A trivial out of bounds access in the iPod nano 3rd-5th generation's USB stack in the bootROM.The `USB::HandlePendingSetup()` handler for SETUP packets would accept a request and dispatch it to different sub-handlers based on the `bmRequestType`...
A total of either issues impacting various companies in the automotive industry, mix of issues from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.
A couple command injection bugs on the NetGear RAX30 router, straight forward IoT bugs.
Two vulns in Netgear RAX30 routers that were patched 2 days before the Pwn2Own draw. One was a LAN bug, the other a WAN issue.
A timing-based side-channel in the `CHECK_DATA` Device Configuration Data could allow the value of memory to be disclosed and read even when reading was disabled.
The RH850 is an automotive MCU which features SecureOnboard Communication or SecOC, which includes read protections to prevent the ability to dump the ROM over serial.After reversing the protocol with a logic analyzer, they discovered the authentication was only gated on the sync command (which is required before any other commands are acknowledged)...
A post by NCCGroup which covers an older vulnerability in NXP .iMX High Assurance Boot (HAB). A bit of background is helpful for understanding the bug and it's impact.
Great series of posts covering the authors research progress and eventual owning of a wireless scoreboard system.Unlike a lot of the attacks we cover, this had more of a hardware and even radio signal focus...