

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.
Episodes
Mentioned books

Apr 6, 2023 • 43min
[binary] A SNIProxy Bug and a Samsung NPU Double Free
Just a few bugs this week: a classic buffer overflow caused by an unbounded copy in SNIProxy, mast1c0re Part 2 with a few more easy vulnerabilities but more complex and difficult exploitation, and an in-the-wild double free in the Samsung NPU driver.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/202.html
[00:00:00] Introduction
[00:00:24] Spot The Vuln - Operational Set
[00:03:37] SNIProxy wildcard backend hosts buffer overflow vulnerability
[00:08:17] mast1c0re Part 2 - Compiler Attack
[00:21:46] Samsung NPU device driver double free in Android [CVE-2022-22265]
[00:41:52] CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

Apr 4, 2023 • 44min
[bounty] Bamboozling Bing and a Curl Gotcha
Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues: a curl quirk that it might be useful to be aware of, an Azure Pipelines vulnerability abusing attacker-controlled logging, a look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/201.html
[00:00:00] Introduction
[00:00:39] The curl quirk that exposed Burp Suite and Google Chrome
[00:03:33] Exploiting prototype pollution in Node without the filesystem
[00:05:37] Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack
[00:11:27] Attacking Android Antivirus Applications
[00:20:59] BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover

Mar 30, 2023 • 1h 8min
[binary] 200th Episode! Integer Bugs & Synthetic Memory Protections
It's our 200th episode, and we've got some stats from our first 200 episodes. Then we talk about some Pwn2Own policy changes, a couple of memeable overflows, and some new anti-ROP mitigations on OpenBSD.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/200.html
[00:00:00] Introduction
[00:00:52] Spot the Vuln - Just a Coupon
[00:04:56] 200th Episode
[00:14:52] Pwn2Own Vancouver 2023 - The Full Schedule
[00:23:26] WellinTech KingHistorian SORBAx64.dll RecvPacket integer conversion vulnerability
[00:28:23] ARM TrustZone: pivoting to the secure world
[00:34:33] Synthetic Memory Protections - An update on ROP mitigations
[00:57:51] Vulnerabilities 1002: C-Family Software Implementation Vulnerabilities

Mar 28, 2023 • 51min
[bounty] Bypassing CloudTrail and Tricking GPTs
We are back with more discussion about applying AI/ChatGPT to security research, but before that we have a few interesting vulnerabilities. An OTP implementation that is too complex for its own good, a directory traversal leading to a guest to host VM escape, and server-side mime-sniffing.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/199.html
[00:00:00] Introduction
[00:00:31] Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research
[00:07:45] Story of a Beautiful Account Takeover
[00:14:06] Parallels Desktop Toolgate Vulnerability
[00:18:50] Golang Server-Side MIME Sniff
[00:25:55] InjectGPT: the most polite exploit ever
[00:32:36] ChatGPT: The Right Tool for the Job?
[00:40:38] GPT Trick Golf
[00:49:19] [HackerOne] Arbitrary Remote Leak via ImageMagick [CVE-2022-44268]

Mar 23, 2023 • 45min
[binary] TOCTOUs in Intel SMM and Shannon Baseband Bugs
We've got a pretty nice root/super-user check bypass in XNU this week, and a double-fetch-style (TOCTOU) issue in Intel's SMM code leading to a potential privilege escalation into System Management Mode. We've also got a few meme-able Shannon Baseband issues and some tough-to-exploit out-of-bounds reads in MIT Kerberos V5.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/198.html
[00:00:00] Introduction
[00:00:27] Spot the Vuln - The Right Context
[00:02:52] Discussion: Using GPT-4 to Spot Vulnerabilities in Code (and SecGPT)
[00:11:05] A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
[00:19:32] Out-of-Bounds Read in the MIT Kerberos V5 (krb5) library
[00:25:35] XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads
[00:32:36] XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads
[00:36:35] Shannon Baseband: Intra-object overflow in NrmmMsgCodec when decoding Service Area List

Mar 21, 2023 • 42min
[bounty] Popping Azure Web Services and Apollo Config Bugs
Recovering data from a cropped image (thanks to an undocumented API change), bypassing an origin check with an emoji, and a trivial SSRF filter bypass, all in this week's bug bounty podcast.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/197.html
[00:00:00] Introduction
[00:00:32] SSRF Cross Protocol Redirect Bypass
[00:08:08] EmojiDeploy: Smile! Your Azure Web Service Got RCE’d ._.
[00:20:43] Multiple vulnerabilities in Apollo Configuration Management System [CVE-2023-25569, CVE-2023-25570]
[00:29:00] Exploiting aCropalypse: Recovering Truncated PNGs

Mar 16, 2023 • 41min
[binary] An OpenBSD overflow and TPM bugs
Some simple but interesting vulnerabilities: a use-after-free caused by wrong operation ordering, an interesting type confusion, an integer underflow, and some out-of-bounds accesses in the TPM 2.0 reference code.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/196.html
[00:00:00] Introduction
[00:00:27] Spot the Vuln - Just be Positive
[00:03:42] oss-sec: Linux kernel: CVE-2023-1118: UAF vulnerabilities in "drivers/media/rc" directory
[00:07:56] oss-sec: CVE-2023-1076: Linux Kernel: Type Confusion hardcodes tuntap socket UID to root
[00:11:21] GitHub - fuzzingrf/openbsd_tcpip_overflow: OpenBSD remote overflow
[00:14:36] Chat Question: What Language is Most Effective for Writing These Types of Exploits
[00:18:22] Vulnerabilities in the TPM 2.0 reference implementation code
[00:28:19] Chat Question: Skillset for Exploit Dev as part of a Red Team
[00:33:40] Espressif ESP32: Glitching The OTP Data Transfer

Mar 14, 2023 • 31min
[bounty] Stealing Secrets with Security Advisories and CorePlague
A few varied issues this week: exploiting an apparently unexploitable CRLF injection, organization secrets exposure in GitHub, and a Jenkins XSS.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/195.html
[00:00:00] Introduction
[00:00:25] Abusing Hop-by-Hop Header to Chain A CRLF Injection Vulnerability
[00:04:26] HubSpot Full Account Takeover in Bug Bounty
[00:12:22] Unauthorized access to organization secrets in GitHub
[00:17:39] CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE
[00:26:37] Firefly: a smart black-box fuzzer for web applications testing
[00:29:27] EJS - Server Side Prototype Pollution gadgets to RCE

Mar 9, 2023 • 34min
[binary] Hacking the DSi and some Fuzzing Tips
Just one vulnerability this week, about hacking the Nintendo DSi browser, but we have a good discussion about fuzzing and a new paper, "autofz".
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/194.html
[00:00:00] Introduction
[00:00:27] Spot the Vuln - Checking your Numbers
[00:03:23] autofz: Automated Fuzzer Composition at Runtime
[00:14:52] Alex Plaskett - Fuzzing Insights
[00:23:08] Hacking the Nintendo DSi Browser
[00:29:56] Espressif ESP32: Breaking HW AES with Electromagnetic Analysis
[00:32:08] Finding 10x+ Performance Improvements in C++ with CodeQL – Part 2/2 on Combining Dynamic and Static Analysis for Performance Optimisation

Mar 7, 2023 • 41min
[bounty] ImageMagick, Cracking SmartLocks, and Broken OAuth
This episode covers a lot of ground, from an insecure OAuth flow (Booking.com), to a crazy JSON injection and fail-open login system (DataHub), to hacking Bluetooth smart locks (Megafeis-palm). And even a new ImageMagick trick for a local file read.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/193.html
[00:00:00] Introduction
[00:00:26] Traveling with OAuth - Account Takeover on Booking.com
[00:13:25] Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks
[00:22:46] GitHub Security Lab audited DataHub: Here's what they found
[00:33:43] ImageMagick: The hidden vulnerability behind your online images
[00:38:49] CI/CD secrets extraction, tips and tricks
[00:39:30] A New Vector For “Dirty” Arbitrary File Write to RCE