Vulnerabilities (Page 32)

[Nextcloud] Bypass the protection lock in Android app

Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear; I have seen something previously where it was a “feature” because the developers thought it was crashing at that point, so disabled it to let the user continue to use the application…


Container escape on public GitLab CI Runners

Container escape within GitLab CI Runners abusing cgroup’s release_agent functionality, as CI jobs are allowed to mount file-systems. The release_agent is a script that will be executed when a cgroup hierarchy becomes empty…


2FA Bypass by Forcing Use of the non-2FA Endpoint

Probably as easy of a 2FA bypass as I’ve seen: effectively, if the account had 2FA, the second stage of the password reset form would submit to /reset2fa, and if there was no 2FA registered for the account, it would submit to /reset. So the attack was just to modify the submission to point to /reset instead of /reset2fa, and it wouldn’t prompt for the 2FA token.


FUSE allows UAF reads of write() buffers in Linux < v5.17

With a FUSE (Filesystem in Userspace) there are two modes of IO: either the normal kernel page cache can be used for handling read/write attempts, or, by using FOPEN_DIRECT_IO in the open call, the read/write requests can be sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode, and map those pages over to the FUSE process…


Exploiting Struts RCE on 2.5.26

For some UIBean tags the name field was vulnerable to a double OGNL evaluation when there was no corresponding value field, which could lead to remote code execution.