186 - An XNU Exploit and a Chrome Heap Overflow

First, we take a look at some positive changes to OSS Fuzz, then we dive into some vulnerabilities. This includes an XNU heap out-of-bounds write vulnerability, a Chrome heap-based overflow vulnerability, and an out-of-bounds read in cmark-gfm that, while probably not exploitable, is still intriguing.

185 - Facebook Account Takeovers and a vBulletin RCE

Is it possible to escalate a self-XSS into an account takeover? Perhaps, we take a look at some potential options by abusing single-sign on. Then we take a look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP.

182 - Exploiting Null Derefs and Windows Type COM-fusion

Null-dereferences might not be too exploitable on a lot of systems, what about the handling of a null-dereference. We cover a great Project Zero post on the topic, then look at a type confusion in Windows COM, a Nintendo buffer overflow, and several memory corruptions in git, highlighting their unique primitives and potential exploitability.

180 - An iPod Nano Bug, XNU Vuln, and a WebKit UAF

An Apple-focused episode this week, with a trivial iPod Nano BootRom exploit, and a WebKit Use-after-free. We also have a really cool XNU Virutal Memory bug, strictly a race condition and a logic differential between two alternate paths resulting in bypassing copy-on-write protection. We also handle a few questions from chat, how much reverse engineering is necessary for vuln research, how much programming knowledge is required, and a bit about AI's applicability to reverse engineering.

179 - Client-Side Path Traversal and Hiding Your Entitlement(s)

This week kicks off with another look at client-side path traversal attacks, this time with some more case-studies. Then we get into some mobile issues, one a cool desync between DER processors resulting in an iOS privilege escalation. The other a Bundle processing issue in Android that provides an almost use-after-free like primitive but in Java.