Sandbox Escape in Google App Engine
Very long post covering an old issue (2013), with tons of background about Java bytecode, App Engine and ASM (library). Some context for the issue is that App Engine would perform in-process sandboxing…
Race conditions on the web are one of my favorite vulnerability classes. Easy and often fairly impactful…
Fairly simple to understand bug in the JS Engine (v8) used by Foxit Reader. The crash is just two lines of code.
The device administration web-app fails to properly validate the session cookie, allowing an unauthorized attacker to gain access. The issue depends on the internal ifttt_token not being set (the default)…
Two vulnerabilities. Firstly, the SCM_RUN_FROM_PACKAGE environment variable within the Azure Function container contained a “Shared Access Signature” (SAS) that was scoped for r/w…
This one is just a silly issue. On PHP versions under 8, libxml_disable_entity_loader(true) is called to disable external entities…
Two vulnerabilities and a good deal of background. The vulnerabilities are in the UEFI Request hypercalls…
Two vulnerabilities, both in ConnMan, a root service for managing network connections: a stack-based overflow and a stack leak.
Composer will query Packagist to obtain metadata about the package to download. This includes where to fetch the code from (both source and pre-built archives)…
The base issue is that when handling a file upload (two locations do this) the buffer is allocated based on Content-Length, but the memcpy uses the actual payload length, creating a heap overflow.
Some meme-worthy vulnerabilities like unauthenticated root ADB access; don’t worry, it’s not enabled by default. But the request to enable it doesn’t require authentication.
Gatekeeper would misclassify certain types of applications, allowing them to run without any restriction. Specifically, you can cause confusion in the policy engine regarding whether the app is bundled or not…
Brave, when configuring its File Provider, exposes all files from its public and private directories. This means an app could trigger a download of Brave’s cookie database by making a request to the content:// URL for it and have it downloaded into the Downloads folder, where any app could read it.
/proc/<pid>/syscall fills in a struct syscall_info using an architecture-specific implementation. The structure has a u64[6] for argument registers to be put into…
Two-stage attack to fully take over a Facebook account.