Episode 69 - Fast Fuzzing, Malicious Pull Requests, and Rust in my kernel?!

Time to rewrite Linux in Rust? Probably not, but it has landed in linux-next which we talked about. We also look at a couple interesting GitHub vulns, and talk about fuzzing.

• [00:00:28] Rust in the Linux Kernel
  
  • https://www.youtube.com/watch?v=FFjV9f_Ub9o&t=2066s
    
  • https://lkml.org/lkml/2020/7/9/952
    
  • https://lkml.org/lkml/2020/7/10/1261
    
• [00:13:40] Two Undocumented Instructions to Update Microcode Discovered
  
• [00:19:06] DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS
  
• [00:26:46] Abusing VoIPmonitor for Remote Code Execution
  
• [00:32:18] Stealing arbitrary GitHub Actions secrets
  
• [00:40:29] How we found and fixed a rare race condition in our session handling
  
• [00:49:05] GitLab - Ability To Delete User(s) Account Without User Interaction
  
• [00:52:49] New Old Bugs in the Linux Kernel
  
  • https://github.com/grimm-co/NotQuite0DayFriday/tree/trunk/2021.03.12-linux-iscsi
    
• [01:00:33] Fuzzing: FastStone Image Viewer [CVE-2021-26236]
  
• [01:06:53] A Replay-Style Deserialization Attack Against SharePoint [CVE-2021-27076]
  
• [01:12:38] One day short of a full chain: Part 2 - Chrome sandbox escape
  
• [01:18:58] Code execution in Wireshark via non-http(s) schemes in URL fields
  
• [01:21:59] Attacking and Defending OAuth 2.0 (Part 2 of 2: Attacking OAuth 2.0 Authorization Servers)
  
• [01:30:37] Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace
  
• [01:42:00] Pulling Bits From ROM Silicon Die Images: Unknown Architecture
  
• [01:42:28] 0dayfans.com
  
  • https://github.com/dayzerosec/feedgen
    
  • https://shop.spreadshirt.com/dayzerosec/
    

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)