Yet another case of bad syncronization or just performing operations in the wrong order.IIn this case ene_remove called when removing the device, will remove its internal allocations and everything before it actually unregisters the device…
A type-confusion happens in during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0.The root cause of this bug is in the incorrect assumption made by sock_init_data() regarding the struct socket input…
Two vulnerabilities in the TPM 2.0 reference implementation’s CryptParameterDecryption().The Trusted Platform Module (TPM) is used for key storage, key generation, and attestation via storing and taking “measurements” (integrity checks) in the boot process…
A straightforward integer underflow issue in OpenBSD TCP/IP socket’s sockopt handling.While ip_dooptions() and the IPOPT_SSRR option handler will check the user-provided optlen isn’t too large, it won’t check if it’s too small…
An information disclosure in GitHub through the Security Advisories feature.GitHub allows maintainers to draft public advisories, and in doing so you can create a temporary private fork to collaborate on and review fixes without disclosing them publicly…
A lot of wrong turns, eventually leading to some parameter brute forcing and the discovery of an href param when submitting a Forgot Password request.The href value would be used to craft the forgot password link with the actual token appended to it that is reflected in the Forgot Password email…
A nice use of the a CRLF Injection to exploit a seemingly unexploitable injection because the browser wouldn’t render the page when a Location header was present.Basically just used the CRLF injection ot inject a Connection: Location header, telling the proxy to treat the Location header as a hop-by-hop header and drop it before passing it on to the end-user…
The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin’s Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing…
Relatively straight forward oauth hijack/account takeover flow with one interesting aspect in actually performing the login with the hijacked OAuth code.
A long, fairly beginner friendly post about attacking a Bluetooth lock, there is a lot of process information here as it was an intern’s research project. What the vulnerability comes down to though is a lack of any real authoization checking instead only validating the integrity (poorly!) of the request and trusting the app did all the heavy lifting.
In resizing a PNG, in a textual chunk you have keywords and a text string as a value, if the keyword profile is used, imagemagick will try to read the associated filename (the text value for the keyword) and will load the content of the file (if it exists) into the resultant image. So in cases where a user uploaded image is resized or processed in some way by imagemagick, it may be possible to leak file content in the resulting image.
Several fun issues found in DataHub by GitHub Security Lab, we won’t summarize all of them here but a few of our favorites:
World’s worst fuzzer, leading to a traditional stack overflow in the kernel.Really not much to say about the vulnerability, copy_from_user with no bounds check into a fixed sized buffer on the stack…
A bug was found sort of accidentally in Adreno/KGSL GPU for Android devices.The post covers a lot of background, but what’s important is that userspace can map shared memory from the CPU into the GPU, and use it to pass buffers such as command buffers…
There are a few issues in this post, the first is SQL injection with nothing very special going on. The later issues though are more of a bypass of application logic which I think is fairly cool.