

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes

May 18, 2023 • 51min
[binary] Attacking VirtualBox and Malicious Chess
This week we've got a neat little printer corruption, a probably unexploitable Stockfish bug (though we speculate about exploitation a bit), then a VirtualBox escape bug, and an Adreno "vulnerability".
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/212.html
[00:00:00] Introduction
[00:01:31] Spot the Vuln - To Upload or Not To Upload
[00:05:25] The printer goes brrrrr, again!
[00:09:34] [Stockfish] Increase MAX_MOVES to prevent buffer overflow and stack corruption
[00:27:53] Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991
[00:37:09] Qualcomm Adreno/KGSL: secure buffers are addressable by all GPU users
[00:43:37] RET2ASLR - Leaking ASLR from return instructions
[00:46:13] Apple Fails to Fully Reboot iOS Simulator Copyright Case
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

May 16, 2023 • 49min
[bounty] OverlayFS to Root and Parallels Desktop Escapes
More bug bounty style bugs, but you'd be forgiven for reading that title and thinking we had a low-level focus this episode. We've got some awesome bugs this week though, from tricking Dependabot and abusing placeholder values to an IIS auth bypass, ending off with a kernel bug (OverlayFS) and a VM escape (Parallels Desktop).
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/211.html
[00:00:00] Introduction
[00:00:28] Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot
[00:12:39] Placeholder for Dayzzz: Abusing placeholders to extract customer informations
[00:19:40] Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3
[00:33:44] PwnAssistant - Controlling /home's via a Home Assistant RCE
[00:39:26] The OverlayFS vulnerability [CVE-2023-0386]
[00:44:01] Escaping Parallels Desktop with Plist Injection

May 11, 2023 • 39min
[binary] TPMs and Baseband Bugs
This week we go a bit deeper than normal and look at some low level TPM attacks to steal keys. We've got a cool attack that lets us leak a per-chip secret out of the TPM one byte at a time, and a post about reading Bitlocker's secret off the SPI bus. Then we talk about several Shannon baseband bugs disclosed by Google's Project Zero.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/210.html
[00:00:00] Introduction
[00:01:14] Spot the Vuln - Sanitize Now or Later
[00:03:50] faulTPM: Exposing AMD fTPMs’ Deepest Secret
[00:18:33] Stealing the Bitlocker key from a TPM
[00:24:01] Shannon Baseband: Integer overflow when reassembling IPv4 fragments

May 9, 2023 • 54min
[bounty] Bad Ordering, Free OpenAI Credits, and Goodbye Passwords?
We open up this week's bug bounty podcast with a discussion about Google's recent support for passkeys, tackling some misunderstandings about what they are and how open the platform is, with some talk towards the end about potential vulnerabilities to look out for. Then we dive into the vulnerabilities for the week: bypassing phone validation in OpenAI, a bad origin check enabling abuse of a permissive CORS policy, and an order of operations issue defeating the purpose of sanitization in Oracle's Opera.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/209.html
[00:00:00] Introduction
[00:02:43] So long passwords, thanks for all the phish
[00:23:49] OpenAI Allowed “Unlimited” Credit on New Accounts
[00:28:53] A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF...
[00:44:28] Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera
[00:52:16] Testing Zero Touch Production Platforms and Safe Proxies

May 4, 2023 • 42min
[binary] A Timing Side-Channel for Kernel Exploitation and VR in the wake of Rust
Not a lot of interesting binary exploitation topics this week: we've got a DHCPv6 service vuln and a fun idea to use a timing side-channel to improve exploit stability. Then we end with a discussion about Rust coming to the Windows operating system, what Rust means for the future of exploit development and vulnerability research, and the value of memory corruption in Windows.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/208.html
[00:00:00] Introduction
[00:00:17] Spot the Vuln - Organizational Issues
[00:09:21] RCE in the Microsoft Windows DHCPv6 Service [CVE-2023-28231]
[00:12:29] PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique
[00:22:16] Rust and the future of VR

May 2, 2023 • 39min
[bounty] Git Config Injection and a Sophos Pre-Auth RCE
On this week's bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they could crop up in other applications too. First up is an RCE due to nested use of an escaped string; second, an fgets loop that doesn't account for long lines; then an XML signature verification tool with a deceptive interface; and last, a look at how Bash's privileged mode can backfire.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/207.html
[00:00:00] Introduction
[00:00:31] Analysis of Pre-Auth RCE in Sophos Web Appliance [CVE-2023-1671]
[00:07:16] Git Arbitrary Configuration Injection [CVE-2023-29007]
[00:11:41] Redash SAML Authentication Bypass
[00:18:51] Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in MacOS
[00:29:38] Ambushed by AngularJS: a hidden CSP bypass in Piwik PRO
[00:34:37] [cPanel] Finding XSS in a million websites [CVE-2023-29489]
[00:35:20] Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score [CVE-2023-1767]

Apr 27, 2023 • 39min
[binary] A Ghostscript RCE and a Windows Registry Bug
This week's binary exploitation episode has some pretty solid bugs: a string escaping routine that goes out of bounds, a web-based information disclosure, and a couple of kernel issues, one in the Windows registry (a logical bug leading to memory corruption) and an AppleSPU out-of-bounds access.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/206.html
[00:00:00] Introduction
[00:00:30] Reversing the AMD Secure Processor (PSP) - Part 1: Design and Overview
[00:01:15] Spot the Vuln - Left-over Spaces
[00:05:03] Shell in the Ghost: Ghostscript CVE-2023-28879 writeup
[00:17:16] SecurePwn Part 2: Leaking Remote Memory Contents [CVE-2023-22897]
[00:21:50] Windows Kernel insufficient validation of new registry key names in transacted NtRenameKey
[00:30:38] CVE-2022-32917: AppleSPU out of bounds write
[00:34:11] Compromising Garmin's Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine
[00:35:27] The Fuzzing Guide to the Galaxy: An Attempt with Android System Services
[00:36:51] Stepping Insyde System Management Mode

Apr 25, 2023 • 38min
[bounty] SecurePoint UTM, Chfn, and Docker Named Pipe Vulns
For this week's bug bounty podcast we start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple of desktop-based software bugs, with a Docker Desktop privilege escalation on Windows and a chfn bug. We've also got a couple of escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file writes.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/205.html
[00:00:00] Introduction
[00:00:32] SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication [CVE-2023-22620]
[00:08:41] Abusing Linux chfn to Misrepresent etc passwd [CVE-2023-29383]
[00:14:39] Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2
[00:22:42] From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys
[00:25:52] Pretalx Vulnerabilities: How to get accepted at every conference
[00:34:07] LLM Hacker's Handbook

Apr 13, 2023 • 54min
[binary] Glitching the Wii-U and Integer Overflows
We start with a hardware/glitching attack against the Wii U, then let's talk about integer overflows. We've got three integer overflows this week that lead to buffer overflows in different ways.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/204.html
[00:00:00] Introduction
[00:00:19] Spot the Vuln - Easy as ABC
[00:06:18] de_Fuse, the One True Pwn
[00:15:31] SonicWall Out Of Bounds Write DoS
[00:26:43] Windows bluetooth vulnerability exploit [CVE-2022-44675]
[00:28:52] Windows bluetooth vulnerability exploit [CVE-2022-44675]
[00:30:06] Escaping Adobe Sandbox: Exploiting an Integer Overflow in Microsoft Windows Crypto Provider

Apr 11, 2023 • 32min
[bounty] Pentaho Pre-Auth RCE and Theft by CAN Injection
Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code, an auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWS Elastic Kubernetes Service.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/203.html
[00:00:00] Introduction
[00:00:30] [Elastic] Synthetics Recorder: Code injection when recording website with malicious content
[00:02:45] [Elastic] Synthetics Recorder: Code injection when recording website with malicious content
[00:06:32] Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server
[00:13:47] CAN Injection: keyless car theft
[00:23:48] Privilege escalation in AWS Elastic Kubernetes Service (EKS)