

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.

Nov 10, 2020 • 1h 52min
Pwn2Own, Tianfu Cup, and Other Hacks
A Facebook DOM-based XSS, Rocket.chat and Github Actions RCEs, and a Brave Browser information disclosure in this week's episode.
[00:00:50] Pwn2Own Tokyo (Live from Toronto) - Schedule and Results
https://www.zerodayinitiative.com/blog/2020/7/28/announcing-pwn2own-tokyo-2020-live-from-toronto
[00:12:00] Tianfu Cup - Results
[00:16:28] Unlimited Chase Ultimate Rewards Points
[00:26:09] Github: Widespread injection vulnerabilities in Actions
[00:36:37] About the security content of iOS 14.2 and iPadOS 14.2
https://twitter.com/ShaneHuntley/status/1324431104187670529
[00:42:04] Rocket.Chat Desktop RCE
[00:44:44] git-lfs RCE
[00:46:46] Attack of the clones: Git clients remote code execution
[00:48:17] YOURLS 1.5 - 1.7.10, Multiple Stored XSS Vulnerabilities in Admin Panel
[00:53:23] Company forced to change name that could be used to hack websites
[00:57:12] Facebook DOM Based XSS using postMessage
[01:03:00] SQL Injection and Reflected XSS in Oracle Communications Diameter Signaling Router
[01:06:00] Re-discovering a JWT Authentication Bypass in ServiceStack
https://docs.servicestack.net/releases/v5.9#v592-patch-release-notes
[01:10:45] How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day
[01:18:12] Exploiting Microsoft Store Games [CVE-2020-16877]
[01:26:21] Fuzzing for eBPF JIT bugs in the Linux kernel
[01:41:18] Capture the Bot: Using Adversarial Examples to Improve CAPTCHA Robustness to Bot Attacks
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on YouTube (@DAY[0])

Nov 3, 2020 • 2h 8min
A Look At OSEP, Hacking Metasploit and the Legal Risks of Research
This week we are joined by CTS to discuss fuzzing. We also take a look at PEN-300/OSEP before jumping into this week's exploits, from NAT Slipstreaming to a Metasploit command injection and plenty in between.
[00:01:06] Cybersecurity as we know it will be 'a thing of the past in the next decade,' says Cloudflare's COO
[00:05:51] A Researcher’s Guide to Some Legal Risks of Security Research
[00:10:57] Exploit Developer Spotlight: The Story of PlayBit
[00:17:25] New Pentesting Course: PEN-300 (OSEP)
https://www.offensive-security.com/awe-osee/
[00:28:20] Vulnonym: Stop the Naming Madness!
https://twitter.com/vulnonym
[00:30:55] DeFuzz: Deep Learning Guided Directed Fuzzing
[00:59:32] NAT Slipstreaming
[01:08:10] GitLab CVE-2020-13294
[01:13:17] Attacking Roku sticks for fun and profit
[01:16:48] Tiki Wiki - Authentication Bypass [CVE-2020-15906]
[01:20:12] Metasploit framework template command injection - CVE-2020-7384
[01:23:43] Wormable remote code execution in Alien Swarm
[01:29:50] Pulse Connect Secure - RCE via Uncontrolled Gzip Extraction [CVE-2020-8260]
[01:32:55] The story of three CVE's in Ubuntu Desktop
[01:41:31] CVE-2020-16939: Windows Group Policy DACL Overwrite Privilege Escalation
[01:46:36] Windows Kernel cng.sys pool-based buffer overflow
[01:54:21] Vector35 releases all Binary Ninja core architecture plugins
[01:55:33] How Debuggers Work: Getting and Setting x86 Registers, Part 1
[01:56:12] CodeQL U-Boot Challenge (C/C++)
[01:59:14] Fundamentals of Software Exploitation

Oct 27, 2020 • 2h 31min
Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs
A lot to cover in this episode, from high-performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course, many vulns, from GitHub RCEs to VMware Workstation race conditions.
[00:01:21] Youtube-dl Cease and Desist
[00:14:33] Let’s build a high-performance fuzzer with GPUs!
https://gamozolabs.github.io/2020/10/23/some_thoughts_on_gpu_fuzzing.html
[00:29:07] Samsung S20 - RCE via Samsung Galaxy Store App
[00:33:24] Jitsi Meet Electron - Arbitrary Client Remote Code Execution [CVE-2020-27162]
https://github.com/jitsi/jitsi-meet-electron/blob/40866232594442ea77d5144deebcd38ed3d362be/main.js#L126
[00:39:14] 2FA Disable With Wrong Password - Response Tampering.
[00:41:22] HTTP Request Smuggling due to CR-to-Hyphen conversion
https://hackerone.com/nodejs?type=team
[00:46:56] GitHub Gist - Account takeover via open redirect
[00:53:19] GitHub - RCE via git option injection (almost)
[00:56:36] GitHub Pages - Multiple RCEs via insecure Kramdown configuration
[01:01:38] Gateway2Hell - Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In
[01:09:02] Remote code execution on Symfony based websites
[01:18:40] Detailing Two VMware Workstation TOCTOU Vulnerabilities
[01:25:15] Linksys WRT160NL – Authenticated Remote Buffer Overflow [CVE-2020-26561]
[01:32:03] The FreeType Project - Heap buffer overflow due to integer truncation
[01:38:54] Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild
[01:45:15] NSA Warns Chinese State-Sponsored Malicious Cyber Actors Exploiting 25 CVEs
[01:57:15] Penetration Testing and Low-Cost Freelancing
[02:23:24] WPScan.io "XSS"
[02:28:24] MITRE - Adversarial Threat Matrix
[02:29:16] Shoutout to Alh4zr3d

Oct 20, 2020 • 2h 16min
Some Discord, a Bad Neighbor and a BleedingTooth
It has been a while since we had an exploit extravaganza, but here we are. Several binary-level issues from Bad Neighbor on Windows to BleedingTooth on Linux, several vulns in Qualcomm SoCs, and even a Discord RCE.
[00:00:57] Introducing Edge Vulnerability Research
[00:06:57] Cache Partitioning in Chrome
[00:10:29] Magma: A Ground-Truth Fuzzing Benchmark
[00:25:27] "Bits Please!" - CVE-2020-16938
[00:29:50] ContainerDrip [CVE-2020-15157]
[00:40:01] Discord Desktop app RCE
[00:52:34] Time Based SQLi via referrer header
https://www.fedscoop.com/hack-the-army-2-results/
[00:57:35] PyYAML 0day
[01:09:24] Phantom of the ADAS
[01:15:03] Rollback Attack in Mozilla Maintenance Service
[01:19:33] Glitching The MediaTek BootROM
[01:25:05] AssaultCube RCE: Technical Analysis
[01:32:27] CVE-2020-12928 - Privilege Escalation in AMD Ryzen Master
[01:35:38] Major Vulnerabilities in Qualcomm QCMAP
[01:42:58] Bad Neighbor - RCE in Windows ICMPv6 Router Advertisement
[01:51:16] DOS2RCE: A New Technique to Exploit V8 NULL Pointer Dereference Bug (see: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers)
[01:56:34] BleedingTooth - Linux Bluetooth Zero-Click RCE
https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
[02:07:25] shmdt doesn't check the tag of pointers
[02:12:29] Security Analysis of the CHERI ISA
[02:13:18] Evading defences using VueJS script gadgets
[02:14:32] Sega Master System Architecture - A Practical Analysis
[02:14:52] IPC scripts for access to Intel CRBUS

Oct 13, 2020 • 1h 55min
Breaking into HashiCorp Vault, Apple and Google
It's a web-exploit-heavy episode impacting Apple, HashiCorp, Azure, Google, and even a DOMPurify bypass. Then we end off with a look into benchmarking fuzzers and a look at the House of Muney heap exploitation technique.
[00:00:49] Fuzzing internships for Open Source Software
[00:03:15] CET Updates – CET on Xanax
[00:09:07] Binary Ninja - Open Source Architectures
[00:14:03] Memory Safe 'curl' for a More Secure Internet
https://daniel.haxx.se/blog/2020/10/09/rust-in-curl-with-hyper/
[00:17:25] We Hacked Apple for 3 Months: Here’s What We Found
[00:25:46] Race condition while removing the love react in community files
[00:30:11] Enter the Vault: Authentication Issues in HashiCorp Vault
[00:46:39] Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure
[00:51:11] Password Reset Link Leaked In Refer Header
[00:57:37] The mass CSRFing of *.google.com/* products.
[01:06:02] A brief encounter with Leostream Connect Broker
[01:15:47] Bypassing DOMPurify again with mutation XSS
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
https://github.com/marcinguy/jquery-xss-in-html
[01:22:10] Apache Struts OGNL Remote Code Execution [CVE-2019-0230]
[01:28:11] UNIFUZZ: A Holistic, Pragmatic Metrics-Driven Platform for Evaluating Fuzzers
https://github.com/unifuzz/unibench
https://github.com/unifuzz
[01:47:15] House of Muney - Leakless Heap Exploitation Technique
https://github.com/mdulin2/house-of-muney

Oct 6, 2020 • 2h 5min
Fingerprinting Exploit Devs, BLURtooth and Punking Punkbuster
Every wondering how you might fingerprint and trace exploit devs in the wild? Wondered what a backdoor in a D-Link router looks like? Want to hack Facebook (for Android)? We have all of that and more!
[00:00:43] Google: Android Partner Vulnerability Initiative
https://bugs.chromium.org/p/apvi/issues/list?q=&can=1
[00:02:55] Project Zero: Announcing the Fuzzilli Research Grant Program
[00:08:40] GitHub: Code scanning is now available
[00:16:39] Hunting for exploits by looking for the author's fingerprints
[00:22:26] Forcing Firefox to Execute XSS Payloads during 302 Redirects
[00:27:10] Exploiting fine-grained AWS IAM permissions for total cloud compromise
https://medium.com/bugbountywriteup/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7
[00:38:04] BLURtooth (the BLUR attacks)
[00:44:25] Arbitrary code execution on Facebook for Android
[00:51:44] [stripo] Public and secret api key leaked in JavaScript source
[01:00:14] [GitLab] Unvalidated Oauth email results in accounts takeovers on 3rd parties
[01:06:03] Hacking Grindr Accounts with Copy and Paste
[01:16:37] Exploiting Other Remote Protocols in IBM WebSphere
https://portswigger.net/web-security/deserialization/exploiting
[01:25:57] The Anatomy of a Bug Door: Dissecting Two D-Link Router Authentication Bypasses
[01:38:36] Hacking Punkbuster.
[01:43:26] Race Condition in handling of PID by apport [CVE-2020-15702]
[01:57:24] Hardware Hacking Experiments
[01:59:11] How I automated McDonalds mobile game to win free iPhones
[01:59:42] Voyager - A Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel)
[02:00:28] zznop/sploit: Go package that aids in binary analysis and exploitation

Sep 29, 2020 • 2h 5min
Instagram Hacks, Half-life 1 Exploits, and Gaslighting Android
Let's go back in time to look at the leaked WinXP source and a Half-Life 1 exploit. And, while we are at it, a couple of Instagram vulns and a cheap hardware attack against Android.
[00:00:50] Windows XP Source Leak
https://twitter.com/vxunderground/status/1309231131313737735
https://twitter.com/dangeredwolf/status/1310067935902343170
[00:12:49] "I'm not a fan of critical bugs"
[00:28:01] API Keys leaked via Solana BBP github repo
[00:36:34] Exploiting Tiny Tiny RSS
[00:45:28] HackerOne Reflected XSS
[00:50:37] Steam Arbitrary File Overwrite
[00:55:23] Half-Life 1 Code Execution with malformed map name
[00:59:09] uTorrent Vulnerability [CVE-2020-8437]
https://raw.githubusercontent.com/guywhataguy/uTorrent-CVE-2020-8437/master/malicious.torrent
[01:09:26] $25K Instagram Almost XSS Filter Link
[01:14:57] #Instagram_RCE
[01:26:44] Kernel exploitation: weaponizing [CVE-2020-17382]
[01:34:07] Bypass Android MDM
[01:41:17] XSS without arbitrary JavaScript
[01:48:40] security things in Linux v5.7
[01:56:48] Code Review 101

Sep 22, 2020 • 1h 39min
Bhyves and Evil LEDs (+Roulette)
A "trivial" Bhyve VM escape, a BitWarden "RCE", a ModSecurity "Denial of Service" and more scare quotes for your enjoyment in this week's episode.
[00:00:33] Patient Dies After Ransomware Attack
[00:08:05] Zerologon [CVE-2020-1472]
[00:14:29] BitWarden Blind HTTP GET SSRF
https://github.com/bitwarden/server/pull/812/commits/f094b76b6638932b13bb5ed2d9295185c54ce332
https://github.com/bitwarden/desktop/issues/552
[00:23:40] Apache + PHP under v7.4.10 open_basedir bypass
[00:29:59] ModSecurity v3 Affected By DoS (Severity HIGH) [CVE-2020-15598]
[00:38:09] Bhyve VM Escape
https://bsdsec.net/articles/freebsd-announce-freebsd-security-advisory-freebsd-sa-20-29-bhyve_svm
[00:42:59] Webkit aboutBlankURL() code execution vulnerability
[00:48:28] CVE-2020-9964 - An iOS infoleak
[00:51:44] Online Casino Roulette - A guideline for pen testers
[00:56:40] Light Can Hack Your Face! Black-box Backdoor Attack on Face Recognition
[01:03:06] UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling
[01:12:07] FANS: Fuzzing Android Native System Services via Automated Interface Analysis
https://github.com/iromise/fans
[01:19:52] OneFuzz framework, an open source developer tool to find and fix bugs at scale
https://github.com/microsoft/onefuzz
[01:28:35] Finding Australian Prime Minister Tony Abbott's passport number
[01:34:08] ARM64 Reversing and Exploitation
[01:37:25] Hypervisor Exploitation Compiled Research List
https://github.com/bitwarden/server/pull/812/commits/f094b76b6638932b13bb5ed2d9295185c54ce332

Sep 15, 2020 • 2h 23min
Raccoons, Incomplete fixes and Kernel Exploits
Leading off this week's discussion is the news about the now remote CCC and Offensive Security's plans to retire OSCE. On the exploit side of things, this week we have a few recent bug bounties including a Google Maps XSS, a FreeBSD TOCTOU, and a couple of Linux kernel vulnerabilities.
[00:02:30] CCC going remote this year due to pandemic
[00:09:44] NVIDIA to Acquire Arm for $40 Billion
[00:20:36] OSCE being retired
https://ringzer0.training/
[00:34:21] Giggle; laughable security
[00:44:51] Raccoon Attack
https://portswigger.net/daily-swig/researchers-exploit-http-2-wpa3-protocols-to-stage-highly-efficient-timeless-timing-attacks
[00:53:34] Executing arbitrary code on NVIDIA GeForce NOW VMs
[01:02:07] Cache poisoning via X-Forwarded-Host
[01:08:56] Team object in GraphQL disclosed private_comment
[01:14:08] XSS->Fix->Bypass: 10000$ bounty in Google Maps
[01:28:33] Microsoft Sharepoint and Exchange Server Vulnerabilities
[01:45:35] Short story of 1 Linux Kernel Use-After-Free and 2 CVEs
[01:53:25] FreeBSD Kernel Privilege Escalation [CVE-2020-7460]
[02:02:47] WSL 2.0 dxgkrnl Driver Memory Corruption
[02:10:46] Project Zero: Attacking the Qualcomm Adreno GPU
[02:16:03] GoogleCTF 2020 Challenge Source + Exploits Release
[02:20:08] IDA Pro Tips to Add to Your Bag of Tricks
[02:20:48] Reverse Engineering: Marvel's Avengers - Developing a Server Emulator

May 26, 2020 • 2h 22min
Zoom E2E, 15 year old bugs, and killing 20 year old attacks
The DAY[0] podcast will be on break until September 14, 2020
A quick chat about E2E crypto and Zoom, followed by a few noteworthy exploits including Bluetooth impersonation, a 15-year-old qmail CVE, NordVPN, and an RCE in Google.
[00:00:50] Adventures of porting MUSL to PS4
[00:01:55] End-to-End Encryption for Zoom Meetings
[00:13:16] Memory safety - The Chromium Projects
[00:21:17] First 0d iOS jailbreak in 6 years
[00:24:11] BIAS: Bluetooth Impersonation AttackS
https://little-canada.org/pdf/web/viewer.html?file=antonioli-20-bias.pdf
https://francozappa.github.io/about-bias/talk/bias-snp/
[00:33:13] 15 years later: Remote Code Execution in qmail (CVE-2005-1513)
http://tukan.farm/2016/07/27/munmap-madness/
https://cr.yp.to/qmail/guarantee.html
http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[00:48:01] Privilege Escalation in Parallels Desktop via VGA Device [CVE-2020-8871]
https://twitter.com/matalaz/status/580600098092105728
[00:55:50] Multiple vulnerabilities in Dovecot IMAP server
[00:59:05] Yet another arbitrary delete EoP [CVE-2020–1088]
[01:06:29] Vulnerabilities chain leading to privilege escalation [NordVPN]
[01:09:27] Race condition in activating email resulting in infinite amount of diamonds received
[01:12:23] RCE in Google Cloud Deployment Manager
[01:28:17] QNAP Pre-Auth Root RCE
[01:37:07] Safe-Linking - Eliminating a 20 year-old malloc() exploit primitive
[01:47:37] Not So Fast: Understanding and Mitigating Negative Impacts of Compiler Optimizations on Code Reuse Gadget Sets
[02:05:43] Precise XSS detection and mitigation with Client-side Templates
[02:17:53] Documenting the impossible: Unexploitable XSS labs
DAY[0] will be on break until September, but you can find the video archive on YouTube (@DAY[0])


