

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.

Mar 10, 2020 • 2h 14min
FuzzBench, MediaTek-su, Request Smuggling, and Memory Tagging
A new AMD side-channel, an old Intel CSME attack, a couple of deserialization attacks, a few clever but not terribly useful attacks, and some discussion about memory tagging on this week's episode of DAY[0].
[00:00:21] Election Security 2020: Don't Let Disinformation Undermine Your Right to Vote
[00:06:52] Announcing Remote Participation in Pwn2Own Vancouver
[00:11:22] Revoking certain certificates on March 4
[00:19:40] FuzzBench: Fuzzer Benchmarking as a Service
[00:28:53] Intel x86 Root of Trust: loss of trust
[00:39:07] Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors
[00:49:11] VU#782301 - pppd vulnerable to buffer overflow due to a flaw in EAP packet processing
https://github.com/paulusmack/ppp/commit/8d45443bb5c9372b4c6a362ba2f443d41c5636af
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
[00:55:11] MediaTek rootkit affecting millions of Android devices
[01:01:56] Zoho ManageEngine RCE
[01:11:25] RCE Through a Deserialization Bug in Oracle's WebLogic Server (CVE-2020-2555)
[01:14:22] Regex Vulnerabilities - parse-community/parse-server
[01:18:57] HTTP request smuggling using malformed Transfer-Encoding header
[01:27:20] [Nextcloud] Delete All Data of Any User
[01:30:36] Dismantling DST80-based Immobiliser Systems
[01:37:53] Exploring Backdoor Poisoning Attacks Against Malware Classifiers
[01:45:59] Code Renewability for Native Software Protection
[01:55:42] Security Analysis of Memory Tagging
[02:04:15] DangKiller: Eliminating Dangling Pointers Efficiently via Implicit Identifier
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@DAY[0])

Mar 3, 2020 • 1h 47min
kr00k, GhostCat, and more issues from NordVPN, Samsung, OpenSMTPd
Join Specter and zi as they discuss several named vulns (kr00k, Forgot2kEyXCHANGE, GhostCat), the benefits of DNS-over-HTTPS, and a few vulns in some of our regular targets: Samsung drivers, NordVPN, OpenSMTPD.
[00:01:13] Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen
[00:06:13] Firefox continues push to bring DNS over HTTPS by default for US users
https://github.com/curl/curl/wiki/DNS-over-HTTPS
[00:19:07] Securing Memory at EPYC Scale
[00:26:30] How a Hacker's Mom Broke Into a Prison—and the Warden's Computer
[00:29:12] kr00k | ESET
[00:33:14] CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys
[00:37:41] CVE-2020-1938: Ghostcat vulnerability
[00:46:16] LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
[00:55:43] Blind SSRF on debug.nordvpn.com due to misconfigured sentry instance
https://hackerone.com/reports/374737
[01:00:30] x-request-id header reflected in server response without sanitization
[01:05:54] Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection
https://hackerone.com/valve/hacktivity
[01:12:56] Samsung Kernel /dev/hdcp2 hdcp_session_close() Race Condition
[01:14:59] Samsung Kernel Arbitrary /dev/vipx / /dev/vertex kfree
[01:18:34] Samsung Kernel /dev/vipx Pointer Leak
[01:22:21] HFL: Hybrid Fuzzing on the Linux Kernel – NDSS Symposium
[01:30:32] Et Tu Alexa? When Commodity WiFi Devices Turn into Adversarial Motion Sensors
[01:38:27] Evasion techniques
[01:39:31] Hacking Unicode Like a Boss
[01:43:05] Pwning VMware, Part 2: ZDI-19-421, a UHCI bug | nafod
[01:44:48] Intro to chrome's v8 from an exploit development angle

Feb 25, 2020 • 2h 1min
A Dark White-Hat hacker? and various vulns ft. Cisco, Periscope, NordVPN and Tesla/EyeQ
Keeping up our streak, we talk about some vulnerabilities in Cisco, NordVPN and Tesla, and about SlickWraps being hacked by a very dark white-hat.
[00:02:32] Humble Book Bundle: Cybersecurity 2020 by Wiley
[00:11:31] Google Summer of Code 2020
https://radare.org/gsoc/2020/
[00:23:01] Critical Issue In ThemeGrill Demo Importer
[00:28:48] Cisco Security Advisory: Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability
[00:32:19] nordvpn Linux Desktop executable application does not use pie / no ASLR
[00:40:57] Race condition (TOCTOU) in NordVPN can result in local privilege escalation
[00:49:17] Periscope android app deeplink leads to CSRF in follow action
[00:54:01] I hacked SlickWraps. This is how. - Lynx0x00 - Medium
https://files.catbox.moe/fxn9r2.pdf
[01:10:23] Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles
[01:18:31] Edge CVE-2020-0767 RCE POC
[01:22:02] GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath
[01:28:37] CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction
[01:37:31] MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing
[01:49:36] pwn.college BETA
[01:53:17] Microcontroller Readback Protection: Bypasses and Defenses
[01:54:00] Libxml2 Tutorial | AFLplusplus
[01:56:06] Booting iOS on QEMU Research Slides
https://github.com/alephsecurity/confs/blob/master/OFFENSIVE20/offensive-20-ios-qemu.pdf
https://github.com/alephsecurity/xnu-qemu-arm64

Feb 18, 2020 • 2h 5min
A New PWK/OSCP, Election Hacking, Kernel Exploits, and Fuzzing
Is the new OSCP worth it? Can election apps be made secure? We'll talk about those questions, several kernel exploits, and a few cool fuzzing innovations.
[00:00:23] PWK and the OSCP Certification | Offensive Security
[00:16:24] Rescheduling Root KSK Ceremony 40
[00:20:15] The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz
https://blog.voatz.com/?p=1209
[00:49:26] Lateral movement via MSSQL: a tale of CLR and socket reuse
[00:55:51] Fix for CVE-2018-12122 can be bypassed via keep-alive requests
[01:00:28] A Trivial Privilege Escalation Bug in Windows Service Tracing (CVE-2020-0668)
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
[01:05:01] Intel CSME Escalation of Privilege
[01:07:41] Project Zero: A day^W^W Several months in the life of Project Zero
[01:18:54] Project Zero: Mitigations are attack surface, too
https://packetstormsecurity.com/files/156316/Samsung-Kernel-PROCA-Use-After-Free-Double-Free.html
[01:33:42] Samsung SEND_FILE_WITH_HEADER Use-After-Free
[01:35:52] Samsung /dev/tsmux Heap Out-Of-Bounds Write
[01:39:55] Exploiting a Linux kernel vulnerability in the V4L2 subsystem (CVE-2019-18683)
[01:45:10] KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
[01:54:06] HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
[01:58:14] HYPER-CUBE: High-Dimensional Hypervisor Fuzzing
[02:02:21] FIDO2 Deep Dive: Attestations, Trust model and Security
[02:03:04] Hypervisor Necromancy; Reanimating Kernel Protectors

Feb 11, 2020 • 1h 39min
Hack Twitter, WhatsApp and all your Cisco phones (CDPwn) ft. GhostKnight
Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco: vulns for days impacting several big names, plus a couple of new attack ideas: blind regex injection, and GhostKnight, a technique to breach data integrity using speculative execution.
[00:01:07] Updated re. Sudo Exploit
[00:03:32] Charges Filed against Four Chinese PLA Hackers for part in 2017 Equifax Breach
[00:06:06] Announcing a Targeted Incentive Program for Selected Trend Micro Products
[00:11:01] Android Security Bulletin - February 2020
https://android.googlesource.com/kernel/common/+/5eeb2ca0
https://android.googlesource.com/kernel/common/+/5eeb2ca0%5E%21/#F0
[00:17:06] Critical Bluetooth Vulnerability in Android (CVE-2020-0022)
[00:22:48] Dangerous Domain Corp.com Goes Up for Sale
[00:37:43] NordVPN - IDOR allow access to payments data of any user
https://hackerone.com/nordvpn
[00:43:35] Twitter - Bypass Password Authentication for updating email and phone number
[00:48:27] WhatsApp Desktop XSS to Local File read (CVE-2019-18426)
[01:03:03] CDPwn: 5 Zero-Days in Cisco Discovery Protocol
[01:15:07] A Rough Idea of Blind Regular Expression Injection Attack
https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques
[01:20:45] GhostKnight: Breaching Data Integrity via Speculative Execution
[01:26:00] BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness
[01:30:27] Forging SWIFT MT Payment Messages for fun and pr... research!
[01:35:22] Grooming the iOS Kernel Heap

Feb 4, 2020 • 1h 50min
OK Google, sudo ./hacktheplanet
OK Google! Bypass authentication... and while we're at it, let's exploit sudo and OpenSMTPD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues.
Correction: During the segment about the sudo (pwfeedback) exploit I incorrectly described the issue as a stack-based buffer overflow; however, the buf variable is declared as static, so it ends up in .bss and not on the stack. ~zi
[00:00:22] Charges Dismissed Against Coalfire Employees
[00:06:50] Avast to Commence Wind Down of Subsidiary Jumpshot
[00:22:10] Say hello to OpenSK: a fully open-source security key implementation
[00:28:25] Kraken Identifies Critical Flaw in Trezor Hardware Wallets
[00:33:56] Zoom-Zoom: We Are Watching You
[00:39:08] TeamViewer using encrypted passwords
[00:47:43] Buffer overflow [in sudo] when pwfeedback is set in sudoers (CVE-2019-18634)
https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078
https://github.com/sudo-project/sudo/blob/0fcb6471609969b5911db0b2917ced16c913676f/src/tgetpass.c#L413
[01:01:23] Opkg susceptible to MITM (CVE-2020-7982)
https://git.openwrt.org/?p=project/opkg-lede.git;a=commitdiff;h=54cc7e3bd1f79569022aa9fc3d0e748c81e3bcd8
[01:07:18] LPE and RCE in OpenSMTPD (CVE-2020-7247)
[01:14:13] PHP 7.0-7.4 disable_functions bypass 0day PoC
https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php
[01:28:53] Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I)
https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/
[01:40:22] OK Google: bypass the authentication!

Jan 27, 2020 • 1h 56min
Return of the Zombieload, Bezos Hacked, and other exploits
This week we look at 15 CVEs, including the new MDS attacks/ZombieLoad and GhostImage, a cool attack against vision-based classification systems. We also have a discussion about mobile vs. desktop security.
[00:01:33] Pwn2Own Miami 2020
[00:06:32] Allegations that Saudi Crown Prince involved in hacking of Jeff Bezos’ phone
https://twitter.com/dinodaizovi/status/1221324029841244161
[00:11:25] Chris Rohlf on Twitter: "...Mobile security was largely a success relative to the state of the desktop..."
[00:25:49] More MDS Attacks: Intel Patching its Patch of the Patch for MDS/ZombieLoad Attacks
https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upv68b
[00:31:34] MDHex Vulnerabilities
[00:42:55] JSSE Client Authentication Bypass (CVE-2020-2655)
[00:55:37] Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363)
[00:58:34] ModSecurity Denial of Service (CVE-2019-19886)
[01:02:47] GGvulnz - How I hacked hundreds of companies through Google Groups
[01:09:14] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption (CVE-2020-6857)
[01:14:40] arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault - Patchwork
[01:18:54] Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability (CVE-2020-3142)
[01:21:35] iGPU Leak: An Information Leakage Vulnerability on Intel Integrated GPU (CVE-2019-14615)
[01:28:41] Information Leaks via Safari's Intelligent Tracking Prevention
[01:39:02] GhostImage: Perception Domain Attacks against Vision-based Object Classification Systems
[01:44:46] Nightmare - A collection of binary exploitation / reverse engineering challenges and writeups
[01:49:26] The Life of a Bad Security Fix
[01:51:22] macOS/iOS: ImageIO: heap corruption when processing malformed TIFF image

Jan 21, 2020 • 1h 47min
Project Verona, CurveBall, CableHaunt, and RCEs-a-plenty
Start off with some discussion about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week, including CurveBall, CableHaunt, and an RDP RCE.
[00:00:27] Chromium Blog: Building a more private web: A path towards making third party cookies obsolete
[00:07:05] WeLeakInfo.com Domain Name Seized
[00:13:39] A sad day for Rust
[00:25:38] GitHub - microsoft/verona: Research programming language for concurrent ownership
https://github.com/microsoft/verona/blob/master/docs/explore.md
[00:37:30] Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
[00:47:16] Control Flow Integrity (CFI) in the Linux kernel
[00:53:54] ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
[00:57:19] Netgear TLS Private Key Disclosure through Device Firmware Images
https://news.ycombinator.com/item?id=22048619
https://github.com/ollypwn/CVE-2020-0601/blob/master/main.rb
[01:17:39] Cable Haunt
[01:27:19] RDP to RCE: When Fragmentation Goes Wrong
[01:31:46] Critical Auth Bypass Vulnerability In InfiniteWP Client And WP Time Capsule
[01:37:48] cuck00 | Twenty-twenty, bugs aplenty!

Jan 14, 2020 • 1h 56min
SHA-mbles, Shitrix, Responsible Disclosure, and wtf is TikTok doing?
[00:00:35] SHA-1 is a Shambles
https://www.youtube.com/watch?v=Gh6p7Y74m9A
[00:14:50] Government-funded phones come pre-installed with unremovable malware
[00:22:09] Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1 — Mozilla
[00:27:02] CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
https://github.com/projectzeroindia/CVE-2019-19781
https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/
https://twitter.com/GossiTheDog/status/1215785949709459456
[00:38:20] Project Zero: Policy and Disclosure: 2020 Edition
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html
[00:52:07] Privileged Access Never (PAN) - Another day, another broken mitigation.
[00:57:43] Tik or Tok? Is TikTok secure enough?
[01:18:33] Fortinet FortiSIEM Hardcoded SSH Key
[01:22:58] Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
[01:32:00] WAF-A-MoLE: Evading Web Application Firewalls through Adversarial Machine Learning
[01:36:00] QSOR: Quantum-Safe Onion Routing
[01:45:09] Browser Games Aren't an Easy Target
[01:46:31] Reverse engineering RNG in a GBA game
https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use

Jan 8, 2020 • 2h 21min
First Edge bounty, Hacking Tesla via Wi-Fi, Cisco advisories, and Shadow Clones
[00:00:40] CCC
[00:14:58] Sunsetting Python 2 | Python.org
https://www.python.org/blogs/
[00:19:11] Kali 2020.1 - Default Non-Root User
https://www.kali.org/news/kali-default-non-root-user/
https://www.offensive-security.com/
[00:35:53] Caterpillar padlocks all use the same key
[00:42:51] Shitcoin Wallet is a scam, says security researcher
[00:47:13] Microsoft Edge (Chromium) - Elevation of Privilege to Potential Remote Code Execution
[00:56:57] Exploiting Wi-Fi Stack on Tesla Model S | Keen Security Lab Blog
[01:08:52] Spiderman 2000 - Buffer overflow in file loading routine
[01:14:31] Alert Alarm SMS exploit
[01:27:33] D-Link DIR-859 - Unauthenticated RCE (CVE-2019-17621)
[01:33:20] Cisco Security Advisory: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities
https://tools.cisco.com/security/center/publicationListing.x
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav
[01:45:03] Starbuck's JumpCloud API Key leaked via Open Github Repository
https://www.androidpolice.com/2020/01/06/uh-oh-xiaomi-camera-feed-showing-random-homes-on-a-google-nest-hub-including-still-images-of-sleeping-people/
[01:56:39] JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms
[02:02:28] Shadowclone: Thwarting and Detecting DOP Attacks with Stack Layout Randomization and Canary
[02:15:21] Breaking PHP's mt_rand() with 2 values and no bruteforce