Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.
Vulnerabilities (Page 12)
BlueZ would identify Bluetooth controllers based purely on their self-reported BD_ADDR (the Bluetooth version of a MAC address). A malicious device could identify with an existing BD_ADDR and obtain the link key for that device.
AWS provided a hot-patching service that would patch Java binaries against the Log4Shell vulnerability but that introduced a container escape.
An uninitialized "Fast Tracker" in the Windows HTTP protocol stack as used by IIS. Despite providing a bit of a crash analysis and a POC, the post is missing information about the vulnerability, as their primary focus was on building out the exploit.
Three-part blog series by Connor McGarr which covers exploiting a type confusion in Chakra-based Edge. Part 1 covers environment setup and the vulnerability, part 2 the core exploitation primitives, and part 3 porting the exploit to Edge and bypassing Edge mitigations.
There is a good deal of complexity in the object structure that is detailed in the post that I'm going to gloss over. Effectively you have an array of entry objects, and each entry has a pointer to a
strcat was used in a callback to craft the xpath for each element, and it did this without any bounds checking. By nesting XML structures they could eventually overflow the memory region they were allocated in…
This one is a bit of a cross-user attack on the same machine, as git, when executed in a directory that doesn't have a .git folder, will traverse upward looking for the .git/ of the repo. The problem is that if one accidentally invokes git while not in a repository, it'll look in some potentially untrusted locations as it traverses by default all the way to the root of the storage…
Two issues, one being a race condition between validating a configuration is safe and using the configuration, the second an information disclosure where a user’s Net-NTLMv2 hash could be disclosed.
Copying and pasting an HTML element with a script within it can result in an XSS in the vditor text editor. This does feel like a bit of a stretch for an attack scenario, pasting in malicious content to an editor, but not really a threat situation I've thought much about either…