Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful but there is some background in Virtual Channels within RDP and experieince getting a fuzzing envrionment setup that might be of value.
A logic bug in the Chrome garbage collector was discovered which could cause use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
Seven vulnerabilities in Windows.Starts off with a lot of background information on Windows kernel I/O, how Time-of-Check Time-of-Use (TOCTOU) works, and an overview of Advanced Local Procedure Calling (ALPC), which is a set of high performance IPC syscalls...
SharePoint Workflows are essentially a series of tasks to streamline a business process.With the clear potential for abuse there exist an `authorizedTypes` list that will both allow and block classes...
Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are more about the discovery of new attack surface rather than in the vulnerabilities themselves.
This Talos report covers a non-trivial issue where a stack pointer is used after it went out of scope when invoking JS bindings, which are provided to document creators by Nitro Pro PDF for automating aspects of the document.When one of these bindings needs to be executed by the SpiderMonkey library, the `js32u.dll!js_Invoke` function is used to create stack space and push a `JSStackFrame` object to be used by the invoked binding...
**tl;dr** Cool chain to escape and impact other containers on `Azure Container Instances` hosted by Kubernetes clusters (some are hosted by Service Fabric Clusters which are not vulnerable in this way), first is the container escape itself into the containing node/vm, followed by a leaked JWT useful to run commands against all nodes in the cluster.
**tl;dr** - The Oauth endpoint parses URL paramters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable. Allowing the second to overwrite the first. The front-end however sees them as two distinct keys and so redirects the oauth token to the `redirect_uri` while the endpoint validates that the other value points to a whitelisted location
Plenty of background here, both in terms of software, architecture, and testing environment.Probably worth checking out if you want to get into car hacking...
Interesting post that covers a bit about the meta of bug-hunting in Source Engine games and some how-to information. There are two OOB read vulnerabilities used in the chain.