SSH key injection in Google Cloud Compute Engine [Google VRP]
A cool bug that can inject a new user with controlled SSH key into a compute instance and the request doing this can be reached via a GET request with no anti-CSRF token.
Two vulnerabilities: the first is an insecure exposed activity that allows other applications to automatically install any application from the Galaxy Store; the second is a filter bypass which can lead to navigating the CloudGame webview to an untrusted domain.
An IDOR-style issue allowing access to the data plane of an Azure Cognitive Search instance even if that instance was isolated from the internet.
Kind of a cool race condition and sort of a differential attack deep inside XNU’s virtual memory system that allows for bypassing “copy on write” and writing to the underlying page without making a copy.
A trivial out-of-bounds access in the iPod nano 3rd-5th generation’s USB stack in the bootROM. The USB::HandlePendingSetup() handler for SETUP packets would accept a request and dispatch it to different sub-handlers based on the bmRequestType…
Some funny vulns in an undisclosed forum’s “teams” feature, where users could create their own teams and request to join others as different roles. Users could request to join a team as any non-admin role, and a team admin could accept the request…
tl;dr Android Parcels have their own memory pool rather than being freed all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel, creates a “use-after-free”-like situation.
A post by Project Zero on a vuln in a new library used for DER entitlements. Entitlements are Apple’s fine-grained permission system and essentially define what capabilities an app or service has…
A fairly complex exploit of a use-after-free in netfilter. The vuln is detailed more in other posts linked to by Exodus, but effectively the bug is a lifetime issue with netfilter sets that don’t have the NFT_EXPR_STATEFUL flag set but contain a reference to another set (such as lookup and dynset expressions)…
An out-of-bounds read/write in FreeBSD’s bhyve hypervisor. The vulnerability here is in the E82545 gigabit ethernet controller’s emulator, specifically e82545_transmit()…
A set of issues impacting various companies in the automotive industry, a mix ranging from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.
A neat vuln with an interesting impact in Mario Kart 8 Deluxe on the Switch. The game has a feature where players can create tournaments with their own ruleset, accessibility, dates it will run, etc…
A JIT-optimization-based type confusion in jscript9. The root cause of this bug is that the OptArraySrc optimization would call ShouldExpectConventionalArrayIndexValue() to decide if it should keep a type check in place, but that function could sometimes return false and cause the optimization to remove a type check when it shouldn’t…
Excellent post covering three vulnerabilities in Huawei’s Secure Monitor used to proxy/transition requests from the “normal world” usually from the hypervisor or kernel into the secure world.
A post on exploiting a bug that Jann Horn discovered in the Linux kernel’s memory management (MM) subsystem. The bug isn’t detailed in this post and is fairly complex (there is a Project Zero bug report, but it’s difficult to understand without deep knowledge of MM internals), though they state it will be written up in a future blogpost…