208 - Timing Attack for Exploitation and VR in the wake of Rust

Not a lot of interesting binary exploitation topics for this week, we've got a DHCPv6 service vuln, and a fun idea to use a timing side-channel to improve exploit stability. Then we end with a discussion about Rust coming the Windows operating system, what Rust means for the future of exploit development and vulnerability research and the value of memory corruption in Windows.

207 - Git Config Injection and a Sophos Pre-Auth RCE

On this weeks bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they'd all creep up in other applications too. First up is an RCE due to nested use of an escaped string. Second a fgets loop that doesn't account for long lines. A XML signature verification tool with a deceptive interface, and last a look at how Bash's privileged mode can backfire.

206 - A Ghostscript RCE and a Windows Registry Bug

This week's binary exploitation episode has some pretty solid bugs.A string escaping routine that goes out of bounds, a web-based information disclosure. And a couple kernel issues, one in the Windows registry, a logical bug leading to memory corruption, and an AppleSPU out of bounds access.

205 - SecurePoint UTM, Chfn, and Docker Named Pipe Vulns

For this week's bug bounty podcast We start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple desktop-based software bugs, with a Docker Desktop privilege escalation on windows, and a chfn bug. We've also got a couple escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file-writes.

Reversing the AMD Secure Processor (PSP) - Part 2: Cryptographic Co-Processor (CCP)

Part one: https://dayzerosec.com/blog/2023/04/17/reversing-the-amd-secure-processor-psp.html This is a follow-up part 2 to my previous post on the AMD Secure Processor (formerly known as the Platform Security Processor or "PSP"). In that post, I mentioned that the Cryptographic Co-Processor (CCP) is an essential component of how the PSP functions. It's primarily responsible for hardware-accelerated cryptography, but it's also used as a Direct Memory Access (DMA) copy engine for doing mass copy

Reversing the AMD Secure Processor (PSP) - Part 1: Design and Overview

AMD's Secure Processor (formerly known as Platform Security Processor or "PSP") is a very interesting piece of technology that is critical to the operation of all modern-day AMD CPUs. There's also very little public information about it and because of that, it's commonly misunderstood and fantasized about. Not only is it at the top of the chain of trust, but it's also responsible for initializing the CPU and facilitating attestation (TPM), hardware-accelerated crypto, and Secure Encrypted Virtua

203 - Pentaho Pre-Auth RCE and Theft by CAN Injection

Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code. An auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWK Elastic Kubernetes Service.

201 - Bamboozling Bing and a Curl Gotcha

Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues. A curl quirk that it might be useful to be aware of, Azure Pipelines vulnerability abusing attacker controlled logging. A look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).