Vulnerabilities

Two null dereferences and a Heap-based Overflow in Radare2

The two null dereferences are pretty straightforward instances, the first being that when an error happens early on, a buffer is never assigned a value after the initial NULL assignment. In generic error handling code, it gets dereferenced under the assumption that the error happened after it had been set up…


Capability Check Bypass in Fuchsia OS

The majority of this post goes into background on Fuchsia and exploiting a fake vulnerability, but there was one novel vulnerability that the author came across. To obtain a KASLR bypass, the author thought to try and gain access to the kernel log for any pointers that might be leaked…


[Zoom] Remote Code Execution with XMPP Stanza Smuggling

This is a cool trick, using a UTF-8 parser differential between the client XML parsing library (Gloox) and the server side (fast_xml) to smuggle in characters that end an XML tag prematurely and introduce new XML content.


VMware Authentication Bypass Vulnerability [CVE-2022-22972]


Honestly, this is a bit of a crazy issue to see. During login, if the LocalPasswordAuthAdapter gets used, it will attempt to validate the login credentials against whatever host is in the Host header, a header an attacker can often control completely. By pointing the header at a domain the attacker controls, they can set up a server that responds with an HTTP 200 to the authentication request, allowing the attacker to log in.


[GitLab] Stored XSS in Notes (with CSP bypass)

It seems that the syntax highlighting filter reads the data-sourcepos attribute rather permissively, including newlines and angle brackets. This value gets reflected back into the page, where the browser ends up interpreting as HTML some of the text the backend thought was inside the attribute.


Breaking Reverse Proxy Parser Logic

At its core, a simple issue with path normalization between a reverse proxy and the end server: one treated ..%2f as a traversal and the other did not. The author used this to access internal NGINX Plus endpoints and was able to add his own server to the upstream list…
