The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc's DICOM server. The vulnerability is a natural consequence of two features:
Not making encrypted blobs tamper-proof is a pretty classic crypto issue that led to an arbitrary file-upload and code execution vulnerability in ShareFile. The file upload functionality of ShareFile took a few natural arguments: a `filename`, an `uploadid` and a `parentid`...
A post-auth remote information disclosure in the SecurePoint UTM firewall. The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used...
I thought this was an excellent post when it came to explaining the exploitation strategy, and as it dealt with encrypted pointers the exploitation was pretty cool to see documented. However, I did have some problems following the actual vulnerability details.
At its core, this is pretty easy to understand, and isn't especially novel, but it is an interesting area (stealing cars), so worth covering. The core problem is simply that inside of a modern vehicle you have the Controller Area Network Bus (CAN Bus)...
An exploit chain that targets Samsung's TEEgris OS running in the ARM TrustZone secure world. TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)...
Abuse ChatGPT and other language models for remote code execution, sounds great! This is quite literally just a case of determining how the AI is being leveraged in the backend and then engineering a prompt to ask the language model to respond with something malicious. The author has two examples on BoxCars:
Relatively straightforward OAuth hijack/account takeover flow with one interesting aspect in actually performing the login with the hijacked OAuth code.
When a PNG is resized, its textual chunks come into play: each holds a keyword and a text string as its value. If the keyword `profile` is used, ImageMagick will try to read the associated filename (the text value for the keyword) and will load the content of that file (if it exists) into the resulting image. So in cases where a user-uploaded image is resized or processed in some way by ImageMagick, it may be possible to leak file content in the resulting image.
A bug was found sort of accidentally in Adreno/KGSL GPU for Android devices. The post covers a lot of background, but what's important is that userspace can map shared memory from the CPU into the GPU, and use it to pass buffers such as command buffers...
The vulnerability here isn't too interesting, just a case of user input being reflected into a header without sanitizing newlines (CRLF injection). What is interesting is how they leverage this header injection primitive to bypass Akamai's web application firewall.
A desync between the parameter the authorization check reads and the value the actual action reads, leading to an attacker being able to access resources that would normally have been denied.