In resizing a PNG, in a textual chunk you have keywords and a text string as a value, if the keyword profile is used, imagemagick will try to read the associated filename (the text value for the keyword) and will load the content of the file (if it exists) into the resultant image. So in cases where a user uploaded image is resized or processed in some way by imagemagick, it may be possible to leak file content in the resulting image.
Several fun issues found in DataHub by GitHub Security Lab, we won’t summarize all of them here but a few of our favorites:
World’s worst fuzzer, leading to a traditional stack overflow in the kernel.Really not much to say about the vulnerability, copy_from_user with no bounds check into a fixed sized buffer on the stack…
A bug was found sort of accidentally in Adreno/KGSL GPU for Android devices.The post covers a lot of background, but what’s important is that userspace can map shared memory from the CPU into the GPU, and use it to pass buffers such as command buffers…
There are a few issues in this post, the first is SQL injection with nothing very special going on. The later issues though are more of a bypass of application logic which I think is fairly cool.
The vulnerability here isn’t too interesting, just a case of user-input being reflected into a header without sanitizing new-lines (CrLf injection). What is interesting is how they leverage this header injection primitive to bypass Akamai’s web application firewall.
A couple interesting issues in OpenEMR leading to unauthenticated remote code execution and file disclosure.
Couple vulnerabilities here, the first bad regex allowing for the origin validation on cross-origin messages to be bypass. The second is a pair of innerHTML assignments with data from a cross-origin message.
A desync between the parameter the authorization check reads, and the value the actual action reads. Leading to an attacker being able to access resources that would have been denied normally.
A PS2 emulator escape that can be exploited on PS4/PS5.In the previous binary episode we covered part 2 which was a stack overflow in Okage: Shadow King, by chaining that with this out-of-bounds (OOB) write in the emulator, full userland code execution is possible…