A fun bug, likely stemming from misunderstanding the return value from an `snprintf` call. Unfortunately (for us, good for security) only seems to be useful for a denial of service attack.
I thought this was an excellent post when it came to explaining the exploitation strategy, and has it dealt with encrypted pointers the exploitation was pretty cool to see documented. However I did have some problems following on the actual vulnerability details.
At its core, this is pretty easy to understand, and isn't especially novel, but it is an interesting area, stealing cars so worth covering.The core problem is simply that inside of a modern vehicle you have the Controller Area Network Bus (CAN Bus)...
An exploit chain that targets Samsung's TEEgris OS running in the ARM TrustZone secure world.TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)...
A directory traversal vulnerability in Parallels Desktop for MacOS has been identified, leading to a guest-to-host VM escape.Parallels ToolGate, a virtual PCI device, facilitates communication between the guest and host operating systems...
Abuse ChatGPT and other language models for remote code execution, sounds great! This is quite literally just a case of determining how the AI is being leveraged in the backend and then engineering a prompt to ask the language model to respond with something malicious. The author has two examples on BoxCars:
The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily only appears when running the application under Docker.
This was a fun authorization check bypass because when checking if higher privileges were needed the `flag` value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set...
Effectively, a double-fetch vulnerability in Intel SMM's SMI handler that could allow a local attacker to escelate into System manage Mode.It recieves a `CommBuffer` that contains a `Data` pointer and a size value...
Yet another case of bad syncronization or just performing operations in the wrong order.IIn this case `ene_remove` called when removing the device, will remove its internal allocations and everything before it actually unregisters the device...
A type-confusion happens in during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0.The root cause of this bug is in the incorrect assumption made by `sock_init_data() `regarding the `struct socket` input...
The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin's Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...
Relatively straight forward oauth hijack/account takeover flow with one interesting aspect in actually performing the login with the hijacked OAuth code.
A long, fairly beginner friendly post about attacking a Bluetooth lock, there is a lot of process information here as it was an intern's research project. What the vulnerability comes down to though is a lack of any real authoization checking instead only validating the integrity (poorly!) of the request and trusting the app did all the heavy lifting.