Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are more about the discovery of new attack surface rather than in the vulnerabilities themselves.
Vulnerabilities tagged 'background'
This Talos report covers a non-trivial issue where a stack pointer is used after it went out of scope when invoking JS bindings, which are provided to document creators by Nitro Pro PDF for automating aspects of the document. When one of these bindings needs to be executed by the SpiderMonkey library, the js32u.dll!js_Invoke function is used to create stack space and push a JSStackFrame object to be used by the invoked binding…
A rather non-intuitive bug where sending Content-Length: x would result in source disclosure on Apache.
tl;dr Cool chain to escape and impact other containers on Azure Container Instances hosted by Kubernetes clusters (some are hosted by Service Fabric Clusters which are not vulnerable in this way). First is the container escape itself into the containing node/VM, followed by a leaked JWT useful to run commands against all nodes in the cluster.
tl;dr - The OAuth endpoint parses the URL parameters redirect_uri and redirect_uri[0 (note the missing ]) as pointing to the same variable, allowing the second to overwrite the first. The front-end however sees them as two distinct keys and so redirects the OAuth token to the redirect_uri while the endpoint validates that the other value points to a whitelisted location.
Plenty of background here, both in terms of software, architecture, and testing environment. Probably worth checking out if you want to get into car hacking…
Good bit of background on this one; does a good job of explaining the root of the issue. There are two parts, first is a 2020 CVE…
Interesting post that covers a bit about the meta of bug-hunting in Source Engine games and some how-to information. There are two OOB read vulnerabilities used in the chain.
Cool bug, but hard to actually exploit despite getting PC control. The vuln uses GLSL, a C-like shader language that gets translated into C before being executed…
First goes into some background details on QMI, what kinds of services it provides, and details on how they fuzzed the interface (used QEMU hexagon to emulate the modem in conjunction with AFL). They talk about one of the vulns the fuzzer dug up, which was a heap overflow in the voice service’s