Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.

Dec 22, 2023 • 57min
[binary] RetSpill, A Safari Vuln, and Steam RCE
A bit of a rambling episode to finish off 2023. We talk about some Linux kernel exploitation research (RetSpill), then get into several vulnerabilities: a type confusion in QNAP QTS5, a JavaScriptCore bug in Safari, and several issues in Steam's Remote Play protocol.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/232.html
[00:00:00] Introduction
[00:02:00] RetSpill - Igniting User-Controlled Data to Burn Away Linux Kernel Protections
[00:12:23] QNAP QTS5 – /usr/lib/libqcloud.so JSON parsing leads to RCE
[00:19:53] Safari, Hold Still for NaN Minutes!
[00:31:00] Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

Dec 19, 2023 • 54min
[bounty] IOT Issues and DNS Rebinding
A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature-turned-vulnerability in VS Code, which takes a look at simply abusing intentional functionality. Then several ExtremeXOS bugs in a web console, a Sonos Era 100 jailbreak which involves causing a particular call to fail (a common bug path we've seen before), and some discussion about doing fast DNS rebinding attacks against Chrome and Safari.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/231.html
[00:00:00] Introduction
[00:01:00] It’s not a Feature, It’s a Vulnerability
[00:13:40] Multiple Vulnerabilities In Extreme Networks ExtremeXOS
[00:24:06] Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
[00:30:08] Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari
[00:46:02] Apache Struts2 File Upload Vulnerability Analysis (CVE-2023-50164) - 先知社区
[00:48:49] Blind CSS Exfiltration: exfiltrate unknown web pages
[00:51:11] Finding that one weird endpoint, with Bambdas

Dec 6, 2023 • 33min
[binary] Samsung Baseband and GPU Vulns
A Samsung special this week, starting off with two Samsung-specific vulnerabilities: one in the baseband chip for code execution, and a stack-based overflow in the RILD service handler parsing IPC calls from the baseband chip, for a denial of service. Lastly, a Mali GPU driver use-after-free.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/230.html
[00:00:00] Introduction
[00:00:27] Humble Tech Book Bundle: Hacking 2023 by No Starch
[00:08:15] CVE-2023-21517: Samsung Baseband LTE ESM TFT Heap Buffer Overflow
[00:18:10] CVE-2023-30644: Samsung RIL Stack Buffer Overflow
[00:24:58] Arm Mali r44p0: UAF by freeing waitqueue with elements on it
[00:31:55] A Detailed Look at Pwn2Own Automotive EV Charger Hardware

Dec 5, 2023 • 49min
[bounty] Buggy Cookies and a macOS TCC Bypass
This week brings up a pretty solid variety of issues. Starting off with some cookie smuggling (and other cookie attacks), which presents some interesting research I hadn't really looked for before and that has some potential. Then an AI alignment evasion to leak training data; not the most interesting attack, but it appears to open up some other ideas for further research. A macOS desktop issue (for a $30k bounty), and some Home Assistant issues.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/229.html
[00:00:00] Introduction
[00:00:25] Humble Tech Book Bundle: Hacking 2023 by No Starch
[00:06:58] Cookie Bugs - Smuggling & Injection
[00:17:21] Extracting Training Data from ChatGPT
[00:32:22] lateralus (CVE-2023-32407) - a macOS TCC bypass
[00:37:35] Securing our home labs: Home Assistant code review
[00:45:16] TRAP; RESET; POISON; - Taking over a country Kaminsky style
[00:47:04] Exploiting XPath Injection Weaknesses
[00:47:42] Deep dive into the new Amazon EKS Pod Identity feature

Nov 29, 2023 • 55min
[binary] Hypervisor Bugs and a FAR-out iOS bug
This week kicks off with a V8 misoptimization leading to out-of-bounds access, then an unprotected MSR in Microsoft's Hypervisor allowing corruption of Hypervisor code. We also take a quick look at a 2021 CVE with an integer underflow leading to an overflow in the Windows kernel low-fragmentation heap, and finally an interesting information leak due to the kernel not clearing a sensitive register.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/228.html
[00:00:00] Introduction
[00:00:56] Spot the Vuln - Beyond the Grave
[00:04:00] Chrome V8 Hole Exploit
[00:15:57] How I found Microsoft Hypervisor bugs as a by-product of learning
[00:33:13] Exploitation of a kernel pool overflow from a restrictive chunk size [CVE-2021-31969]
[00:44:13] That's FAR-out, Man
[00:47:38] Money Tree
[00:50:21] How to voltage fault injection

Nov 28, 2023 • 35min
[bounty] Kubernetes Code Exec and There Is No Spoon
This week we've got a few relatively simple bugs to talk about, along with a discussion about auditing and manual analysis for vulnerabilities.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/227.html
[00:00:00] Introduction
[00:00:23] Introducing the Microsoft Defender Bounty Program
[00:04:26] Tapping into a telecommunications company’s office cameras
[00:07:47] CrushFTP Critical Vulnerability CVE-2023-43177 Unauthenticated Remote Code Execution
[00:17:22] [Kubernetes] Ingress nginx annotation injection causes arbitrary command execution
[00:24:38] Testing for audits: there is no spoon

Nov 22, 2023 • 54min
[binary] A Heap of Linux Bugs
Topics include a CPU bug called Reptar, exploiting Google kernelCTF instances, analyzing the CVE-2023-2598 vulnerability, Linux's new random kmalloc caches, and bugs in Linux 6.6. The hosts also discuss the impact of these Linux kernel vulnerabilities, their exploitation, and mitigation techniques.

Nov 21, 2023 • 51min
[bounty] Prompting for Secrets and Malicious Extensions
This week has an interesting mix of issues, starting with a pretty standard template injection. Then we get into a Windows desktop issue, a TOCTOU in how the Mark-of-the-Web would be applied to files extracted from an archive, a privilege escalation from a Chrome extension, and a bit of a different spin on what you could do with a prompt injection.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/225.html
[00:00:00] Introduction
[00:00:26] Magento Template Engine, a story of CVE-2022-24086
[00:06:57] In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
[00:24:50] Google Cloud Vertex AI - Data Exfiltration Vulnerability Fixed in Generative AI Studio
[00:30:40] Uncovering a crazy privilege escalation from Chrome extensions
[00:47:49] Content Providers and the potential weak spots they can have

Nov 15, 2023 • 46min
[binary] A Bundle of Windows Bugs
We've got a few Windows bugs this week, but first a fun off-by-one null-byte write. Then we jump into a containerized registry escape, a browser sandbox escape with a very simple bug buried deep in the browser, and a kernel bug.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/224.html
[00:00:00] Introduction
[00:00:20] Spot the Vuln - Minimax
[00:05:00] Weston Embedded uC-HTTP HTTP Server Host header parsing memory corruption vulnerability
[00:14:49] Windows Kernel containerized registry escape through integer overflows in VrpBuildKeyPath and other weaknesses
[00:20:04] Escaping the sandbox: A bug that speaks for itself
[00:37:07] Exploiting Windows Kernel Wild Copy With User Fault Handling [CVE-2023–28218]

Nov 13, 2023 • 40min
[bounty] Usurping Mastodon and Broken Signature Schemes
Just a few issues this week: a Mastodon normalization issue leading to the potential to impersonate another account. Then we have a more complex chain, starting again with a normalization issue and leading to a fairly interesting request smuggling (CL.0 via a malformed Content-Type header) and cache poisoning to leak credentials. Finally, a crypto issue with a signature not actually being a signature.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/223.html
[00:00:00] Introduction
[00:00:23] Usurping Mastodon instances - mastodon.so/cial [CVE-2023-42451]
[00:09:59] From Akamai to F5 to NTLM... with love.
[00:33:36] Our Pwn2Own journey against time and randomness (part 2)