This is a great crypto issue that I think anyone could hunt for; it has to do with the seeding of random number generators. Generally speaking, in many systems, if you know the seed you can break or predict the values that will come from the random number generator…
Deep within BuildKit there is access to the privileged gRPC API that could be abused to break out of a container during build time.
Though perhaps an accidental find by Abhi Sharma, it is a great one nonetheless: a race condition leading to the bypass of an MFA check.
A logical issue that allows bypassing Hypervisor Code Integrity (HVCI) on certain Intel-based machines. HVCI is a Virtualization-Based Security (VBS) mitigation that protects kernel code pages from being made writable, as well as preventing new read/write/execute (RWX) mappings from being created by a compromised guest kernel…
A very interesting bug that impacts most common Linux-based distros (Ubuntu, Arch, Fedora) with Linux >= v5.18 and that severely hinders Address Space Layout Randomization (ASLR) on 64-bit binaries and completely negates it on 32-bit binaries. The root cause is fairly simple: in 5.18, a change was made in the thp_get_unmapped() function used by common filesystem drivers (ext4, ext2, btrfs, xfs, fuse) for mapping file-backed memory…
Two core issues here: the first is an auth bypass due to incorrect parsing, and the second is a pretty straightforward command injection in an authenticated feature. There is also a bit of a bonus issue in how they gained access to the source code.
This is a take on a somewhat classic Host-header injection attack strategy, using a homograph attack to bypass the attempt to prevent such an attack.
Disclosure of private report titles on HackerOne if there is a pending email invitation for collaboration (made through the Manage Collaborators invitation panel). Once an invite has been made, any anonymous user can query that report's title by id on the GraphQL API.
I had to go commit surfing to try and figure this one out, as there is no write-up, but looking at the fix commit, what I found is a bit of an interesting logic mistake.
A timing side-channel vulnerability in darkhttpd's implementation of HTTP-based authentication. Since the auth check is done by a strcmp() call, which iterates over and compares each character of the string, by observing the amount of time taken by the auth check each character can be side-channeled to brute-force the HTTP password…