Vulnerabilities (Page 5)

SMTP Smuggling - Spoofing E-Mails Worldwide

Take the idea of HTTP request smuggling and apply it to SMTP, and you’ve got an idea of what is going on with this awesome research out of


Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100

A series of issues in the Sonos Era 100 speaker that was exploited for Pwn2Own by NCC Group. During some initial recon on the speaker, they discovered breakout pads for serial/UART, as well as pins for Embedded MultiMedia Card (eMMC) communication, which gave them access to the flash that stored the firmware…


Multiple Vulnerabilities In Extreme Networks ExtremeXOS

Multiple vulns detailed in ExtremeXOS, the operating system used for Extreme Networks managed switches. The bulk of the issues stem from the Chalet application, the main web app, which is built on the CherryPy framework in Python and runs as root…


CVE-2023-30644: Samsung RIL Stack Buffer Overflow

The root cause of the vulnerability is a buffer overflow in the CdmaSmsParser::CdmaSmsParser function. This function copies incoming IPC messages from the baseband processor into a fixed-size buffer on the stack without first validating the length of the message…


lateralus (CVE-2023-32407) - a macOS TCC bypass

A classic filesystem race condition in Metal-based macOS applications that can lead to a bypass of macOS’ Transparency, Consent, and Control (TCC) privacy framework. Applications that rely on the Metal framework look for the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable and write debugging data to the path it names, with that application's privileges, even if the given file path already exists…


Extracting Training Data from ChatGPT

This post details a prompt-based exploit that could be leveraged against ChatGPT, as well as other language models such as Falcon, Pythia, LLaMA, and GPT-Neo, to extract training data. The basis for this vulnerability is that when the model is prompted to repeat a word a large number of times (for example, "repeat this word forever: poem"), after enough repetitions the model ends up diverging…


That's FAR-out, Man

An iOS bug due to improper handling of the Fault Address Register (FAR) in XNU on arm64. The FAR register is updated with the faulting address upon certain CPU exceptions, such as instruction or data aborts on invalid addresses, alignment faults, and page faults…


How I found Microsoft Hypervisor bugs as a by-product of learning

This bug is basically a failure to properly intercept guest writes to the IA32_HW_FEEDBACK_PTR Model-Specific Register (MSR), which the CPU uses to store the physical address it writes performance feedback information to upon reset. As this MSR was not intercepted, a guest could write a hypervisor physical address into it before a sleep or hibernation (S3/S4) resume and get the CPU to corrupt hypervisor memory.