Podcast
Episode 40 - Auth Bypass, XSS, RCE and more
Authentication bypasses, SQL injection, command injection, and more in this web-exploit heavy episode.
Episode 66 - BlackHat USA, Pre-Auth RCEs, and JSON Smuggling
This week we talk a bit about newly released Black Hat 2020 and NDSS 2021 presentation videos, before jumping into several pre-auth RCEs, and some interesting exploitation research to bring a PAC-enforced Shadow Stack to ARM and an examination of JSON parser interoperability issues.
Episode 64 - Industrial Control Fails and a Package disguised in your own supply
"Beg Bounty" hunters, dependency confusion, iOS kernel vuln, and how not to respond to security research.
Episode 63 - MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit
A lot of discussion this week about OSS security and security processes, an iOS kernel type confusion, and a MediaTek bootloader bypass impacting everything since at least 2014.
Episode 62 - OSED, North Korean hackers, NAT Slipstream 2.0, and PGP (in)security
Starting with a long discussion about the North Korean hackers targeting security researchers, and some thoughts (rants) about the newly released Windows exploit dev course from Offensive Security, before getting into some real exploits including NAT Slipstreaming 2.0 and a new Sudo vuln.
Episode 61 - Snooping YouTube History and Breaking State Machines
This week is a shorter episode, but still some solid bugs to look at. From a full-chain Chrome exploit, to a Kindle chain from remote to root, and an eBPF incorrect calculation leading to OOB read/write.
Episode 60 - Breaking Lock Screens & The Great Vbox Escape
Several lockscreen-related vulnerabilities this week, a cross-site leak, and the hijacking of all .cd domains.
Episode 59 - Universal Deserialization, Stealing Youtube Videos, and CTFs
A new universal deserialization gadget for Ruby, a Rocket.Chat SAML auth bypass, and some heap exploitation research.
Episode 58 - Hacking Nintendo 3DS, Apple vs Corellium, and Android Bugs
An update on Apple v. Corellium, some 3DS vulnerabilities, and some drama on this week's episode.
Episode 57 - Fireeye, PS4 exploit, and MacOS LPE
Big news this week as several government agencies and contractors may have been compromised. We also have a number of great writeups this week covering everything from a PS4 WebKit exploit to macOS and Windows.
Episode 56 - Rooting iOS, Hacking with cURL, and the end of Use-After-Free
Some solid exploit development talk in this episode as we look at an iOS vuln, discuss the exploitability of a cURL buffer overflow and examine a new kernel UAF mitigation.
Episode 55 - Bad Blocklists, Legal News, and Windows Vulns
More SD-WAN pwn, more Tesla hacks, a potential RCE in Drupal, and a couple of Windows vulns.
Episode 54 - Jailbreaks, Stealing Playstation Accounts, and Automatic Exploit Generation
This week we talk a bit about some Black Friday deals before jumping into another SD-WAN pwn, some jailbreaks, and research into automatic exploit generation.
Episode 53 - Hacking Voatz and Rooting Ubuntu
Some interesting tips and tricks as we look at multiple privilege escalations, from XNU to Ubuntu, Bitdefender, and Dropbox (HelloSign).
Episode 52 - Pwn2Own, Tianfu Cup, and Other Hacks
A Facebook DOM-based XSS, Rocket.chat and Github Actions RCEs, and a Brave Browser information disclosure in this week's episode.
Episode 51 - A Look at OSEP, Hacking Metasploit, and the Legal Risks of Research
This week we are joined by CTS to discuss fuzzing. We also take a look at PEN-300/OSEP before jumping into this week's exploits, from NAT Slipstreaming to a Metasploit command injection and plenty in between.
Episode 50 - Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs
A lot to cover in this episode, from high-performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course, many vulns, from GitHub RCEs to VMware Workstation race conditions.
Episode 49 - Some Discord, a Bad Neighbor and a BleedingTooth
It has been a while since we had an exploit extravaganza but here we are. Several binary-level issues from Bad Neighbor on Windows to BleedingTooth on Linux, and several vulns in Qualcomm SoCs, even a Discord RCE.
Episode 48 - Breaking into HashiCorp Vault, Apple and Google
It's a web-exploit-heavy episode impacting Apple, HashiCorp, Azure, Google, and even a DOMPurify bypass. Then we end off with a look into benchmarking fuzzers, and a look at the House of Muney heap exploitation technique.
Episode 47 - Fingerprinting Exploit Devs, BLURtooth and Punking Punkbuster
Ever wondered how you might fingerprint and trace exploit devs in the wild? Wondered what a backdoor in a D-Link router looks like? Want to hack Facebook (for Android)? We have all of that and more!
Episode 46 - Instagram Hacks, Half-life 1 Exploits, and Gaslighting Android
Let's go back in time to look at the leaked WinXP source and a Half-Life 1 exploit. And, while we are at it, a couple of Instagram vulns and a cheap hardware attack against Android.
Episode 45 - Bhyves and Evil LEDs (+Roulette)
A "trivial" Bhyve VM escape, a BitWarden "RCE", a ModSecurity "Denial of Service" and more scare quotes for your enjoyment in this week's episode.
Episode 44 - Raccoons, Incomplete fixes and Kernel Exploits
Leading off this week's discussion is the news about the now remote CCC and Offensive Security's plans to retire OSCE. On the exploit side of things, this week we have a few recent bug bounties including a Google Maps XSS, a FreeBSD TOCTOU, and a couple of Linux kernel vulnerabilities.
Episode 43 - Zoom E2E, 15 year old bugs, and killing 20 year old attacks
A quick chat about E2E crypto and Zoom, followed by a few noteworthy exploits including Bluetooth impersonation, a 15-year-old qmail CVE, NordVPN, and an RCE in Google. Ending with some mitigation research looking at making singly linked lists safe, XSS prevention, and code-reuse gadgets.
Episode 42 - iOS 0days are worthless, PrintDemon, and a takeover of hackerone
Are iOS 0days now worthless? Can you hack a satellite...or hackerone? Are WAFs worthwhile? And more on a fairly discussion heavy episode of DAY[0].
Episode 41 - Defcon is canceled, Microsoft was hacked, Rust has vulns
It was a busy week: Microsoft's GitHub account was hacked, CenturyLink routers have no security, and multiple interactionless RCEs in Samsung phones.
Episode 65 - PDF Exploits, GPGME Making Mistakes EZ and Favicon Tracking
A couple privacy violations, PDF exploits, and a complicated API being misused by developers.
Episode 39 - Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE
Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available on the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days.
Episode 38 - Binary Ninja's Decompiler, git credential leak, cross-platform LPEs
Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler... okay, probably not, but it is exciting. We've also got some stupid issues and some interesting LPEs this episode.
Episode 37 - IDA...Go home, Sandboxie source, and some RCEs (TP-Link, Starcraft 1, OhMyZsh)
Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware and ending with a subtle crypto-bug.
Episode 36 - Zoom-ers, VM Escapes, and Pegasus Resurfaces
First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up with some interesting vulnerabilities including a hypervisor guest-to-host escape, a complicated Safari permissions bypass, and a GitLab parser differential.
Episode 35 - A shortcut (.lnk) to RCE, Pi-Hole, Shadow Stacks, and fine-grained kASLR
Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few other vulnerabilities impacting Windows, Pi-hole and Netflix. And end by looking at Windows' new hardware-enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux.
Episode 34 - Pwn2Own Results, Voatz (again), some web-exploits and a code-reuse mitigation
More discussion about election hacking with Voatz undergoing a more complete security assessment, we also discuss a few interesting web attacks and end with a good discussion about a new code-reuse mitigation: Hurdle.
Episode 33 - How to Hack a CTF and more (LVI, TRRespass and some web-exploits)
Start off by looking at a few Google Cloud attacks, a couple named vulns (LVI: Load Value Injection, and TRRespass) and then into some web-focused exploits including how to hack a CTF.
Episode 32 - FuzzBench, MediaTek-su, Request Smuggling, and Memory Tagging
A new AMD side channel, an old Intel CSME attack, a couple of deserialization attacks, a few clever but not terribly useful attacks, and some discussion about memory tagging on this week's episode of DAY[0].
Episode 31 - One-Two-Three Named Vulns (kr00k, Forgot2kEyXCHANGE, GhostCat) and more OpenSMTPD and Samsung Vulnerabilities
Join Specter and zi as they discuss several named vulns (kr00k, Forgot2kEyXCHANGE, GhostCat), the benefits of DNS-over-HTTPS, and a few vulns in some of our regular targets: Samsung drivers, NordVPN, OpenSMTPD.
Episode 30 - A Dark White-Hat hacker? and various vulns ft. Cisco, Periscope, NordVPN and Tesla/EyeQ
Keeping up our streak, we talk about some vulnerabilities in Cisco, NordVPN and Tesla, and about SlickWraps being hacked by a very dark, white-hat.
Episode #29 - A New PWK/OSCP, Election Hacking, Kernel Exploits, and Fuzzing
Is the new OSCP worth it? Can election apps be made secure? We'll talk about those questions, several kernel exploits, and a few cool fuzzing innovations.
Episode #28 - Hack Twitter, WhatsApp and all your Cisco phones (CDPwn) ft. GhostKnight
Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco, vulns for days impacting several big names and a couple new attack ideas, blind regex injection and GhostKnight a technique to breach data integrity using speculative execution.
Episode #27 - Ok Google, sudo ./hacktheplanet
Ok Google! Bypass authentication... and while we're at it, let's exploit sudo and OpenSMTPD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues.
Episode 26 - Return of the Zombieload, Bezos Hacked, and other exploits
This week we look at 15 CVEs, including the new MDS attacks/ZombieLoad and GhostImage, a cool attack against vision-based classification systems. We also have a discussion about mobile vs desktop security.
Episode 25 - Project Verona, CurveBall, CableHaunt, and RCEs-a-plenty
Start off with some discussions about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week including CurveBall, CableHaunt, and an RDP RCE.
Episode 24 - SHA-mbles, Shitrix, Responsible Disclosure, and wtf is TikTok doing.
Start off with zi fumbling to describe SHA-mbles, but quickly get into our groove as we discuss #Shitrix, responsible disclosure, and other exploits.
Episode 23 - First Edge bounty, Hacking Tesla, Cisco advisories, and Shadow Clones
First episode of the decade! First, CCC then some Kali news and all the technical details we can find behind several issues impacting the new Edge browser, Teslas, Cisco DC Network Manager, and others. Ending off with a discussion about a Data-Oriented Programming attack mitigation: Shadow clones.
Episode 22 - PlunderVolt, Real-World Bug Hunting, Presidents Cup CTF, SockPuppet and more
Starting off the episode is a quick review of Real-World Bug Hunting before moving into this week's news and the Plundervolt vulnerability.
Episode 21 - Permanent DoS, HackerOne Hacked, and Wide-OpenBSD
Permanent Android DoS vulnerability, snooping on VPN traffic, value of anti-viruses, contact-less payment vulnerabilities, and more in this episode of DAY[0]
Episode 20 - CWE Top 25, Hacking Anti-Viruses and Adversarial Machine Learning Attacks
In this episode we discuss some recent news regarding encryption laws, and the DHS updating the CWE Top 25 list. Then move into a handful of exploits before ending with some discussions about defending and attacking machine learning systems.
Episode 19 - What Does The NSA Say?
In this episode we discuss a recent NSA advisory regarding best practices for intercepting TLS traffic. We also take a look at a recent DOM Clobbering (XSS) finding, several VNC exploits, and end with a discussion on fuzzer performance and hardening against power-analysis side channels.