It is possible to bypass macOS's System Integrity Protection (SIP) through the `system_installd` daemon. This daemon has the `com.apple.rootless.install.heritable` entitlement which means that any process started by the daemon will not be protected by SIP.
Always a fun class of issue to see: the root cause is that a user-mode callback invoked during a `ResetDC` (Reset Device Context) call can unexpectedly tamper with device context data that the kernel assumes will remain stable.
Android's NFC stack uses `TCB` structures (assumed to stand for "task control blocks") to track tasks that come from the NFC controller. The NFC specification supports a variety of formats for different types of NFC tags, and the tag type has to be tracked in the control block...
When purchasing coins for Reddit on Android, there is a call to a `/verify_purchase` endpoint which is vulnerable to a race condition. The idea is that this endpoint, when provided some of the transaction information, would validate it and grant the coins to the purchaser; however, there is a problem when handling multiple concurrent requests to the endpoint...
An unauthenticated file read exists in GoCD's Business Continuity Addon (installed and enabled by default) due to a configuration change that exposed the add-on to unauthenticated users.
Mermaid is a markdown-like syntax for generating flowcharts and is supported by GitLab's markdown parser. The Mermaid parser itself can be provided various configuration options at initialization time, and some of those can then be overridden by inline directives...
Discourse exposes a webhook that takes a user-provided "subscribe URL" and passes it to `open()` unsanitized. Because Discourse is written in Ruby, it is possible to get command execution via the subscribe URL by way of the pipe operator, since a leading `|` causes Ruby's `Kernel#open` to spawn a command rather than open a file...
Bit of a logic bug/abuse resulting in the ability to write files with semi-controlled content into any directory regardless of privileges. Under normal circumstances, when a suid binary crashes it is considered non-dumpable; more generally, when a process's real and effective user or group IDs differ, it will not be core dumped.
Ignoring plenty of nuance, `tiocspgrp` (TTY IOCTL Set Process Group) would grab the wrong lock. Pseudoterminals (ptys) have a master and a slave device, both of which are controlled by userland and can have ioctls called on them...
A logic bug was discovered in the Chrome garbage collector which could cause a use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
It is possible for a malicious website to associate a visitor with a known Slack account. The attack relies on a difference in behavior when accessing a file with and without permission, and on the ability to share a file with specific users...