SSH key injection in Google Cloud Compute Engine [Google VRP]
A cool bug that injects a new user with an attacker-controlled SSH key into a Compute Engine instance; the request that does this can be reached via a GET request with no anti-CSRF token.
Two vulnerabilities: the first is an insecurely exposed activity that allows other applications to automatically install any application from the Galaxy Store; the second is a filter bypass which can lead to navigating the CloudGame webview to an untrusted domain.
An IDOR-style issue allowing access to the data plane of an Azure Cognitive Search instance even if that instance was isolated from the internet.
Kind of a cool race condition, and sort of a differential attack, deep inside XNU's virtual memory system that allows bypassing "copy on write" and writing to the underlying page without making a copy.
A trivial out of bounds access in the iPod nano 3rd-5th generation's USB stack in the bootROM. The USB::HandlePendingSetup() handler for SETUP packets would accept a request and dispatch it to different sub-handlers based on the bmRequestType …
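An added illustration of the dispatch pattern the entry describes, written for this page; it is not the iPod bootROM code and does not reproduce the bug in the post. It parses the 8-byte USB SETUP packet, splits bmRequestType into its type and recipient fields, and dispatches to a sub-handler table only after range-checking the attacker-controlled index. The handler names, return codes and sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A USB SETUP packet is exactly 8 bytes; multi-byte fields are little-endian. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

/* bmRequestType: bit 7 = direction, bits 6:5 = type, bits 4:0 = recipient. */
#define USB_REQ_TYPE(bm)  (((bm) >> 5) & 0x3)  /* 0 standard, 1 class, 2 vendor, 3 reserved */
#define USB_REQ_RECIP(bm) ((bm) & 0x1f)        /* 0 device, 1 interface, 2 endpoint, 3 other */

enum { STALL = -1 };

typedef int (*setup_handler_t)(const usb_setup_t *s);

/* Stand-in sub-handlers (hypothetical); each just identifies itself. */
static int handle_standard(const usb_setup_t *s) { (void)s; return 1; }
static int handle_class(const usb_setup_t *s)    { (void)s; return 2; }
static int handle_vendor(const usb_setup_t *s)   { (void)s; return 3; }

/* Sub-handler table indexed by the 2-bit type field. Only three of the four
 * encodings are defined; a host can still send the fourth. */
static const setup_handler_t type_handlers[] = {
    handle_standard, handle_class, handle_vendor,
};
#define NUM_TYPE_HANDLERS (sizeof(type_handlers) / sizeof(type_handlers[0]))

/* Decode the raw bytes of a SETUP packet. */
static int usb_parse_setup(const uint8_t *raw, size_t len, usb_setup_t *out)
{
    if (len != 8) return -1;
    out->bmRequestType = raw[0];
    out->bRequest      = raw[1];
    out->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    out->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    out->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return 0;
}

/* Every byte of the packet is host-controlled, so any field that becomes a
 * table index is checked against the table size before the lookup. Returns
 * the sub-handler's result, or STALL for malformed or out-of-range requests. */
static int usb_dispatch_setup(const uint8_t *raw, size_t len)
{
    usb_setup_t s;
    if (usb_parse_setup(raw, len, &s) != 0) return STALL;

    unsigned type = USB_REQ_TYPE(s.bmRequestType);
    if (type >= NUM_TYPE_HANDLERS) return STALL;          /* reserved type 3 */
    if (USB_REQ_RECIP(s.bmRequestType) > 3) return STALL; /* recipients 4..31 are reserved */

    return type_handlers[type](&s);
}

/* Constructed sample packets (not captured from a device). */
static const uint8_t pkt_get_descriptor[8] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00};
static const uint8_t pkt_class_set_idle[8] = {0x21, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t pkt_vendor[8]         = {0x40, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t pkt_reserved_type[8]  = {0x60, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t pkt_bad_recipient[8]  = {0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

int main(void)
{
    printf("GET_DESCRIPTOR  -> %d\n", usb_dispatch_setup(pkt_get_descriptor, 8));
    printf("class SET_IDLE  -> %d\n", usb_dispatch_setup(pkt_class_set_idle, 8));
    printf("reserved type   -> %d\n", usb_dispatch_setup(pkt_reserved_type, 8));
    printf("bad recipient   -> %d\n", usb_dispatch_setup(pkt_bad_recipient, 8));
    return 0;
}
```

The two `if` checks before the table lookup are the whole point: with a handler table sized by the defined encodings, a raw index taken from bmRequestType walks off the end for the undefined ones, which is the shape of "trivial" out of bounds access in a bootROM USB stack.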
Some funny vulns in an undisclosed forum's "teams" feature where users could create their own teams and request to join others as different roles. Users could request to join a team as any non-admin role, and a team admin could accept the request…
tl;dr: Android Parcels have their own memory pool rather than being freed all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel, creates a "use-after-free"-like situation.
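A conceptual model of that failure mode, added here as an example; it is a toy C pool, not Android's Parcel implementation, and the names, sizes and strings are invented. A reference taken to one parcel survives the parcel being recycled; the pool hands the same slot out again, so reading through the stale reference returns the new owner's bytes. The generation counter shows the usual fix: a reference records the generation it was issued for and is rejected once the slot has been reissued.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define PARCEL_CAP 32

typedef struct {
    uint32_t generation;        /* bumped every time the slot is handed out */
    int      in_use;
    size_t   len;
    uint8_t  data[PARCEL_CAP];
} parcel_t;

static parcel_t pool[POOL_SLOTS];

/* obtain(): hand out the first free slot. A recycled slot comes back with
 * its old bytes still in place, as a pool does and a fresh allocation would not. */
static parcel_t *parcel_obtain(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].generation++;
            pool[i].len = 0;
            return &pool[i];
        }
    }
    return NULL;
}

/* recycle(): mark the slot free. Nothing goes back to the allocator, so any
 * raw pointer someone still holds keeps pointing at live, reusable memory. */
static void parcel_recycle(parcel_t *p) { p->in_use = 0; }

static void parcel_write(parcel_t *p, const char *s)
{
    size_t n = strlen(s);
    if (n > PARCEL_CAP) n = PARCEL_CAP;
    memcpy(p->data, s, n);
    p->len = n;
}

/* A reference that remembers the generation it was issued for. Validating it
 * before use catches the case where the slot was recycled and reissued. */
typedef struct { parcel_t *p; uint32_t generation; } parcel_ref_t;

static parcel_ref_t parcel_ref(parcel_t *p)
{
    parcel_ref_t r = { p, p->generation };
    return r;
}

static int parcel_ref_is_stale(parcel_ref_t r)
{
    return r.p->generation != r.generation;
}

typedef struct { int same_slot; int stale_reads_new_owner; int detected; } reuse_result_t;

/* Scenario: a reference to parcel A outlives A's recycle; the slot is obtained
 * again as B and refilled. A's holder, reading through the stale raw pointer,
 * now sees B's contents: the "use-after-free"-like confusion. */
static reuse_result_t demo_pool_reuse(void)
{
    reuse_result_t res = {0, 0, 0};

    parcel_t *a = parcel_obtain();
    parcel_write(a, "old-secret");
    parcel_ref_t stale = parcel_ref(a);   /* kept past A's lifetime */

    parcel_recycle(a);
    parcel_t *b = parcel_obtain();        /* the pool hands the same slot back */
    parcel_write(b, "new-data");

    res.same_slot = (a == b);
    res.stale_reads_new_owner =
        (stale.p->len == 8 && memcmp(stale.p->data, "new-data", 8) == 0);
    res.detected = parcel_ref_is_stale(stale);   /* generation mismatch */

    parcel_recycle(b);                    /* leave the pool as we found it */
    return res;
}

int main(void)
{
    reuse_result_t r = demo_pool_reuse();
    printf("same slot: %d, stale read sees new owner: %d, detected: %d\n",
           r.same_slot, r.stale_reads_new_owner, r.detected);
    return 0;
}
```

Because the slot is never returned to the allocator, no sanitizer or allocator hardening sees a freed object here; only a check the pool itself performs (the generation compare, or clearing the slot on recycle) stands between the stale holder and the new owner's data.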
A post by Project Zero on a vuln in a new library used for DER entitlements. Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has…
A fairly complex exploit of a use-after-free in netfilter. The vuln is detailed more in other posts linked off by Exodus, but effectively the bug is a lifetime issue with netfilter sets that don't have the NFT_EXPR_STATEFUL flag set but contain a reference to another set (such as lookup and dynset expressions)…
An out-of-bounds read/write in FreeBSD's bhyve hypervisor. The vulnerability here is in the E82545 gigabit ethernet controller's emulator, specifically e82545_transmit() …