Day[0]

dayzerosec
Oct 21, 2021 • 1h 4min

WebKit Bugs, a Windows Race, and House of IO Improved [Exploit Dev/VR]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/webkit-bugs-a-windows-race-and-house-of-io-improved.html

Tianfu Cup happened this week; we also got some cool Windows and WebKit issues, alongside an improvement to the House of IO attack.

[00:00:17] Spot The Vuln - Prepare To Inject - Solution
[00:03:14] Tianfu Cup 2021
[00:09:10] Six Privilege Escalations and an Info Leak in Windows [Blackswan vulnerabilities]
[00:25:16] nt!ObpCreateSymbolicLinkName Race Condition Write-Beyond-Boundary
[00:31:37] CVE-2021-30858: Use-after-free in WebKit
[00:44:53] WebKit: heap-use-after-free in DOMWindow::open
[00:50:23] House of IO - Heap Reuse
[01:02:06] Getting started in macOS security

The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities.
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The video archive can be found on our YouTube channel: https://www.youtube.com/c/dayzerosec
You can also join our Discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.
Oct 19, 2021 • 46min

WebSocket Hijacking, GitHub review bypass and SQLi to RCE [Bug Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/websocket-hijacking-github-review-bypass-and-sqli-to-rce.html

Just a handful of traditional vulns this week: IDOR, CSRF, SQLi, a logic vuln, and zi's boomer side starts to show.

[00:00:18] Remote Chaos Experience
[00:03:30] [Concrete CMS] Stored unauth XSS in calendar event via CSRF
[00:08:47] 'Websocket Hijacking' to steal Session_ID of victim users
[00:14:17] IDOR + Account Takeover leads to PII leakage
[00:27:27] Bypassing required reviews using GitHub Actions
[00:33:20] How I Escalated a Time-Based SQL Injection to RCE
Oct 14, 2021 • 32min

HyperKit Bugs & an Open5GS Stack Overflow [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/hyperkit-bugs-an-open5gs-stack-overflow.html

Uninitialized variables everywhere in HyperKit, and an Open5GS stack-based buffer overflow.

[00:00:19] Spot The Vuln - Mind the Sign - Solution
[00:00:51] Spot The Vuln - Mind the Sign - Solution
[00:03:53] In EU no contract can prevent you from decompiling software you bought, if your goal is fixing a bug.
[00:11:05] Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]
[00:14:00] Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]
[00:15:27] Code execution outside the virtualized guest in hyperkit
[00:19:45] Disclosure of the host memory into the virtualized guest in hyperkit [CVE-2021-32847]
[00:30:14] The Challenges of Fuzzing 5G Protocols
Oct 12, 2021 • 31min

SharePoint RCE & an Apache Path Traversal [Bug Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/sharepoint-rce-an-apache-path-traversal.html

A simple-to-exploit path traversal in Apache... in 2021, a one-time-password defeat by having the code sent to both the attacker and the victim, and more JWT issues.

[00:00:24] critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
[00:07:47] [Zomato] Improper Validation at Partners Login
[00:12:25] How did I earned 6000$ from tokens and scopes in one day
[00:22:13] Remote Code Execution in SharePoint via Workflow Compilation [CVE-2021-26420]
Oct 7, 2021 • 32min

Chrome Exploits and a Firefox Update Bug [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/chrome-exploits-and-a-firefox-update-bug.html

This week we start off with a nice introduction to signedness issues before diving into a couple of Chrome bugs (type confusion and use-after-free).

[00:00:17] Spot the Vuln - I Can't Even (Solution)
[00:03:46] Fixing a Security Bug by Changing a Function Signature
[00:11:58] Chrome in-the-wild bug analysis: CVE-2021-30632
[00:21:25] GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528
[00:26:56] Phrack - Issue 70
Oct 5, 2021 • 1h

Gatekeeper Bypass, Opera RCE, and Prototype Pollution [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/gatekeeper-bypass-opera-rce-and-prototype-pollution.html

A few interesting issues this week, ranging from a macOS Gatekeeper bypass and some OAuth flow issues in Facebook to an RCE through the password field.

[00:00:37] The discovery of Gatekeeper bypass CVE-2021-1810
[00:08:50] Multiple bugs allowed malicious Android Applications to takeover Facebook/Workplace accounts
[00:22:50] Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings
[00:30:50] XSS to RCE in the Opera Browser
[00:35:28] Prototype Pollution
Sep 30, 2021 • 60min

Kernel UAFs and a Parallels VM Escape [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/kernel-uafs-and-a-parallels-vm-escape.html

This week we've got a couple of Linux kernel use-after-frees and a Parallels guest-to-host escape.

[00:00:18] Spot The Vuln - Solution
[00:02:53] ChaffCTF
[00:17:10] Kernel Vmalloc Use-After-Free in the ION Allocator
[00:25:31] Linux Kernel: Exploitable vulnerability in io_uring
[00:35:09] Parallels Desktop Guest to Host Escape
[00:46:35] Igor: Crash Deduplication Through Root-Cause Clustering
[00:51:10] Igor: Crash Deduplication Through Root-Cause Clustering
[00:57:57] Deus x64: A Pwning Campaign | RET2 Systems
Sep 29, 2021 • 56min

iOS 0days, Apache Dubbo RCEs, and NPM bugs [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/ios-0days-apache-dubbo-rces-and-npm-bugs.html

Some of Apple's XPC services are leaking information, Finder has an RCE, and CodeQL is used to find many RCEs in Apache Dubbo.

[00:00:38] macOS Finder RCE
[00:06:11] AWS WorkSpaces Remote Code Execution [CVE-2021-38112]
[00:10:09] Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program
[00:26:51] 5 RCEs in npm for $15,000
[00:42:32] Apache Dubbo: All roads lead to RCE
Sep 23, 2021 • 47min

A Curl UAF, iPhone FORCEDENTRY, and a Crazy HP OMEN Driver [Binary Exploitation]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-curl-uaf-iphone-forcedentry-and-a-crazy-hp-omen-driver.html

We start off the week with a crazy driver that exposes some powerful primitives and a use-after-free in curl; we then speculate a bit about exploiting a 2-byte information disclosure, and talk about FORCEDENTRY.

[00:00:20] Spot The Vuln - Minimax (Solution)
[00:04:30] HP OMEN Gaming Hub Privilege Escalation Bug Hits Millions of Gaming Devices [CVE-2021-3437]
[00:12:32] Nitro Pro PDF JavaScript document.flattenPages JSStackFrame stack-based use-after-free vulnerability
[00:19:31] Microsoft Azure Sphere Security Monitor SMSyscallPeripheralAcquire information disclosure vulnerability
[00:27:24] [curl] UAF and double-free in MQTT sending [CVE-2021-22945]
[00:34:41] Analyzing Pegasus Spyware's Zero-Click iPhone Exploit ForcedEntry
Sep 21, 2021 • 57min

A Flickr CSRF, GitLab, & OMIGOD, Azure again? [Bounty Hunting]

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/a-flickr-csrf-gitlab-omigod-azure-again.html

Some high-impact vulnerabilities this week: CSRF in account deletion, remote code execution as root, and an Apache "0day" that discloses PHP source.

[00:00:23] [Flickr] CSRF in Account Deletion feature
[00:03:38] OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers
[00:23:38] How I found my first Adobe Experience Manager related bug.
[00:27:41] [GitLab] Stored XSS in main page of a project
[00:31:01] [Mattermost] Privilege Escalation leading to post in channel without having privilege
[00:34:15] Hacking CloudKit - How I accidentally deleted your Apple Shortcuts
[00:48:52] Apache 0day bug, which still nobody knows of, and which was fixed accidentally
