Vulnerabilities tagged 'background'

Nitro Pro PDF JavaScript document.flattenPages JSStackFrame stack-based use-after-free vulnerability

This Talos report covers a non-trivial issue where a pointer to a stack frame is used after that frame has gone out of scope when invoking the JS bindings that Nitro Pro PDF exposes to document creators for automating aspects of the document. When one of these bindings needs to be executed by the SpiderMonkey library, the js32u.dll!js_Invoke function is used to create stack space and push a JSStackFrame object to be used by the invoked binding…


Cross-Account Container Takeover in Azure Container Instances

tl;dr Cool chain to escape and impact other containers on Azure Container Instances hosted on Kubernetes clusters (some instances are hosted on Service Fabric clusters, which are not vulnerable in this way). The first step is the container escape itself into the containing node/VM, followed by a leaked JWT that can be used to run commands against all nodes in the cluster.


Three Facebook Bugs Leading to Account Takeover

tl;dr - The OAuth endpoint parses the URL parameters redirect_uri and redirect_uri[0 (note the missing ]) as referring to the same variable, so the second occurrence overwrites the first. The front-end, however, treats them as two distinct keys, so it redirects the OAuth token to the value of redirect_uri while the endpoint validates the other value, which points to a whitelisted location.
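As an added illustration of the parser differential described above (this is constructed example code, not Facebook's implementation): the two query-string parsers below are assumptions that model the behaviour the summary describes, one collapsing anything after the first `[` into the base name with last-value-wins, the other keeping raw names distinct with first-value-wins. The allowlist, client_id and URLs are made up. A hardened variant follows, which parses once, rejects bracketed or repeated names, and uses the same value it validated.

```python
from urllib.parse import parse_qsl, urlparse

# Constructed allowlist for the example; the real service's list is not on the page.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def backend_params(query):
    """Model of the validating endpoint (assumption): the part of the name before
    the first '[' is the variable name, so 'redirect_uri' and 'redirect_uri[0'
    land in the same slot and the later occurrence overwrites the earlier one."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params[key.split("[", 1)[0]] = value
    return params


def frontend_params(query):
    """Model of the front-end (assumption): raw names are distinct keys and the
    first occurrence of a name wins."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def backend_accepts(query):
    """True when the value the backend sees for redirect_uri is allowlisted."""
    uri = backend_params(query).get("redirect_uri")
    return uri is not None and urlparse(uri).hostname in ALLOWED_REDIRECT_HOSTS


def frontend_redirect_target(query):
    """The URL the front-end would actually send the token to."""
    return frontend_params(query).get("redirect_uri")


def strict_redirect_target(query):
    """Hardened variant: a single parse, any bracketed or repeated name rejected,
    and the value that is validated is the value that is returned for use.
    Returns None when the request is ambiguous or not allowlisted."""
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key or "]" in key or key in seen:
            return None
        seen[key] = value
    uri = seen.get("redirect_uri")
    if uri is None or urlparse(uri).hostname not in ALLOWED_REDIRECT_HOSTS:
        return None
    return uri


# Constructed request: attacker-controlled value first, allowlisted value second
# under the bracketed name.
EXPLOIT_QUERY = ("client_id=123&redirect_uri=https://attacker.example/cb"
                 "&redirect_uri[0=https://app.example.com/cb")
# Constructed well-formed request for comparison.
BENIGN_QUERY = "client_id=123&redirect_uri=https://app.example.com/cb"

if __name__ == "__main__":
    print("backend accepts:", backend_accepts(EXPLOIT_QUERY))
    print("front-end redirects to:", frontend_redirect_target(EXPLOIT_QUERY))
    print("strict target (exploit):", strict_redirect_target(EXPLOIT_QUERY))
    print("strict target (benign):", strict_redirect_target(BENIGN_QUERY))
```

The point of the hardened variant is not the bracket rule itself but that validation and use operate on one parsed value; any time two components parse the same request independently, the allowlist check only protects the component that performed it.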


Security probe of Qualcomm MSM data services

First goes into some background details on QMI, what kinds of services it provides, and how they fuzzed the interface (QEMU's Hexagon support was used to emulate the modem, in conjunction with AFL). They then talk about one of the vulns the fuzzer dug up, a heap overflow in the voice service's call_config_req handler…