We've got a cloud focused episode this week, starting with a logging bypass in AWS CloudTrail, a SSH Key injection, and cross-tenant data access in Azure Cognitive Search.
An Apple-focused episode this week, with a trivial iPod Nano BootRom exploit, and a WebKit Use-after-free. We also have a really cool XNU Virutal Memory bug, strictly a race condition and a logic differential between two alternate paths resulting in bypassing copy-on-write protection. We also handle a few questions from chat, how much reverse engineering is necessary for vuln research, how much programming knowledge is required, and a bit about AI's applicability to reverse engineering.
This week kicks off with another look at client-side path traversal attacks, this time with some more case-studies. Then we get into some mobile issues, one a cool desync between DER processors resulting in an iOS privilege escalation. The other a Bundle processing issue in Android that provides an almost use-after-free like primitive but in Java.
In this episode, we discuss the discovery of a type confusion in Internet Explorer's JScript. We also explore a fun exploit strategy for a low-level memory management bug in the Linux kernel and delve into several issues in Huawei's Secure Monitor that enable code execution in the secure world.
A variety of issues this week, DOM Clobbering, argument injection, a filesystem race condition, cross-site scripting, and a normalization-based auth bypass.
The end of kASLR bypasses? Probably just click-bait, but the patch gap is real and we discuss that a bit before getting into a couple AI-based corruptions.