Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful but there is some background in Virtual Channels within RDP and experieince getting a fuzzing envrionment setup that might be of value.
A privilege escalation to root in PHP FPM from a worker process where the attacker has arbitrary memory read/write and has escaped the PHP sandbox.
There is an out-of-bounds access that occures by causing Squirel to lookup a method in the array of class fields.
A logic bug in the Chrome garbage collector was discovered which could cause use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
Seven vulnerabilities in Windows.Starts off with a lot of background information on Windows kernel I/O, how Time-of-Check Time-of-Use (TOCTOU) works, and an overview of Advanced Local Procedure Calling (ALPC), which is a set of high performance IPC syscalls...
SharePoint Workflows are essentially a series of tasks to streamline a business process.With the clear potential for abuse there exist an `authorizedTypes` list that will both allow and block classes...
First a bit of background terminology as I understand it. Not being familiar with v8 there are likely some subtleties I am missing.
Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are more about the discovery of new attack surface rather than in the vulnerabilities themselves.
This Talos report covers a non-trivial issue where a stack pointer is used after it went out of scope when invoking JS bindings, which are provided to document creators by Nitro Pro PDF for automating aspects of the document.When one of these bindings needs to be executed by the SpiderMonkey library, the `js32u.dll!js_Invoke` function is used to create stack space and push a `JSStackFrame` object to be used by the invoked binding...
A rather non-intuitive bug where sending `Content-Length: x` would result in source disclosure on Apache.