Vulnerabilities (Page 12)

Privilege escalation in AWS Elastic Kubernetes Service (EKS)

Nothing to crazy here, its well known that if someone can compromise something running within an AWS Elastic Kubernetes Service (EKS) pod, they can use that access to hit the AWS EC2 Metadata Service and gain the machine’s IAM token. There has been some prior research about performing a denial of service by removing a network interface with that token, but the author An Trinh here takes a look at going for a more significant privilege escalation.

 

SNIProxy wildcard backend hosts buffer overflow vulnerability

A stack-based buffer overflow in SNI Proxy, in parsing Hostnames to determine where to redirect traffic to the application would The vulnerability exists when aprsing IPv6 blocks, it’ll calculate the source length by looking for the end ] character, and then copy those characters into the target buffer. While it does “limit” the copy, it limits it based on the source length rather than the destination buffer size allowing for an overflow.

 

mast1c0re Part 2 - Compiler Attack

Multiple vulnerabilities that were found in the PS2 JIT emulator’s compiler process in PS4/PS5.The previous mast1c0re post we covered on episode #188 covered vulns and exploitation of the application process, which didn’t have direct JIT capability…

 

The curl quirk that exposed Burp Suite and Google Chrome

When using curl, if the --data-raw argument starts with a @ it will be treated as a filename and the file itself will be included as the data of the request. This sort of bug would be hard to exploit in the context of Burp and Chrome, requiring a victim to “Copy as cURL” a malicious request in the first place, and then run it…