Hunting for ~~Un~~authenticated n-days in Asus Routers
Format string bugs, you’d think we’d be done with them by now, but Shielder here documents one in ASUS routers.
Qualys at it again, this time with a skipped initialization code path leading to a small allocation and a buffer overflow deep in glibc’s syslog.
It’s long been a classic to abuse accidentally exposed file descriptors through /proc/self/fd to break out of sandboxes, so it’s kinda fun to see a similar sort of bug impacting Docker, enabling a container break-out either at run-time or during build time.
Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.
The issue itself is fairly easy to describe: Meta found that of 14 reputable brands, seven had releases where one or more preinstalled APEX modules (privileged OS code) were signed using only the test keys that are publicly available in the Android Open Source Project (AOSP) repository.
This is a great crypto issue that I think anyone could hunt for; it has to do with seeding of random number generators. Generally speaking, in many systems if you know the seed you can break/predict the values that will come from the random number generator…
Deep within Buildkit there is access to the privileged GRPC API that could be abused to break out of a container during build-time.
Though perhaps an accidental find by Abhi Sharma, it is a great one nonetheless: a race condition leading to the bypass of an MFA check.
A logical issue that allows bypassing Hypervisor Code Integrity (HVCI) on certain Intel-based machines. HVCI is a Virtualization-Based Security (VBS) mitigation that protects kernel code pages from being made writable, as well as preventing new read/write/execute (RWX) mappings from being created by a compromised guest kernel…
A very interesting bug that impacts most common Linux-based distros (Ubuntu, Arch, Fedora) with linux >= v5.18 that severely hinders Address Space Layout Randomization (ASLR) on 64-bit binaries and completely negates it on 32-bit binaries. The root cause is fairly simple: in 5.18, a change was made in the thp_get_unmapped_area() function used by common filesystem drivers (ext4, ext2, btrfs, xfs, fuse) for mapping file-backed memory…
Two core issues here: first is an auth bypass due to incorrect parsing, and the second is a pretty straightforward command injection in an authenticated feature. There is also a bit of a bonus issue in how they gained access to the source code.
This is a take on a somewhat classic Host-header injection attack strategy, using a homograph attack to bypass the attempt to prevent such an attack.
Disclosure of private report titles on HackerOne if there is a pending email invitation for collaboration (made through the Manage Collaborators invitation panel). Once an invite has been made, any anonymous user can query that report’s title by id on the GraphQL API.
I had to go commit surfing to try and figure this out as there is no write-up, but looking at the fix commit, what I found is a bit of an interesting logic mistake.
A timing side-channel vulnerability in darkhttpd’s implementation of HTTP-based authentication. Since the auth check is done by a strcmp() call which iterates and compares each character of the string, by observing the amount of time taken in the auth check, each character can be side-channeled to brute-force the HTTP password…