Podcast

Episode 44 - Raccoons, Incomplete fixes and Kernel Exploits

Leading off this week's discussion is the news about the now remote CCC and Offensive Security's plans to retire OSCE. On the exploit side of things, this week we have a few recent bug bounties including a Google Maps XSS, a FreeBSD TOCTOU, and a couple of Linux kernel vulnerabilities.

Episode 75 - Defcon Quals, Dead μops, BadAllocs, Wordpress XXE

Big episode this week, with a lot of discussion about CTFs, kernel drama, and Github's exploit policy. Then some really interesting exploit strategies on Tesla and Netgear, along with some simple, yet deadly issues in Wordpress and Composer.

Episode 73 - Windows Bugs, Duo 2FA Bypass, and some Reverse Engineering

Authentication bypasses, a Duo 2FA bypass, RCEs, a VM escape, and some reverse engineering writeups.

Episode 72 - Pwn2own, Linux Kernel Exploits, and Malicious Mail

MD5 is trending in 2021...a few kernel vulnerabilities, and some drama around pwn2own.

Episode 71 - Speculation in Predictive Store Forwarding, Broken Fixes, and Owning Rocket.Chat

One episode and several failed attempts to fix vulnerabilities, an interesting Rocket.Chat XSS and an exploitable TXT file abusing some weird features.

Episode 70 - Google exposes an APT campaign, PHP owned, and Several Auth Issues

Long episode this week as we talk about Google's decision to thwart a western intelligence operation (by fixing vulns), multiple authorization and authentication issues, and of course some memory corruption.

Episode 69 - Fast Fuzzing, Malicious Pull Requests, and Rust in my kernel?!

Time to rewrite Linux in Rust? Probably not, but it has landed in linux-next which we talked about. We also look at a couple interesting GitHub vulns, and talk about fuzzing.

Episode 68 - Hacking Cameras, Stealing Logins, and Breaking Git

RCE while cloning a Git repo, injecting video into network cameras, and stealing logins with HTML injection when XSS isn't possible.

Episode 67 - Buggy Browsers, Heap Grooming, and Broken RSA

This week we get to take a look into some basic heap grooming techniques as we examine multiple heap overflows. We also briefly discuss the hand-on (by the DoD and Synack) assessment of the "unhackable" morpheus chip, and briefly discuss the new-ish paper claiming to defeat RSA.

Episode 66 - BlackHat USA, Pre-Auth RCEs, and JSON Smuggling

This week we talk a bit about newly released Black Hat 2020 and NDSS 2021 presentation videos, before jumping into several pre-auth RCEs, and some interesting exploitation research to bring a PAC enforced Shadow Stack to ARM and an examination of JSON parser interoperability issues.

Episode 65 - PDF Exploits, GPGME Making Mistakes EZ and Favicon Tracking

A couple privacy violations, PDF exploits, and a complicated API being misused by developers.

Episode 64 - Industrial Control Fails and a Package disguised in your own supply

"Beg Bounty" hunters, dependency confusion, iOS kernel vuln, and how not to respond to security research.

Episode 63 - MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit

A lot of discussion this week about OSS security and security processes, an iOS kernel type confusion and MediaTek Bootloader bypass impacting everything since atleast 2014.

Episode 62 - OSED, North Korean hackers, NAT Slipstream 2.0, and PGP (in)security

Starting with a long discussion about the North Korean hackers targeting security reseachers, and some thoughts (rants) about the newly released Windows exploit dev course from Offensive Security before getting into some real exploits including NAT Slipstreaming 2.0 and a new Sudo vuln.

Episode 61 - Snooping YouTube History and Breaking State Machines

This week is a shorter episode, but still some solid bugs to look at. From a full chain Chrome exploit, to a Kindle chain from remote to root and a eBPF incorrect calculation leading to OOB read/write.

Episode 60 - Breaking Lock Screens & The Great Vbox Escape

Several lockscreen-related vulnerabilities this week, a cross-site leak, and the hijacking of all .cd domains.

Episode 59 - Universal Deserialization, Stealing Youtube Videos, and CTFs

A new universal deserialization gadget for Ruby, a Rocket.Chat SAML auth bypass, and some heap exploitation research.

Episode 58 - Hacking Nintendo 3DS, Apple vs Corellium, and Android Bugs

An update on Apple v. Corellium, some 3DS vulnerabilities, and some drama on this weeks episode.

Episode 57 - Fireeye, PS4 exploit, and MacOS LPE

Big news this week as several government agencies and contractors may have been compromised. We also have a number of great writeups this week covering everything from a PS4 webkit exploit, MacOS, and Windows.

Episode 56 - Rooting iOS, Hacking with cURL, and the end of Use-After-Free

Some solid exploit development talk in this episode as we look at an iOS vuln, discuss the exploitability of a cURL buffer overflow and examine a new kernel UAF mitigation.

Episode 55 - Bad Blocklists, Legal News, and Windows Vulns

More SD-PWN, more Tesla hacks, potential RCE in Drupal, and a couple windows vulns.

Episode 54 - Jailbreaks, Stealing Playstation Accounts, and Automatic Exploit Generation

This week we talk a bit about some Black Friday deals before jumping into another SD-WAN pwn, some jailbreaks, and research into automatic exploit generation.

Episode 53 - Hacking Voatz and Rooting Ubuntu

Some interesting tips and tricks as we look at multiple privileges escalations from XNU to Ubuntu, Bitdefender, and Dropbox (HelloSign).

Episode 52 - Pwn2Own, Tianfu Cup, and Other Hacks

A Facebook DOM-based XSS, Rocket.chat and Github Actions RCEs, and a Brave Browser information disclosure in this week's episode.

Episode 51 - A Look at OSEP, Hacking Metasploit, and the Legal Risks of Research

This week we are joined by CTS to discuss fuzzing. We also take at PEN-300/OSEP. Before jumping into this weeks exploits, from NAT Slipstreaming to a Metasploit command injection and plenty in between.

Episode 50 - Low-cost Penetration Testing, High Performance Fuzzing and Github RCEs

A lot to cover in this episode, from high performance fuzzing on GPUs, to low-cost pentesters, and APT groups. And, of course many vulns from GitHub RCEs to VMWare Workstation race conditions.

Episode 49 - Some Discord, a Bad Neighbor and a BleedingTooth

It has been a while since we had an exploit extravaganza but here we are. Several binary-level issues from Bad Neighbor on Windows to BleedingTooth on Linux, and several vulns in Qualcomm SoCs, even a Discord RCE.

Episode 48 - Breaking into HashiCorp Vault, Apple and Google

Its a web-exploit heavy episode impacing Apple, Hasicorp, Azure, Google, and even a DOMPurify Bypass. Then we end-off with a look into benchmarking fuzzers, and a look at the House of Muney heap exploitation technique.

Episode 47 - Fingerprinting Exploit Devs, BLURtooth and Punking Punkbuster

Every wondering how you might fingerprint and trace exploit devs in the wild? Wondered what a backdoor in a D-Link router looks like? Want to hack Facebook (for Android)? We have all of that and more!

Episode 46 - Instagram Hacks, Half-life 1 Exploits, and Gaslighting Android

Lets go back in time to look at the leaked WinXP source, and a Half-Life 1 exploit. And, while we are at it a couple Instagram vulns and a cheap hardware attack against Android.

Episode 45 - Bhyves and Evil LEDs (+Roulette)

A "trivial" Bhyve VM escape, a BitWarden "RCE", a ModSecurity "Denial of Service" and more scare quotes for your enjoyment in this week's episode.

Episode 74 - Bad Patches, Fuzzing Sockets, & 3DS Hacked by Super Mario

Some drama in the Linux Kernel and so many vulns resulting in code execution in Homebrew, GitLab, an air fryer, Source engine, Super Mario Maker, Adobe Reader and the Linux Kernel.

Episode 43 - Zoom E2E, 15 year old bugs, and killing 20 year old attacks

A quick chat about E2E Crypto and Zoom, followed by a few noteworth exploits including Bluetooth impersonation, a 15-year old qmail CVE, NordVPN, and an RCE in Google. Ending with some mitigation research looking at making singlely linked lists safe, XSS prevention, and Code-Reuse Gadgets.

Episode 42 - iOS 0days are worthless, PrintDemon, and a takeover of hackerone

Are iOS 0days now worthless? Can you hack a satellite...or hackerone? Are WAFs worthwhile? And more on a fairly discussion heavy episode of DAY[0].

Episode 41 - Defcon is canceled, Microsoft was hacked, Rust has vulns

It was a busy week, Microsofts Github account was hacked, Centurylink Routers have no security, and multiple interactionless RCEs in Samsung phones.

Episode 40 - Auth Bypass, XSS, RCE and more

Authentication bypasses, SQL injection, command injection, and more in this web-exploit heavy episode.

Episode 39 - Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE

Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available on the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days.

Episode 38 - Binary Ninja's Decompiler, git credential leak, cross-platform LPEs

Zoom vuln worth $500k? Probably not... What is worth $500k? Binary Ninja's new decompiler...okay probably not but it is exciting.We've also got some stupid issues and some interesting LPEs this episode.

Episode 37 - IDA...Go home, Sandboxie source, and some RCEs (TP-Link, Starcraft 1, OhMyZsh)

Starting off the week with a discussion about the disappointing IDA Home, before moving into a few easy command injections, code-reuse attacks applied to XSS, detecting trojaned hardware and ending with a subtle crypto-bug.

Episode 36 - Zoom-ers, VM Escapes, and Pegasus Resurfaces

First, we talk about Facebook trying to buy some spyware, and then we feast upon a number of Zoom "vulns." Follow that up wtih some interesting vulnerabilities including a hyper-visor Guest-to-host escape, a complicated Safari permissions bypass, and a Gitlab Parser Differential.

Episode 35 - A shortcut (.lnk) to RCE, Pi-Hole, Shadow Stacks, and fine-grained kASLR

Is there a shortcut to RCE? Well, on Windows .LNK files could be just that. We also talk about a few others vulnerabilities impacting Windows, Pi-Hole and Netflix. And end by looking at Window's new hardware enforced Shadow Stack and a proof-of-concept for fine-grained kASLR on Linux.

Episode 34 - Pwn2Own Results, Voatz (again), some web-exploits and a code-reuse mitigation

More discussion about election hacking with Voatz undergoing a more complete security assessment, we also discuss a few interesting web attacks and end with a good discussion about a new code-reuse mitigation: Hurdle.

Episode 33 - How to Hack a CTF and more (LVI, TRRespass and some web-exploits)

Start off by looking at a few Google Cloud attacks, a couple named vulns (LVI: Load Value Injection, and TRRespass) and then into some web-focused exploits including how to hack a CTF.

Episode 32 - FuzzBench, MediaTek-su, Request Smuggling, and Memory Tagging

A New AMD sidechannel, and an old Intel CSME attack, a couple deserialization attacks, and a few clever but not terribly useful attacks, and some discussion about memory tagging on this weeks episode of DAY[0].

Episode 31 - One-Two-Three Named Vulns (kr00k, Forgot2kEyXCHANGE, GhostCat) and more OpenSMTPD and Samsung Vulnerabilities

Join Specter and zi at they discuss several named vulns (kr00k, Forgot2kEyXCHANGE, GhostCat), the benefits of DNS-over-HTTPS, and a a few vulns in some of our regular targets: Samsung drivers, NordVPN, OpenSMTPd.

Episode 30 - A Dark White-Hat hacker? and various vulns ft. Cisco, Periscope, NordVPN and Tesla/EyeQ

Keeping up our streak, we talk about some vulnerabilities in Cisco, NordVPN and Tesla, and about SlickWraps being hacked by a very dark, white-hat.

Episode #29 - A New PWK/OSCP, Election Hacking, Kernel Exploits, and Fuzzing

Is the new OSCP worth-it? Can election apps be made secure? We'll talk about those questions and several kernel exploits and a few cool fuzzing innovations.

Episode #28 - Hack Twitter, WhatsApp and all your Cisco phones (CDPwn) ft. GhostKnight

Android, Bluetooth, Microsoft, NordVPN, Twitter, WhatsApp, Cisco, vulns for days impacting several big names and a couple new attack ideas, blind regex injection and GhostKnight a technique to breach data integrity using speculative execution.

Episode #27 - Ok Google, sudo ./hacktheplanet

Ok Google! Bypass authentication..and while we're at it, lets explot sudo and OpenSMPTD for root access. This week we dive into various code bases to explore several recent exploits that take advantage of some common yet subtle issues.

Episode 26 - Return of the Zombieload, Bezos Hacked, and other exploits

This week we look at 15 CVEs this week including the new MDS Attacks/Zombieload and GhostImage a cool attack against vision-based classification systems. We also have discussion about mobile vs desktop security.

Episode 25 - Project Verona, CurveBall, CableHaunt, and RCEs-a-plenty

Start off with some discussions about Google, privacy, Rust, and entitlement within open-source software. Then we look at some of the big vulns of the past week including CurveBall, CabelHaunt, and an RDP RCE.

Episode 24 - SHA-mbles, Shitrix, Responsible Disclosure, and wtf is TikTok doing.

Start off with zi fumbling to describe Sha-mbles, but quickly get into our groove as we discuss #Shitrix, Responsible Disclosure, and other exploits.

Episode 23 - First Edge bounty, Hacking Tesla, Cisco advisories, and Shadow Clones

First episode of the decade! First, CCC then some Kali news and all the technical details we can find behind several issues impacting the new Edge browser, Teslas, Cisco DC Network Manager, and others. Ending off with a discussion about a Data-Oriented Programming attack mitigation: Shadow clones.

Episode 22 - PlunderVolt, Real-World Bug Hunting, Presidents Cup CTF, SockPuppet and more

Starting off the episode is a quick review of Real-World Bug Hunting before moving into this week's news and the Plundervolt vulnerability.

Episode 21 - Permanent DoS, HackerOne Hacked, and Wide-OpenBSD

Permanent Android DoS vulnerability, snooping on VPN traffic, value of anti-viruses, contact-less payment vulnerabilities, and more in this episode of DAY[0]

Episode 20 - CWE Top 25, Hacking Anti-Viruses and Adversarial Machine Learning Attacks

In this episode we discuss some recent news regarding encryption laws, and the DHS updating the CWE Top 25 list. Then move into a handful of exploits before ending with some discussions about defending and attacking machine learning systems.

Episode 19 - What Does The NSA Say?

In this episode we discuss a recent NSA advisory regarding best practices for intercepting TLS traffic. We also take a look at a recent DOM Clobbering (XSS) finding, several VNC exploits, and end with a discussion on fuzzer performance and hardening against power-analysis side channels.

Episode 16 - A Bit of everything: 0days, Breaches, Lawsuits, Attacking AI, and some insecure

Episode 15 - NordVPN Again, Snowden, CPDoS, a PHP-RCE, and some console hacking

Episode 14 - Linux Exploits, Secure Credentials, Side-Channels and Election(SDK) hacking

Episode 13 - When your errors have errors...

Episode 12 - Exploits-galore iOS (checkm8), Android, Signal, Whatsapp, PHP and more