Straightforward use-after-free in libcurl when processing MQTTs.The mqtt_doing() routine will attempt to send any remainder of outgoing packet data using the mq->sendleftovers pointer, freeing that pointer, but then never clearing the reference…
Three bugs relating to insecurely configured CloudKit containers, the big one being the accidental deletion of all Apple Shortcuts, but also the ability to delete records on Apple News, and modify data used on the iCrowd+ website.
There are four vulnerabilities in Azure’s Open Management Infrastructure (OMI), one allowing an unauthenticated attacker on the internet to execute code as root, the other three allowing local users of any level to execute code as root.
This is effectively a replay attack.Join a channel you can comment in, place a comment and capture that POST request…
A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/waf/etc).Not a crazy idea but I don’t think we’ve covered any WAF bypass quite like this on the podcast before…
For a GitLab bug, this one is nice and simple, stored XSS in the “default branch name” field.For a group you can setup what the group’s default branch name should be for any new repositories created…
When SmugMug bought Flickr from Yahoo they had to move the authentication system away from Yahoo’s authentication.A side-effect of this was that the account deletion process previously had used the Yahoo authentication code as the CSRF token so in the move the token was removed and not replaced with anything functionally equivalent…
A rather non-intuitive bug where sending Content-Length: x would result in source disclosure on Apache.
The cool part of this paper is the speculative type confusion attack where the browser’s optimizer is trained to expect a memory access will be a uint8 array, and the CPU branch predictor that it will always go down that path. Then the attack changes both conditions leading to the CPU speculatively executing the uint8 access using data from another object, aligned in memory such that two 32bit value in JavaScript become one 64bit value.
The idea here is that by overflowing the value containing the size of a header name you can cause the header to be misinterpreted.
There is an out-of-bounds access
Great exploit chain starts with a newline injection, leading to the ability to write “2” to any file culminating in a login and root code execution, all doable with remotely hosted javascript.
What if authentication was optional? That seems to be the case here where the Netgear Switch Discovery Protocol, a UDP based protocol where each datagram is a header following by a Type Length Value (TLV) chain.The expectation is that all of the “get” commands can be used without authentication but that “set” commands should send the password authentication entry (Type 10) as the first part of the TLV chain…
tl;dr A well positioned attacker (needs to be using the same IP as the victim) can hijack a successful authentication flow and take over the session victims session by polling the get.cgi endpoint after the victim’s login was successful but before the victim has polled the same page (which happens every second)
Authentication bypass by including a magic string in the URL.The string isn’t exactly magic, rather it seems like this page (setcup.cgi) has a single file that needs to be access without authentication…