Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes

Jan 20, 2022 • 27min
[binary] Pwning Camera and Overflowing your Integers
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/pwning-camera-and-overflowing-your-integers.html
Short episode this week, stack smashing, integer overflowing and a more logical issue. Ending off with a discussion about what to do when you're stuck on CTFs.
[00:00:42] Spot the Vuln - One at a Time
[00:04:15] Uniview PreAuth RCE
[00:06:59] Adobe Acrobat Reader DC annotation gestures integer overflow vulnerability
[00:12:31] Chrome: Interface ID reuse leading to memory corruption in IPC::ChannelAssociatedGroupController
[00:18:31] Question: Unsuccessful getting into CTFs
The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Jan 18, 2022 • 37min
[bounty] Bad Code and Bad URLs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bad-code-and-bad-urls.html
This week is a shorter episode looking at some bad code in mermaid.js and Moodle's Shibboleth plugin, and a bit of research regarding URL parsing issues.
[00:00:44] Orca Security Discovered Two AWS Vulnerabilities
[00:06:44] Cross-Site Scripting (XSS) in mermaid.js
[00:12:41] Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle's Shibboleth
[00:20:24] Exploiting URL Parsing Confusion Vulnerabilities

Jan 13, 2022 • 43min
[Binary] Rooting Ubuntu By Accident and Samsung Kernel Bugs
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rooting-ubuntu-by-accident-and-samsung-kernel-bugs.html
We are back for the first 2022 binary episode, and it's all kernel. Obtaining root through an hours-long exploit process on Ubuntu thanks to an invalid free, a use-after-free in XNU due to bad locking, and some terrible code in the Samsung S20 DSP kernel driver with multiple integer overflows.
[00:00:42] Getting root on Ubuntu through wishful thinking
[00:19:21] XNU: heap-use-after-free in inm_merge
[00:29:42] Kernel LPE in the Vision DSP Kernel Driver [CVE-2021-25467]
[00:34:34] Kernel LPE in the Vision DSP Kernel Driver's ELF Linker [CVE-2021-25475]
[00:37:16] Linux Heap Exploitation - Part 3
[00:38:37] PS4 CCP Crypto Bug

Jan 11, 2022 • 57min
[Bounty] RocketChat RCE, Flickr, and a Critical Smart Contract Bug
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/rocketchat-rce-flickr-and-a-critical-smart-contract-bug.html
More cases of developers making insecure assumptions and getting owned because of it. This week we've got a Flickr account takeover, escalating restricted SSRF into something more useful, and XSS to RCE in Rocket.Chat.
[00:00:34] Rocket.Chat Client-side Remote Code Execution
[00:10:14] Flickr Account Takeover
[00:24:33] Turning bad SSRF to good SSRF: Websphere Portal
[00:34:47] Polygon Lack Of Balance Check Bugfix Postmortem
[00:45:22] Fuzzing for XSS via nested parsers condition
[00:52:35] Cache Poisoning at Scale
[00:54:48] Fixing the Unfixable: Story of a Google Cloud SSRF

Dec 16, 2021 • 58min
An Android Kernel Bug and a Chrome+Edge Bug [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/an-android-kernel-bug-a-chrome-edge-exploit.html
Hex-Rays/Adobe cross-over as they move to a subscription model, and we are not too happy about it. We also discuss a few interesting bugs this week, from an odd optimization and a signedness bug in Chrome, to some mishandled null bytes in runc, and a subtle object-state confusion in the Linux kernel.
[00:00:21] Spot the Vuln - Revenge of the Average
[00:04:38] Hex-rays is moving to a Subscription model
[00:32:49] Understanding the Root Cause of a Chrome Bug from Pwn2Own 2021 [CVE-2021-21220]
[00:44:30] runc/libcontainer: insecure handling of null-bytes in bind mount sources
[00:49:50] refcount increment on mid-destruction file [CVE-2021-1048]
[00:56:30] Overview of V8 Exploitation

Dec 15, 2021 • 1h 8min
Log4j RCE coming to a service near you and uBlock CSS Injection [Bounty]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/log4j-rce-coming-to-a-service-near-you-and-ublock-css-injection.html
Log4Shell RCE spawns a lot of discussion this episode, but we also look at a W10 RCE, Google SSRF and some CSS injection in uBlock.
[00:00:29] Apache Log4j2 jndi RCE
[00:29:50] Windows 10 RCE: The exploit is in the link
[00:46:00] SSRF vulnerability in AppSheet - Google VRP
[00:52:43] uBlock, I exfiltrate: exploiting ad blockers with CSS

Dec 9, 2021 • 49min
MediaTek, Yet Another Chrome Bug, and BigSig [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/mediatek-yet-another-chrome-bug-and-bigsig.html
A few easy issues this week, but some discussion about fuzzing campaigns and measurements and bypassing modern mitigations.
[00:00:20] Spot the Vuln - Just a Normal Walk
[00:06:10] This shouldn't have happened: A vulnerability postmortem
[00:22:52] Looking for vulnerabilities in MediaTek audio DSP
[00:35:23] Exploiting CVE-2021-43267

Dec 7, 2021 • 39min
Bypassing MFA, WebCache Poisoning, and AWS SageMaker [Bounty Hunting]
Some readily understood vulnerabilities, but with some interesting impacts, from escalating self-XSS to cross-account CSRF, data exfiltration with CSS, web-cache poisoning and MFA bypassing.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bypassing-mfa-webcache-poisoning-and-aws-sagemaker.html
[00:00:00] Introduction
[00:00:34] Humble Book Bundle: Hacking by No Starch Press
[00:05:50] AWS SageMaker Jupyter Notebook Instance Takeover
[00:16:39] [Glassdoor] CSS injection via link tag whitelisted-domain bypass
[00:21:15] [Symfony] Webcache Poisoning via X-Forwarded-Prefix and sub-request
[00:25:47] Bypassing Box’s Time-based One-Time Password MFA
[00:31:26] Exploring Container Security: A Storage Vulnerability Deep Dive
[00:36:28] Hakluke: Creating the Perfect Bug Bounty Automation
[00:37:10] Data Exfiltration via CSS + SVG Font
The audio-only version of the podcast is available on:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
#BugBounty #EthicalHacking #InfoSec #Podcast

Dec 2, 2021 • 57min
KVM Bugs and an iOS IOMFB Kernel Exploit [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/kvm-bugs-and-an-ios-iomfb-kernel-exploit.html
Starting off this week with the new Humble Bundle and some discussion about hacking books. Then on to the vulns: some OOB access, uninitialized memory, and iOS exploit strategy.
[00:00:17] Spot the Vuln - Counting Widgets
[00:02:36] Humble Book Bundle: Hacking by No Starch Press
[00:17:14] KVM: SVM: out-of-bounds read/write in sev_es_string_io
[00:23:42] Anker Eufy Homebase 2 home_security CMD_DEVICE_GET_SERVER_LIST_REQUEST out-of-bounds write vulnerability
[00:34:14] Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate
[00:40:16] Popping iOS <=14.7 with IOMFB

Nov 30, 2021 • 27min
GitLab Prototype Pollution and Some Authentication Bypasses [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gitlab-prototype-pollution-and-some-authentication-bypasses.html
Short but sweet episode this week, prototype pollution, crypto issues, SSRF and some weird authentication.
[00:00:46] Arbitrary command execution in Gerapy [CVE-2021-32849]
[00:06:03] [jitsi-meet] Authentication Bypass when using JWT w/ public keys
[00:07:41] [jitsi-meet] Authentication Bypass when using JWT w/ public keys
[00:10:24] [shopify] A non-privileged user may create an admin account in Stocky
[00:13:21] [#0008] URL whitelist bypass in https://cxl-services.appspot.com
[00:19:20] [GitLab] Stored XSS via Mermaid Prototype Pollution vulnerability