It seems that the syntax highlighting filter reads the `data-sourcepos` attribute rather permissively, accepting newlines and angle brackets. That value is then reflected back into the page, where the browser ends up interpreting as HTML some of the text the backend thought was still inside the attribute.
**tl;dr** Two CVEs: one an integer overflow caused by incorrectly assuming the compiler would shrink an `enum` down to a single byte, the other uninitialized kernel stack variables that could be exposed to userspace.
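Both bug classes above are easy to reproduce in miniature. The following is an added example, not code from the post or the affected project; the `msg_kind` enum, the `msg_info` struct and the fill routines are hypothetical. It shows that an `enum` is not a byte on mainstream ABIs, and that assigning a struct field by field leaves its padding holding whatever was previously on the stack, which is exactly what gets copied to userspace if the object is not cleared first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message type; names invented for this illustration. */
enum msg_kind { MSG_DATA = 0, MSG_CTRL = 1, MSG_CLOSE = 2 };

/* Record a hypothetical driver hands back to userspace. Someone reasoning
 * "three values fit in a byte" gets 4 bytes for `kind` on GCC/Clang without
 * -fshort-enums (the C standard only promises some integer type), which also
 * moves the padding holes around. */
struct msg_info {
    uint8_t       version;
    enum msg_kind kind;
    uint16_t      len;
    uint64_t      cookie;
};

/* Runtime view of the size assumption; a compile-time guard would be
 * _Static_assert(sizeof(enum msg_kind) == 1, ...) and it would fail here. */
size_t msg_kind_size(void)
{
    return sizeof(enum msg_kind);
}

/* Leaky pattern: field-by-field assignment never touches padding bytes, so
 * stale stack contents go out with the struct. */
void fill_info_leaky(struct msg_info *out, uint16_t len, uint64_t cookie)
{
    out->version = 1;
    out->kind    = MSG_DATA;
    out->len     = len;
    out->cookie  = cookie;
}

/* Fixed pattern: zero the whole object before filling it (kernel code would
 * memset or use a "= {}" initializer ahead of copy_to_user). */
void fill_info_fixed(struct msg_info *out, uint16_t len, uint64_t cookie)
{
    memset(out, 0, sizeof *out);
    fill_info_leaky(out, len, cookie);
}

/* Simulates stale stack contents deterministically: pre-fill the object's
 * storage with 0xAA, run one fill routine, then count bytes still 0xAA,
 * i.e. bytes that would leak. Field values are chosen so none of their
 * bytes equals 0xAA. */
size_t stale_bytes_after_fill(int use_fixed)
{
    union {
        struct msg_info info;
        unsigned char   raw[sizeof(struct msg_info)];
    } u;
    size_t stale = 0;

    memset(u.raw, 0xAA, sizeof u.raw);
    if (use_fixed)
        fill_info_fixed(&u.info, 5, 0x0102030405060708ULL);
    else
        fill_info_leaky(&u.info, 5, 0x0102030405060708ULL);

    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == 0xAA)
            stale++;
    return stale;
}
```

On x86-64 the leaky fill leaves 9 stale bytes (3 after `version`, 6 before `cookie`); the exact number is ABI-dependent, but it is never zero unless the object is cleared as a whole.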
Follow-up to the December post, which covered an integer overflow in the CoreGraphics PDF parser's JBIG2 image decoder and the weird machine / mini architecture built on top of it to execute code. This post covers the sandbox escape that was chained with it, which, unlike the first bug, is a logic issue rather than a memory corruption.
Two issues: first, an XSS requiring two injection points to bypass the web application firewall, and second, a cache poisoning attack that makes it possible for the XSS to be stored.
We've got two XSS "puzzles" in unnamed bounty programs, each with somewhat interesting exploit strategies. The original post is worth a read for more insight into the thought process leading to the discovery of each step.
It is possible for a malicious website to associate a visitor with a known Slack account. The attack relies on a difference in behavior when accessing a file with and without permission, and the ability to share a file with specific users...
The cool part of this paper is the speculative type confusion attack: the browser's optimizer is trained to expect that a memory access will be on a Uint8Array, and the CPU's branch predictor is trained to expect that it will always go down that path. The attack then changes both conditions, so the CPU speculatively executes the Uint8Array access using data from another object, aligned in memory such that two 32-bit JavaScript values become one 64-bit value.
Great exploit chain that starts with a newline injection, leads to the ability to write "2" to any file, and culminates in a login and root code execution, all doable from remotely hosted JavaScript.
12 CVEs, a few fundamental design issues, and some implementation issues. The implementation issues generally just removed some restrictions on abusing the design flaws, making them more practical...
Interesting post that covers a bit about the meta of bug-hunting in Source Engine games and some how-to information. There are two OOB read vulnerabilities used in the chain.
Two vulnerabilities. First, the `SCM_RUN_FROM_PACKAGE` environment variable within the Azure Function container contained a “Shared Access Signature” (SAS) that was scoped for read/write...
The base issue is that when handling a file upload (two code paths do this) the buffer is allocated based on the Content-Length header, but the memcpy uses the actual payload length, creating a heap overflow whenever the body is longer than the header claims.
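The shape of that bug, and the check that closes it, as an added example that is not code from the post or the affected product; the `upload_req` struct, the function names and the two sample requests are constructed for illustration. The vulnerable handler sizes the allocation from the header and the copy from the payload; the hardened one refuses any request where the two disagree and bounds the allocation so a huge Content-Length cannot be used for denial of service.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of a parsed upload request (constructed for this example). */
struct upload_req {
    size_t      content_length;  /* value of the Content-Length header, attacker-controlled */
    const char *body;            /* bytes actually received */
    size_t      body_len;        /* how many of them */
};

/* Vulnerable shape: allocation sized from the header, copy sized from the
 * payload. A body longer than Content-Length writes past the heap chunk. */
char *store_upload_vulnerable(const struct upload_req *r)
{
    char *buf = malloc(r->content_length);
    if (!buf)
        return NULL;
    memcpy(buf, r->body, r->body_len);   /* heap overflow when body_len > content_length */
    return buf;
}

/* Hardened: reject mismatched lengths before touching memory, and cap the
 * allocation. Returns NULL on rejection or allocation failure. */
#define UPLOAD_MAX (16u * 1024u * 1024u)

char *store_upload_hardened(const struct upload_req *r, size_t *out_len)
{
    if (r->content_length == 0 || r->content_length > UPLOAD_MAX)
        return NULL;
    if (r->body_len != r->content_length)   /* short or long body: don't guess */
        return NULL;
    char *buf = malloc(r->content_length);
    if (!buf)
        return NULL;
    memcpy(buf, r->body, r->body_len);
    if (out_len)
        *out_len = r->body_len;
    return buf;
}

/* How many bytes past the allocation the vulnerable copy would write for a
 * request (0 means no overflow). Lets the dangerous case be reasoned about
 * without executing it. */
size_t vulnerable_overflow_bytes(const struct upload_req *r)
{
    return r->body_len > r->content_length ? r->body_len - r->content_length : 0;
}

/* Two constructed requests: an honest one, and one whose header claims
 * 8 bytes while the body is 40 bytes long. */
static const char HONEST_BODY[] = "hello";
static const char LYING_BODY[]  = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

struct upload_req honest_request(void)
{
    struct upload_req r = { sizeof HONEST_BODY - 1, HONEST_BODY, sizeof HONEST_BODY - 1 };
    return r;
}

struct upload_req lying_request(void)
{
    struct upload_req r = { 8, LYING_BODY, sizeof LYING_BODY - 1 };
    return r;
}
```

Note that the hardened version rejects a short body as well as a long one: a body shorter than Content-Length is not a memory-safety problem, but it usually means a truncated or deliberately malformed request, and treating it as success leaves uninitialized tail bytes in the buffer.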