

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes

Nov 8, 2023 • 1h 6min
[binary] MTE Debuts, DNS Client Exploits, and iTLB Multihit
As memory tagging (MTE) finally comes to a consumer device, we talk about how it may impact vulnerability research and exploit development going forward. Then we get into a few vulnerabilities including a DNS response parsing bug on the Wii U, an Adobe Acrobat bug that was exploited by a North Korean APT, and a CPU bug (iTLB Multihit).
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/222.html
[00:00:00] Introduction
[00:00:23] Hexacon 2023 Talks
[00:02:48] First handset with MTE on the market
[00:24:15] Exploiting DNS response parsing on the Wii U
[00:33:11] Adobe Acrobat PDF Reader RCE when processing TTF fonts [CVE-2023-26369]
[00:46:18] iTLB multihit
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

Nov 7, 2023 • 53min
[bounty] Attacking OAuth, Citrix, and some P2O Drama
Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/221.html
[00:00:00] Introduction
[00:01:24] Wyze Cam v3 - Pwn2Own Drama
[00:17:57] Oh-Auth - Abusing OAuth to take over millions of accounts
[00:30:55] Exploiting Healthcare Servers with Polyglot Files [CVE-2023-33466]
[00:41:06] Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
[00:49:25] Hacking a Silent Disco
[00:50:43] DOM-based race condition: racing in the browser for fun

Oct 24, 2023 • 49min
[binary] Windows Kernel Bugs, Safari Integer Underflow, and CONSTIFY
Diving right into some binary exploitation issues this week. Starting with a look at a rare sort of curl vulnerability where a malicious server could compromise a curl user. Then we take a look at a pretty straightforward type confusion in Windows kernel code, and an integer underflow in Safari with some questionable exploitation. Ending the episode with some thoughts on how impactful grsecurity's "constify" mitigation could be.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/220.html
[00:00:00] Introduction
[00:00:14] How I made a heap overflow in curl
[00:17:32] Critically close to zero (day): Exploiting Microsoft Kernel streaming service
[00:30:34] Story of an innocent Apple Safari copyWithin gone (way) outside [CVE-2023-38600]
[00:38:10] CONSTIFY: Fast Defenses for New Exploits
[00:46:53] An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
[00:47:40] Getting RCE in Chrome with incomplete object initialization in the Maglev compiler

Oct 22, 2023 • 30min
[bounty] Rapid Reset, Attacking AWS Cognito, and Confluence Bugs
We've got a mix of topics this week, starting with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluence, and a log injection bug leading to RCE.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/219.html
[00:00:00] Introduction
[00:00:15] HTTP/2 Rapid Reset Attack [CVE-2023-44487]
[00:04:35] [Node] Path traversal through path stored in Uint8Array
[00:09:44] Attacking AWS Cognito with Pacu
[00:14:33] Privilege Escalation Vulnerability in Confluence Data Center and Server [CVE-2023-22515]
[00:21:15] Not Your Stdout Bug - RCE in Cosmos SDK

Oct 11, 2023 • 1h 11min
[binary] A Chrome RCE, WebP 0day, and glibc LPE
Some complex and confusing vulnerabilities as we talk about the recent WebP 0day and the complexities of huffman coding. A data-only exploit to escape a kCTF container, the glibc LPE LOONY_TUNABLES, and a Chrome TurboFan RCE.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/218.html
[00:00:00] Introduction
[00:00:40] Expanding our exploit reward program to Chrome and Cloud
[00:06:10] The WebP 0day
- We do somewhat downplay this issue due to the difficulty of exploiting it. But to be clear, it was exploited in the wild on Apple devices, so it is exploitable. We're more downplaying the panic that came up around it. It is still a serious issue that should be patched.
[00:34:00] Escaping the Google kCTF Container with a Data-Only Exploit
[00:44:49] Local Privilege Escalation in the glibc's ld.so [CVE-2023-4911]
[01:01:27] Getting RCE in Chrome with incorrect side effect in the JIT compiler
[01:08:03] Behind the Shield: Unmasking Scudo's Defenses

Oct 10, 2023 • 50min
[bounty] Insecure Firewalls, MyBB, and Winning with WinRAR
This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment during extraction that isn't performed consistently. A MyBB admin-panel RCE, a fairly privileged bug, but I think the bug pattern could appear elsewhere and is something to watch out for. And several silly issues in a "next-gen" firewall, including source disclosures and RCEs from the login page.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/217.html
[00:00:00] Introduction
[00:01:17] Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR
[00:13:32] Yet More Unauth Remote Command Execution Vulns in Firewalls
[00:29:02] MyBB Admin Panel RCE [CVE-2023-41362]
[00:44:55] How to build custom scanners for web security research automation
[00:46:33] Exploiting HTTP Parsers Inconsistencies

Sep 27, 2023 • 1h 10min
[binary] Busted Stack Protectors, MTE, and AI Powered Fuzzing
A binary summer-recap episode, looking at some vulnerabilities and research put out over the summer. Talking about what TPM really offers when it comes to full-disk encryption, and some thoughts on AI in the fuzzing loop. Then into some cool bugs, kicking off with some ARM Memory Tagging Extension vulnerabilities, a `-fstack-protector` implementation failure and bypass, and then a look at an Android exploit that was found in the wild.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/216.html
[00:00:00] Introduction
[00:01:50] Spot the Vuln - Only One Domain
[00:04:46] AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
[00:15:00] Summary: MTE As Implemented
[00:38:21] TPM provides zero practical security
[00:47:30] CVE-2023-4039: GCC’s -fstack-protector fails to guard dynamic stack allocations on ARM64
[00:55:30] Analyzing a Modern In-the-wild Android Exploit
[01:07:31] Various Vulnerabilities in Huawei Trustlets

Sep 26, 2023 • 1h 19min
[bounty] DEF CON, HardwearIO, Broken Caching, and Dropping Headers
We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be worth using in your bug bounty chains. A look at a classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/215.html
[00:00:00] Introduction
[00:02:15] Summer Recap - HardwearIO
[00:11:51] Summer Recap - DEF CON
[00:49:20] CVE-2020-19909 is everything that is wrong with CVEs
[00:58:40] PHP servers drop any header if the header has "\r" [@OctagonNetworks]
[01:03:10] Encrypted Doesn't Mean Authenticated: ShareFile RCE [CVE-2023-24489]
[01:11:40] How Private Cache Can Lead to Mass Account Takeover
[01:15:20] From Terminal Output to Arbitrary Remote Code Execution
[01:16:37] Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

May 25, 2023 • 56min
[binary] Exploiting VMware Workstation and the Return of CSG0-Days
This week we've got a handful of low-level vulns, VM-escape, Windows EoP, and a single IPv6 packet leading to a kernel panic/denial of service, and one higher-level issue with a bug chain in CS:GO.
This is our final episode until September 25th as we will be heading off on our regular summer break.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/214.html
[00:00:00] Introduction
[00:01:12] Spot the Vuln - Reference Check
[00:06:56] Exploiting VMware Workstation at Pwn2Own Vancouver [CVE-2023-20869/20870]
[00:17:44] CS:GO: From Zero to 0-day
[00:30:27] CVE-2022-41073: Windows Activation Contexts EoP
[00:38:37] Linux IPv6 Route of Death 0day
[00:46:36] Google Chrome V8 ArrayShift Race Condition Remote Code Execution
[00:47:46] Specter Will Give Hardwear.IO PS5 Talk
[00:49:11] Resources while we are on break

May 23, 2023 • 47min
[bounty] Jellyfin Exploits and TOCTOU Spellcasting
Another bug bounty podcast, another set of vulnerabilities. Starting off with a desktop info-disclosure in KeePass2 that discloses master passwords to attackers (with a high level of access). A couple of Jellyfin bugs resulting in an RCE chain, and a pretty classic crypto issue that allowed for renting luxury cars for extremely cheap.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/213.html
[00:00:00] Introduction
[00:02:48] KeePass2 Password Disclosure
[00:10:10] Peanut Butter Jellyfin Time
[00:19:14] Abusing Time-Of-Check Time-Of-Use (TOCTOU) Race Condition Vulnerabilities in Games, Harry Potter Style
[00:22:19] Discovering a Hidden Security Loophole: Rent luxury Cars for a Single Dollar
[00:27:00] Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond
[00:35:28] Resources while we are on break