The last time we covered a "how to exploit a null-deref in the modern era" post we were...disappointed (and potentially attacked by North Korea but that's another story), this one is legit. Rather than focusing on the null-deref as the core memory corruption though, it abuses the handling of the null-dereference with a kernel oops and the side-effects of the oops to overflow a reference count.
**tl;dr** Android Parcels have their own memory pool rather than being freed all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel, creates a "use-after-free"-like situation.
A fairly complex exploit of a use-after-free in netfilter. The vuln is detailed more in other posts linked off by Exodus, but effectively the bug is a lifetime issue with netfilter sets that don't have the `NFT_EXPR_STATEFUL` flag set but contain a reference to another set (such as `lookup` and `dynset` expressions)...
A total of either issues impacting various companies in the automotive industry, a mix of issues ranging from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.
A post on exploiting a bug that Jann Horn discovered in the Linux kernel's memory management (MM) subsystem. The bug isn't detailed in this post and is fairly complex (there is a Project Zero bug report, but it's difficult to understand without deep knowledge of MM internals), though they state it will be written up in a future blog post...
Great documentation of the process of finding a WAF process, building up the final payload bit by bit.
Two parts to the post: the vulnerability is a simple SQL injection, URL data winds up in the query. Nothing too special there...
This blog post is essentially using a previous sandbox escape they discovered against Backstage, which is Spotify's incubated solution for managing infrastructure, microservices and such. Backstage includes software templates, which can contain a `message` parameter that gets rendered in Nunjucks (a JS templating engine)...
A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.
At its core, a simple, yet odd Linux kernel issue, `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets the `req->work.identity` to `current->io_uring`.