The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc's DICOM server. The vulnerability is a natural consequence of two features:
An object type confusion was discovered in the Microsoft Kernel Streaming Server (`mskssrv.sys`), which is used for virtualizing camera devices and allowing multiple applications to access camera streams. The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a `context` and a `stream`...
Log injection is a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine. In this case, though, the impact was easier to spot because the program processing the output logs was part of the same application...
An interesting vulnerability was found in Confluence that allowed for calling semi-arbitrary method chains on the Action class being executed. This reminds me a bit of deserialization attacks, but in this case you've got the Xwork2 framework providing a `SafeParametersInterceptor` class...
Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in Chrome's JIT compiler (TurboFan). As a bit of background, modern browsers will often compile code/functions that are deemed as 'hotpaths' (aka executed a lot)...
A buffer overflow vulnerability was introduced in a 2021 patch to glibc's dynamic loader when processing `GLIBC_TUNABLES` environment variables. Tunables are basically configuration settings of the runtime that can be set via key/value pairs in the form of `key=val`...
Writeup for exploiting an io_uring bug submitted to kCTF (before io_uring was disabled in kCTF). The vulnerability itself was extremely straightforward and was in the handling of the `IORING_OP_MSG_RING` command for signaling another ring...
A fairly simple processing bug in WinRAR resulting in code execution with benign-seeming interaction with an archive; unfortunately this one was seen being exploited in the wild to spread malware.
A bit of an unexpected fault in GCC's `-fstack-protector` implementation that meant that the saved return address wasn't actually protected by the stack-protector on AArch64 in some cases.
Not making encrypted blobs tamper-proof is a pretty classic crypto issue that led to an arbitrary file-upload and code execution vulnerability in ShareFile. The file upload functionality of ShareFile took a few natural arguments: a `filename`, an `uploadid` and a `parentid`...
The title gives this one away: the `header(...)` function in PHP will issue a warning (and keep executing) without adding the header to the response if the header contains a Carriage Return (\r), New-Line (\n) or Null-byte (\x00). That functionality may not be new to you as its purpose is to kill response splitting attacks, but @OctagonNetworks presents a fresh twist on this; probably not the first to have the thought, but it was a neat idea to me...
A post-auth remote information disclosure in the SecurePoint UTM firewall. The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used...