Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
A rather simple bug in validating the origin of a Cross-window message due to inappropriately handling null values.
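As an added illustration of the bug class in the summary above (this is not Comet's code, which the summary does not show): a `postMessage` handler whose origin check fails open when the configured trusted origin is null, next to a fail-closed version. The origins, the `getSession` message type and the session object are assumptions chosen for the demo.

```javascript
// Added illustrative example, not Comet's code. Shows a postMessage origin check
// that fails open on a null configured origin, beside a hardened check.
// The origins, the `getSession` message type and SESSION are assumptions.

// Constructed allow-list of origins permitted to talk to the canvas app (assumed).
const TRUSTED_ORIGINS = ["https://canvas.example", "https://apps.example"];

// Vulnerable handler: `allowedOrigin` is read from per-app configuration and is
// null for apps that never declared one. The `allowedOrigin &&` guard means a
// null setting skips the comparison entirely, so any window, including an
// attacker's, can ask for the session token.
function handleMessageVulnerable(event, allowedOrigin, session) {
  if (allowedOrigin && event.origin !== allowedOrigin) {
    return { accepted: false, reason: "origin mismatch" };
  }
  if (event.data && event.data.type === "getSession") {
    return { accepted: true, token: session.token };
  }
  return { accepted: false, reason: "unknown message type" };
}

// Hardened handler: fail closed. A missing or non-string configured origin means
// nothing is trusted; the literal string "null" (what a sandboxed iframe, data:
// or file: document reports as its origin) is never trusted; the sender must be
// both the configured origin and on the allow-list; and the reply pins the
// target origin so a window that has navigated elsewhere cannot read the token.
function handleMessageHardened(event, allowedOrigin, session) {
  if (typeof allowedOrigin !== "string" || allowedOrigin === "null") {
    return { accepted: false, reason: "no trusted origin configured" };
  }
  if (typeof event.origin !== "string" || event.origin === "null") {
    return { accepted: false, reason: "opaque (null) sender origin" };
  }
  if (event.origin !== allowedOrigin || !TRUSTED_ORIGINS.includes(event.origin)) {
    return { accepted: false, reason: "origin mismatch" };
  }
  if (event.data && event.data.type === "getSession") {
    // In a browser this would be event.source.postMessage({ token }, event.origin);
    // returning the value keeps the example runnable outside a DOM.
    return { accepted: true, token: session.token, replyTargetOrigin: event.origin };
  }
  return { accepted: false, reason: "unknown message type" };
}

// Constructed MessageEvent-like objects and a dummy session for the demo.
const SESSION = { token: "sess-demo-token" };
const attackerEvent = { origin: "https://attacker.example", data: { type: "getSession" } };
const sandboxedEvent = { origin: "null", data: { type: "getSession" } };
const legitEvent = { origin: "https://canvas.example", data: { type: "getSession" } };

function demo() {
  return {
    // App with no configured origin: the vulnerable handler hands the token to anyone.
    vulnNullConfig: handleMessageVulnerable(attackerEvent, null, SESSION),
    hardNullConfig: handleMessageHardened(attackerEvent, null, SESSION),
    // A configured origin of "null" lets opaque-origin frames through the naive check.
    vulnNullString: handleMessageVulnerable(sandboxedEvent, "null", SESSION),
    hardNullString: handleMessageHardened(sandboxedEvent, "null", SESSION),
    // Correct configuration: the hardened handler still serves the legitimate window.
    hardLegit: handleMessageHardened(legitEvent, "https://canvas.example", SESSION),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical check when auditing such a handler: find every path on which the comparison is skipped (a falsy config value, a caught exception from `new URL(event.origin)`, an early `return` before the check) and confirm the string `"null"` is never treated as a trusted origin.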
Starts off with an exposed activity in the KAYAK app, ends up with session hijacking.
BBCode XSS chained with an admin panel SQL injection, with potential for code execution.
Service had a proxy. You would go through the OAuth flow to get access to Google data, then it had an endpoint that would proxy requests to the Google backend, adding the Authorization: header to them…
Fun little CSS injection turned full-read SSRF thanks to an (imo) overly powerful PDF generator.
Another type confusion spawned from the usage of unions. This bug occurred in the COM+ (Component Object Model) event system service's InMemoryRegRow::PutPropertyBag() method when handling PROPVARIANT objects (a generic container object that can hold integers or COM pointers)…
Multiple vulnerabilities were announced in Git; the most interesting to me, though, are the integer overflows in parsing .gitattributes, leading to out-of-bounds reads and writes.
Straightforward issue, but kinda fun as it impacts the network code in several first-party Nintendo games across multiple consoles (3DS, Wii U, Switch). The NetworkBuffer in the network library has two methods, Add and Set, which are used to fill the backing buffer with data from the network…
The last time we covered a “how to exploit a null-deref in the modern era” post we were…disappointed (and potentially attacked by North Korea, but that's another story); this one is legit. Rather than treating the null-deref itself as the core memory corruption, it abuses the kernel's handling of the null dereference, the resulting kernel oops, and the side effects of that oops to overflow a reference count.
Cool, yet simple finding from the Datadog security team: calls to an undocumented iamadmin service would not appear in CloudTrail logs, yet could reproduce the functionality of several standard IAM service methods.