Vulnerabilities (Page 3)

Hunting down the HVCI bug in UEFI

A logical issue that allows bypassing Hypervisor Code Integrity (HVCI) on certain Intel-based machines. HVCI is a Virtualization-Based Security (VBS) mitigation that protects kernel code pages from being made writable, as well as preventing new read/write/execute (RWX) mappings from being created by a compromised guest kernel…


ASLRn’t: How memory alignment broke library ASLR

A very interesting bug that impacts most common Linux distros (Ubuntu, Arch, Fedora) running Linux >= v5.18. It severely weakens Address Space Layout Randomization (ASLR) for 64-bit binaries and completely negates it for 32-bit binaries. The root cause is fairly simple: in 5.18, a change was made to the thp_get_unmapped_area() function used by common filesystem drivers (ext4, ext2, btrfs, xfs, fuse) for mapping file-backed memory…


Ivanti's Pulse Connect Secure Auth Bypass and RCE

Two core issues here: the first is an auth bypass due to incorrect parsing, and the second is a pretty straightforward command injection in an authenticated feature. There is also a bonus issue in how they gained access to the source code.


[darkhttpd] timing attack and local leak of HTTP basic auth credentials

A timing side-channel vulnerability in darkhttpd's implementation of HTTP basic authentication. Since the auth check is done with a strcmp() call, which compares the two strings byte by byte and returns at the first mismatch, the time taken by the check reveals how many leading characters of the guess were correct, so the password can be brute-forced one character at a time…
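The mechanism behind that timing leak, shown as an added example (this is not darkhttpd's code and does not reproduce its request handling): a strcmp()-style check beside a constant-time replacement. The instrumented naive_compare_steps() counts how many byte comparisons happen before the early exit, which is the quantity an attacker measures as elapsed time; the password "secret" and the guesses are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable form, modelled on the strcmp()-based check the write-up describes.
 * strcmp() returns at the first differing byte, so the time spent grows with
 * the length of the correct prefix the attacker has already guessed. */
bool auth_check_vulnerable(const char *expected, const char *supplied)
{
    return strcmp(expected, supplied) == 0;
}

/* Instrumented mirror of strcmp()'s loop: returns how many byte comparisons
 * are made before it bails out. The count stands in for wall-clock time. */
size_t naive_compare_steps(const char *a, const char *b)
{
    size_t steps = 0;
    for (;;) {
        steps++;
        if (*a != *b || *a == '\0')
            return steps;
        a++;
        b++;
    }
}

/* Hardened form: always walks the full length of the expected secret and
 * folds every byte difference into an accumulator, so the work done does not
 * depend on where the first mismatch sits. A length mismatch is folded in
 * too instead of being short-circuited. (Caveat: strlen(expected) still
 * reveals the secret's length; that is accepted here, as it is in most
 * constant-time comparisons.) */
bool auth_check_constant_time(const char *expected, const char *supplied)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);
    volatile unsigned char diff = (unsigned char)(elen != slen);

    for (size_t i = 0; i < elen; i++) {
        /* Index supplied modulo its own length so we never read past its
         * end yet still perform exactly elen iterations for any input. */
        unsigned char s = slen ? (unsigned char)supplied[i % slen] : 0;
        diff |= (unsigned char)expected[i] ^ s;
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample inputs: a fixed password and three guesses that
     * share progressively longer correct prefixes. */
    const char *password = "secret";
    const char *guesses[] = { "sXXXXX", "secrXX", "secret" };

    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("guess %-8s strcmp-style steps=%zu  vuln=%d  const-time=%d\n",
               guesses[i],
               naive_compare_steps(password, guesses[i]),
               auth_check_vulnerable(password, guesses[i]),
               auth_check_constant_time(password, guesses[i]));
    }
    return 0;
}
```

The step counts (2, 5, 7 for the three guesses) are what an attacker recovers by timing the response: each extra correct leading character adds one comparison, so the password falls in roughly 95 attempts per position instead of 95^n overall. The hardened check does the same amount of work for all three guesses.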