Linux kernel: erroneous error handling after fd_install()
There is a bit of a race condition in some areas of kernel code: once fd_install() has published a file descriptor to userspace, userspace can close it, yet some error-handling paths still act on the file afterwards, so a file that has been closed by userspace is still accessed by the kernel.
Exactly as the title puts it, cross-site scripting through content injected from the X-Forwarded-Host header. It's interesting that this one was paid out, as without some other issue like cache poisoning it would, as far as I am aware, be impossible to exploit, since you cannot control the headers of a random user's requests.
An inability to decode a particular character in a user's post, leading to an HTTP 500 response.
Just send an email pretending to be part of another report and the system will make you part of it. It's really that simple: sending an email from the address associated with your Researcher portal account with the subject VULN-<report number> will get that email added to the report and you copied on future updates…
Little Snitch might block connections to some IPs, but only if they send data. Just opening the connection but not sending data is a fun way to get around the blacklist, and while significantly slower, one can still exfiltrate information using only a data-less connection.
This is almost an intended feature: if an attacker can craft their own State cookie, they can trick the StateFilter into reading the forwardPath and forwarding their request directly to another servlet. The interesting side-effect is that this server-side forward bypasses any other filters left in the chain and goes straight to the other servlet.
Two vulnerabilities in Zoom: a buffer overflow that affected both Multi-Media Router (MMR) servers and the client, and an info leak that only affected MMR servers. Both issues were found in various load_from() methods of the serialization classes used for Real-time Transport Protocol (RTP) audio/video content.
Use-after-free in the ipc_port subsystem of XNU, specifically in the ipc_port_copy_send() function. This function makes a copy of a send right for an IPC port, and attempts to account for a number of edge cases in the state of the port…
Kernel bug in KCodes' NetUSB kernel module, which is used by various network device vendors in routers and the like. The vulnerability is in the dispatchNormalEPMsgOut() handler for an unlabelled command, 0x805f…
Integer underflow in fs_context.c's legacy_parse_param() function, which was introduced in v5.1. When bounds-checking the length of the provided option, it is compared against (system page size - 2 - context data size); all of these are unsigned, so once the accumulated data size exceeds page size - 2 the subtraction wraps to a huge value and the check passes for any length…
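The wrap described above, as an added example that is not the kernel's code: a user-space model of the bounds check in the shape the summary gives (length compared against page size - 2 - data size), next to a hardened form that keeps all arithmetic on the side that only adds. The page size, the option lengths and the chunk layout (",key=value" plus a NUL, so each accepted option occupies len + 2 bytes and advances the data size by len + 1) are assumptions for the demo; nothing is actually written to memory, so the vulnerable path is safe to run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Size of the single page holding the accumulated legacy options (assumed 4 KiB). */
#define LEGACY_PAGE_SIZE 4096u

/* Check in the shape described above: len is compared against
 * (page size - 2 - data_size). Everything is unsigned, so once data_size
 * exceeds page size - 2 the right-hand side wraps to a huge value and
 * every len is accepted. */
static bool check_vulnerable(size_t data_size, size_t len)
{
    return len <= LEGACY_PAGE_SIZE - 2 - data_size;
}

/* Hardened check: put the terms on the side that only adds, and reject
 * oversized operands first so the addition itself cannot wrap either. */
static bool check_fixed(size_t data_size, size_t len)
{
    if (len > LEGACY_PAGE_SIZE || data_size > LEGACY_PAGE_SIZE)
        return false;
    return data_size + len + 2 <= LEGACY_PAGE_SIZE;
}

/* Simulates appending ",key=value" chunks plus a terminating NUL to the page,
 * with len = strlen(key) + 1 + strlen(value) (assumed layout). An accepted
 * chunk ends at data_size + len + 2 and advances data_size by len + 1 (the
 * NUL is overwritten by the next chunk's comma). Returns how many bytes the
 * last accepted chunk would have written past the end of the page; 0 means
 * the page was never overrun. No memory is written. */
static size_t simulate_overrun(bool (*check)(size_t, size_t),
                               const size_t *lens, size_t n)
{
    size_t data_size = 0;
    size_t overrun = 0;

    for (size_t i = 0; i < n; i++) {
        size_t len = lens[i];
        if (!check(data_size, len))
            continue;                           /* option rejected, nothing written */
        size_t end = data_size + len + 2;       /* one past the terminating NUL */
        if (end > LEGACY_PAGE_SIZE)
            overrun = end - LEGACY_PAGE_SIZE;   /* a real memcpy would corrupt the neighbour */
        data_size += len + 1;
    }
    return overrun;
}

/* Constructed input: the first option is the largest one the check allows on
 * an empty page and leaves data_size at page size - 1; the second option is
 * then bounds-checked against a wrapped value. */
static const size_t g_lens[] = { LEGACY_PAGE_SIZE - 2, 100 };

size_t demo_vulnerable(void)
{
    return simulate_overrun(check_vulnerable, g_lens, 2);   /* 101 bytes past the page */
}

size_t demo_fixed(void)
{
    return simulate_overrun(check_fixed, g_lens, 2);        /* 0: second option rejected */
}

bool vulnerable_check_accepts(size_t data_size, size_t len)
{
    return check_vulnerable(data_size, len);
}

bool fixed_check_accepts(size_t data_size, size_t len)
{
    return check_fixed(data_size, len);
}

int main(void)
{
    printf("vulnerable check: %zu bytes written past the page\n", demo_vulnerable());
    printf("fixed check:      %zu bytes written past the page\n", demo_fixed());
    return 0;
}
```

The first option is perfectly legal under both checks; it is the state it leaves behind (a nearly full page) that turns the subtraction into a wrap on the next call. When auditing similar checks, look for any unsigned subtraction whose operands are attacker-influenced or accumulate across calls, and rewrite it as an addition compared against the limit.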
The issue here is relatively simple despite the technical depth the authors go into on the crypto and how it's used. AES-128 keys are used to encrypt challenge codes for the authentication flow between NFC tags and the alarm system, but the way these keys are generated is naive and insecure…
While the hostname was being validated, injecting an @ into the path argument was sufficient to mislead the final URL parser, and the code actually making the HTTP request, into going to an unapproved domain: the parser treats what follows the @ as the host and everything before it as credentials.
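The parsing rule that makes this work, as an added example rather than code from the affected project: a small RFC 3986-style host extractor (authority ends at the first '/', '?' or '#'; the last '@' inside it separates userinfo from host), an assumed shape of the vulnerable builder that validates the host and then appends the path verbatim, and a hardened builder that re-parses the final URL and insists the host is still the one that was validated. The allow-list, the "https://%s%s" construction and the attacker path are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pull the host out of an absolute URL the way an RFC 3986 parser does:
 * the authority runs from after "://" up to the first '/', '?' or '#';
 * inside it, everything before the LAST '@' is userinfo, and the host
 * ends at the ':' that introduces a port (unless it is a bracketed IPv6
 * literal). Returns false if there is no scheme or the host does not fit. */
static bool url_host(const char *url, char *out, size_t outlen)
{
    const char *a = strstr(url, "://");
    if (!a)
        return false;
    a += 3;
    size_t alen = strcspn(a, "/?#");
    const char *host = a;
    size_t hlen = alen;

    for (size_t i = alen; i > 0; i--) {        /* last '@' within the authority */
        if (a[i - 1] == '@') {
            host = a + i;
            hlen = alen - i;
            break;
        }
    }
    if (hlen > 0 && host[0] == '[') {          /* IPv6 literal: keep through ']' */
        const char *close = memchr(host, ']', hlen);
        if (close)
            hlen = (size_t)(close - host) + 1;
    } else {
        for (size_t i = 0; i < hlen; i++) {    /* strip :port */
            if (host[i] == ':') {
                hlen = i;
                break;
            }
        }
    }
    if (hlen + 1 > outlen)
        return false;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return true;
}

/* Constructed allow-list standing in for whatever hostname validation the
 * original code performed. */
static bool host_allowed(const char *host)
{
    static const char *const allowed[] = { "api.example.com", "cdn.example.com" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(host, allowed[i]) == 0)
            return true;
    return false;
}

/* Assumed shape of the vulnerable builder: the host is validated, the path
 * is appended verbatim. A path of "@evil.example/..." turns the validated
 * host into userinfo and evil.example into the host. */
bool build_url_vulnerable(const char *host, const char *path, char *out, size_t outlen)
{
    if (!host_allowed(host))
        return false;
    return snprintf(out, outlen, "https://%s%s", host, path) < (int)outlen;
}

/* Hardened: require an absolute path so it can never join the authority,
 * then re-parse the final string and check the host is still the validated
 * one. Validate the URL you will actually request, not its parts. */
bool build_url_fixed(const char *host, const char *path, char *out, size_t outlen)
{
    char parsed[256];

    if (!host_allowed(host) || path[0] != '/')
        return false;
    if (snprintf(out, outlen, "https://%s%s", host, path) >= (int)outlen)
        return false;
    return url_host(out, parsed, sizeof parsed) && strcmp(parsed, host) == 0;
}

/* True if url parses and its host equals expected. */
bool host_equals(const char *url, const char *expected)
{
    char host[256];
    return url_host(url, host, sizeof host) && strcmp(host, expected) == 0;
}

/* Builds the attacker's request with each builder and returns whether the
 * request would leave the allow-listed host. */
bool vulnerable_builder_escapes(void)
{
    char url[256];
    return build_url_vulnerable("api.example.com", "@evil.example/steal", url, sizeof url)
        && host_equals(url, "evil.example");
}

bool fixed_builder_escapes(void)
{
    char url[256];
    return build_url_fixed("api.example.com", "@evil.example/steal", url, sizeof url)
        && !host_equals(url, "api.example.com");
}

int main(void)
{
    printf("vulnerable builder reaches evil.example: %s\n", vulnerable_builder_escapes() ? "yes" : "no");
    printf("fixed builder reaches evil.example:      %s\n", fixed_builder_escapes() ? "yes" : "no");
    return 0;
}
```

Note that an '@' later in the path is harmless once the path begins with '/', because the authority has already ended; the bug needs the attacker text to land inside the authority. The re-parse in build_url_fixed is the check that survives whatever the next URL-joining refactor does.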
The gist of this is that an attacker can use their own Time-based One-Time Password (TOTP) code on another user's account.
Combination of a local file inclusion bug and a file write bug. Firstly, the user/loader.php and /user/index.php pages had some interesting code that would take a scripts GET parameter to construct an include path in PHP…
The initial vulnerability here is an unbounded sscanf into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world…
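Both halves of the point above, as an added example that is not the affected project's code: the vulnerable and the width-bounded sscanf side by side, plus a small audit routine that counts the scanf-family conversions in a format string that read an unbounded string into caller memory (the "check the format strings" discovery approach). The record layout, the 16-byte name buffer and the sample lines are constructed for the demo.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed-size name sits on the stack of the caller. */
struct record {
    char name[16];
    int  id;
};

/* Vulnerable shape: "%s" has no field width, so a name longer than 15 bytes
 * runs off the end of name[16] into whatever sits next to it on the stack. */
int parse_record_vulnerable(const char *line, struct record *r)
{
    return sscanf(line, "%s %d", r->name, &r->id);
}

/* Hardened: the width is sizeof(name) - 1, leaving room for the NUL. The
 * width has to be a literal in the format string, so keep it next to the
 * array size where a reviewer notices if one changes without the other. */
#define NAME_WIDTH "15"
int parse_record_fixed(const char *line, struct record *r)
{
    return sscanf(line, "%" NAME_WIDTH "s %d", r->name, &r->id);
}

/* Audit helper: counts conversions in fmt that read an unbounded string into
 * caller memory, i.e. %s or %[...] with no field width, not suppressed with
 * '*' and not using glibc's allocating 'm' modifier. */
int unbounded_string_reads(const char *fmt)
{
    int n = 0;
    const char *p = fmt;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                    /* literal percent */
            p++;
            continue;
        }
        bool suppressed = false, has_width = false, allocates = false;
        if (*p == '*') { suppressed = true; p++; }
        while (isdigit((unsigned char)*p)) { has_width = true; p++; }
        if (*p == 'm') { allocates = true; p++; }
        while (*p && strchr("hlLjzt", *p))   /* length modifiers */
            p++;
        if (*p == '\0')
            break;
        if (*p == 's' || *p == '[') {
            if (!suppressed && !has_width && !allocates)
                n++;
            if (*p == '[') {                /* skip the scanset so ']' or '%' inside it is not reparsed */
                p++;
                if (*p == '^') p++;
                if (*p == ']') p++;
                while (*p && *p != ']') p++;
                if (!*p) break;
            }
        }
        p++;
    }
    return n;
}

/* Number of fields the fixed parser fills for line. */
int fixed_parse_fields(const char *line)
{
    struct record r = { "", 0 };
    return parse_record_fixed(line, &r);
}

/* Length of the name the fixed parser stores for line. */
size_t fixed_name_len(const char *line)
{
    struct record r = { "", 0 };
    parse_record_fixed(line, &r);
    return strlen(r.name);
}

int main(void)
{
    /* Constructed input: a name longer than the buffer. */
    const char *line = "averyveryverylongname 7";
    printf("fields parsed: %d, stored name length: %zu\n",
           fixed_parse_fields(line), fixed_name_len(line));
    printf("unbounded reads in \"%%s %%d\": %d\n", unbounded_string_reads("%s %d"));
    return 0;
}
```

The width fixes the overflow but not the semantics: on the long line "%15s" stops after 15 bytes, the rest of the token stays in the input, and the following "%d" fails, so the fixed parser returns 1 rather than 2. Callers must check the return value, or treat a full-width name as an error, instead of assuming truncation is harmless.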