Kicking off the week with a bit of Pwn2Own drama, then taking a look at an OAuth attack against Grammarly and a couple other sites, a fun little polyglot file based attack, and Citrix Bleed, a snprintf information disclosure vulnerability on the web.
Diving right into some binary exploitation issues this week. Starting wtih a look at a rare sort of curl vulnerability where a malicious server could compromise a curl user. Then we take a look at a pretty straight-forward type confusion in Windows kernel code, and an integer underflow in Safari with some questionable exploitation. Ending the episode with some thoughts on how impactful grsecurity's "constify" mitigation could be.
We've got a mix of topics this week, started with a bit of discussion around the recent Rapid Reset denial of service attack, before diving into a few vulnerabilities. A Node "permissions" module escape due to having a fail-open condition when unexpected but supported types are passed in. Then we talk about some common AWS Cognito issues, a fun little privilege escalation in Confluence, and a log injection bug leading to RCE.
Some complex and confusing vulnerabilities as we talk about the recent WebP 0day and the complexities of huffman coding. A data-only exploit to escape a kCTF container, the glibc LPE LOONY_TUNABLES, and a Chrome TurboFan RCE.
This week we've got some fun issues, including a WinRAR processing bug that results in code execution due (imo) to a filename adjustment when extracting that isn't performed consistently. A MyBB admin-panel RCE, fairly privileged bug but I think the bug pattern could appear elsewhere and is something to watch out for, And several silly issues in a "next-gen" firewall, including source disclosures and RCEs from the login page.
A binary summer-recap episode, looking at some vulnerabilities and research put out over the summer. Talking about what TPM really offers when it comes to full-disk encryption, some thoughts on AI in the fuzzing loop. Then into some cool bugs, kicking off with some ARM Memory Tagging Extension vulnerabilities, a `-fstack-protector` implementation failure and bypass, and then a look at a Android exploit that was found in-the-wild.
We are back, and talking about our summer with a lengthy discussion about our DEF CON experiences before getting into some favorite issues from the summer. Including a neat twist on a PHP security feature that might be using in your bug bounty chains. A look at classic crypto issue (unauthenticated encrypted blobs), and an easily missed caching issue.
Unfortunately, we will not be directly selling these shirts, but I have another post tutorial on how to reproduce the shirt if you want to put in the bit of extra work to get one.
Regex (bug-bounty style vulnerability)
We've covered this vulnerability multiple times on the podcast and it was our Spot the Vuln on Episode 152 (written in Golang).
The regex in allow. It looks normal, and if you test it in the obvious ways it seems to work. api.safe.com passes, api.notsafe.com fails. Because
Unfortunately, we will NOT be selling the "Spot the Vuln" shirts we mentioned on the podcast. Its just due to some tax things I don't have the time to deal with right now, maybe next year.
If you're willing to put in some effort though what follows is basically a tutorial on recreating the shirt within Printify so you can order it from a producer yourself.
Printify is kind-of a drop-shipping system for custom clothing. You can create a product that will be fulfilled by some producer. You can
This week we've got a handful of low-level vulns, VM-escape, Windows EoP, and a single IPv6 packet leading to a kernel panic/denial of service, and one higher-level issue with a bug chain in CS:GO.
This is our final episode until September 25th as we will be heading off on our regular summer break.