

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes

Sep 16, 2021 • 1h 13min
NETGEAR smart switches, SpookJS, & Parallels Desktop [Binary Exploitation]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/netgear-smart-switches-spookjs-parallels-desktop.html
This week we've got an awesome chain of attacks in NETGEAR smart switches, a speculative type confusion (Spook.js), and an integer overflow leading to HTTP Request Smuggling.
[00:03:40] Security researchers fed up with Apple’s bug bounty program
[00:18:26] Demon's Cries vulnerability (some NETGEAR smart switches)
[00:22:21] Draconian Fear vulnerability (some NETGEAR smart switches)
[00:25:31] Seventh Inferno vulnerability (some NETGEAR smart switches)
[00:34:33] Spook.js - Speculative Type Confusion
[00:50:36] Critical vulnerability in HAProxy
[00:55:45] Ribbonsoft dxflib DL_Dxf::handleLWPolylineData Heap-Based Buffer Overflow Vulnerability
[01:03:43] Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja
The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week:
Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
The Video archive can be found on our Youtube channel: https://www.youtube.com/c/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Sep 14, 2021 • 1h 1min
Reused VMWare exploits & Escaping Azure Container Instances [Bounty Hunting]
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/reused-vmware-exploits-escaping-azure-container-instances.html
Some drama with the VMWare bounty program, and then a few straightforward vulnerabilities and a really cool Azure Container Instances escape and takeover.
[00:01:51] Exploit Fired At VMWare leaked to Nuclei Project.
[00:14:02] Bypassed! and uploaded a sweet reverse shell
[00:18:51] Local File Read via Stored XSS in The Opera Browser
[00:27:14] NETGEAR D7000 Authentication Bypass
[00:33:34] GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink
[00:42:25] Create free Shopify application credits
[00:47:24] Cross-Account Container Takeover in Azure Container Instances
[00:58:59] IAM Vulnerable - An AWS IAM Privilege Escalation Playground

Sep 9, 2021 • 1h 18min
Escaping the Bhyve, WhatsApp, & BrakTooth [Binary Exploitation]
A tricky-to-exploit WhatsApp vulnerability, but still an interesting bug, several Bhyve vulnerabilities, and a named Bluetooth vuln (BrakTooth).
Links and summaries are available on our website: https://dayzerosec.com/podcast/escaping-the-bhyve-whatsapp-braktooth.html
[00:00:00] Introduction + The Future
[00:02:08] Spot The Vuln Solution
[00:07:25] Replay-based attack on Honda and Acura vehicles
[00:15:54] A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin [CVE-2021-2429]
[00:25:44] Vulnerability in WhatsApp could have led to data exposure of users
[00:32:26] Code execution outside the virtualized guest in bhyve [CVE-2021-29631]
[00:40:59] Your vulnerability is in another OEM!
[01:01:36] BrakTooth
[01:09:00] HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs
The DAY[0] Podcast has two weekly episodes that are streamed live on Twitch (https://www.twitch.tv/dayzerosec)
Mondays at 3pm Eastern we focus on vulnerabilities that would be of interest to bounty hunters, and on Tuesdays at 7:00pm Eastern we focus on low-level vulnerabilities.
You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Sep 7, 2021 • 1h 6min
Takeover A Facebook, SnapChat or JetBrains Account [Bounty Hunting]
Multiple account takeover vulnerabilities in this episode with three cross-origin communication vulnerabilities in Facebook, an odd OTP endpoint in SnapChat and an open redirect in JetBrains leaking your JWT.
Links and summaries are available on our website: https://dayzerosec.com/podcast/takeover-a-facebook-snapchat-or-jetbrains-account.html
[00:00:00] Introduction + The Future
[00:08:37] How MarkMonitor left 60,000 domains for the taking
[00:17:21] Eye for an eye: Unusual single click JWT token takeover
[00:25:20] How I found a primitive but critical broken access control vulnerability in YouTrack…
[00:29:02] Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
[00:33:47] Tale of $126k worth of bugs that lead to Facebook Account Takeovers
[00:47:15] Improper Authentication - any user can login as other user
[00:53:35] Illogical Apps - Exploring and Exploiting Azure Logic Apps

May 25, 2021 • 1h 11min
NoSQL Injection, Mobile Misconfigurations and a Wormable Windows Bug
Another short episode this week covering GraphQL attacks, a couple of NoSQL injections, a few misconfigurations, and a cool attack to reset monotonic counters on a Mifare card.
[00:01:25] From CTFs to the Real World
https://dayzerosec.com/tags/ctf-to-real-world/
[00:02:50] [GitHub] Exploits and Malware Policy Updates
https://github.com/github/site-policy/pull/397
https://github.com/github/site-policy/pull/397/files
[00:07:37] Mobile app developers’ misconfiguration of third party services leave personal data of over 100 million exposed
https://research.checkpoint.com/2021/mobile-app-developers-misconfiguration-of-third-party-services-leave-personal-data-of-over-100-million-exposed/
[00:13:49] QNAP MusicStation/MalwareRemover Pre-Auth RCE
https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/
[00:17:45] 2FA Bypass via Forced Browsing
https://infosecwriteups.com/2fa-bypass-via-forced-browsing-9e511dfdb8df
[00:24:22] That single GraphQL issue that you keep missing
https://blog.doyensec.com/2021/05/20/graphql-csrf.html
[00:32:22] Remote code execution in squirrelly [CVE-2021-32819]
https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
[00:44:30] NoSQL Injections in Rocket.Chat
https://blog.sonarsource.com/nosql-injections-in-rocket-chat/
https://hackerone.com/reports/1130721
[00:49:15] RFID: Monotonic Counter Anti-Tearing Defeated
https://blog.quarkslab.com/rfid-monotonic-counter-anti-tearing-defeated.html
[00:56:24] A Wormable Code Execution Bug in HTTP.sys [CVE-2021-31166]
https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys
https://github.com/0vercl0k/CVE-2021-31166
[01:04:15] Fuzzing iOS code on macOS at native speed
https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at-native.html
[01:05:07] RuhrSec 2018: "Keynote: Weird machines, exploitability and unexploitability", Thomas Dullien
https://www.youtube.com/watch?v=1ynkWcfiwOk
[01:07:58] Browser fuzzing at Mozilla
https://blog.mozilla.org/attack-and-defense/2021/05/20/browser-fuzzing-at-mozilla/
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@dayzerosec)

May 18, 2021 • 1h 19min
Cross-Browser Tracking, Frag Attacks, and Malicious Rust Macros
A shorter episode, but some really cool vulns nonetheless, from mitigation bypassing on D-Link routers to a new set of WiFi protocol design flaws.
[00:01:14] Security Vulnerability Detection Using Deep Learning Natural Language Processing
https://arxiv.org/abs/2105.02388v1
https://samate.nist.gov/SARD/
[00:08:12] Stealing secrets with Rust Macros proof-of-concept via VSCode
https://github.com/lucky/bad_actor_poc
[00:13:21] [GitLab] RCE when removing metadata with ExifTool
https://hackerone.com/reports/1154542
https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233
[00:19:47] Terminal escape injection in AWS CloudShell
https://bugs.chromium.org/p/project-zero/issues/detail?id=2154
https://github.com/c9/core/blob/master/plugins/c9.ide.terminal/aceterm/libterm.js#L1276
[00:23:54] Cross-browser tracking vulnerability in Tor, Safari, Chrome and Firefox
https://fingerprintjs.com/blog/external-protocol-flooding/
[00:34:27] Fei Protocol Flashloan Vulnerability Postmortem
https://medium.com/immunefi/fei-protocol-flashloan-vulnerability-postmortem-7c5dc001affb
https://uniswap.org/docs/v2/smart-contract-integration/providing-liquidity/
[00:44:46] One-click reflected XSS on Instagram
https://ysamm.com/?p=695
[00:47:24] D-Link Vulnerability [CVE-2021-27342]
https://blog.whtaguy.com/2021/05/d-link-router-cve-2021-27342.html
[00:51:52] Experimental Security Assessment of Mercedes-Benz Cars
https://keenlab.tencent.com/en/2021/05/12/Tencent-Security-Keen-Lab-Experimental-Security-Assessment-on-Mercedes-Benz-Cars/
https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf
[01:01:08] FragAttacks: Fragmentation & Aggregation Attacks
https://github.com/vanhoefm/fragattacks
https://www.youtube.com/watch?v=OJ9nFeuitIU
[01:10:57] Dell ‘dbutil_2_3.sys’ Kernel Exploit [CVE-2021-21551]
https://connormcgarr.github.io/cve-2020-21551-sploit/
[01:11:45] googleprojectzero/Hyntrospect
https://github.com/googleprojectzero/Hyntrospect
[01:13:01] IDA Free w/ Cloud Decompiler Dropped
https://www.hex-rays.com/ida-free/

May 11, 2021 • 1h 30min
Fake Vulns, More Valve, and an AWS Cognito issue
Kicking off the week with some awesome vulns, an "almost" padding oracle in Azure Functions, a race-condition in AWS Cognito, some sound engine bugs, and a Foxit Reader Use-after-free.
[00:00:52] Arbitrary Code Execution in the Universal Turing Machine [CVE-2021-32471]
Our discussion of this topic was probably a bit premature, and there does seem to be a bit more to it than the title implied. Still no real-world impact, but a bit more interesting a situation nonetheless.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32471
https://arxiv.org/abs/2105.02124
[00:03:18] Detecting and annoying Burp users
https://dustri.org/b/detecting-and-annoying-burp-users.html
https://www.youtube.com/watch?v=I3pNLB3Cq24
[00:08:08] Enabling Hardware-enforced Stack Protection (cetcompat) in Chrome
https://security.googleblog.com/2021/05/enabling-hardware-enforced-stack.html
[00:13:00] Password reset code brute-force vulnerability in AWS Cognito
https://www.pentagrid.ch/en/blog/password-reset-code-brute-force-vulnerability-in-AWS-Cognito/
[00:16:52] ASUS GT-AC2900 Authentication Bypass [CVE-2021-32030]
https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass
[00:20:10] The False Oracle - Azure Functions Padding Oracle Issue
https://polarply.medium.com/the-false-oracle-azure-functions-padding-oracle-issue-2025e0e6b8a
[00:25:30] How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit
https://blog.polybdenum.com/2021/05/05/how-i-hacked-google-app-engine-anatomy-of-a-java-bytecode-exploit.html
[00:38:01] Workplace by Facebook | Unauthorized access to companies environment
https://mvinni.medium.com/workplace-by-facebook-unauthorized-access-to-companies-environment-27-5k-a593a57092f1
[00:42:39] Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida
https://ctf.re//source-engine/exploitation/2021/05/01/source-engine-2/
https://phoenhex.re/2018-08-26/csgo-fuzzing-bsp
[00:53:11] [Valve] OOB reads in network message handlers leads to RCE
https://hackerone.com/reports/807772
[01:01:07] Security probe of Qualcomm MSM data services
https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/
[01:05:17] Foxit Reader FileAttachment annotation use-after-free vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1287
[01:09:45] Attack llvmpipe Graphics Driver from Chromium
https://insinuator.net/2021/05/attack-llvmpipe-graphics-driver-from-chromium/
[01:16:00] Privilege Escalation Via a Use After Free Vulnerability In win32k [CVE-2021-26900]
https://www.zerodayinitiative.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-via-a-use-after-free-vulnerability-in-win32k
[01:26:25] 21Nails: Multiple vulnerabilities in Exim
https://www.qualys.com/2021/05/04/21nails/21nails.txt
[01:27:22] nRF52 Debug Resurrection (APPROTECT Bypass)
https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/
[01:28:56] Capture The Flag - Discussion Video
https://www.youtube.com/watch?v=4u5MDsIfQM8

May 4, 2021 • 1h 45min
Defcon Quals, Dead μops, BadAllocs, Wordpress XXE
Big episode this week, with a lot of discussion about CTFs, kernel drama, and GitHub's exploit policy. Then some really interesting exploit strategies on Tesla and NETGEAR, along with some simple, yet deadly, issues in WordPress and Composer.
[00:00:32] An Update on the UMN Affair
https://lwn.net/SubscriberLink/854645/334317047842b6c3/
https://www-users.cs.umn.edu/%7Ekjlu/papers/full-disclosure.pdf
[00:11:29] [GitHub] Exploits and Malware Policy Updates
https://github.com/github/site-policy/pull/397
https://github.com/github/site-policy/pull/397/commits/f220679709b60dd4d6b34465a56b89bb79efcfe6#diff-24d72c4cb9785e60d5cbf50905291a5e079f4efd8c03f67904077cc2af4b8412L34
[00:18:22] OOO - DEF CON CTF
https://oooverflow.io/
https://twitter.com/oooverflow/status/1388920554111987715
[00:34:23] BadAlloc - Memory Allocation Vulnerabilities
https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
[00:40:15] I See Dead μops: Leaking Secrets via Intel/AMD Micro-Op Caches
http://www.cs.virginia.edu/venkat/papers/isca2021a.pdf
https://comparch.org/2021/05/01/i-see-dead-uops-thoughts-on-the-latest-spectre-paper-targeting-uop-caches/
[00:54:43] Brave - Stealing your cookies remotely
https://infosecwriteups.com/brave-stealing-your-cookies-remotely-1e09d1184675
[00:57:37] Facebook account takeover due to unsafe redirects after the OAuth flow
https://ysamm.com/?p=667
[01:03:11] WordPress 5.7 XXE Vulnerability
https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/
[01:05:43] PHP Supply Chain Attack on Composer
https://blog.sonarsource.com/php-supply-chain-attack-on-composer
[01:10:25] Multiple Issues in Libre Wireless LS9 Modules
https://www.iot-inspector.com/blog/advisory-multiple-issues-libre-wireless-ls9/
[01:14:50] macOS Gatekeeper Bypass
https://objective-see.com/blog/blog_0x64.html
https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
[01:19:28] Linux Kernel /proc/pid/syscall information disclosure vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211
[01:24:08] Remote Zero-Click Exploit in Tesla Automobiles
https://kunnamon.io/tbone/
[01:31:00] NETGEAR Nighthawk R7000 httpd PreAuth RCE
https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r7000-httpd-preauth-rce/
[01:34:43] Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities
https://www.zerodayinitiative.com/blog/2021/4/26/parallels-desktop-rdpmc-hypercall-interface-and-vulnerabilities
[01:39:24] Exploiting Undocumented Hardware Blocks in the LPC55S69
https://oxide.computer/blog/lpc55/
[01:40:05] python stdlib "ipaddress" - Improper Input Validation [CVE-2021-29921]
https://sick.codes/sick-2021-014/
[01:40:35] Ham Hacks: Breaking Into Software-defined Radio
https://labs.bishopfox.com/industry-blog/ham-hacks-breaking-into-software-defined-radio
[01:41:59] gand3lf/heappy: A happy heap editor to support your exploitation process
https://github.com/Gand3lf/heappy
[01:43:38] LiveQL Episode II: The Rhino in the room
https://securitylab.github.co

Apr 27, 2021 • 1h 50min
Bad Patches, Fuzzing Sockets, & 3DS Hacked by Super Mario
Some drama in the Linux Kernel and so many vulns resulting in code execution in Homebrew, GitLab, an air fryer, Source engine, Super Mario Maker, Adobe Reader and the Linux Kernel.
[00:00:32] On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits
https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
During this episode we speculated that the recent patches might be unrelated to the research. This seems to have been confirmed by UMN in an email we did not see before recording.
https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
[00:15:18] Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective
https://signal.org/blog/cellebrite-vulnerabilities/
[00:22:30] [Ubuntu] OverlayFS LPE
https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/
[00:25:48] Synology DSM AppArmor synosearchagent misconfiguration
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1158
[00:28:22] [GitLab] RCE via unsafe inline Kramdown options
https://hackerone.com/reports/1125425
[00:35:25] [Homebrew] Broken parsing of Git diff allows an attacker to inject arbitrary Ruby scripts to Casks on official taps
https://hackerone.com/reports/1167608
https://blog.ryotak.me/post/homebrew-security-incident-en/
[00:41:52] Remote code execution vulnerabilities in Cosori smart air fryer
https://blog.talosintelligence.com/2021/04/vuln-spotlight-co.html
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1217
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1216
[00:48:54] Source engine remote code execution via game invites [CVE-2021-30481]
https://secret.club/2021/04/20/source-engine-rce-invite.html
[01:00:40] Discussion: Should programs be banned from Hackerone
https://dayzerosec.com
[01:08:54] [Nintendo|3DS] Buffer Overflow in Super Mario Maker level decompression
https://hackerone.com/reports/687887
[01:15:12] PrusaSlicer Obj.cpp load_obj() out-of-bounds write vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1219
[01:20:12] Analysis of a use-after-free Vulnerability in Adobe Acrobat Reader DC
https://blog.exodusintel.com/2021/04/20/analysis-of-a-use-after-free-vulnerability-in-adobe-acrobat-reader-dc/
https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem
[01:31:21] Designing sockfuzzer, a network syscall fuzzer for XNU
https://googleprojectzero.blogspot.com/2021/04/designing-sockfuzzer-network-syscall.html
[01:37:26] gaasedelen/tenet: A Trace Explorer for Reverse Engineers
https://github.com/gaasedelen/tenet
[01:40:41] tmp.0ut
https://tmpout.sh/1/
[01:44:35] Phœnix exploit / iOS 9.3.5
https://gist.github.com/Siguza/96ae6d6806e974199b1d44ffffca5331
[01:46:02] Experiences with Apple Security Bounty
https://theevilbit.github.io/posts/experiences_with_asb/

Apr 20, 2021 • 1h 24min
Windows Bugs, Duo 2FA Bypass, and some Reverse Engineering
Authentication bypasses, a Duo 2FA bypass, RCEs, a VM escape, and some reverse engineering writeups.
[00:00:26] Project Zero: Policy and Disclosure: 2021 Edition
https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html
[00:06:27] Remote exploitation of a man-in-the-disk vulnerability in WhatsApp [CVE-2021-24027]
https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/
[00:14:06] Allow arbitrary URLs, expect arbitrary code execution
https://positive.security/blog/url-open-rce
[00:18:29] GHSL-2020-340: log injection in SAP/Infrabox
https://securitylab.github.com/advisories/GHSL-2020-340/
[00:22:21] Duo Two-factor Authentication Bypass
https://sensepost.com/blog/2021/duo-two-factor-authentication-bypass/
[00:31:22] [Grammarly] Ability to DOS any organization's SSO and open up the door to account takeovers
https://hackerone.com/reports/976603
[00:35:50] From 0 to RCE: Cockpit CMS
https://swarm.ptsecurity.com/rce-cockpit-cms/?d
[00:41:41] Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape
https://www.bugcrowd.com/blog/big-bugs-cve-2020-28914/
[00:48:52] xscreensaver: raw socket leaked
https://bugs.chromium.org/p/project-zero/issues/detail?id=2174
[00:51:31] Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086)
https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/
https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html
[00:59:49] Exploiting System Mechanic Driver
https://voidsec.com/exploiting-system-mechanic-driver/
[01:03:27] Zero-day vulnerability in Desktop Window Manager used in the wild [CVE-2021-28310]
https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/
[01:08:33] Windows Defender mpengine remote code execution [CVE-2021-1647]
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1647.html
[01:13:55] ELECTRIC CHROME - CVE-2020-6418 on Tesla Model 3
https://leethax0.rs/2021/04/ElectricChrome/
http://www.phrack.org/papers/attacking_javascript_engines.html
[01:20:36] QEMU and U: Whole-system tracing with QEMU customization
https://www.atredis.com/blog/qemu-and-u-whole-system-tracing-with-qemu-customization
[01:21:31] Learning Resource - Hexterisk Blog
https://hexterisk.github.io/blog/posts/


