1 Program, 4 Business Logic Bugs and Cashing in 2300$.
Four issues, two are race conditions, two are due to lack of authorization checks on the API and only enforced on the front-end.
The vulnerability in the __io_uaddr_map() function of the Linux kernel involves the incorrect handling of multi-page regions imported from userspace. This function is intended to map a physically contiguous region of memory from userspace into the kernel’s linear mapping area…
The key vulnerability discovered is a relative heap out-of-bounds write in the parsing of MDL files within CS:GO.
A fun but simple buffer overflow in Factorio. When loading save files, the game will load a PropertyTree from the file…
A secure boot bypass in Chromecast with the Google TV (CCwGTV)’s 1080p revision. This bypass sort of involves two issues, a hardware fault injection and a software logical bug, and this is due to mitigations and efforts Google has made since the exploit chain that was released against the 4K model previously.
A somewhat odd vulnerability in Adobe ColdFusion, where it would take an attacker-controllable classname parameter and use it to compile ColdFusion code on the fly to render in the response. If the classname didn’t match a valid ColdFusion class, it would treat it as a path to a ColdFusion template…
Dynamic typing strikes again! Once again some fun stuff can happen when passing in an array where a string is expected.
Authentication bypass in Apache’s OFBiz by including the GET param requirePasswordChange=Y; using this will simply bypass the need to authenticate due to some mishandling of errors.
An integer underflow in GPSd (GPS daemon) in the parsing of Network Transport of RTCM via IP (NTRIP) packets. When parsing the HTTP response that contains the table of records for getting GPS data, they parse line-by-line until a carriage return (\r\n) or null byte is encountered…
This is actually a follow-up, in a sense, to the WebP 0day post we covered on Episode 218. So I won’t rehash how the vulnerability works; instead these two posts dive more into the exploitation side of things.