Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear; I have seen something previously where it was a “feature” because the developers thought it was crashing at that point, so they disabled it to let the user continue to use the application…
Hard-coded credentials strike again, enabling a couple of Server Side Request Forgeries, as the URL to be requested was inside an encrypted, but user-provided, URL parameter. Within the application there were a couple of endpoints that would take a Url parameter…
Container escape within GitLab CI Runners abusing cgroup’s release_agent functionality, as CI jobs are allowed to mount file-systems. The release_agent is a script that will be executed when a cgroup hierarchy becomes empty…
Probably as easy of a 2FA bypass as I’ve seen: effectively, if the account had 2FA, the second stage of the password reset form would submit to /reset2fa, and if there was no 2FA registered for the account it would submit to /reset, so the attack was just to modify the submission to point to /reset instead of /reset2fa and it wouldn’t prompt for the 2FA token.
With FUSE (Filesystem in USErspace) there are two modes of IO: either the normal kernel page cache can be used for handling read/write attempts, or, using FOPEN_DIRECT_IO in the open call, the read/write requests can be sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode, and map those pages over to the FUSE process…
Java’s implementation of ECDSA signature validation deviated from the algorithm in two distinct ways that could allow any attacker to craft a valid signature for any key.
For some UIBean tags the name field was vulnerable to a double OGNL evaluation when there was no corresponding value field, which could lead to remote code execution.
Another case of different normalization routines resulting in smuggling a request to an endpoint blocked by a reverse proxy.
BlueZ would identify Bluetooth controllers based purely on their self-reported BD_ADDR (the Bluetooth version of a MAC address). A malicious device could identify with an existing BD_ADDR and obtain the link key for that device.
AWS provided a hot-patching service that would patch Java binaries against the Log4Shell vulnerability but that introduced a container escape.