Not a lot of interesting binary exploitation topics for this week, we've got a DHCPv6 service vuln, and a fun idea to use a timing side-channel to improve exploit stability. Then we end with a discussion about Rust coming the Windows operating system, what Rust means for the future of exploit development and vulnerability research and the value of memory corruption in Windows.
On this weeks bug bounty podcast we take a look at a few interesting issues. While they are all patched, there is reason to believe they'd all creep up in other applications too. First up is an RCE due to nested use of an escaped string. Second a fgets loop that doesn't account for long lines. A XML signature verification tool with a deceptive interface, and last a look at how Bash's privileged mode can backfire.
This week's binary exploitation episode has some pretty solid bugs.A string escaping routine that goes out of bounds, a web-based information disclosure. And a couple kernel issues, one in the Windows registry, a logical bug leading to memory corruption, and an AppleSPU out of bounds access.
For this week's bug bounty podcast We start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple desktop-based software bugs, with a Docker Desktop privilege escalation on windows, and a chfn bug. We've also got a couple escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file-writes.
Part one: https://dayzerosec.com/blog/2023/04/17/reversing-the-amd-secure-processor-psp.html This is a follow-up part 2 to my previous post on the AMD Secure Processor (formerly known as the Platform Security Processor or "PSP"). In that post, I mentioned that the Cryptographic Co-Processor (CCP) is an essential component of how the PSP functions. It's primarily responsible for hardware-accelerated cryptography, but it's also used as a Direct Memory Access (DMA) copy engine for doing mass copy
AMD's Secure Processor (formerly known as Platform Security Processor or "PSP") is a very interesting piece of technology that is critical to the operation of all modern-day AMD CPUs. There's also very little public information about it and because of that, it's commonly misunderstood and fantasized about. Not only is it at the top of the chain of trust, but it's also responsible for initializing the CPU and facilitating attestation (TPM), hardware-accelerated crypto, and Secure Encrypted Virtua
We start with a hardware/glitching attack against the Wii U, then lets talk about integer overflows. We've got three integer overflows this week that lead to buffer overflows in different ways.
Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code. An auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWK Elastic Kubernetes Service.
Just a few bugs this week, a classic buffer overflow because of an unbounded copy in SNIProxy. mast1c0re Part 2 with a few more easy vulnerability but some more complex and difficult exploitation. And a Samsung NPU in-the-wild double free.
Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues. A curl quirk that it might be useful to be aware of, Azure Pipelines vulnerability abusing attacker controlled logging. A look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).