

Day[0]
dayzerosec
A weekly podcast for bounty hunters, exploit developers, or anyone interested in the details of the latest disclosed vulnerabilities and exploits.

Mar 2, 2023 • 29min
[binary] A GPU Bug and the World's Worst Fuzzer Findings
Just a couple of issues this week: a cache coherency issue, because the functions used to flush changes were not implemented on AArch64, and a second bug found using the "world's worst fuzzer". A dumb fuzzer, but it worked.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/192.html
[00:00:00] Introduction
[00:00:24] Spot the Vuln - Targeting
[00:06:16] Vulnerability Reward Program: 2022 Year in Review
- Correction: I mistakenly thought Google's Bug Hunter University was older than it is. It was started in 2021.
[00:12:56] The code that wasn't there: Reading memory on an Android device by accident
[00:22:37] Using the “World’s Worst Fuzzer” To Find A Kernel Bug In The FiiO M6
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

Feb 28, 2023 • 38min
[bounty] Param Pollution in Golang, OpenEMR, and CRLF Injection
Parameter pollution for an auth bypass, SQL injection in an ORM, CRLF injection for a WAF bypass...this episode has a great mix of issues.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/191.html
[00:00:00] Introduction
[00:00:26] OpenEMR - Remote Code Execution in your Healthcare System
[00:10:13] Vulnerability write-up - "Dangerous assumptions"
[00:18:05] Chat Question: How do we find topics for the podcast?
[00:19:22] Exploiting Parameter Pollution in Golang Web Apps
[00:24:10] Using CRLF Injection to Bypass a Web App Firewall
[00:34:17] Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer

Feb 23, 2023 • 40min
[binary] Fuzzing cURL, Netatalk, and an Emulator Escape
This week we talk about more Rust pitfalls, and fuzzing cURL. Then we have a couple bugs, one involving messing with the TCP stack to reach the vulnerable condition.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/190.html
[00:00:00] Introduction
[00:00:27] Spot the Vuln - Insecure by Default
[00:02:20] cURL audit: How a joke led to significant findings
[00:09:45] Rustproofing Linux (Part 4/4 Shared Memory)
[00:11:25] Rustproofing Linux (Part 4/4 Shared Memory)
[00:17:22] Exploiting a remote heap overflow with a custom TCP stack
[00:34:20] mast1c0re: Part 3 - Escaping the emulator

Feb 21, 2023 • 33min
[bounty] Compromising Azure, Password Verification Fails, and Readline Crime
A variety episode this week with some bad cryptography in PHP and Azure, information disclosure in suid binaries, request smuggling in HAProxy, and some research on testing for server-side prototype pollution.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/189.html
[00:00:00] Introduction
[00:00:22] PHP :: Sec Bug #81744 :: Password_verify() always return true with some hash
[00:11:25] Readline crime: exploiting a SUID logic bug
[00:18:05] Azure B2C Crypto Misuse and Account Compromise
[00:24:32] BUG/CRITICAL: http: properly reject empty http header field names · haproxy/haproxy@a8598a2
[00:27:23] Server-side prototype pollution: Black-box detection without the DoS
[00:30:47] ThinkstScapes 2022.Q4

Feb 16, 2023 • 45min
[binary] Rusty Kernel Bugs, mast1c0re, and OpenSSH
A few discussions this week, from using ASAN more effectively to vulnerabilities in Rust code, and some discussion about exploiting the OpenSSH double free.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/188.html
[00:00:00] Introduction
[00:00:31] Spot the Vuln - Too Soft
[00:04:19] One Weird Trick to Improve Bug Finding With ASAN
[00:08:27] Rustproofing Linux (Part 2/4 Race Conditions)
[00:22:39] OpenSSH Pre-Auth Double Free Writeup & PoC [CVE-2023-25136]
[00:34:14] mast1c0re: Part 2 - Arbitrary PS2 code execution
[00:42:39] All about UndefinedBehaviorSanitizer

Feb 14, 2023 • 31min
[bounty] Top 2022 Web Hacking Techniques and a Binance Bug
A bit slow this week, so we talk about the top web hacking techniques of 2022 and some TruffleSec/XSS Hunter drama before covering a blockchain verification bug and a simple path traversal to SSTI and RCE chain.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/187.html
[00:00:00] Introduction
[00:00:32] Top 10 web hacking techniques of 2022
[00:06:30] TruffleSec/XSSHunter Drama
[00:15:33] Binance Smart Chain Token Bridge Hack
[00:24:01] Insecure path join to RCE via SSTI [CVE-2023-22855]
[00:29:06] Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation)

Feb 9, 2023 • 33min
[binary] An XNU Exploit and a Chrome Heap Overflow
First, we take a look at some positive changes to OSS Fuzz, then we dive into some vulnerabilities. This includes an XNU heap out-of-bounds write vulnerability, a Chrome heap-based overflow vulnerability, and an out-of-bounds read in cmark-gfm that, while probably not exploitable, is still intriguing.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/186.html
[00:00:00] Introduction
[00:00:22] Spot the Vuln - The Great String Escape
[00:03:03] Taking the next step: OSS-Fuzz in 2023
[00:09:48] XNU Heap Underwrite in dlil.c [CVE-2023-23504]
[00:19:10] Chrome heap buffer overflow in validating command decoder [CVE-2022-4135]
[00:26:19] Out-of-bounds read in cmark-gfm [CVE-2023-22485]

Feb 7, 2023 • 41min
[bounty] Facebook Account Takeovers and a vBulletin RCE
Is it possible to escalate a self-XSS into an account takeover? Perhaps; we take a look at some potential options that abuse single sign-on. Then we look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/185.html
[00:00:00] Introduction
[00:00:21] Single-Sign On Gadgets: Escalate (Self-)XSS to Account Takeover
[00:11:11] Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing
[00:14:00] DOM-XSS in Instant Games due to improper verification of supplied URLs
[00:18:55] Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
[00:29:33] Unserializable, but unreachable: Remote code execution on vBulletin
[00:34:54] Lexmark MC3224adwe RCE exploit

Feb 2, 2023 • 41min
[binary] KASAN comes to Windows and Shuffling ROP Gadgets
A discussion-heavy episode this week, talking about KASAN landing on Windows, shuffling gadgets to make ROP harder, and a paper about automatic exploit primitive discovery.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/184.html
[00:00:00] Introduction
[00:00:26] Spot the Vuln - Just the Data
[00:04:20] Introducing kernel sanitizers on Microsoft platforms
[00:14:54] Fun with Gentoo: Why don't we just shuffle those ROP gadgets away?
[00:25:14] Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs
[00:35:44] Armed to Boot: an enhancement to Arm's Secure Boot chain
[00:37:24] Pwning the all Google phone with a non-Google bug
[00:39:01] AMD SP Loader

Jan 31, 2023 • 28min
[bounty] CSS Injection and a Google Cloud Project Takeover Bug
Starting off the week strong we have a CSS injection turned full-read SSRF, and a MyBB exploit chain from XSS to server-side code injection. And we've got a couple auth token disclosures to end off the episode.
Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/183.html
[00:00:00] Introduction
[00:00:22] Unleashing the power of CSS injection: The access key to an internal API
[00:06:50] MyBB <= 1.8.31: Remote Code Execution Chain
[00:18:53] Client-Side SSRF to Google Cloud Project Takeover [Google VRP]
[00:24:38] Account Takeover in KAYAK