Simple off-by-one issue, the application parses the Host header getting its length.Checks that length against the maximum size for the buffer its going to be copied into, copied the value over, and adds a null-byte to the end…
The bug here is pretty simple, the XML parser reads tags into a struct XMLTAG in that struct there is an array for storing attributes, which allocates space for at-most 10 attributes.The parser itself doesn’t check these bounds, allowing for a tag with more than 10 attribute to overflow on the stack…
Normalization gone wrong, Mastodon, when attempting to normalize a domain would intend to remove any trailing /from it, however they did this using .delete("/") which removes all / characters from the string instead of just a trailing /. This meant that someone could use an account like someone@mastodon.so/cial to spoof the account someone@mastodon.social.
Just a somewhat common and vulnerable use a cryptography.The signature of a firmware was not truly a signature but a hash of the content + a secret key, as the binary code that verifies the firmware is present on the device the “secret” key used is not kept secret and one could create their own firmware that would pass the signature check but contain arbitrary content…
A request smuggling to global cache poisoning chain impacting Akami Edge nodes in front of an F5 BigIP server.
iTLB Multihit exploits a low-level issue where instruction fetches from the instruction Translation Lookaside Buffer (TLB) can hit multiple entries for different page sizes.It’s suspected this bug is caused by electrical corruption due to data pins from different TLBs on the die being driven on the same line…
What happens when you don’t properly validate OAuth access tokens? Account takeovers.
The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc’s DICOM server. The vulnerability is a natural consequence of two features:
We rarely talk about memory corruption on our bounty episodes, but this one its a good one to keep in mind.Its a problem with snprintf the “secure” sprintf function…
An integer underflow vuln in Safari/WebKit, which as is typical with JSC bugs, is rooted in the ability for callbacks to change the state of objects. The root of the bug is that you can cause a copy on a zero-sized array to a destination index of something like 0x20, and when the JS engine tries to clamp the copy, results in a copy size of 0 - 0x20 = 0xffffffffffffffe0.
An object type confusion was discovered in the Microsoft Kernel Streaming Server (mskssrv.sys), which is used for virtualizing camera devices and allowing multiple applications to access camera streams.The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a context and a stream…
Log injections are a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine.IN this case though the impact was easier to spot because the program processing the output logs was part of the same application…
An interesting vulnerability was found in confluence that allowed for calling semi-arbitrary methods chains on the Action class being executed.This reminds me a bit of deserialization attacks, but in this case you’ve got the Xwork2 framework providing a SafeParametersInterceptor class…
A straightforward path traversal issue in NodeJS.Node’s fs functions allow specifying paths in the form of either strings or Uint8Array objects…
Rapid Reset is a Denial of Service (DOS) attack that abuses the HTTP/2 RST_STREAM frames functionality.Where HTTP/1.1 is text-based with the more familiar header/body messages, HTTP/2 uses binary multiplexed streams, where frames are sent back and forth consisting of data and flow-control frames…