Vulnerabilities (Page 15)

Container escape on public GitLab CI Runners

Container escape within GitLab CI Runners abusing cgroup's release_agent functionality, as CI jobs are allowed to mount filesystems. The release_agent is a script that will be executed when a cgroup hierarchy becomes empty…

2FA Bypass by Forcing Use of the non-2FA Endpoint

Probably as easy a 2FA bypass as I've seen. Effectively, if the account had 2FA, the second stage of the password reset form would submit to /reset2fa, and if there was no 2FA registered for the account it would submit to /reset. So the attack was just to modify the submission to point to /reset instead of /reset2fa, and it wouldn't prompt for the 2FA token.

FUSE allows UAF reads of write() buffers in Linux < v5.17

With FUSE (Filesystem in Userspace) there are two modes of IO: either the normal kernel page cache is used for handling read/write attempts, or, by passing FOPEN_DIRECT_IO in the open call, the read/write requests can be sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode, and map those pages over to the FUSE process…

Exploiting Struts RCE on 2.5.26

For some UIBean tags, the name field was vulnerable to a double OGNL evaluation when there was no corresponding value field, which could lead to remote code execution.

Uninitialized value

An uninitialized "Fast Tracker" in the Windows HTTP protocol stack as used by IIS. Despite providing a bit of a crash analysis and a POC, the post is missing information about the vulnerability, as their primary focus was on building out the exploit.