Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A post by NCC Group which covers an older vulnerability in NXP i.MX High Assurance Boot (HAB). A bit of background is helpful for understanding the bug and its impact.
When a docx parser encounters an end element, it assumes the pointer to the start element is already available and attempts to operate on it, leading to an out-of-bounds access immediately before the buffer.
Multiple static functions in InetAddress, like getByName and getAllByName, can be used both to resolve a name string to an IP address and to validate the format of an address. The problem is that the OpenJDK implementation does not properly validate the format of an IP address string…
The title says pretty much all that you need to know: the got HTTP request library for Node will follow redirects to a Unix socket. So an attacker who can invoke a request (SSRF) to a server they control could redirect that request back towards a Unix socket on the local machine…
This vulnerability builds on, and is complicated by, two past issues. The first is an RCE via caching of remote font files, which we discussed on Episode 129…
The core issue is the use of the MAP_FIXED flag with mmap. Basically, for every thread it creates, pthread_allocate_stack maps a new STACK_SIZE memory segment at a fixed address (calculated relative to THREAD_STACK_START_ADDRESS and the number of threads already allocated)…
Great series of posts covering the author's research progress and eventual owning of a wireless scoreboard system. Unlike a lot of the attacks we cover, this had more of a hardware and even radio signal focus…
What happens when you tell a server to treat the Content-Length header as a hop-by-hop header and remove it? Request smuggling.
This seemed to mostly be an exercise in attack surface discovery: scanning the files used by Iconics, they found support for gdfx files with support for embedded JavaScript, including the ability to load an ActiveX object and execute shell commands on the local machine. Despite this being an apparently surface-level issue, it survived until Pwn2Own and through multiple other contestants (the author was 5th of 7 against the application) to net them a $20,000 bounty.
The Autofill Assistant has a chain of issues that could be abused for universal XSS in the context of an arbitrary website.