A post-auth remote information disclosure in the SecurePoint UTM firewall. The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used…
A pretty straightforward out-of-bounds write (OOB write) in the Apple SPU kernel extension, which is used for managing drivers on macOS and iOS. The problem lies in the opcode handler for ALLOCATE_BUFFER messages sent to SPU via an IOUserClient…
Another file-write to code execution escalation strategy to be aware of. Similar to others we’ve covered, it requires control over the file being written (duh) and partial control over the contents; control of the start of at least one line is sufficient.
Orca Security presents a privilege escalation method in Azure environments. It’s nothing too crazy, but at least worth taking note of. The first concept to understand is Azure Storage Account keys: when you first create a storage account, by default Azure generates a couple of 512-bit storage account access keys that can be used to access the account…
Multiple symlink-style issues in the WindowsContainerController and HyperVController controllers in the Docker Desktop for Windows daemon (dockerd). When looking at the WindowsContainerController, they noted the start() and stop() methods as potentially interesting, as they would take start and stop request objects which were attacker-controlled input, and contained a DaemonJSON string, which pointed to the path of the configuration file for docker.
Bit of an odd bug in the SecurePoint UTM Firewall admin and user panels. During the normal login flow a user starts off with an empty sessionID value; once they authenticate successfully the server returns a filled-in sessionID…
A local privilege escalation in bthport.sys, the Windows Bluetooth bus driver. The vulnerability exists in the Service Discovery Protocol (SDP)…
A fun bug, likely stemming from misunderstanding the return value from an snprintf call. Unfortunately (for us, good for security) it only seems to be useful for a denial of service attack.
I thought this was an excellent post when it came to explaining the exploitation strategy, and as it dealt with encrypted pointers the exploitation was pretty cool to see documented. However, I did have some problems following the actual vulnerability details.
This article is about glitching the Wii-U’s read of One-Time Programmable (OTP) fuses into registers for verifying the boot process. Under normal circumstances, the boot ROM will verify the firmware stored in the NAND storage against a hash stored in fuses…