [CVE-2022-0185]
[00:49:38] Sha256 Algorithm Explained

Feb 8, 2022 • 44min
[bounty] Hacking Google Drive Integrations and XSS Puzzles
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hacking-google-drive-integrations-and-xss-puzzles.html
A "maybe" issue this week in Ruby's net/http library, some long chains leading to XSS, and a look at abusing parameter injection for SSRF in applications integrating with the Google Drive API.
[00:00:26] [Ruby - net/http] HTTP Header Injection in the set_content_type method
[00:10:22] Don't trust comments
[00:16:54] HigherLogic Community RCE Vulnerability
[00:24:29] Solving DOM XSS Puzzles
[00:37:32] Hacking Google Drive Integrations

Feb 3, 2022 • 48min
[binary] PwnKit, a Win32k Type Confusion, and Binary Ninja 3.0
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwnkit-a-win32k-type-confusion-and-binary-ninja-3-0.html
Binary Ninja 3.0 just dropped, so let's talk about that, then move on to PwnKit and a couple of kernel bugs, ending the week with a discussion about dealing with imposter syndrome.
[00:00:18] Spot the Vuln - Maintain Order
[00:03:52] Binary Ninja 3.0
[00:13:09] PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec [CVE-2021-4034]
[00:27:20] Win32k Window Object Type Confusion [CVE-2022-21882]
[00:34:20] Linux kernel: erroneous error handling after fd_install()
[00:38:26] Question: Dealing with Imposter Syndrome

Feb 1, 2022 • 54min
[bounty] Zoho Auth Bypass, a Bogus Bug, and Leaking Microsoft Bug Reports
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/zoho-auth-bypass-a-bogus-bug-and-leaking-microsoft-bug-reports.html
A few unique issues this week: routing issues in ManageEngine, a Little Snitch bypass, and undecodable characters leading to a denial of service.
[00:00:37] CVE-2022-0329 and the problems with automated vulnerability management
[00:19:45] [Omise] XSS via X-Forwarded-Host header
[00:25:44] [FetLife] Specific Payload makes a Users Posts unavailable
[00:31:03] How I could have read your confidential bug reports by simple mail?
[00:36:38] Bypassing Little Snitch Firewall with Empty TCP Packets
[00:45:06] ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central

Jan 27, 2022 • 51min
[binary] NetUSB RCE, a Linux Kernel Heap Overflow, and an XNU Use-After-Free
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/netusb-rce-a-kernel-heap-overflow-an-xnu-uaf.html
Integer overflows and underflows this week, covering vulns from desktop Zoom clients to the kernel and some routers.
[00:00:19] Spot the Vuln - One Verified JWT, Please
[00:03:27] Zooming in on Zero-click Exploits
[00:12:18] Zooming in on Zero-click Exploits
[00:26:39] XNU kernel use-after-free in mach_msg
[00:34:06] Linux kernel v5.1+ Heap buffer overflow in fs_context.c
[00:36:03] Linux kernel v5.1+ Heap buffer overflow in fs_context.c
[00:42:21] NetUSB RCE Flaw in Millions of End User Routers [CVE-2021-45608]
[00:47:54] Humble Book Bundle: Cybersecurity by Wiley

Jan 25, 2022 • 33min
[bounty] Bypassing Box MFA and Bad AES Key Generation
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bypassing-box-mfa-bad-aes-key-generation.html
A new security-related Humble Bundle, an MFA bypass in Box, and a few older-style vulnerabilities: LFI to RCE, an allow-list bypass with an @ sign, and insecure random number seeds.
[00:00:37] Humble Book Bundle: Cybersecurity by Wiley
[00:08:18] CWP CentOS Web Panel - preauth RCE [CVE-2021-45467]
[00:13:37] Stealing administrative JWT's through post auth SSRF [CVE-2021-22056]
[00:17:27] Telenot Complex: Insecure AES Key Generation
[00:25:12] Mixed Messages: Busting Box’s MFA Methods