This is a cool trick: a UTF-8 parser differential between the client's XML parsing library (Gloox) and the server side (fast_xml) is used to smuggle in characters that one parser treats as ending an XML tag prematurely, so that the rest of the attacker's text is interpreted as new XML content.
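As an added illustration (not code from the writeup, and not modelled on how Gloox or fast_xml actually decode), the following shows how two UTF-8 decoders disagreeing about a single invalid byte turns one XMPP-style stanza into three. The second decoder is hypothetical: it trusts the byte count announced by a lead byte and swallows whatever follows it. The payload is constructed for the example.

```python
import xml.etree.ElementTree as ET


def strict_decode(data: bytes) -> str:
    """Decoder A: Python's own UTF-8 decoder with the 'replace' handler.
    An invalid lead byte becomes U+FFFD by itself and the byte after it is
    decoded normally, so an ASCII '<' following the bad byte stays a '<'."""
    return data.decode("utf-8", errors="replace")


def lenient_decode(data: bytes) -> str:
    """Decoder B (hypothetical, written for this example): trusts the length
    announced by the lead byte and consumes that many bytes whether or not
    they are valid continuation bytes.  A '<' right after a bad lead byte is
    swallowed into the replacement character and never reaches the XML layer."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n = 1
        elif 0xC2 <= b <= 0xDF:
            n = 2
        elif 0xE0 <= b <= 0xEF:
            n = 3
        elif 0xF0 <= b <= 0xF4:
            n = 4
        else:
            n = 1                      # stray continuation byte or invalid lead
        chunk = data[i:i + n]
        try:
            out.append(chunk.decode("utf-8"))
        except UnicodeDecodeError:
            out.append("\ufffd")       # the bug: the swallowed bytes are gone
        i += n
    return "".join(out)


def top_level_elements(view: str) -> list:
    """Parse the decoded text as the children of an XMPP-like stream and
    return their tag names; in XMPP each top-level child is its own stanza."""
    root = ET.fromstring("<stream>" + view + "</stream>")
    return [child.tag for child in root]


# Constructed payload.  The attacker controls the text between <body> and
# </body>.  0xC2 announces a two-byte sequence but is followed by ASCII, which
# is invalid UTF-8 and exactly where the two decoders part ways.
ATTACKER_TEXT = b"hi\xc2</body><evil/>\xc2<body>"
PAYLOAD = b"<body>" + ATTACKER_TEXT + b"</body>"


def compare(payload: bytes = PAYLOAD) -> dict:
    """Same bytes, two decoders: one side sees a single <body> stanza whose
    text happens to contain '<evil/>' as a child; the other sees <evil/> as a
    separate top-level stanza that the attacker never legitimately sent."""
    return {
        "strict": top_level_elements(strict_decode(payload)),
        "lenient": top_level_elements(lenient_decode(payload)),
    }


if __name__ == "__main__":
    print(compare())
```

Both views are well-formed XML, which is what makes the differential dangerous: neither side raises a parse error, they simply disagree on where the stanza boundaries are. Valid UTF-8 decodes identically under both functions; only the malformed bytes diverge.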
A Transparency, Consent, and Control (TCC) bypass in macOS. TCC is the subsystem responsible for gating access to privacy-protected data and services, iCloud account data and the like...
A nice little logic error in an edge case between two different command-line flags. curl may remove the wrong file when `--no-clobber` and `--remove-on-error` are used together: `--no-clobber` writes to an alternative filename to avoid overwriting an existing file, but the error cleanup deleted the original name instead...
A blog post by Microsoft detailing a few vulnerabilities in `networkd-dispatcher`, a daemon that runs scripts on `systemd-networkd` state changes, which can be chained for local privilege escalation. Looking at the code flow, they noticed it registers a signal receiver on the system D-Bus, and the handler receives a `state` path followed by some data...
BlueZ would identify Bluetooth controllers based purely on their self-reported `BD_ADDR` (the Bluetooth equivalent of a MAC address). A malicious device could identify itself with an existing, already-paired `BD_ADDR` and obtain the link key for that device.
This one is a bit of a cross-user attack on the same machine: when `git` is executed in a directory that doesn't have a `.git` folder, it traverses upward looking for the `.git/` of the enclosing repository. The problem is that if one accidentally invokes `git` while not in a repository, it will look in some potentially untrusted locations, since by default it traverses all the way to the root of the filesystem...
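The upward search and the two controls that bound it, as an added example rather than anything from the writeup or from git itself: a small re-implementation of the discovery walk, with a stand-in for `GIT_CEILING_DIRECTORIES` (directories git will not climb up into) and for the owner check git added after this bug (a repository owned by a different user is refused unless listed in `safe.directory`). The directory layout is constructed in a temporary directory; the names `shared`, `alice` and `project` are made up.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional


def discover_git_dir(start, ceilings: Iterable = (),
                     same_owner_only: bool = True) -> Optional[Path]:
    """Walk upward from `start` until a `.git` directory is found, the way git
    does when invoked below a repository root.

    `ceilings` mimics GIT_CEILING_DIRECTORIES: the walk never moves up *into*
    one of these directories (the start directory itself is always checked).
    `same_owner_only` mimics the post-fix behaviour: a `.git` owned by another
    user is not trusted, so its config and hooks are never read.
    """
    here = Path(start).resolve()
    no_entry = {Path(c).resolve() for c in ceilings}
    while True:
        candidate = here / ".git"
        if candidate.is_dir():
            if (same_owner_only and hasattr(os, "getuid")
                    and candidate.stat().st_uid != os.getuid()):
                return None        # foreign-owned repo: refuse rather than trust it
            return candidate
        if here.parent == here or here.parent in no_entry:
            return None            # filesystem root, or a ceiling directory above us
        here = here.parent


def demo() -> dict:
    """Constructed layout: a shared parent directory holds a `.git` (planted by
    whoever can write there); the victim runs git from a non-repo subdirectory
    two levels below it.  Whatever config that `.git` carries is what git would
    honour once it is picked up."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        shared = base / "shared"
        (shared / ".git").mkdir(parents=True)
        work = shared / "alice" / "project"        # no .git anywhere in here
        work.mkdir(parents=True)

        found = discover_git_dir(work)
        fenced = discover_git_dir(work, ceilings=[shared])
        return {
            "unrestricted": found.relative_to(base).as_posix() if found else None,
            "with_ceiling": fenced.relative_to(base).as_posix() if fenced else None,
        }


if __name__ == "__main__":
    print(demo())
```

The unrestricted walk climbs out of the user's own directories and adopts the planted repository; with the shared directory set as a ceiling the walk stops one level below it and reports no repository, which is the behaviour you want on multi-user hosts.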
Two issues: a race condition between validating that a configuration is safe and actually using it (a time-of-check/time-of-use bug), and an information disclosure where a user's Net-NTLMv2 hash could be leaked.
A slight race condition in the Pritunl VPN client leading to a semi-controlled file write as SYSTEM, which could be leveraged into code execution as SYSTEM.
Multiple bugs in Carbon Black and vRealize Operations Manager: authentication bypass through proxy trickery, server-side request forgery, credential leaks, and ultimately RCE.
Little Snitch may block connections to some IPs, but only once they send data. Just opening the connection without sending any data is a fun way around the blocklist, and while significantly slower, one can still exfiltrate information using nothing but data-less connections, with the information carried by which connections are made rather than by any payload.
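To make concrete what exfiltrating with only data-less connections means, here is an added example (not from the post, and not how any particular tool does it) that moves a short message across loopback using nothing but which ports the TCP handshakes land on: 16 listening ports per nibble position of a fixed-length frame, one handshake per nibble, zero payload bytes on the wire. The port range and the message are constructed for the demo; a real filter that only inspects payload-carrying connections sees only connects and closes.

```python
import select
import socket
import threading

HOST = "127.0.0.1"


class ConnectionOnlyReceiver:
    """Listens on 16 ports per nibble position.  The port a handshake arrives on
    encodes (position, nibble value); the connection itself carries no bytes,
    so ordering of arrival does not matter."""

    def __init__(self, frame_bytes: int, base_port: int = 47000):
        self.n_nibbles = frame_bytes * 2
        self.socks = []
        self.received = {}
        self.base = self._bind_range(base_port)

    def _bind_range(self, first: int) -> int:
        # Find a contiguous block of free loopback ports; move up if one is taken.
        width = self.n_nibbles * 16
        for base in range(first, first + 4000, width):
            socks = []
            try:
                for k in range(width):
                    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                    s.bind((HOST, base + k))
                    s.listen(8)
                    socks.append(s)
            except OSError:
                for s in socks:
                    s.close()
                continue
            self.socks = socks
            return base
        raise RuntimeError("no free port range on loopback")

    def serve(self, timeout: float = 5.0) -> None:
        while len(self.received) < self.n_nibbles:
            ready, _, _ = select.select(self.socks, [], [], timeout)
            if not ready:
                break                                  # sender gave up
            for s in ready:
                conn, _ = s.accept()
                conn.close()                           # never read: there is nothing to read
                k = s.getsockname()[1] - self.base
                self.received[k // 16] = k % 16        # position -> nibble
        for s in self.socks:
            s.close()

    def frame(self) -> bytes:
        nibbles = [self.received[i] for i in range(self.n_nibbles)]
        return bytes((nibbles[i] << 4) | nibbles[i + 1]
                     for i in range(0, self.n_nibbles, 2))


def exfil_without_payload(data: bytes, base_port: int) -> int:
    """Sender side: one TCP handshake per nibble and not a single byte of payload.
    Returns the number of connections made (two per byte)."""
    count = 0
    for pos, byte in enumerate(data):
        for sub, nib in enumerate((byte >> 4, byte & 0x0F)):
            port = base_port + (pos * 2 + sub) * 16 + nib
            with socket.create_connection((HOST, port), timeout=2):
                pass                                   # connect, then close
            count += 1
    return count


def demo(message: bytes = b"Hi") -> bytes:
    """Run receiver and sender in one process and return what the receiver rebuilt."""
    rx = ConnectionOnlyReceiver(len(message))
    t = threading.Thread(target=rx.serve, daemon=True)
    t.start()
    exfil_without_payload(message, rx.base)
    t.join(timeout=10)
    return rx.frame()


if __name__ == "__main__":
    print(demo(b"Hi"))
```

Two handshakes per byte is why the post calls this significantly slower; the trade-off is that nothing a payload-inspecting rule could match is ever sent. Encoding position into the port (rather than relying on arrival order) keeps the channel correct even when the receiver processes connections out of order.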
Rocket.Chat will open links to the same domain within the main application window; since an attacker can upload files to that domain, they can run JavaScript and gain RCE (thanks to `nodeIntegration` being enabled).
There is an argument injection within the `ms-officecmd:` URI scheme (available by default on Windows 10 and 11), which MS Office applications use to launch other Office apps. By targeting the Microsoft Teams Electron application one could leverage the `--gpu-launcher` argument for arbitrary command injection without any hassle.
Multiple bugs within the Microsoft RDP client (with the server as the attacker) found through fuzzing. None covered at this time are very impactful, but there is some background on Virtual Channels within RDP and the experience of getting a fuzzing environment set up that might be of value.
It is possible to bypass macOS's System Integrity Protection (SIP) through the `system_installd` daemon. This daemon holds the `com.apple.rootless.install.heritable` entitlement, which means that any child process it spawns inherits the SIP exemption and is not constrained by SIP.