The two null-dereferences are pretty straightforward instances: the first is that when an error happens early on, a buffer is never assigned a value after the initial `NULL` assignment. In the generic error handling code, it then gets dereferenced on the assumption that the error happened after the buffer had been set up...
Plenty of background regarding even getting to a place to start hunting for bugs on this printer, leading up to two heap-based overflows in `pjcc_act_checkUserPassword2`, and some discussion about exploiting the DryOS heap allocator.
The majority of this post goes into background on Fuchsia and exploiting a fake vulnerability, though there was one novel vulnerability that the author came across. To obtain a KASLR bypass, the author thought to try to gain access to the kernel log for any pointers that might be leaked...
This is a cool trick, using a UTF-8 parser differential between the client-side XML parsing library (Gloox) and the server side (fast_xml) to smuggle in characters that end an XML tag prematurely and thereby smuggle in new XML content.
Honestly, this is a bit of a crazy issue to see. During login, if the `LocalPasswordAuthAdapter` gets used, it will attempt to validate the login credentials with whatever host is in the `Host` header, a header an attacker can often control completely. So by pointing the header at a domain the attacker controls, they can set up a server that responds with an `HTTP 200` to the authentication request, allowing the attacker to log in.
It seems that the syntax highlighting filter reads the `data-sourcepos` attribute rather permissively, including newlines and angle brackets. This value gets reflected back out into the page, where the browser ends up interpreting as HTML some of the text the backend thought was inside the attribute.
At its core, a simple issue with path normalization between a reverse proxy and the end server: one treated `..%2f` as a traversal and the other did not. The author used this to access internal NGINX Plus endpoints and was able to add his own server to the upstream list...
On its own a pretty simple overflow. There exists a buffer for up to 32 elements to be read into, but the value that is used to determine how many elements to copy is not bounded and can be as high as 255...
Inspired by HTTPVoid's February write-up about [Hacking Google Drive Integrations](https://github.com/httpvoid/writeups/blob/main/Hacking-Google-Drive-Integrations.md), they took a somewhat deeper look at how HelloSign patched the SSRF documented there.
A Transparency, Consent, and Control (TCC) bypass in macOS. TCC is the subsystem responsible for gating access to privacy settings, iCloud account data, and the like...
Funny bug in Glovo, which is a delivery platform for taking orders and dispatching deliveries. The bug is an integer overflow in the quantity parameter of the POST request for the order, which can affect the total price of the order...
The bug comes from GitLab's use of Rails UJS (Unobtrusive JavaScript). While known `data-*` attributes like `data-url` and `data-method` are stripped by DOMPurify, arbitrary `data-*` attributes aren't...
Taking an unexpected reference to a `memoryview` object results in a use-after-free when the parent of said object is destroyed. This is a rather low-impact bug, though, because it requires control over the code being executed, so one could just write an `os.system(...)` call or something similar...
Heap overflow in the mbuf zone in the PPPoE driver, which the PS4/PS5 borrow from NetBSD. The issue is that `pppoe_send_padr()` can calculate a packet length that exceeds `MCLBYTES` (2048 bytes)...