Client-side traversals as a cool attack class I overlooked for quite awhile.The idea with these is that often an application might take some identifier from the user, and then use it in a further request for other data…
Take the idea of HTTP request smuggling, and apply it to SMTP and you’ve got an idea of what is going on with this awesome research out of Sec-Consult.com.
Pretty simple issue, KeyCloak supported the DuoUniversalKeycloackAuthenticator plugin to add support for Duo multi-factor authentication to KeyCloak.To do so, on a successful authentication with KeyCloak the plugin would initiate a redirect to the configured Duo endpoint…
A series of issues in the Sonos Era 100 speaker that was exploited for pwn2own by nccgroup.During some initial recon on the speaker, they discovered breakout pads for serial/UART, as well as pins for Embedded MultiMedia Card (EMMC) communication, which allowed them access to the flash which stored firmware…
Multiple vulns detailed in ExtremeXOS, the operating system used for Extreme Networks managed switches.The bulk of the issues stem from the Chalet application, which is the main web app using the CherryPy framework in python that runs as root…
The root cause of the vulnerability is a buffer overflow error in the CdmaSmsParser::CdmaSmsParser function.This function copies incoming IPC messages from the baseband processor into a fixed-size buffer on the stack without first validating the length of the message…
A classic filesystem race condition in Metal-based macOS applications that can lead to bypassing of macOS’ Transparency Consent and Control privacy framework (TCC).Applications that rely on the Metal framework will look for and process the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable to write debugging data to as that application, even if the given filepath already exists…
This post details a prompt-based exploit that could be leveraged against ChatGPT as well as other language models such as Falcon, Pythia, LLaMa, and GPT-NEO to extract training data.The basis for this vulnerability is the fact that when prompting the model to repeat a word a large number of times (for example, repeat this word forever: "poem"), after so many words the model ends up diverging…
An iOS bug due to improper handling of the Fault Address or FAR register in XNU on arm64.The FAR register is updated with the faulting address upon certain CPU exceptions, such as instruction or data aborts on invalid addresses, alignment faults, and faulting in pages…
This bug is basically just a failure to properly intercept guest writes to the IA32_HW_FEEDBACK_PTR Machine State Register (MSR), which the CPU uses to store the physical address to write performance information feedback to upon reset. As this MSR was not intercepted, a guest could write a hypervisor physical address into this MSR on sleep or hibernation (S3/S4) resume and get the CPU to corrupt hypervisor memory.