Vulnerabilities (Page 2)

Git Arbitrary Configuration Injection [CVE-2023-29007]

A logic bug in the parsing of the `.git/config` file, which could be triggered via git submodules. The relevant function for the vulnerability here is git_config_copy_or_rename_section_in_file(), which would remove or rename configuration sections in-place in the config file…


Shell in the Ghost: Ghostscript CVE-2023-28879 writeup

A pretty classic string escaping bug in Ghostscript. One common and buggy edge case when escaping characters in a buffer is failing to properly account for escapes that happen at the very limit of the destination buffer. That was the case here: despite checking on every iteration that the limit of the buffer had not been reached, when a character was found that should be escaped, it would write to the destination buffer twice, first with the escape character (0x01) and then again with an XOR'd version of the character to be escaped…


CVE-2022-32917: AppleSPU out of bounds write

A pretty straightforward out-of-bounds write (OOB write) in the Apple SPU kernel extension, which is used for managing drivers on macOS and iOS. The problem lies in the opcode handler for ALLOCATE_BUFFER messages sent to SPU via an IOUserClient…


From listKeys to Glory: Abusing Azure Storage Account Keys

Orca Security presents a privilege escalation method in Azure environments. It's nothing too crazy, but at least worth taking note of. The first concept to understand is Azure Storage Account keys: when you first create a storage account, by default Azure generates a couple of 512-bit storage account access keys that can be used to access the account…


Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2

Multiple symlink-style issues in the WindowsContainerController and HyperVController controllers in the Docker Desktop for Windows daemon (dockerd). When looking at the WindowsContainerController, they noted the start() and stop() methods as potentially interesting, as they would take start and stop request objects that were attacker-controlled input and contained a DaemonJSON string pointing to the path of Docker's configuration file.