Day[0]

dayzerosec
May 19, 2020 • 2h 32min

iOS 0days are worthless, PrintDemon, and a takeover of hackerone

Are iOS 0days now worthless? Can you hack a satellite... or hackerone? Are WAFs worthwhile? And more on a fairly discussion-heavy episode of DAY[0].

[00:00:52] [UPDATE] Huawei HKSP Introduces Trivially Exploitable Vulnerability
https://github.com/cloudsec/aksp/blob/master/hksp.patch
[00:11:59] iOS one-click chains prices likely to drop
https://www.hackasat.com/
[00:33:30] Defcon Quals 2020
https://hxp.io/blog/72/DEFCON-CTF-Quals-2020-notbefoooled/
[00:46:33] vBulletin 5.6.1 SQL Injection
[00:52:52] Subdomain takeover of resources.hackerone.com
[01:01:11] MyLittleAdmin PreAuth RCE
[01:06:13] DOM-Based XSS at accounts.google.com by Google Voice Extension
[01:16:47] Playing with GZIP: RCE in GLPI [CVE-2020-11060]
[01:36:24] Reverse RDP - The Path Not Taken
[01:44:19] PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth [CVE-2020-1048]
https://twitter.com/VbScrub/status/1260598344650539009
[01:53:34] Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently
[02:00:29] Cloud WAF Comparison Using Real-World Attacks
https://medium.com/fraktal/cloud-waf-comparison-part-2-e6e2d25f558c
https://en.wikipedia.org/wiki/Server_Side_Includes
[02:18:20] Fuzzing TLS certificates from their ASN.1 grammar
[02:22:25] DHS CISA and FBI share list of top 10 most exploited vulnerabilities

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) or the video archive on YouTube (@DAY[0])

May 12, 2020 • 2h 17min

Defcon is canceled, Microsoft was hacked, Rust has vulns

Update: While we talk about Huawei Kernel Self Protection (HKSP) I make mention of the author's statement that he is unrelated to Huawei. Turns out this statement, despite a commit date of Friday, wasn't pushed until Monday morning, so it was not original. Further information has also come out showing that the author is a Huawei employee, so the relationship is much closer than I believed it to be. ~zi

It was a busy week: Microsoft's GitHub account was hacked, Centurylink routers have no security, and multiple interactionless RCEs in Samsung phones.

[00:01:45] OpenOrbis PS4 Toolchain
[00:05:06] DEF CON 28 in-person conference is CANCELLED
[00:13:23] The Nintendo leak saga continues...
[00:18:40] Keybase joins Zoom
https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/
[00:33:41] Azure Security Lab - Research Challenge
[00:42:38] Hijacking Centurylink Routers [CVE 2019-19639]
[00:46:24] DoS on Twitter App
[00:51:39] A tale of verbose error message and a JWT token
[01:00:29] Pentesting Cisco SD-WAN Part 2: Breaking routers
[01:04:21] Memory leak and Use After Free in Squid
[01:17:48] How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability
[01:28:30] Samsung Android multiple interactionless RCE
https://github.com/googleprojectzero/SkCodecFuzzer
[01:38:25] Linux futex+VFS Use-After-Free
[01:45:03] Huawei HKSP Introduces Trivially Exploitable Vulnerability
[01:50:32] Ragnarok Stopper: development of a vaccine
[01:55:51] Understanding Memory and Thread Safety Practices and Issues in Real-World Rust Programs
[02:09:34] Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters
[02:10:19] GitHub - JHUAPL/Beat-the-Machine: Reverse engineering basics in puzzle form

May 5, 2020 • 2h 21min

Auth Bypass, XSS, RCE and more

Authentication bypasses, SQL injection, command injection, and more in this web-exploit-heavy episode.

[00:09:11] Facebook v. NSO Group
[00:18:14] Netsweeper PreAuth RCE
[00:25:49] SaltStack authorization bypass
https://github.com/saltstack/salt/blob/0b2a5613b345f17339cb90e60b407199b3d26980/salt/master.py#L1139
[00:42:02] E-Learning Platforms Getting Schooled
https://github.com/LearnPress/learnpress/commit/d6f818b5f65b007acbdf62236d4aa549fb33d24a?diff=split
[01:03:54] Roblox - Subdomain Takeover
[01:08:09] Fix XSS issue in handling of CDATA in HTML messages · roundcube/roundcubemail@87e4cd0 · GitHub
[01:10:13] Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin
[01:17:11] Gitlab - Arbitrary file read via the UploadsRewriter when moving an issue
[01:20:15] Researching Polymorphic Images for XSS on Google Scholar
[01:27:41] TP-LINK Cloud Cameras Multiple Vulnerabilities
https://seclists.org/fulldisclosure/2020/May/3
https://seclists.org/fulldisclosure/2020/May/4
[01:34:46] Remote Code Execution on Microsoft SharePoint Using TypeConverters [CVE-2020-0932]
[01:43:03] Firefox js::ReadableStreamCloseInternal Out-Of-Bounds Access
[01:51:56] Siguza - iOS <13.5 sandbox escape/entitlement 0day
[02:03:16] Honeysploit: Exploiting the Exploiters
[02:15:13] Guy's 30 Reverse Engineering Tips & Tricks
[02:16:45] Remote Code Execution on Nintendo 64 through Morita Shogi 64

Apr 28, 2020 • 2h 5min

Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE

Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available in the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days.

[00:00:33] Relyze Decompiler
[00:22:06] Firefox's Bug Bounty in 2019 and into the Future
[00:30:29] Source code for both CS:GO and TF2 Leaked
[00:38:58] Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS
[00:44:34] MSI TrueColor Unquoted Service Path Vulnerability
[00:48:43] 1-click RCE on Keybase
[00:55:56] jQuery < 3.5 Cross-Site Scripting (XSS) in html()
https://xss.pwnfunction.com/challenges/ww3/
[01:01:37] Multiple 0 day vulnerabilities in IBM Data Risk Manager
[01:17:24] You Won't Believe what this One Line Change Did to the Chrome Sandbox
https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1
[01:23:58] You've Got (0-click) Mail!
[01:31:29] Sharing a Logon Session a Little Too Much
[01:37:00] SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions
https://0x0539.net/play/fangorn/crypto_cookie
[01:47:10] MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages
[01:54:37] Android 8.0-9.0 Bluetooth Zero-Click RCE [CVE-2020-0022]
[01:57:26] Patchguard: Detection of Hypervisor Based Introspection
https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/
[01:59:37] HITB Lockdown Livestream Day 1

Apr 21, 2020 • 2h 31min

Binary Ninja's Decompiler, git credential leak, cross-platform LPEs

Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler... okay, probably not, but it is exciting. We've also got some stupid issues and some interesting LPEs this episode.

[00:00:29] Cognizant suffers Maze Ransomware cyber attack
[00:14:08] Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000
[00:27:46] How I Reverse Engineered the LastPass CLI Tool
[00:35:59] State of the Ninja: Episode 13
[01:02:18] Riot offering up to $100k in Bug Bounty
[01:05:31] Research Grants to support Google VRP Bug Hunters during COVID-19
[01:09:08] Denial of service to WP-JSON API by cache poisoning
[01:11:43] CSRF to RCE bug chain in Prestashop
[01:21:16] Unintended disclosure of OTP
[01:24:20] JSON Web Token Validation Bypass in Auth0 Authentication API
[01:27:06] git: Newline injection in credential helper
[01:31:20] How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability
[01:36:34] Pwning vCenter with CVE-2020-3952
[01:45:19] Oracle Solaris 11.x/10 whodo/w Buffer Overflow
[01:51:22] Linux Kernel EoP via Improper eBPF Program Verification [CVE-2020-8835]
[01:57:39] Multiple Kernel Vulnerabilities Affecting All Qualcomm Devices
https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4f42c24e02ce82392d8f8fe215570568380c8ab
[02:07:20] Ricerca Security: "SMBGhost pre-auth RCE"
https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/
[02:14:01] IJON: Exploring Deep State Spaces via Fuzzing
[02:23:26] Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction
[02:27:45] GitHub - wcventure/FuzzingPaper

Apr 14, 2020 • 1h 30min

IDA...Go home, Sandboxie source, and some RCEs (TP-Link, Starcraft 1, OhMyZsh)

Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware, and ending with a subtle crypto bug.

[00:00:45] DAY[0] Episode Transcripts now Available
[00:02:53] Microsoft Buys Corp.com to Keep It Safe from Hackers (Over $1.7 Million Deal)
[00:05:42] Hack for Good: Easily Donate Bounties to WHO's COVID-19 Response Fund
[00:10:55] RetDec v4.0 is out
[00:17:33] IDA Home is coming
https://www.sophia.re/Binary-Rockstar/index.html
https://nostarch.com/GhidraBook
[00:33:44] Sandboxie Open Source Code is available
https://github.com/xanasoft/Sandboxie
[00:38:01] Exploiting the TP-Link Archer A7
[00:46:50] Exploiting the Starcraft 1 EUD Bug
[00:51:23] OhMyZsh dotenv Remote Code Execution
[00:56:19] Symantec Web Gateway 5.0.2.8 Remote Code Execution
[00:59:15] VMware vCenter Server Sensitive Information Disclosure [CVE-2020-3952]
[01:01:39] Bypassing modern XSS mitigations with code-reuse attacks
[01:07:49] Practical Data Poisoning Attack against Next-Item Recommendation
[01:11:40] Hardware Trojan Detection Using Controlled Circuit Aging
[01:16:18] A "Final" Security Bug
[01:27:05] RCEed version of computer malware / rootkit MyRTUs / Stuxnet
https://github.com/christian-roggia/open-myrtus/blob/master/rootkit/FastIo.c
https://xkcd.com/350/

Apr 7, 2020 • 2h 10min

Zoom-ers, VM Escapes, and Pegasus Resurfaces

First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up with some interesting vulnerabilities including a hypervisor guest-to-host escape, a complicated Safari permissions bypass, and a Gitlab parser differential.

[00:09:31] Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users
[00:14:49] Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings
[00:28:28] Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1
[00:33:20] Bug bounty platforms buy researcher silence, violate labor laws, critics say
[00:53:56] Zoom NTLM Hash Leak
[00:59:44] The 'S' in Zoom, Stands for Security
[01:05:52] Use-After-Free Vulnerability in the VMware Workstation DHCP Component [CVE-2020-3947]
https://www.vmware.com/security/advisories/VMSA-2020-0004.html
https://www.zerodayinitiative.com/advisories/ZDI-20-298/
[01:15:38] Exploiting SMBGhost for a Local Privilege Escalation [CVE-2020-0796]
[01:26:31] How to exploit parser differentials
[01:37:07] Unauthorized Camera access on iOS and macOS
[01:49:07] [Slack] Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation
[01:54:21] Physically Realizable Adversarial Examples for LiDAR Object Detection
[02:01:39] Attack matrix for Kubernetes
[02:03:34] Project Zero: TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
[02:04:13] Tale of two hypervisor bugs - Escaping from FreeBSD bhyve
[02:08:21] So you want to be a web security researcher?

Mar 31, 2020 • 1h 48min

A shortcut (.lnk) to RCE, Pi-Hole, Shadow Stacks, and fine-grained kASLR

Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few other vulnerabilities impacting Windows, Pi-hole and Netflix, and end by looking at Windows' new hardware-enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux.

[00:01:18] The Netflix account compromise Bugcrowd doesn't want you to know about
https://bugcrowd.com/netflix
[00:16:21] Where is my Train : Tracking to Hacking
[00:22:59] Intel SGX removed from Rocket Skylake-S CPUs
[00:28:17] Type 1 Font Parsing Remote Code Execution Vulnerability
[00:33:41] Configuration Overwrite in IBM Cognos TM1 [CVE-2019-4716]
[00:42:19] Remote Code Execution Through .LNK Files [CVE-2020-0729]
[00:53:15] Pi-hole Remote Code Execution [CVE-2020-8816]
[01:03:14] NordVPN - Unauthorized User Can Delete Any User Account
[01:09:33] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
https://blockchain-ctf.securityinnovation.com/#/
[01:20:01] Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
[01:20:28] Understanding Hardware-enforced Stack Protection
https://windows-internals.com/cet-on-windows/
[01:32:21] [RFC PATCH 00/11] Finer grained kernel address space randomization - Kristen Carlson Accardi
https://www.kryptoslogic.com/blog/2020/03/another-look-at-two-linux-kaslr-patches/
[01:42:14] Slayer Labs
https://www.reddit.com/r/netsec/comments/fr8w8u/free_vpn_access_to_slayer_labs_networks/?sort=top

Mar 24, 2020 • 1h 40min

Pwn2Own Results, Voatz (again), some web-exploits and a code-reuse mitigation

More discussion about election hacking with Voatz undergoing a more complete security assessment; we also discuss a few interesting web attacks and end with a good discussion about a new code-reuse mitigation: Hurdle.

[00:00:20] Learn Exploit Development While Not Dying
[00:02:10] Exploit Education
[00:07:32] Pwn2Own Results
https://www.zerodayinitiative.com/blog/2020/3/19/pwn2own-2020-day-one-results
[00:16:19] DEF CON CTF 2020 QUALS COVID-19 DELAY
[00:22:30] Software Engineer - Jobs at Apple
[00:30:56] Tesla Model 3 Denial of Service Vulnerability [CVE-2020-10558]
[00:36:26] Trail of Bits - Voatz Security Review
[01:01:49] XXE-scape through the front door: circumventing the firewall with HTTP request smuggling
[01:08:12] Don't Clone That Repo: Visual Studio Code^2 Execution
https://github.com/doyensec/VSCode_PoC_Oct2019/
https://github.com/doyensec/VSCode_PoC_Oct2019/blob/master/.vscode/settings.json
https://github.com/doyensec/VSCode_PoC_Oct2019/commit/19b4687259bd5d1821525a3ebbe6aa76618359c3#diff-62b00de1d62bb867ef03dec7057712f1R50
[01:14:22] [Hacker101] Race Condition leads to undeletable group member
[01:19:58] JavaScript without parentheses using DOMMatrix
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked
[01:24:21] Hurdle: Securing Jump Instructions Against Code Reuse Attacks
https://www.youtube.com/watch?v=qFWTZ2zZ1XQ
http://se.ri0.us/2020-03-23-110829182-9e1b1.png

Mar 17, 2020 • 1h 57min

How to Hack a CTF and more (LVI, TRRespass and some web-exploits)

Start off by looking at a few Google Cloud attacks, a couple of named vulns (LVI: Load Value Injection, and TRRespass) and then into some web-focused exploits, including how to hack a CTF.

[00:00:15] P2O Vancouver now remote-only
[00:04:10] Announcing our first GCP VRP Prize winner and updates to 2020 program
https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-introduction/
[00:18:36] Whisper has exposed all user information
[00:28:10] LVI: Hijacking Transient Execution with Load Value Injection
[00:39:13] TRRespass: Exploiting the Many Sides of Target Row Refresh
[00:47:17] The unexpected Google wide domain check bypass
[00:56:34] Facebook OAuth Framework Vulnerability
[01:06:36] JSON CSRF with method override technique
[01:13:20] Breaking the Competition
[01:23:26] [Slack] TURN server allows TCP and UDP proxying to internal network
[01:26:08] [Slack] HTTP Request Smuggling to steal session cookies
[01:30:46] [Slack] DTLS uses a private key that is in the public domain
[01:32:55] [htmr] DOM-based XSS
[01:42:08] A Compiler Assisted Scheduler for Detecting and Mitigating Cache-Based Side Channel Attacks
[01:50:00] Bypassing memory safety mechanisms through speculative control flow hijacks
