1 Program, 4 Business Logic Bugs and Cashing in 2300$.
Four issues, two are race conditions, two are due to lack of authorization checks on the API and only enforced on the front-end.
Four issues, two are race conditions, two are due to lack of authorization checks on the API and only enforced on the front-end.
The vulnerability in the __io_uaddr_map() function of the Linux kernel involves the incorrect handling of multi-page regions imported from userspace.This function is intended to map a physically contiguous region of memory from userspace into the kernel’s linear mapping area…
The key vulnerability discovered is a relative heap out-of-bounds write in the parsing of MDL files within CS:GO.
A fun but simple buffer overflow in Factorio.When loading save files, the game will load a PropertyTree from the file…
A secure boot bypass in Chromecast with the Google TV (CCwGTV)’s 1080p revision. This bypass sort of involves two issues, a hardware fault injection and a software logical bug, and this is due to mitigations and efforts Google has made since the exploit chain that was released against the 4K model previously.
A somewhat odd vulnerability in Adobe Coldfusion, where it would take an attacker controllable classname parameter and use it to compile Coldfusion code on the fly to render in the response.If the classname didn’t match a valid Coldfusion Class, it would treat the it as a path to a Coldfusion template…
Dynamic typing strikes again! Once again some fun stuff can happen when passing in an array where a string is expected.
Authentication Bypass in Apache’s OFBiz by including a the GET param requirePasswordChange=Y using this will simply bypass the need to authenticate due to some mishandling of errors.
An integer underflow in GPSd (GPS daemon) in the parsing of Network Transport of RTCM via IP (NTRIP) packets.When parsing the HTTP response that contains the table of records for getting GPS data, they parse line-by-line until a carriage return (\r\n) or null byte is encountered…
This is actually a follow-up in a sense to the WebP 0day post we covered on Episode 218. So I won’t rehash how the vulnerability works, instead these two posts dive more onto the exploitation side of things.
Client-side traversals as a cool attack class I overlooked for quite awhile.The idea with these is that often an application might take some identifier from the user, and then use it in a further request for other data…
Take the idea of HTTP request smuggling, and apply it to SMTP and you’ve got an idea of what is going on with this awesome research out of Sec-Consult.com.
Pretty simple issue, KeyCloak supported the DuoUniversalKeycloackAuthenticator plugin to add support for Duo multi-factor authentication to KeyCloak.To do so, on a successful authentication with KeyCloak the plugin would initiate a redirect to the configured Duo endpoint…
A series of issues in the Sonos Era 100 speaker that was exploited for pwn2own by nccgroup.During some initial recon on the speaker, they discovered breakout pads for serial/UART, as well as pins for Embedded MultiMedia Card (EMMC) communication, which allowed them access to the flash which stored firmware…
Multiple vulns detailed in ExtremeXOS, the operating system used for Extreme Networks managed switches.The bulk of the issues stem from the Chalet application, which is the main web app using the CherryPy framework in python that runs as root…