An uninitialized "Fast Tracker" in the Windows HTTP protocol stack (HTTP.sys) as used by IIS. Despite providing a bit of a crash analysis and a POC, the post is missing information about the vulnerability itself, as the primary focus was on building out the exploit.
Three-part blog series by Connor McGarr which covers exploiting a type confusion in Chakra-based Edge. Part 1 covers environment setup and the vulnerability, part 2 the core exploitation primitives, and part 3 porting the exploit to Edge and bypassing Edge mitigations.
There is a good deal of complexity in the object structure that is detailed in the post that I'm going to gloss over. Effectively you have an array of entry objects, and each entry has a pointer to a user_data_value_element…
strcat was used in a callback to craft the xpath for each element, and it did this without any bounds checking. By nesting XML structures they could eventually overflow the memory region they were allocated in…
This one is a bit of a cross-user attack on the same machine, as git, when executed in a directory that doesn't have a .git folder, will traverse upward looking for the .git/ of the repo. The problem is that if one accidentally invokes git while not in a repository, it'll look in some potentially untrusted locations as it traverses, by default, all the way to the root of the storage…
Two issues: one being a race condition between validating that a configuration is safe and using the configuration, the second an information disclosure where a user's Net-NTLMv2 hash could be disclosed.
Copying and pasting an HTML element with a script within it can result in an XSS in the vditor text editor. This does feel like a bit of a stretch for an attack scenario, pasting malicious content into an editor, but it's not really a threat situation I've thought much about either…
Great oversight spotted by the Lightspin team in Amazon Relational Database Service's (RDS) PostgreSQL service, allowing for arbitrary file reading and ultimately disclosure of internal service credentials.
A bug and exploit that hearkens back to old-school browser exploitation. The bug is a use-after-free in concat_function() for variable concatenation, which is abused in the PHP engine to escape disable_functions and open_basedir sandboxing.
A rather subtle bug in the ASN.1 parsing state machine that comes down to one area of code being unaware of an edge case in another.