Posts tagged 'Podcast'

Few discussions this week, from using ASAN for effectively, to vulnerabilities in Rust code, and some discussion about exploiting the OpenSSH double free.

Bit slow this week, so we talk about the Top Web-hacking techniques of 2022, and some TruffleSec/XSS Hunter drama before so we cover a blockchain verification bug, and a simple path traversal to SSTI and RCE chain.

First, we take a look at some positive changes to OSS Fuzz, then we dive into some vulnerabilities. This includes an XNU heap out-of-bounds write vulnerability, a Chrome heap-based overflow vulnerability, and an out-of-bounds read in cmark-gfm that, while probably not exploitable, is still intriguing.

Is it possible to escalate a self-XSS into an account takeover? Perhaps, we take a look at some potential options by abusing single-sign on. Then we take a look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP.

Discussion heavy episode this week, talking about KASAN landing on Windows, shuffling gadgets to make ROP harder, and a paper about automatic exploit primitive discovery.

Starting off the week strong we have a CSS injection turned full-read SSRF, and a MyBB exploit chain from XSS to server-side code injection. And we've got a couple auth token disclosures to end off the episode.

Null-dereferences might not be too exploitable on a lot of systems, what about the handling of a null-dereference. We cover a great Project Zero post on the topic, then look at a type confusion in Windows COM, a Nintendo buffer overflow, and several memory corruptions in git, highlighting their unique primitives and potential exploitability.

We've got a cloud focused episode this week, starting with a logging bypass in AWS CloudTrail, a SSH Key injection, and cross-tenant data access in Azure Cognitive Search.

An Apple-focused episode this week, with a trivial iPod Nano BootRom exploit, and a WebKit Use-after-free. We also have a really cool XNU Virutal Memory bug, strictly a race condition and a logic differential between two alternate paths resulting in bypassing copy-on-write protection. We also handle a few questions from chat, how much reverse engineering is necessary for vuln research, how much programming knowledge is required, and a bit about AI's applicability to reverse engineering.

This week kicks off with another look at client-side path traversal attacks, this time with some more case-studies. Then we get into some mobile issues, one a cool desync between DER processors resulting in an iOS privilege escalation. The other a Bundle processing issue in Android that provides an almost use-after-free like primitive but in Java.