This was a fun authorization check bypass: when checking whether higher privileges were needed, the `flag` value was compared for equality against the two privileged actions. Later on, however, when deciding which handler should handle the request, a bitwise operation was used to check whether the specific bit is set...
When using the `ssrfFilter` library in conjunction with the Request library in JavaScript, there is a bug that can result in the SSRF filter being disabled. The way the anti-SSRF library `ssrfFilter` works is that it creates its own object that can be used in place of Node's default request agent for http/https requests...
Solid post documenting some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API. Without going into details about parcels, you can think of this as similar to just opening a file: you usually need to provide a `mode`, like `w` for write or `r` for read access...
A type confusion happens during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0. The root cause of this bug is an incorrect assumption made by `sock_init_data()` regarding the `struct socket` input...
A nice use of a CRLF injection to exploit a seemingly unexploitable injection, because the browser wouldn't render the page when a `Location` header was present. Basically, the CRLF injection was used to inject a `Connection: Location` header, telling the proxy to treat the `Location` header as a hop-by-hop header and drop it before passing the response on to the end user...
When resizing a PNG, a textual chunk carries a keyword and a text string as its value. If the keyword `profile` is used, ImageMagick will treat the associated text value as a filename and, if that file exists, load its content into the resultant image. So in cases where a user-uploaded image is resized or otherwise processed by ImageMagick, it may be possible to leak file content in the resulting image.
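A defender-side check for the behaviour described above, written as an added example (not ImageMagick's code and not from the original post): a small PNG chunk walker that verifies chunk CRCs, pulls the keyword/value pairs out of `tEXt` and `zTXt` chunks, and reports any entry whose keyword is `profile`, so an upload pipeline can reject or strip such chunks before handing the image to an image processor. The `build_png` helper and the sample chunk values are constructed for the example only.

```python
# Added example (not ImageMagick's or the original post's code): parse PNG
# textual chunks and flag `profile` keywords before image processing.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(text_chunks) -> bytes:
    """Build a minimal 1x1 grayscale PNG carrying the given textual chunks.

    text_chunks: iterable of (keyword, text, compressed); compressed=True emits
    a zTXt chunk, otherwise a tEXt chunk. Constructed test input only.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                    # filter byte + pixel
    out = [PNG_SIG, _chunk(b"IHDR", ihdr)]
    for keyword, text, compressed in text_chunks:
        kw = keyword.encode("latin-1") + b"\x00"
        if compressed:
            out.append(_chunk(b"zTXt", kw + b"\x00" + zlib.compress(text.encode("latin-1"))))
        else:
            out.append(_chunk(b"tEXt", kw + text.encode("latin-1")))
    out.append(_chunk(b"IDAT", idat))
    out.append(_chunk(b"IEND", b""))
    return b"".join(out)


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, checking the signature and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_entries(data: bytes) -> list[tuple[str, str]]:
    """Return (keyword, text) pairs from tEXt and zTXt chunks."""
    entries = []
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":
            kw, _, txt = body.partition(b"\x00")
            entries.append((kw.decode("latin-1"), txt.decode("latin-1")))
        elif ctype == b"zTXt":
            kw, _, rest = body.partition(b"\x00")
            # rest[0] is the compression method; 0 is the only defined (deflate).
            if rest[:1] != b"\x00":
                raise ValueError("unknown zTXt compression method")
            txt = zlib.decompress(rest[1:])
            entries.append((kw.decode("latin-1"), txt.decode("latin-1")))
    return entries


def profile_entries(data: bytes) -> list[tuple[str, str]]:
    """Entries whose keyword is `profile`, the case the text above describes."""
    return [(k, v) for k, v in text_entries(data) if k.lower() == "profile"]


if __name__ == "__main__":
    sample = build_png([("Comment", "holiday photo", False),
                        ("profile", "/constructed/path/on/server", True)])
    print("profile entries:", profile_entries(sample))
```

Rejecting uploads with a `profile` text entry is the narrow mitigation; the broader one is to strip all ancillary textual chunks from user-supplied images before processing, since the image content does not depend on them.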
A bug was found sort of accidentally in the Adreno/KGSL GPU driver for Android devices. The post covers a lot of background, but what's important is that userspace can map shared memory from the CPU into the GPU and use it to pass buffers such as command buffers...
A desync between the parameter the authorization check reads and the value the actual action reads, leading to an attacker being able to access resources that would normally have been denied.
Some malformed hashes will "validate" against any value compared using `password_verify`. This is due to an old hack in PHP's Blowfish implementation, where a malformed hash with a `$` character in the salt segment results in an early `break` and bad logic afterwards.
A small bug in processing/validating the entries in the Merkle tree, resulting in the theft of 2 million BNB ($586 million USD at the time of the original theft).
A cool bug that can inject a new user with an attacker-controlled SSH key into a compute instance, where the request doing this can be reached via a GET request with no anti-CSRF token.
Kind of a cool race condition and sort of a differential attack deep inside XNU's virtual memory system that allows bypassing "copy on write" and writing to the underlying page without making a copy.
**tl;dr** Android Parcels have their own memory pool rather than being freed all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel, creates a "use-after-free"-like situation.
A post by Project Zero on a vuln in a new library used for DER entitlements. Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has...
A total of either issues impacting various companies in the automotive industry, a mix of issues ranging from simple SQL injection to some interesting Single Sign-On (SSO) implementation decisions.