

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers or anyone interested in the details of the latest disclosed vulnerabilities and exploits.

Feb 14, 2024 • 34min
[binary] kCTF Changes, LogMeIn, and wlan VFS Bugs
Google makes some changes to their kCTF competition, and a few kernel bugs shake out of the LogMeIn and wlan VFS drivers.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/242.html
[00:00:00] Introduction
[00:00:29] Netfilter Tables Removed from kCTF
[00:20:23] LogMeIn / GoTo LMIInfo.sys Handle Duplication
[00:27:20] Several wlan VFS read handlers don't check buffer size leading to userland memory corruption
[00:32:35] International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO) - 0x22
[00:34:15] Exploring AMD Platform Secure Boot
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

Feb 13, 2024 • 1h 16min
[bounty] The End of a DEFCON Era and Flipper Zero Woes
DEF CON moves venues, the Canadian government moves to ban Flipper Zero, and some XSS issues affect Microsoft Whiteboard and Meta's Excalidraw.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/241.html
[00:00:00] Introduction
[00:00:33] DEF CON was canceled.
[00:16:42] Federal action on combatting auto theft
[00:39:03] Jenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE
[00:43:27] Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140)
[00:52:26] SSRF on a Headless Browser Becomes Critical!
[00:59:04] ChatGPT Account Takeover - Wildcard Web Cache Deception
[01:05:14] Differential testing and fuzzing of HTTP servers and proxies
[01:10:14] Hunting for Vulnerabilities that are ignored by most of the Bug Bounty Hunters
[01:19:38] Analyzing AI Application Threat Models

Feb 7, 2024 • 38min
[binary] The Syslog Special
Libfuzzer goes into maintenance-only mode and syslog vulnerabilities plague some vendors in this week's episode.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/240.html
[00:00:00] Introduction
[00:00:20] LibFuzzer in Maintenance-only Mode
[00:11:41] Heap-based buffer overflow in the glibc's syslog() [CVE-2023-6246]
[00:26:33] Hunting for ~~Un~~authenticated n-days in Asus Routers
[00:34:44] Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution
[00:35:51] Chaos Communication Congress (37C3) recap
[00:36:51] GitHub - google/oss-fuzz-gen: LLM powered fuzzing via OSS-Fuzz.

Feb 6, 2024 • 48min
[bounty] Public Private Android Keys and Docker Escapes
This week we have a crazy crypto fail where some Android devices had updates signed by publicly available private keys, as well as some Docker container escapes.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/239.html
[00:00:00] Introduction
[00:00:22] Missing signs: how several brands forgot to secure a key piece of Android
[00:13:37] ModSecurity: Path Confusion and really easy bypass on v2 and v3
[00:21:24] runc process.cwd & leaked fds container breakout [CVE-2024-21626]
[00:24:23] Buildkit GRPC SecurityMode Privilege Check [CVE-2024-23653]
[00:27:49] Jumpserver Preauth RCE Exploit Chain
[00:43:49] 500$: MFA bypass By Race Condition
[00:49:52] HTTP Downgrade attacks with SmuggleFuzz

Jan 31, 2024 • 46min
[binary] Busted ASLR, PixieFail, and Bypassing HVCI
This week's binary episode features a range of topics from discussion on Pwn2Own's first automotive competition to an insane bug that broke ASLR on various Linux systems. At the lower level, we also have some bugs in UEFI, including one that can be used to bypass Windows Hypervisor Code Integrity mitigation.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/238.html
[00:00:00] Introduction
[00:02:40] 37C3: Unlocked - media.ccc.de
[00:08:15] Zero Day Initiative — Pwn2Own Automotive 2024 - Day One Results
[00:16:35] ASLRn’t: How memory alignment broke library ASLR
[00:22:47] Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)
[00:26:33] PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.
[00:31:10] Hunting down the HVCI bug in UEFI
[00:35:51] A Deep Dive into V8 Sandbox Escape Technique Used in In-The-Wild Exploit
[00:37:32] Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution - Exodus Intelligence
[00:38:38] OffSec EXP-401 Advanced Windows Exploitation (AWE) - Course Review
[00:44:56] Dumping GBA ROMs from Sound

Jan 30, 2024 • 1h 14min
[bounty] Reborn Homograph Attacks and Ransacking Passwords
A packed episode this week as we cover recent vulnerabilities from the last two weeks, including some IDORs, auth bypasses, and a HackerOne bug. Some fun attacks also appear, such as a resurfacing of IDN homograph attacks and timing attacks.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/237.html
[00:00:00] Introduction
[00:02:59] 37C3: Unlocked - media.ccc.de
[00:09:00] Ivanti's Pulse Connect Secure Auth Bypass and RCE
[00:19:47] [HackerOne] View Titles of Private Reports with pending email invitation
[00:23:58] 1 Program, 4 Business Logic Bugs and Cashing in 2300$.
[00:33:32] Global site selector authentication bypass
[00:42:55] IDN Homograph Attack - Reborn of the Rare Case
[00:50:53] PII Disclosure At `theperfumeshop.com/register/forOrder`
[00:54:40] [darkhttpd] timing attack and local leak of HTTP basic auth credentials
[01:02:42] Ransacking your password reset tokens
[01:08:11] Worse than SolarWinds: Three Steps to Hack Blockchains, GitHub, and ML through GitHub Actions
[01:10:41] Crypto Gotchas!
[01:13:37] Web LLM attacks
[01:15:13] Improving LLM Security Against Prompt Injection
[01:16:17] Sys:All: How A Simple Loophole in Google Kubernetes Engine Puts Clusters at Risk of Compromise
[01:17:37] Kubernetes Scheduling And Secure Design

Jan 17, 2024 • 52min
[binary] Bypassing Chromecast Secure-Boot and Exploiting Factorio
A bit of a game special this week, with a Counter-Strike: Global Offensive vulnerability and an exploit for Factorio. We also have a Linux kernel bug and a Chromecast secure-boot bypass with some hardware hacking mixed in.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/236.html
[00:00:00] Introduction
[00:00:25] Exploring Counter-Strike: Global Offensive Attack Surface
[00:26:22] Exploiting a Factorio Buffer Overflow
[00:31:46] io_uring: __io_uaddr_map() handles multi-page region dangerously
[00:39:25] Chromecast with Google TV (1080P) Secure-Boot Bypass
[00:51:58] exploits.club

Jan 16, 2024 • 35min
[bounty] A GitLab Account Takeover and a Coldfusion RCE
A short bounty episode featuring some logical bugs in Apache OFBiz, a GitLab Account Takeover, and an unauthenticated RCE in Adobe Coldfusion.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/235.html
[00:00:00] Introduction
[00:00:20] SonicWall Discovers Critical Apache OFBiz Zero-day
[00:11:40] [GitLab] Account Takeover via password reset without user interactions
[00:24:05] Unauthenticated RCE in Adobe Coldfusion [CVE-2023-26360]
[00:35:08] No new iPhone? No secure iOS: Looking at an unfixed iOS vulnerability
[00:36:45] How we made $120k bug bounty in a year with good automation

Jan 10, 2024 • 1h 11min
[binary] Allocator MTE, libwebp, and Operation Triangulation
This week's highly technical episode has discussion around the exploitation of a libwebp vulnerability we covered previously, memory tagging (MTE) implementation with common allocators, and an insane iPhone exploit chain that targeted researchers.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/234.html
[00:00:00] Introduction
[00:02:35] PagedOut Issue 3
[00:05:14] GPSd NTRIP Stream Parsing access violation vulnerability
[00:08:25] Exploiting the libwebp Vulnerability, Part 1: Playing with Huffman Code
[00:30:01] Strengthening the Shield: MTE in Heap Allocators
[00:37:40] Operation Triangulation - What you get when you attack iPhones of Researchers

Jan 9, 2024 • 1h 16min
[bounty] Spoofing Emails, PandoraFMS, and Keycloak
The hosts delve into security vulnerabilities lurking in desktop applications, highlighting client-side path traversal risks. They reveal alarming issues in Pandora FMS, including unauthenticated access and remote code execution. A deep dive into SMTP vulnerabilities unravels the complex world of email spoofing and the failures of current security protocols. Through engaging anecdotes and technical analysis, they advocate for better security practices and responsible disclosure to combat these persistent threats.