RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924]
A number of bugs in Tailscale leading to an RCE chain.
Vulnerabilities tagged "desktop"
Cross-Site Tracing was possible via non-standard override headers [CVE-2022-45411]
Cross-Site Tracing is a vulnerability I didn't think I'd be hearing about again, yet here we are.
[Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched
Callbacks can be tricky in memory-unsafe languages, here we have the Chrome Account Selection feature creating an image view and an image fetcher. Sets up a callback function to be called once the account's image has been fetched and passes in the raw pointer to the created image_view, the problem being that the image view may be destroyed before the callback happens.
Multiple memory corruptions in MS Edge
Multiple memory corruptions in Microsoft Edge browser, there are several issues here but they all generally can be summed up as "self-corruptions".Its things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog triggering a callback that no longer exists...
[Cisco Jabber] XMPP Stanza Smuggling with stream:stream tag
Cisco's Jabber, an XMPP client would treat the ending `` XML tag as a special case resetting the state of the XML parsing, which would allow any next tag to be treated as the root of the XML document and allow injecting of control stanzas.
Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
So Java's Swing UI Toolkit in some cases will try to parse any strings that start with a `<` as HTML, and dangerously so as its handling of `
Hancom Office 2020 Hword Docx XML parsing heap underflow vulnerability
When a docx parser encounters an end element, it assumes the pointer to the start element is already available and attempts to operate on it, leading to an out of bounds access immediate before the buffer.
Iconics Support for `gdfx` Files Results in Command Injection
This seemed to mostly be an exercise in attack surface discovery, scanning the files used by Iconics they found support for `gdfx` files with support for embeded JavaScript, including the ability to load an ActiveX object and execute shell commands on the local machine. Despite this being an apparently surface level issue, it survived until Pwn2Own and through multiple other contestants (the author was 5th of 7 against the application) to net them a $20,000 bounty.
[Zoom] Remote Code Execution with XMPP Stanza Smuggling
This is a cool trick, using a UTF-8 parser differential between the client XML parsing library (Gloox) and the server side (fast_xml), to smuggling in characters that would end an XML tag prematurely and smuggle in new XML content.
macOS Vulnerability "powerdir" could lead to unauthorized user data access
A Transparency Consent and Control (TCC) bypass in macOS.TCC is the subsystem responsible for gating off access to privacy settings and iCloud account data and such...