[Yoti] Pin Bruteforce Rate-Limiting Bypass
Trivial instance of client-sided validation, in this case to enforce a timeout they were using the device’s time. So by changing the time on the device you can make more attempts at the pin.
A chain of issues going from an XSS to a remote file download in a server-side PDF renderer, leading to remote-code execution. The XSS initially seemed a bit weak, as the application had no secrets or even authentication, so attacking other users would not provide much gain…
Simple container escape compared to several we’ve covered in the past: the sysctls passed into the pinns utility are delimited by a +, which can be maliciously included in a value to inject otherwise blocked sysctls. There is some minimal validation on the sysctls being passed in to ensure the keys don’t match any sensitive keys; however, an attacker can set a value to +sensitive.key=othervalue to smuggle in a blocked option.
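Added example (not code from the pinns or CRI-O projects) modelling the delimiter problem above in Go: the blocklist and the key names are constructed, and the hardened builder re-validates the joined string the way the consumer splits it rather than trusting the per-key check.

```go
package main

import (
	"fmt"
	"strings"
)

var blockedKeys = map[string]bool{"kernel.sensitive_key": true} // constructed blocklist

// vulnerableBuild mirrors the flawed flow: keys are checked one by one, then
// "key=value" pairs are joined with "+", so a "+" inside a value becomes an
// extra, never-checked sysctl once pinns splits the argument.
func vulnerableBuild(sysctls map[string]string) (string, error) {
	var parts []string
	for k, v := range sysctls {
		if blockedKeys[k] {
			return "", fmt.Errorf("sysctl %q is not allowed", k)
		}
		parts = append(parts, k+"="+v)
	}
	return strings.Join(parts, "+"), nil
}

// pinnsParse models the consumer: split on "+" and return the keys applied.
func pinnsParse(arg string) []string {
	var keys []string
	for _, kv := range strings.Split(arg, "+") {
		if i := strings.Index(kv, "="); i > 0 {
			keys = append(keys, kv[:i])
		}
	}
	return keys
}

// hardenedBuild validates the argument as pinns will actually parse it:
// the entry count must match and every parsed key must be allowed.
func hardenedBuild(sysctls map[string]string) (string, error) {
	arg, err := vulnerableBuild(sysctls)
	if err != nil {
		return "", err
	}
	keys := pinnsParse(arg)
	if len(keys) != len(sysctls) {
		return "", fmt.Errorf("%d sysctls parsed as %d entries", len(sysctls), len(keys))
	}
	for _, k := range keys {
		if blockedKeys[k] {
			return "", fmt.Errorf("sysctl %q is not allowed", k)
		}
	}
	return arg, nil
}
```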
Great bounty for a fairly simple bug: the showSaveFilePicker would allow JavaScript to provide options including a default filename, which could include %environment% variables on Windows. The JavaScript could then access the name of the saved file in the resulting promise.
Yet another branch predictor bug was discovered by grsecurity when testing a performance optimization for Reuse Attack Protector (RAP) return hash sequences. RAP sequences have an unconditional jump, followed by a movabs instruction and some int3 instructions for debugging purposes…
We have previously discussed this vulnerability, which provides a primitive to free adjacent memory.
A UAF in the Common Logging File System (CLFS). Some background is needed on how this custom filesystem works to provide context for the bug…
An attack which extends upon branch target injection, which is an attack where you train the branch predictor on an indirect branch to speculatively execute a branch erroneously and side-channel the cache to leak data. Among the various mitigations introduced by Intel and ARM were Enhanced Indirect Branch Restricted Speculation (eIBRS) and CSV2 respectively…
A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application’s API from localhost and leak administrative credentials, then an unescaped argument in a privileged-off task for command injection.
Azure Automation would run an internal service serving JWTs that could be accessed across tenant boundaries.