This week's binary exploitation episode has some pretty solid bugs.A string escaping routine that goes out of bounds, a web-based information disclosure. And a couple kernel issues, one in the Windows registry, a logical bug leading to memory corruption, and an AppleSPU out of bounds access.

For this week's bug bounty podcast We start off with a bit of a unique auth bypass in a firewall admin panel. We've also got a couple desktop-based software bugs, with a Docker Desktop privilege escalation on windows, and a chfn bug. We've also got a couple escalation techniques, one for Azure environments, and another trick for exploiting semi-controlled file-writes.

Part one: https://dayzerosec.com/blog/2023/04/17/reversing-the-amd-secure-processor-psp.html This is a follow-up part 2 to my previous post on the AMD Secure Processor (formerly known as the Platform Security Processor or "PSP"). In that post, I mentioned that the Cryptographic Co-Processor (CCP) is an essential component of how the PSP functions. It's primarily responsible for hardware-accelerated cryptography, but it's also used as a Direct Memory Access (DMA) copy engine for doing mass copy

AMD's Secure Processor (formerly known as Platform Security Processor or "PSP") is a very interesting piece of technology that is critical to the operation of all modern-day AMD CPUs. There's also very little public information about it and because of that, it's commonly misunderstood and fantasized about. Not only is it at the top of the chain of trust, but it's also responsible for initializing the CPU and facilitating attestation (TPM), hardware-accelerated crypto, and Secure Encrypted Virtua

We start with a hardware/glitching attack against the Wii U, then lets talk about integer overflows. We've got three integer overflows this week that lead to buffer overflows in different ways.

Some fun issues this week as we explore code execution in Synthetics Recorder stemming from a comment in the code. An auth bypass in Pentaho leading to RCE via SSTI, car theft via CAN bus message injection, and how to become a cluster admin from a compromised pod in AWK Elastic Kubernetes Service.

Just a few bugs this week, a classic buffer overflow because of an unbounded copy in SNIProxy. mast1c0re Part 2 with a few more easy vulnerability but some more complex and difficult exploitation. And a Samsung NPU in-the-wild double free.

Some audio issues this week, sorry for the ShareX sound. But we have a few interesting issues. A curl quirk that it might be useful to be aware of, Azure Pipelines vulnerability abusing attacker controlled logging. A look at a pretty classic Android/mobile bug, and a crazy auth misconfiguration (BingBang).

Its our 200th episode, and we've got some stats from our first 200 episodes. Then we talk some Pwn2Own policy changes, a couple memeable overflows, and some new anti-ROP mitigations on OpenBSD.

A look back at some statistics from our first 200 episodes of the dayzerosec podcast.