Two logic bugs that cause memory corruption in the handling of TLS packets, both due to unhandled error/return values when using the nanoSSL library, plus a higher-level design flaw in the firmware update system.
Leaving out many of the specifics about how Azure Sphere devices work: under normal circumstances it appears that you should neither be able to downgrade a device's firmware, nor install any firmware without first providing the Microsoft-signed manifest...
Out-of-bounds access in the `GPIO_SET_PIN_CONFIG_IOCTL` handler leading to information disclosure. When parsing the `lineoffsets` field from the `gpiopin_request` object, there is no bounds check on it before it is used as an index into an array of descriptors to obtain a `desc` pointer...
A great exploit chain: it starts with a newline injection, leading to the ability to write "2" to any file, and culminates in a login and root code execution, all doable from remotely hosted JavaScript.
What if authentication was optional? That seems to be the case here with the Netgear Switch Discovery Protocol, a UDP-based protocol where each datagram is a header followed by a Type-Length-Value (TLV) chain. The expectation is that all of the "get" commands can be used without authentication, but that "set" commands should send the password authentication entry (Type 10) as the first element of the TLV chain...
**tl;dr** A well-positioned attacker (needs to be using the same IP as the victim) can hijack a successful authentication flow and take over the victim's session by polling the `get.cgi` endpoint after the victim's login has succeeded but before the victim has polled the same page (which happens every second).
Synacktiv ended up investigating the Western Digital Pro PR4100 when looking at the target list for Pwn2Own Tokyo 2020. When looking at this device, they took particular interest in the web server and reversed the cgi-bin that implemented it...
D-Link attempted to provide some protection against brute force by delaying the response for three seconds on a bad login. The problem was that the delay only happened on a bad login, so there was a clear timing difference between a good and a bad login attempt...
Some meme-worthy vulnerabilities, like unauthenticated root ADB access. Don't worry, it's not enabled by default; but the request to enable it doesn't require authentication either.