Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.
BlueZ would identify Bluetooth controllers based purely on their self-reported `BD_ADDR` (the Bluetooth equivalent of a MAC address). A malicious device could identify itself with an existing `BD_ADDR` and obtain the link key for that device.
AWS provided a hot-patching service that would patch Java binaries against the Log4Shell vulnerability, but in doing so it introduced a container escape.
An uninitialized "Fast Tracker" in the Windows HTTP protocol stack as used by IIS. Despite providing a bit of a crash analysis and a PoC, the post is missing information about the vulnerability itself, as the primary focus was on building out the exploit.
Three-part blog series by Connor McGarr which covers exploiting a type confusion in Chakra-based Edge. Part 1 covers environment setup and the vulnerability, part 2 the core exploitation primitives, and part 3 porting the exploit to Edge and bypassing Edge's mitigations.
There is a good deal of complexity in the object structure, detailed in the post, that I'm going to gloss over. Effectively you have an array of entry objects, and each entry has a pointer to a `user_data_value_element`...
`strcat` was used in a callback to craft the `xpath` for each element, and it did this without any bounds checking. By nesting XML structures they could eventually overflow the memory region the buffer was allocated in...
This one is a bit of a cross-user attack on the same machine: when `git` is executed in a directory that doesn't have a `.git` folder, it will traverse upward looking for the repository's `.git/`. The problem is that if one accidentally invokes `git` while not in a repository, it will look in some potentially untrusted locations, as by default it traverses all the way to the root of the filesystem...
Two issues: one is a race condition between validating that a configuration is safe and actually using the configuration; the second is an information disclosure where a user's Net-NTLMv2 hash could be leaked.
Copying and pasting an HTML element with a script inside it can result in an XSS in the Vditor text editor. This does feel like a bit of a stretch as an attack scenario, pasting malicious content into an editor, but it's also not really a threat situation I've thought much about either...