The core issue is the use of MAP_FIXED flag with mmap.Basically pthread_allocate_stack for every thread it creates, starting its mapping a new STACK_SIZE memory segment to a fixed address (calculated relative to THREAD_STACK_START_ADDRESS and the number of threads already allocated)…
Great series of posts covering the authors research progress and eventual owning of a wireless scoreboard system.Unlike a lot of the attacks we cover, this had more of a hardware and even radio signal focus…
What happens when you tell a server to treat the Content-Length header as a hop-by-hop header and remove it? Request smuggling.
This seemed to mostly be an exercise in attack surface discovery, scanning the files used by Iconics they found support for gdfx files with support for embeded JavaScript, including the ability to load an ActiveX object and execute shell commands on the local machine. Despite this being an apparently surface level issue, it survived until Pwn2Own and through multiple other contestants (the author was 5th of 7 against the application) to net them a $20,000 bounty.
The Autofill Assistant has a chain of issues that could be abused for universal XSS in the context of an arbitrary website.
tl;dr Force others to pay you a fee for giving them a worthless token.
Eight vulnerabilities that were discovered by nccgroup in the UNISOC bootROM.One was in the second-stage recovery mode bootloader (FDL1), five were in the bootROM recovery mode, and two were in U-Boot…
A logic bug in the Linux kernel’s route4_change() function for route filters that lead to use-after-free (UAF).The problem has to do with how filters are added, particularly when a filter already existed on a handle and needs to be copied over to a new filter…
In responding to a static file request, the Crow HTTP framework would allocate a 16kb buffer and read the target file into it. It would then send the whole buffer to the client regardless of how many bytes were actually read.
A use-after-free vulnerability in the Crow HTTP Framework owing to the input reader being agnostic to HTTP Pipelining (sending more than one HTTP request without waiting for a response on the same connection) and asynchronous workers tracking state expecting one request per connection.
Cool research post introducing a few ModSecurity rule bypasses abusing different parser errors in the ModSecurity Code Rule Set.While those specific to ModSecurity are probably patched by now…
Three vulns that were discovered in Netlify’s Next.js lib, which is heavily used across many cryptocurrency sites due to it’s web3 support. With that context in mind, CIA (confidentiality, integrity, availability) is interesting with web3, as integrity is critical; the data coming from a trusted site needs to be trustworthy, as most users won’t go digging through the blockchain to verify a particular address or transaction matches.
The vulnerability as reported was closed as not a vulnerability, but it did uncover a bug in the Sanitizer API.
Two argument injections that were found in Bitbucket server, though only one of them was exploitable.The first was in the /rest/api/latest/projects/~USER/repos/repo1/browse endpoint, where an at parameter could be provided…
Just what can be accomplished when webhooks are allowed to access internal services, Cider Security takes a look specifically at abusing GitHub and GitLab webhooks to access internally hosted Jenkin instances.